7 Replies Latest reply on May 10, 2010 2:50 PM by exbrit

    Infected, what do I do?

    quik66

      The other night (May 4th, 2010), my computer became infected. The first thing that occurred was that McAfee Security Center prompted me that a program was asking for permission to access the internet... I blocked the request and immediately initiated a scan...

      One file was sent to "quarantine": file name N002106201R04, detection name Artemis!E3F6A36...

      I also initiated a cleaning of my computer, and was surprised to see a few files return. These were in C:\Documents and Settings\user\Local Settings\temp\

      I "shredded" them, but they came back after I rebooted... Some of these are Perflib_perfdata_e70.dat, perflib_perfdata_ff4.dat, Mar16.tmp, etc.

      When I go to Internet Explorer, I will often be redirected to "not-so-random" websites, especially when clicking on Google hits...

      Then I had Microsoft Development Environment automatically open (run, design, etc.). Most is usually blank, but I did see a few popups from the Micro Devel program that have website addresses (like WWW.locatefindweb, etc., and some with IP addresses)...

      Tonight, I again rescanned, and 4 files were detected/quarantined, all Generic FakeAlert!ho (trojan): Multiprocessormmxcore.exe, fliterffactory3.00.exe, reportingmicrosoft.exe and Colorsanpa4378.exe. All in C:\Program Files and one in Common Files...

      During the scan, I got a pop-up message "McAfee MISP Shell has encountered a problem and needs to close". I didn't acknowledge it, and the scan continued running...

      After the scan, I had Microsoft Development open again... This time I did some sleuthing (I don't know what I am doing). I checked the drop-down menus: Debug\Processes.

      The box showed MCShell.exe and SVCHost.exe... Nothing else, but it showed a user named "UserXX" (not my user name on my computer). So I am thinking this virus is trying to change McAfee as well as other stuff...

      I tried to send the quarantined files to McAfee, but they failed (one said "too large", one just failed, etc.)

      Please help.

      I'd also appreciate specific steps (as much as can be provided), as I am an amateur. I have successfully removed viruses in the past, but I don't know where to go to find other products; it's been a while since I operated in "safe mode", etc...

      Thanks.

      Windows XP, McAfee (AT&T Security Suite) Security Center 9.15, VirusScan 13.15

        • 1. Re: Infected, what do I do?
          k3tg

          quik66

          Please review this link from McAfee to assist you in resolving your issue:

          Required Reading - Home User Assistance Malware Troubleshooting

          After following the suggestions in the link, if you still have problems then try Malwarebytes (www.malwarebytes.org) and SuperAntispyware (www.superantispware.com), both of which are free. Just follow the directions given and let them clean anything they may find. You may need to download these on a non-infected PC by way of a USB stick or pen drive. You should rename the download and, when you are ready to install, rename the install folder. This method usually works because malware and spyware is written to protect itself from these types of programs being installed to kill the infections.

          Good Luck
          • 2. Re: Infected, what do I do?
            Peacekeeper

            Also use the submission details in the above doc to submit the files via email to McAfee Labs; the quarantine submission is error-prone but is being looked at.

            • 3. Re: Infected, what do I do?
              exbrit

              Moved to Security Awareness > Malware Discussion > Artemis Discussion

              • 4. Re: Infected, what do I do?
                quik66

                Thank you K3TG and Peacekeeper. I'll go through that "Required Reading" document and see what happens...

                It might take me a few days (especially if I need to find a "non-infected PC". My work might not allow me to download the malware files).

                I'll report back...

                Thanks again...

                Quik66

                • 5. Re: Infected, what do I do?
                  quik66

                  Well,

                  Still having issues...

                  I followed the "Required Reading" mentioned above... disabled "System Restore", downloaded the Stinger... Then I downloaded and used both Malwarebytes and SuperAntiSpyware (maybe this was a problem? They seemed to download fine to my computer)... SAS found 60 "adware cookies" and deleted them, but nothing else listed... Malwarebytes found:

                  1 registry value infected (Trojan.Agent)

                  1 registry data item infected (Trojan.JSRedir.H) and "Good:" wdmaud.drv (not sure what that means)...

                  4 folders infected and 5 files infected (Trojan.Agent, Trojan.JSRedir, Trojan.Swisyn and Malware.Trace)

                  All "Quarantined and deleted successfully".

                  I ran both scans in "Safe Mode" and again in regular mode after a reboot. The new scans came back with no infections...

                  HOWEVER,

                  I noticed a file in the C:\Documents and Settings\user\Local Settings\temp folder... perflib_Perfdata_830.DAT. I tried to "delete" and to "shred" it with McAfee, to no avail... And soon the McAfee popup appeared asking whether I wanted to block or allow access to a registry change for "C:\Windows\explorer.exe". I blocked it...

                  I have yet to see the Microsoft Developer Environment open again (I saw it open after a few scans, even while in "Safe Mode", but nothing after the last reboot - YET).

                  I still have problems. When I accessed the internet, while I opened this address, a separate screen opened with another website (actually several redirects)...

                  I can type in an address or use "Favorites" and it's okay, but IF I search Google, when I click on a result, I am sent to another website instead of the result... Example: I Googled "Disneyland" and from the results I clicked the actual Disney website (Disney.go or something), but instead I was redirected to another search engine with different "Disney" links... I can cut and paste the addresses from the Google results (if complete), and it's fine...

                  So now, despite Malwarebytes, AntiSpyware and McAfee all having clean scans, I am still having issues...

                  What's the next step?

                  I actually already had the Malwarebytes program on my computer from a previous virus issue last year, so I guess it was just an update of the definition files...

                  Thanks

                  PS, While looking through some files, I came across a folder named "C:\Avenger" that was used today... Is this part of Malwarebytes or AntiSpy??? There was a text file noting an address: http://swandog46.geekstogo.com... "Beginning to process script file:" Error: file C:\... failed! --> the object does not exist". The file names were all the same as those previously Q&Deleted by Malwarebytes... Is this bad? Or is this a program running within the scans?

                  Another odd thing. "McAfee" found a program without the scan... It found an older anti-virus program named Combifix (or something)... Odd that McAfee found something that hadn't run in 12+ months (and McAfee never found it previously)... Is this perhaps the virus trying to eliminate anti-virus programs? "Fake alert"?
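The "Registry data item infected (Trojan.JSRedir.H) ... Good: wdmaud.drv" line quoted in the post above is the kind of finding worth re-checking by hand once search redirects persist after every scanner reports clean. The script below is an added example; it is not part of the thread and not a McAfee, Malwarebytes or any other vendor's tool. It assumes the reported value lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32, where the wave, midi, mixer and aux entries of a stock Windows XP install name wdmaud.drv, and it treats a numbered audio slot (wave1..wave9, midi1..midi9, and so on) pointing at anything other than a .drv file as suspect; that heuristic, and the sample values including the example_hijack.dll path, are constructed for illustration.

```python
"""Audit the Drivers32 audio entries for the hijack pattern behind a
Malwarebytes "Good: wdmaud.drv" registry finding.

Added example, not from the thread or from any vendor tool.
Assumption: the audio mapper entries live under the Drivers32 key and
point at wdmaud.drv on a stock Windows XP install.
"""
import re

DRIVERS32_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# The four entries that should name the WDM audio mapper (assumption).
CORE_AUDIO = {"wave", "midi", "mixer", "aux"}

# Numbered slots for additional devices; a DLL here instead of a .drv is
# the pattern the thread's Malwarebytes log describes (heuristic).
NUMBERED_AUDIO = re.compile(r"^(wave|midi|mixer|aux)\d$", re.IGNORECASE)


def audit_drivers32(values):
    """Return human-readable findings for suspicious Drivers32 entries.

    `values` maps value name -> string data, as read from the key.
    """
    findings = []
    by_name = {name.lower(): data for name, data in values.items()}

    # Core entries must be present and must be exactly wdmaud.drv.
    for name in sorted(CORE_AUDIO):
        data = by_name.get(name)
        if data is None:
            findings.append(f"{name}: missing (expected wdmaud.drv)")
        elif data.strip().lower() != "wdmaud.drv":
            findings.append(f"{name}: {data} (expected wdmaud.drv)")

    # Numbered slots should still be .drv audio drivers, not arbitrary DLLs.
    for name, data in sorted(values.items()):
        if NUMBERED_AUDIO.match(name) and not data.strip().lower().endswith(".drv"):
            findings.append(
                f"{name}: {data} (audio slot not pointing at a .drv driver)"
            )
    return findings


# Constructed sample: stock entries plus one hijacked numbered slot.
# The DLL path is invented for the example, not a real sample.
SAMPLE_VALUES = {
    "wave": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "aux": "wdmaud.drv",
    "midi9": r"C:\WINDOWS\system32\example_hijack.dll",
    "msacm.imaadpcm": "imaadp32.acm",   # unrelated codec entries are left alone
    "vidc.cvid": "iccvid.dll",
}


def read_live_drivers32():
    """Read the real key on Windows; return {} elsewhere or on any error."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break
                if isinstance(data, str):
                    values[name] = data
                index += 1
    except OSError:
        return {}
    return values


if __name__ == "__main__":
    live = read_live_drivers32()
    source = "live registry" if live else "constructed sample"
    for line in audit_drivers32(live or SAMPLE_VALUES) or ["no suspicious entries"]:
        print(f"[{source}] {line}")
```

Run it on the affected machine as an administrator to audit the live key; on any other system, or if the key cannot be read, it audits the constructed sample so the output can be seen. A hit is a data point to hand to whoever reviews a HijackThis log, not a removal step on its own.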

                  • 6. Re: Infected, what do I do?
                    Peacekeeper

                    There seem to be a heap of these redirect malware. Mine, on my son-in-law's PC, was easy to fix. Ensure when you install MWB etc. you update them immediately; the installed version is not always up to date.

                    Try Hitman Pro 3.5 from the CNET website as a backup, but run Stinger as the doc mentioned, on high sensitivity with report-only set on. That way if it finds something you can email it to McAfee Labs so they can find a solution. Will point some of the techs here.


                    Message was edited by: Peacekeeper on 10/05/10 5:37:45 PM
                    • 7. Re: Infected, what do I do?
                      exbrit

                      You might also want to post a HijackThis log on one of the forums that specialise in them, and they will analyze it and advise you on what's best to do next:

                      DOWNLOAD HIJACKTHIS

                      Do not post the log here, we can't help!

                      Post the logs at a specialist forum:

                      AUMHA FORUM
                      BLEEPING COMPUTER FORUM
                      MAJOR GEEKS FORUM
                      MALWAREBYTES FORUM
                      MALWARE REMOVAL FORUM
                      SPYWAREHAMMER FORUM
                      SPYWARE INFO FORUM
                      WHAT THE TECH FORUM

                      Be sure to read all the sticky announcements/instructions at the top of each malware forum!


                      Message was edited by: Ex_Brit on 10/05/10 3:50:49 EDT PM