BleepingComputer.com: Really bad infection, what is it?

Really bad infection, what is it? Taking over my executables! Help!!

#1 toddly (New Member; Group: Members; Posts: 14; Joined: 10-December 08; Gender: Male; Location: Seattle, WA USA)

Posted 22 October 2009 - 06:39 PM

I tried posting this problem months ago, but nobody responded, so the computer sat gathering dust for a bit. I am hoping this new post will finally get some attention. (link to old post: http://www.bleepingcomputer.com/forums/topic243337.html).

Somehow a bug got into my computer and it has taken over all of my security and registry software, so I cannot run the programs. Even Microsoft WORD will not run. I also cannot run Task Manager. And the virus has substituted the program icons on the desktop as well, and renamed programs to "ACME", like ACMEWORD and ACMEEXCEL, and so on. I am dead in the water.

I also noticed some odd files on the computer: gamesetup.exe, askbarsetup.exe, ccsetup210.exe, wsus3setup.cab, and setup.exe. I also notice that I now have some "exe.exe" files, which I find odd.
Some of these files are supposedly associated with a fujack virus. I copied mbam from another computer onto the sick one and ran it. It found some stuff, 7 infections, but not the stuff at the heart of the problem. MBAM said it fixed the infections, but it totally missed the monster of a virus running the machine. Also, the computer is running on Windows 2000, so I am not able to run many of the fujack removal tools or anti-virus programs like AVG 8.5.

Before my last post was removed, it recommended that I run a program (DDS), so I did. Below is the log from that program. I hope someone can help out. Thanks.

DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Todd Putnam at 16:00:49.41 on Thu 2009-10-22
Internet Explorer: 5.00.3700.1000 BrowserJavaVersion: 1.6.0_14
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.128.59 [GMT -7:00]


============== Running Processes ===============

C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
E:\FOROLD~1\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\2.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\2.bin\SPYBLOCK.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\winnt\is-JLTU3.exe" /REG
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Download with &DAP
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download &all with DAP
IE: {85d1f590-48f4-11d9-9669-0800200c9a66}
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 3\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 3\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

S1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2009-4-12 394952]
S2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
S3 ess;ESS Audio Driver (WDM);c:\winnt\system32\drivers\ess.sys [1980-2-19 64144]
S3 NAV Alert;NAV Alert; [x]
S3 NAV Auto-Protect;NAV Auto-Protect; [x]
S3 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [2008-9-2 30946]
S3 RegGuard;RegGuard;c:\winnt\system32\drivers\regguard.sys [2008-9-2 25773]
S3 W8335PCI;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;c:\winnt\system32\drivers\Mrv8000c.sys [2006-1-28 253568]

=============== Created Last 30 ================

2009-10-22 16:00 16,384 a------t c:\winnt\system32\Perflib_Perfdata_184.dat
2009-10-22 15:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
2009-10-22 14:53 693,760 a------- c:\winnt\is-JLTU3.exe
2009-10-22 14:53 10,498 a------- c:\winnt\is-JLTU3.msg
2009-10-22 14:53 370 a------- c:\winnt\is-JLTU3.lst
2009-10-22 13:50 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2a0.dat

==================== Find3M ====================

2009-10-22 13:53 10 ---shr-- c:\program files\Desktop_.ini
2009-09-10 14:54 38,224 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 18,520 a------- c:\winnt\system32\drivers\mbam.sys
2009-07-21 11:54 144,792 a------- c:\documents and settings\todd putnam\java.exe.exe
2009-07-21 11:50 2,235,920 a------- c:\documents and settings\todd putnam\AWC.exe.exe
2008-09-01 20:45 662,016 a------- c:\documents and settings\todd putnam\MemCleaner.exe.exe
1999-12-06 15:00 32,528 a------- c:\winnt\inf\wbfirdma.sys
1980-02-19 16:50 21,952 ----h--- c:\program files\folder.htt
1980-02-19 16:50 271 ----h--- c:\program files\desktop.ini
2008-05-26 17:29 161,792 a--shr-- c:\winnt\wmsoft08735.exe

============= FINISH: 16:01:43.03 ===============

Let me know what other information I need to supply to help diagnose this infestation. Thanks for any help you can offer!

toddly

This post has been edited by toddly: 22 October 2009 - 07:15 PM
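Added example, not from the post or from the DDS tool itself: a small Python triage helper that parses file entries in the format DDS prints in the "Created Last 30" and "Find3M" sections above and flags the patterns the poster describes, namely doubled extensions such as java.exe.exe, executables marked system+hidden+read-only, and hidden Desktop_.ini / folder.htt files in program folders. The sample lines are copied from the log above; the rule names, the Entry structure and the attribute-letter reading are my own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: five entries copied from the DDS "Find3M" section of the post above.
SAMPLE_LOG = """\
2009-10-22 13:53 10 ---shr-- c:\\program files\\Desktop_.ini
2009-09-10 14:54 38,224 a------- c:\\winnt\\system32\\drivers\\mbamswissarmy.sys
2009-07-21 11:54 144,792 a------- c:\\documents and settings\\todd putnam\\java.exe.exe
1980-02-19 16:50 21,952 ----h--- c:\\program files\\folder.htt
2008-05-26 17:29 161,792 a--shr-- c:\\winnt\\wmsoft08735.exe
"""

# One DDS file entry: date, time, size (or <DIR>), 8-character attribute field, path.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+?)\s*$")
EXEC_EXT = {"exe", "com", "scr", "dll", "sys", "pif", "bat"}
# attrs keeps only the letters present (assumed: a=archive d=directory s=system h=hidden r=read-only t=temp)
Entry = namedtuple("Entry", "date size attrs path")

def parse_entry(line):
    """Parse one listing line; returns None for section headers, blanks and other text."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    date, _time, size, attrs, path = m.groups()
    return Entry(date, size, attrs.replace("-", "").lower(), path)

def flag_entry(e):
    """Reasons an entry deserves a closer look. Heuristics only: a hit is a lead, not proof."""
    name = e.path.rsplit("\\", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    reasons = []
    # 'java.exe.exe': a second extension bolted onto a real program's name.
    if re.search(r"\.[a-z0-9]{2,4}\.(exe|com|scr|pif|bat)$", name):
        reasons.append("double extension")
    # Legitimate executables are rarely system+hidden+read-only; infectors hide copies this way.
    if ext in EXEC_EXT and {"s", "h", "r"} <= set(e.attrs):
        reasons.append("executable with system+hidden+read-only attributes")
    # Desktop_.ini (with underscore) is not a standard Windows name; folder.htt templates can carry script.
    if name in ("desktop_.ini", "folder.htt") and "h" in e.attrs:
        reasons.append("hidden folder-view file often left behind by file infectors")
    return reasons

def triage(log_text):
    """Map each suspicious path in a DDS file listing to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and (reasons := flag_entry(e)):
            findings[e.path] = reasons
    return findings
```

Feed it the whole DDS log text rather than the sample: lines that are not file entries are ignored, so the section headers and the HJT report do not need stripping first.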
