Multiple Virus Infections!

33 replies to this topic

#1 Bradlee22

  • Members
  • 32 posts

Posted 07 January 2008 - 04:07 PM

Hi, I am new to this forum. My computer recently started running extremely slow, with pop-ups, loss of desktop background, and endless ads for registry cleaners. I knew enough to know this was from a virus, so I attempted to use AVG free edition. When that didn't work I came here. I tried to go through the steps listed, but I am unable to download the ad-ware, spybot, McAfee Stinger, or a firewall. I was able to download the bit defender; it stated I had 16 viruses (log posted below). I did download Hijack this (log also posted below). I was unable to open any of the links from your page for the download, so I went to download.com and attempted to download from there without success. I was able to save some of them to my desktop but they would shut down during installation. Please advise what I need to do to fix these problems, thanks!


BIT DEFENDER LOG:


//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 07/01/2008 08:02:23
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 6207
Files : 181359
Archives : 3859
Packed files : 8698
Identified viruses : 16
Infected files : 29
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 15
Renamed files : 0
I/O errors : 49
Scan time : 01:37:51
Scan speed (files/sec) : 30

Virus definitions : 885812
Scan plugins : 14
Archive plugins : 38
Unpack plugins : 7
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee4da-2f13cb0d.zip=>MagicApplet.class Infected Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee4da-2f13cb0d.zip=>MagicApplet.class Disinfection failed
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee4da-2f13cb0d.zip=>OwnClassLoader.class Infected Trojan.Exploit.Byteverify.V
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee4da-2f13cb0d.zip=>ProxyClassLoader.class Infected Trojan.Exploit.Byteverify.AC
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee4da-2f13cb0d.zip=>ProxyClassLoader.class Disinfection failed
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee4da-2f13cb0d.zip=>Installer.class Infected Trojan.Downloader.Java.Agent.A
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee4da-2f13cb0d.zip Moved
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee56c-4266dbe8.zip=>MagicApplet.class Infected Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee56c-4266dbe8.zip=>MagicApplet.class Disinfection failed
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee56c-4266dbe8.zip=>OwnClassLoader.class Infected Trojan.Exploit.Byteverify.V
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee56c-4266dbe8.zip=>ProxyClassLoader.class Infected Trojan.Exploit.Byteverify.AC
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee56c-4266dbe8.zip=>ProxyClassLoader.class Disinfection failed
C:\Documents and Settings\Chad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1f3ee56c-4266dbe8.zip=>Installer.class Infected Trojan.Downloader.Java.Agent.A
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0010 Infected Trojan.Downloader.Tsupdate.N
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0010 Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0010 Move failed
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0011 Infected Trojan.Downloader.Tsupdate.R
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0011 Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0011 Move failed
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0012 Infected Trojan.Generic.50695
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0012 Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0012 Move failed
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0013 Infected Trojan.Downloader.TSUpdate.Q
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0013 Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe=>wise0013 Move failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\!update-4395[1].0000 Infected Trojan.Downloader.PurityScan.DH
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\!update-4395[1].0000 Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\!update-4395[1].0000 Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\popup[1].htm Infected Trojan.Clicker.CM
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\popup[1].htm Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\popup[1].htm Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\popup[2].htm Infected Trojan.Clicker.CM
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\popup[2].htm Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\popup[2].htm Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[1].htm=>(IFRAME) Infected Trojan.IFrame.AN
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[1].htm=>(IFRAME) Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[2].htm=>(IFRAME) Infected Trojan.IFrame.AN
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[2].htm=>(IFRAME) Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[2].htm Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[3].htm=>(IFRAME) Infected Trojan.IFrame.AN
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[3].htm=>(IFRAME) Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\8G5HRDMJ\process[3].htm Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\DEMZKJKL\popup[1].htm Infected Trojan.Clicker.CM
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\DEMZKJKL\popup[1].htm Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\DEMZKJKL\popup[1].htm Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\1199714715[1].exe Infected Generic.Drop.Alpha.3E78C0DB
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\1199714715[1].exe Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\1199714715[1].exe Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\acdt-pid70[1].exe Infected Dropped:Trojan.Clicker.Small.YD
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\acdt-pid70[1].exe Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\acdt-pid70[1].exe Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\popup[1].htm Infected Trojan.Clicker.CM
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\popup[1].htm Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\popup[1].htm Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\process[1].htm=>(IFRAME) Infected Trojan.IFrame.AN
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\E1JBU7SN\process[1].htm=>(IFRAME) Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\FH75B6IP\popup[1].htm Infected Trojan.Clicker.CM
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\FH75B6IP\popup[1].htm Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\FH75B6IP\popup[1].htm Moved
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\U3U7TAJC\install[1] Infected MemScan:Trojan.Agent.AGHH
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\U3U7TAJC\install[1] Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\U3U7TAJC\install[1] Move failed: Quarantine full
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\U3U7TAJC\process[1].htm=>(IFRAME) Infected Trojan.IFrame.AN
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\U3U7TAJC\process[1].htm=>(IFRAME) Disinfection failed
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\U3U7TAJC\process[1].htm Moved
C:\WINDOWS\avp.exe Infected Generic.Drop.Alpha.3E78C0DB
C:\WINDOWS\avp.exe Disinfection failed
C:\WINDOWS\avp.exe Moved
C:\WINDOWS\b104.exe=>(NSIS o)=>lzma_solid_nsis0002 Infected Trojan.Downloader.Small.BUY
C:\WINDOWS\b104.exe=>(NSIS o)=>lzma_solid_nsis0002 Disinfection failed
C:\WINDOWS\b104.exe=>(NSIS o)=>lzma_solid_nsis0002 Move failed
C:\WINDOWS\mgrs.exe Infected Generic.Dld.Alpha.83127FF2
C:\WINDOWS\mgrs.exe Disinfection failed
C:\WINDOWS\mgrs.exe Moved

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:06 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Insider\Insider.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chad\My Documents\?ymantec\?poolsv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
c:\program files\softwin\bitdefender8\bdlite.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?product=s...version=g_4.4.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll
O2 - BHO: (no name) - {B6F8AF45-3CAD-6F2B-D82F-38E676F55E9C} - C:\WINDOWS\system32\odiydm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [megeziq] C:\Program Files\MSN Gaming Zone\megeziq77798.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Command Service (cmdService) - CMD Technology, Inc. - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - http://www.yamaha-motor.com/products/atv/5...0_wht_act94.jpg
O24 - Desktop Component 1: (no name) - http://i23.ebayimg.com/05/i/06/d4/2f/b0_3.JPG
O24 - Desktop Component 2: (no name) - http://www.lakewaymotors.com/01berger/gallery.jpg
O24 - Desktop Component 3: (no name) - http://www.lakewaymotors.com/01berger/engineside.jpg

--
End of file - 10063 bytes
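As an added example (not code from the thread or from HijackThis, SmitfraudFix or SDFix), a small Python triage script that runs the kind of checks a log helper applies to HijackThis lines like the ones posted above: an extra program chained to the Explorer shell (F2), an unnamed BHO backed by a file (O2), Run entries that are bare filenames, live in the Windows root or carry a numeric suffix (O4), dot-named startup items, policy restrictions (O7), Trusted Zone additions (O15) and services whose binary is missing (O23). The sample log and the C:\WINDOWS path are constructed from the posted log, and the heuristics are mine rather than HijackThis's own logic.

```python
import re
from typing import List, Optional, Tuple

# Assumed Windows directory; the posted process list shows C:\WINDOWS.
WINDIR = r"C:\WINDOWS"

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<file>.*)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
# First quoted or unquoted executable in a Run value. HijackThis prints unquoted
# paths that contain spaces, so splitting on whitespace would truncate them.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|bat|cmd|scr|pif|com))"?', re.IGNORECASE)


def exe_path(cmd: str) -> str:
    """Return the executable part of a Run value, without quotes or switches."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ")[0]


def check_run_entry(cmd: str) -> Optional[str]:
    """Heuristics for one O4 Run value; None means nothing stood out."""
    path = exe_path(cmd)
    low = path.lower()
    if "\\" not in path:
        # e.g. "mgrs.exe": no directory, so Windows resolves it via the search path
        return "bare filename with no directory (resolved through the search path)"
    parent, basename = low.rsplit("\\", 1)
    if parent == WINDIR.lower():
        # e.g. C:\WINDOWS\avp.exe: autostarts normally live below system32 or
        # Program Files, not directly in the Windows root
        return "runs directly from the Windows directory root"
    if "\\temp\\" in low or "temporary internet files" in low:
        return "runs from a temporary directory"
    if re.search(r"\d{4,}", basename):
        # e.g. megeziq77798.exe: a weak signal on its own; confirm against the
        # vendor of the parent folder before acting on it
        return "filename carries a long numeric suffix"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan HijackThis log lines and return (line, reason) for each suspicious one."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        reason = None
        if (m := SHELL_RE.match(line)):
            extra = [t for t in m.group("shell").split() if t.lower() != "explorer.exe"]
            if extra:
                reason = "extra program chained to the Explorer shell: " + " ".join(extra)
        elif (m := BHO_RE.match(line)):
            if m.group("name") == "(no name)" and m.group("file") != "(no file)":
                reason = "unnamed browser helper object backed by a real file"
        elif (m := RUN_RE.match(line)):
            reason = check_run_entry(m.group("cmd"))
        elif (m := STARTUP_RE.match(line)):
            if m.group("item").startswith("."):
                reason = "dot-named startup item with no extension (not a program shortcut)"
        elif line.startswith("O7 - "):
            reason = "system policy restriction set (admin tools disabled for the user)"
        elif line.startswith("O15 - Trusted Zone:"):
            reason = "site added to the Trusted Zone (lowered browser security)"
        elif line.startswith("O23 - ") and ("(file missing)" in line or "(no file)" in line):
            reason = "service whose binary is missing (orphaned entry)"
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample modelled on the posted log (ten lines, not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {B6F8AF45-3CAD-6F2B-D82F-38E676F55E9C} - C:\WINDOWS\system32\odiydm.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [megeziq] C:\Program Files\MSN Gaming Zone\megeziq77798.exe
O4 - Startup: .protected
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {hit}")
```

Every hit is a lead for a human to confirm, not a verdict: the posted log's `[BCMSMMSG] BCMSMMSG.exe` entry would also trip the bare-filename rule, so check each flagged item against its vendor before removing anything.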


#2 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 13 January 2008 - 08:46 PM

Hi, Welcome to Bleeping Computer Forums!

My name is Renato Mejias, and I will help you to solve your problems :thumbsup:.

You might want to save this page on your favorites, so you can find it again when you return.

Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Renato Victor Mejias
Malware help in portuguese

#3 Bradlee22

  • Topic Starter
  • Members
  • 32 posts

Posted 14 January 2008 - 02:29 AM

Thanks for your reply, I will be waiting for further instructions!

#4 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 14 January 2008 - 02:55 PM

Hi Bradlee22, you are infected by Trojan-Downloader.Win32.Alphabet; for more information, look here.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if every product has its automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as every product fights for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.

Currently you have these anti-virus products installed:
  • AVG
  • McAfee
  • BitDefender
You need to choose one of them.

Next,

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Renato Victor Mejias
Malware help in portuguese

#5 Bradlee22

  • Topic Starter
  • Members
  • 32 posts

Posted 15 January 2008 - 09:57 PM

OK, I have tried to click on the link and nothing happens. I have tried to right-click and open in a new window, but nothing will open.

#6 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 16 January 2008 - 08:42 AM

What link doesn't work? I tested both and they work.

Renato Victor Mejias
Malware help in portuguese

#7 Bradlee22

  • Topic Starter
  • Members
  • 32 posts

Posted 17 January 2008 - 12:25 AM

I also tested the link on another computer and it does work fine, but on the infected computer I cannot open the link by clicking on it or by opening it in another window. I had the same problem while I was trying to download the other removal programs (ad-aware, spybot, etc...). I also tried to download some of them from download.com but it would not allow me to do it there either. The link would not open, or the program would shut down during installation.

#8 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 17 January 2008 - 02:42 PM

Please burn a CD with these programs on another computer. After you have finished burning the necessary programs to a CD, please follow my earlier instructions from Post #4.

Renato Victor Mejias
Malware help in portuguese

#9 Bradlee22

  • Topic Starter
  • Members
  • 32 posts

Posted 25 January 2008 - 07:43 PM

Sorry for the delay, below are the results from Smitfraud:

SmitFraudFix v2.274

Scan done at 18:37:50.34, Fri 01/25/2008
Run from C:\Documents and Settings\Jennifer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\MSN Gaming Zone\megeziq77798.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Insider\Insider.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS

C:\WINDOWS\.protected FOUND !
C:\WINDOWS\avp.exe FOUND !
C:\WINDOWS\mgrs.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Jennifer


C:\Documents and Settings\Jennifer\Application Data


Start Menu

C:\DOCUME~1\Jennifer\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

C:\DOCUME~1\Jennifer\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Helper\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6E5F1D9C-3B8F-4D99-A71A-66470119D5C4}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6E5F1D9C-3B8F-4D99-A71A-66470119D5C4}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6E5F1D9C-3B8F-4D99-A71A-66470119D5C4}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254


Scanning for wininet.dll infection


End

#10 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 27 January 2008 - 09:05 AM

Hi Bradlee22 :thumbsup:.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Next,

Please copy SDFix to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" again.

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt and SmitFraudFix log in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Renato Victor Mejias
Malware help in Portuguese

#11 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass
  • Local time:10:18 PM

Posted 01 February 2008 - 06:47 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#12 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,512 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:08:18 PM

Posted 17 February 2008 - 08:44 PM

Topic reopened at original posting member's request.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#13 Bradlee22

Bradlee22
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Male
  • Local time:10:18 PM

Posted 18 February 2008 - 01:45 AM

I have completed the steps, below are the requested reports:
I have also had problems with the computer crashing, and it continuously makes attempts to download a file called s3.cookingluck.com.htm, and I am getting registry errors.

SDFix: Version 1.131
Run by Administrator on Wed 02/06/2008 at 07:28 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Jennifer\Desktop\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\PROGRA~1\PAGE~1.HTM - Deleted
C:\PROGRA~1\COMPLU~1\RTESER~1.HTM - Deleted
C:\PROGRA~1\MSNGAM~1\MEGEZI~1.EXE - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk - Deleted
C:\Program Files\Ultimate Cleaner\program.info - Deleted
C:\Program Files\Ultimate Cleaner\ucleaner.pkg - Deleted
C:\Program Files\Ultimate Cleaner\UltimateCleaner.db - Deleted
C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe - Deleted
C:\Program Files\Ultimate Cleaner\Uninstall.exe - Deleted
C:\Program Files\Ultimate Cleaner\com\ucsecuredelete.dll - Deleted
C:\Program Files\spoolsv.exe - Deleted
C:\Program Files\ucleaner_setup.exe - Deleted
C:\WINDOWS\Casino.ico - Deleted
C:\WINDOWS\Free Online Dating.ico - Deleted
C:\WINDOWS\Spyware Remover.ico - Deleted

Folder C:\Documents and Settings\Jennifer\Application Data\Ultimate Cleaner - Removed
Folder C:\Documents and Settings\All Users\Start Menu\Programs\UltimateCleaner 2007 - Removed
Folder C:\Program Files\Ultimate Cleaner - Removed

The below files have been patched by Trojan.Agent.zb to load users32.dat and should be replaced:
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe

Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 19:36:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
File Backups: - C:\DOCUME~1\Jennifer\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes:
Fri 28 Jul 2006 10,217 A..H. --- "C:\TEMP\t4.bak"
Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 29 Dec 2004 233,554 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0a\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0a\rbm.exe"
Tue 2 Aug 2005 187,904 A.SHR --- "C:\WINDOWS\Q2hhZA\asappsrv.dll"
Sat 29 Dec 2007 18,432 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0007522.exe"
Sat 29 Dec 2007 10,752 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0007523.exe"
Tue 5 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{1bc4badf-acd6-4634-b6b1-4aafc46fcf84}\UnknownBoot.dll"
Wed 6 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{28abf604-d30b-474e-9800-9c4c734436c5}\ComponentChk.dll"
Sun 27 Jan 2008 12,838 ..SHR --- "C:\WINDOWS\Installer\{2aeef4b6-e083-47aa-81ee-cfec2af0551a}\SrvKernel.dll"
Thu 31 Jan 2008 12,838 ..SHR --- "C:\WINDOWS\Installer\{5082aa1e-f243-4939-bc0f-83bad928efc2}\UnknownSetup.dll"
Mon 4 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{543df3b9-2dd1-42e6-93ca-2bb5679ae9d0}\DriveDrive.dll"
Wed 6 Feb 2008 39,462 ..SHR --- "C:\WINDOWS\Installer\{548fbba3-faef-4eca-92f2-9da32e0981d8}\zip.dll"
Wed 6 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{9309c251-e186-484d-95b5-5fccda496fc3}\BootChk.dll"
Sun 3 Feb 2008 39,462 ..SHR --- "C:\WINDOWS\Installer\{ce12e9e4-d6a3-49b2-820c-288db891ddd4}\zip.dll"
Mon 4 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{d200ed0d-fe4a-4984-b698-2c0c3ddfe52d}\DrvBoot.dll"
Sun 7 Oct 2007 1,148 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Mon 7 Jan 2008 18,432 ...H. --- "C:\Program Files\Softwin\BitDefender8\Quarantine\avp.exe"
Mon 7 Jan 2008 10,752 ...H. --- "C:\Program Files\Softwin\BitDefender8\Quarantine\mgrs.exe"
Wed 4 Jan 2006 94,208 ...H. --- "C:\Program Files\Softwin\BitDefender8\Quarantine\netmon.exe"
Thu 30 Aug 2007 25,755,448 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf0471ca1f3f12affe6c8fea1ffc6ddb\BIT457.tmp"
Sun 6 May 2007 8 A..H. --- "C:\Documents and Settings\Jennifer\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 6 May 2007 8 A..H. --- "C:\Documents and Settings\Jennifer\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 25 Jul 2007 8 A..H. --- "C:\Documents and Settings\Jennifer\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 25 Jul 2007 8 A..H. --- "C:\Documents and Settings\Jennifer\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!


SmitFraudFix v2.274
Scan done at 20:02:41.37, 2008-02-16
Run from C:\Documents and Settings\Jennifer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\xInsIDE\xInsIDE.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
hosts

C:\

C:\WINDOWS

C:\WINDOWS\system

C:\WINDOWS\Web

C:\WINDOWS\system32

C:\Documents and Settings\Jennifer

C:\Documents and Settings\Jennifer\Application Data

Start Menu

C:\DOCUME~1\Jennifer\FAVORI~1

Desktop

C:\Program Files

Corrupted keys

Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix.exe by S!Ri

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

Rustock

DNS
Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
DNS Server Search Order: 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6E5F1D9C-3B8F-4D99-A71A-66470119D5C4}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6E5F1D9C-3B8F-4D99-A71A-66470119D5C4}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6E5F1D9C-3B8F-4D99-A71A-66470119D5C4}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254

Scanning for wininet.dll infection

End

#14 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:12:18 AM

Posted 18 February 2008 - 06:37 AM

Please, post a new hijackthis log.
Renato Victor Mejias
Malware help in Portuguese

#15 Bradlee22

Bradlee22
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Male
  • Local time:10:18 PM

Posted 19 February 2008 - 09:09 AM

Following is the HijackThis log; I also am receiving the following error upon startup, and the computer is running extremely slow:

ERROR MESSAGE:

Error in the system registry
P-07-0100 irqli 1f sysver 0xff00024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED



HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:59, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C2832213329D26033AAC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O21 - SSODL: SrvKernel - {2aeef4b6-e083-47aa-81ee-cfec2af0551a} - C:\WINDOWS\Installer\{2aeef4b6-e083-47aa-81ee-cfec2af0551a}\SrvKernel.dll
O21 - SSODL: UnknownSetup - {5082aa1e-f243-4939-bc0f-83bad928efc2} - C:\WINDOWS\Installer\{5082aa1e-f243-4939-bc0f-83bad928efc2}\UnknownSetup.dll
O21 - SSODL: zip - {ce12e9e4-d6a3-49b2-820c-288db891ddd4} - C:\WINDOWS\Installer\{ce12e9e4-d6a3-49b2-820c-288db891ddd4}\zip.dll
O21 - SSODL: DriveDrive - {543df3b9-2dd1-42e6-93ca-2bb5679ae9d0} - C:\WINDOWS\Installer\{543df3b9-2dd1-42e6-93ca-2bb5679ae9d0}\DriveDrive.dll
O21 - SSODL: DrvBoot - {d200ed0d-fe4a-4984-b698-2c0c3ddfe52d} - C:\WINDOWS\Installer\{d200ed0d-fe4a-4984-b698-2c0c3ddfe52d}\DrvBoot.dll
O21 - SSODL: UnknownBoot - {1bc4badf-acd6-4634-b6b1-4aafc46fcf84} - C:\WINDOWS\Installer\{1bc4badf-acd6-4634-b6b1-4aafc46fcf84}\UnknownBoot.dll
O21 - SSODL: ComponentChk - {28abf604-d30b-474e-9800-9c4c734436c5} - C:\WINDOWS\Installer\{28abf604-d30b-474e-9800-9c4c734436c5}\ComponentChk.dll
O21 - SSODL: BootChk - {9309c251-e186-484d-95b5-5fccda496fc3} - C:\WINDOWS\Installer\{9309c251-e186-484d-95b5-5fccda496fc3}\BootChk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8883 bytes
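As an added illustration (not part of this thread, of HijackThis or of SDFix), the cross-check a helper triaging this thread does by hand: match the O21/O4/O15/O23 entries of the HijackThis log against the SDFix "Files with Hidden Attributes" list. The sample lines are copied from the logs posted above; the triage heuristics themselves are an assumption of this example.

```python
import re

# Constructed sample: lines copied from the SDFix report posted in this thread.
SDFIX_HIDDEN = r"""
Tue 5 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{1bc4badf-acd6-4634-b6b1-4aafc46fcf84}\UnknownBoot.dll"
Sun 27 Jan 2008 12,838 ..SHR --- "C:\WINDOWS\Installer\{2aeef4b6-e083-47aa-81ee-cfec2af0551a}\SrvKernel.dll"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0a\AOLphx.exe"
"""

# Constructed sample: lines copied from the HijackThis log above (hex argument shortened).
HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O21 - SSODL: SrvKernel - {2aeef4b6-e083-47aa-81ee-cfec2af0551a} - C:\WINDOWS\Installer\{2aeef4b6-e083-47aa-81ee-cfec2af0551a}\SrvKernel.dll
O21 - SSODL: UnknownBoot - {1bc4badf-acd6-4634-b6b1-4aafc46fcf84} - C:\WINDOWS\Installer\{1bc4badf-acd6-4634-b6b1-4aafc46fcf84}\UnknownBoot.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# SDFix line shape: "<dow> <d> <mon> <yyyy> <size> <attrs> --- "<path>"", attrs like A..H. / ..SHR
HIDDEN_RE = re.compile(r'^\w{3} \d{1,2} \w{3} \d{4} [\d,]+ ([A-Z.]{5}) --- "(.+)"$')
HEX_ARG = re.compile(r'\s[0-9A-F]{32,}$')  # long opaque hex argument after the exe


def sdfix_hidden_files(report):
    """Map lower-cased path -> attribute string for each hidden-file line SDFix reported."""
    found = {}
    for line in report.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            found[m.group(2).lower()] = m.group(1)
    return found


def triage_hjt(log, hidden):
    """Return (section, item, reason) for HijackThis entries worth a second look.

    Heuristics are this example's own assumption: SSODL DLLs living in the Installer
    cache folder, non-default Trusted Zone sites, Run entries whose exe sits directly in
    %WINDIR% with a long hex argument, and services with no known owner and no .exe image.
    """
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        section, _, rest = line.partition(' - ')
        if section == 'O21':
            path = rest.rsplit(' - ', 1)[-1]
            low = path.lower()
            if '\\windows\\installer\\' in low:
                why = 'SSODL DLL loaded from the Installer cache folder'
                attrs = hidden.get(low)
                if attrs and 'H' in attrs:
                    why += f' (SDFix lists it as hidden, attrs {attrs})'
                findings.append((section, path, why))
        elif section == 'O15':
            findings.append((section, rest, 'non-default Trusted Zone entry'))
        elif section == 'O4':
            m = re.search(r'\] (.+)$', rest)
            cmd = m.group(1) if m else rest
            exe = cmd.split()[0].strip('"')
            in_windir = re.fullmatch(r'c:\\windows\\[^\\]+\.exe', exe.lower())
            if in_windir and HEX_ARG.search(cmd):
                findings.append((section, exe, 'exe directly in %WINDIR% with a long hex argument'))
        elif section == 'O23':
            parts = rest.split(' - ')
            owner, path = parts[-2], parts[-1]
            if owner == 'Unknown owner' and not path.lower().endswith('.exe'):
                findings.append((section, path, 'service with unknown owner and no .exe image'))
    return findings


if __name__ == '__main__':
    for sec, item, why in triage_hjt(HJT_LOG, sdfix_hidden_files(SDFIX_HIDDEN)):
        print(f'{sec:4} {item}\n     -> {why}')
```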



