
Hopeless Limewire Addict


6 replies to this topic

#1 DaChew


Posted 26 March 2008 - 07:03 AM

An acquaintance, note I did not say a friend, having been warned about downloading and installing software from Limewire, finally hit the mother lode.

I think they ran CureIt from safe mode at some point. He brought his laptop to me to restore the wireless internet and said everything else is working fine, though.

:thumbsup:

As an exercise I downloaded ATF, SAS, MBAM and HJT, with the appropriate manual definition updates, to a USB drive.

After glancing at the HJT log I knew we were in trouble.

Installed SAS with updates, and MBAM ditto.

Ran ATF and SAS from safe mode.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2008 at 06:29 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 01:15:35

Memory items scanned : 156
Memory threats detected : 0
Registry items scanned : 5743
Registry threats detected : 24
File items scanned : 12630
File threats detected : 18

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}
HKCR\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}
HKCR\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}\InprocServer32
HKCR\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSTR.DLL
HKLM\Software\Classes\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}
HKCR\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}
HKCR\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}\InprocServer32
HKCR\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJJG.DLL
HKLM\Software\Classes\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}
HKCR\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}
HKCR\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}\InprocServer32
HKCR\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDABC.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8913AD6-7AB9-477B-B220-44673CAD228B}

Trojan.ZQuest
HKLM\Software\Classes\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}
HKCR\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}
HKCR\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}\InProcServer32
HKCR\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\INTERNET EXPLORER\LAVUHA.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}
HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}
HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}
HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}\InProcServer32
HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\FOHELO89104.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE3E45CB-BABD-481D-BA21-16240D8081BE}

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Trojan.Downloader-CommandDesktop
C:\DOCUMENTS AND SETTINGS\PAUL THE PARTYMAN\DOCTORWEB\QUARANTINE\CMDINST.EXE

Trojan.Unclassifed/Loader-Suspicious
C:\EJAY\HIPHOP4_DEMO\EJAY\EJAY\LOADER.EXE

Trojan.Downloader-Gen/Svchost-Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67BBC2F1-2328-4819-BEC9-4623DBE7FD42}\RP266\A0068863.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67BBC2F1-2328-4819-BEC9-4623DBE7FD42}\RP266\A0068864.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67BBC2F1-2328-4819-BEC9-4623DBE7FD42}\RP266\A0079220.DLL

Trojan.Downloader-Gen/MROFIN
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU1188.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\CBADD.INI
C:\WINDOWS\SYSTEM32\CBADD.INI2

Adware.Adservs
C:\WINDOWS\SYSTEM32\XTMP\V55API.EXE

Trojan.ZQuest-Installer
C:\WINDOWS\TK58.EXE
Chewy

No. Try not. Do... or do not. There is no try.



#2 quietman7


Posted 26 March 2008 - 07:39 AM

In addition to a Vundo infection they also have Core.cache.dsk. This infection is basically a rootkit, usually protected by a driver, which must be identified and removed by the use of more powerful tools than we use in this forum in order to remove the infection completely. Before that can be done you will need to create and post a HijackThis log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 DaChew


Posted 26 March 2008 - 08:27 AM

Thanks,
I am aware of the severity of the infection.

A further note: be sure to format the USB drive after transferring any files.

:thumbsup:

#4 DaChew


Posted 26 March 2008 - 12:00 PM

For future reference, I hope anyone advocating the use of a USB drive to transfer fixes to an infected computer will make sure the clean computer and the USB drive are properly prepared for the transfer.

#5 quietman7


Posted 26 March 2008 - 05:52 PM

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, I recommend disabling the Autorun feature on USB and removable drives (especially an external drive used for backup) as a method of prevention. This should keep the malicious file from automatically running upon insertion and infecting your system while allowing you to safely perform a scan.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Always scan USB Flash Drives after they have been used in other computer systems, even your own.
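The following is an added example, not code from the thread or from any of the tools named in it. It is a small triage parser for the autorun.inf file the post above warns about: given the text of an autorun.inf found in the root of a USB drive, it lists every directive that would make XP-era Windows run a program on insertion (open= and shellexecute=) or on double-clicking the drive icon in Explorer (shell= combined with shell\<verb>\command=). The two sample file contents at the bottom are constructed for illustration, and the file and directory names in them are placeholders.

```python
"""Added example (not part of the BleepingComputer thread): triage an
autorun.inf from a removable drive and report every way it could launch a
program. Sample inputs are constructed, not captured from a real drive."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directives that launch code directly when AutoRun is enabled.
LAUNCH_KEYS = ("open", "shellexecute")
# Standard Explorer verbs; redefining them is how a drive icon gets hijacked.
STANDARD_VERBS = ("open", "explore")


@dataclass
class AutorunReport:
    launch_targets: Dict[str, str] = field(default_factory=dict)  # directive -> command
    verbs: Dict[str, str] = field(default_factory=dict)           # verb -> command
    default_verb: Optional[str] = None                            # value of shell=
    findings: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.findings)


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI parser: {section: {key: value}} with section and key names
    lower-cased. Junk lines (no '=' or outside any section) are skipped rather
    than raising, since hostile files are often padded with garbage."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text: str) -> AutorunReport:
    """Report every way this autorun.inf could start a program."""
    report = AutorunReport()
    autorun = parse_autorun(text).get("autorun", {})

    for key in LAUNCH_KEYS:
        if key in autorun:
            report.launch_targets[key] = autorun[key]
            report.findings.append(
                f"{key}={autorun[key]} runs on insertion while AutoRun is enabled")

    # shell\<verb>\command=<program> defines a context-menu verb for the drive.
    for key, value in autorun.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            report.verbs[parts[1]] = value
            if parts[1] in STANDARD_VERBS:
                report.findings.append(
                    f"redefines Explorer's '{parts[1]}' verb to run {value}")

    # shell=<verb> makes that verb the double-click action for the drive icon,
    # which is why disabling AutoRun alone does not make the drive safe to open.
    if "shell" in autorun:
        report.default_verb = autorun["shell"].lower()
        cmd = report.verbs.get(report.default_verb)
        if cmd:
            report.findings.append(
                f"shell={autorun['shell']} makes {cmd} the double-click action")
    return report


# Constructed samples: a vendor-style file that only sets an icon and label,
# and a hostile-style file that wires every launch path to one placeholder exe.
BENIGN_AUTORUN = r"""
[autorun]
icon=vendor.ico
label=Vendor Drive
"""

SUSPECT_AUTORUN = r"""
[autorun]
;padding line some droppers insert
open=hidden\launcher.exe
shell\open\Command=hidden\launcher.exe
shell\explore\command=hidden\launcher.exe
shell=open
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspect", SUSPECT_AUTORUN)):
        result = assess_autorun(sample)
        print(f"{name}: {'RISKY' if result.risky else 'no launch directives'}")
        for finding in result.findings:
            print("  -", finding)
```

Run it against the two samples and the vendor file produces no findings, while the hostile-style file is flagged four times: once for open=, once each for the redefined open and explore verbs, and once for shell=open making the redefined verb the double-click action. That last finding is the case the moderator's note covers: with AutoRun disabled the open= line is inert, but double-clicking the drive in Explorer still runs the default verb, so the drive should be scanned before it is opened.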

#6 DaChew


Posted 26 March 2008 - 06:53 PM

In managing this epidemic, 4 computers and 2 USB drives, Flash_Disinfector.exe seems to need a little more work.

One drive already had an autorun.inf file; the infection blew right past it and infected the computer I am working on now, and the bookkeeper wants it back to cut some checks?

I love a challenge.


My friend with Vista is having some real issues!

I will burn CDs in the future, and the heck with recovering a log off an infected computer.

Edited by DaChew, 26 March 2008 - 06:55 PM.


#7 DaChew


Posted 27 March 2008 - 01:30 PM

Final footnote:

Or at least I hope so. The last XP computer was so hosed by incomplete malware removals over the last 2 years and this latest infection that it would not boot into normal mode without locking up; it even had a few issues in safe mode.

Scanners had a limited success rate in safe mode. SDFix seemed to work the best after other scanners cleaned up most of the junk, but SDFix would crash after rebooting to normal mode. I fixed that by running XP as a repair disk, but made a fatal assumption that Windows would be fine after SDFix ran; it was still corrupted, and after crashing several times applying updates I ran XP as a repair disk again, then reloaded the nvidia motherboard chipset drivers again and the nvidia video drivers again.

People should always back up; a clean install and reload from backup would have taken me 1/10 of the time.
