
Spyware Problems


3 replies to this topic

#1 mugeninfinity

  • Members
  • 2 posts

Posted 27 August 2008 - 09:04 PM

I recently clicked a bad link and my computer got infected.

My desktop now displays a blue screen with a message in the center saying that I am infected with spyware (win32/adware virtumonde). It tells me to check my antivirus and I am constantly told to install software. Also, my internet connection doesn't seem to be working.

I carried out a series of scans (Avast, Ad-Aware, SpyBot and Malwarebytes); a few symptoms have disappeared, but the screen is still blue (minus the message) and I can't go into some of my display properties.

Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.25
Database version: 1090
Windows 5.1.2600 Service Pack 2

7:44:58 PM 8/27/2008
mbam-log-08-27-2008 (19-44-58).txt

Scan type: Quick Scan
Objects scanned: 82698
Time elapsed: 18 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{9ad3a9f5-b75e-4992-b3c9-6acd5cedc1e9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44b2a705-1fd2-409b-b75d-76d73e7ac2d4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{44b2a705-1fd2-409b-b75d-76d73e7ac2d4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\blphcehkj0e14n.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcehkj0e14n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ho\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ho\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\fm\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (Trojan.BHO) -> Quarantined and deleted successfully.

AVAST log:

8/27/2008 3:42:10 PM Administrator 380 Sign of "Win32:Crypt-BIK [Trj]" has been found in "C:\aub0wb8.cmd" file.
8/27/2008 3:42:58 PM Administrator 380 Sign of "Win32:AutoRun-RH [Wrm]" has been found in "C:\awda2.exe" file.
8/27/2008 3:43:28 PM Administrator 380 Sign of "Win32:OnLineGames-EBW [Trj]" has been found in "C:\cfdflx.com" file.
8/27/2008 3:54:43 PM Administrator 380 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\fm\Local Settings\Temp\.tt1.tmp.vbs" file.
8/27/2008 3:55:50 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\fm\Local Settings\Temp\xdx9qx7p.dll" file.
8/27/2008 3:57:51 PM Administrator 380 Sign of "Win32:OnLineGames-EBQ [Trj]" has been found in "C:\Documents and Settings\Ho\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.40711" file.
8/27/2008 4:00:07 PM Administrator 380 Sign of "Win32:OnLineGames-CWW [Trj]" has been found in "C:\Documents and Settings\Ho\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.78543" file.
8/27/2008 4:15:00 PM Administrator 380 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\.tt1.tmp.vbs" file.
8/27/2008 4:15:14 PM Administrator 380 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\.tt28C6.tmp.vbs" file.
8/27/2008 4:15:21 PM Administrator 380 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\.tt4.tmp.vbs" file.
8/27/2008 4:15:25 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\4.dll" file.
8/27/2008 4:15:25 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\54j.dll" file.
8/27/2008 4:15:25 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\5a9av.dll" file.
8/27/2008 4:15:25 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\5o.dll" file.
8/27/2008 4:15:27 PM Administrator 380 Sign of "Win32:AutoRun-ACA [Wrm]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\7eb4nf.dll" file.
8/27/2008 4:15:27 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\9i.dll" file.
8/27/2008 4:15:27 PM Administrator 380 Sign of "Win32:OnLineGames-DJD [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\9szq7sq.dll" file.
8/27/2008 4:15:28 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\as8ffpas.dll" file.
8/27/2008 4:15:28 PM Administrator 380 Sign of "Win32:AutoRun-ABU [Wrm]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\asqhbf.dll" file.
8/27/2008 4:15:50 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\cmctva4c.dll" file.
8/27/2008 4:15:51 PM Administrator 380 Sign of "Win32:Crypt-BIK [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\ddeo5j.dll" file.
8/27/2008 4:16:09 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\e.dll" file.
8/27/2008 4:16:23 PM Administrator 380 Sign of "Win32:OnLineGames-BTM [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\eqgcdql.dll" file.
8/27/2008 4:16:23 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\f.dll" file.
8/27/2008 4:16:23 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\f28.dll" file.
8/27/2008 4:16:25 PM Administrator 380 Sign of "Win32:AutoRun-ALC [Wrm]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\help.exe" file.
8/27/2008 4:17:25 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\lb2t87v.dll" file.
8/27/2008 4:18:56 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\p.dll" file.
8/27/2008 4:20:31 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\whyghu.dll" file.
8/27/2008 4:20:34 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\xdx9qx7p.dll" file.
8/27/2008 4:20:34 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\zclsdp.dll" file.
8/27/2008 4:27:49 PM Administrator 380 Sign of "Win32:Keygen-AX [Tool]" has been found in "C:\Documents and Settings\Ho\My Documents\My Received Files\keygen.doc" file.
8/27/2008 4:27:51 PM Administrator 380 Sign of "Win32:Keygen-AX [Tool]" has been found in "C:\Documents and Settings\Ho\My Documents\My Received Files\keygen.exe\keygen.exe" file.
8/27/2008 4:28:19 PM Administrator 380 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Ho\My Documents\Peter\Multimedia\pacman.exe" file.
8/27/2008 4:33:53 PM Administrator 380 Sign of "Win32:AutoRun-WE [Wrm]" has been found in "C:\ekugb3.bat" file.
8/27/2008 4:33:55 PM Administrator 380 Sign of "Win32:AuCrypt [Cryp]" has been found in "C:\f.exe" file.
8/27/2008 4:37:06 PM Administrator 380 Sign of "Win32:AuCrypt [Cryp]" has been found in "C:\ino6.com" file.
8/27/2008 4:40:36 PM Administrator 380 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll" file.
8/27/2008 4:53:24 PM Administrator 380 Sign of "Win32:AutoRun-ADV [Wrm]" has been found in "C:\q.com" file.
8/27/2008 4:53:29 PM Administrator 380 Sign of "Win32:OnLineGames-DIJ [Trj]" has been found in "C:\ranvrgn.exe" file.
8/27/2008 4:53:29 PM Administrator 380 Sign of "Win32:OnLineGames-EPM [Trj]" has been found in "C:\rthrw.com" file.
8/27/2008 4:54:42 PM Administrator 380 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000019.dll" file.
8/27/2008 4:54:51 PM Administrator 380 Sign of "Win32:Crypt-BIK [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000035.cmd" file.
8/27/2008 4:54:51 PM Administrator 380 Sign of "Win32:AutoRun-RH [Wrm]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000036.exe" file.
8/27/2008 4:54:51 PM Administrator 380 Sign of "Win32:OnLineGames-EBW [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000037.com" file.
8/27/2008 4:54:51 PM Administrator 380 Sign of "Win32:AutoRun-WE [Wrm]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000038.bat" file.
8/27/2008 4:54:51 PM Administrator 380 Sign of "Win32:AuCrypt [Cryp]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000039.exe" file.
8/27/2008 4:54:52 PM Administrator 380 Sign of "Win32:AuCrypt [Cryp]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000040.com" file.
8/27/2008 4:54:52 PM Administrator 380 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000041.dll" file.
8/27/2008 4:54:52 PM Administrator 380 Sign of "Win32:AutoRun-ADV [Wrm]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000042.com" file.
8/27/2008 4:54:52 PM Administrator 380 Sign of "Win32:OnLineGames-DIJ [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000043.exe" file.
8/27/2008 4:54:52 PM Administrator 380 Sign of "Win32:OnLineGames-EPM [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000044.com" file.
8/27/2008 4:54:52 PM Administrator 380 Sign of "Win32:AuCrypt [Cryp]" has been found in "C:\t.com" file.
8/27/2008 5:01:20 PM Administrator 380 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\gendel32.exe" file.

Spybot S&D log:


--- Report generated: 2008-08-27 13:53 ---

PSGuard: Web page (File, fixed)
C:\WINDOWS\warnhp.html

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Zlob.Downloader.rid: Program directory (Directory, fixed)
C:\Program Files\RichVideoCodec\

Zlob.Downloader.rid: Library (File, fixed)
C:\WINDOWS\SYSTEM32\RichVideoCodec.dll

DoubleClick: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)


Zedo: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)


Right Media: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

What should I do?

Thanks in advance.

Edited by mugeninfinity, 27 August 2008 - 09:06 PM.
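The three logs above come in three different formats, and it takes some reading to see what they say together: which hits are the same family reported by two scanners, which are copies inside System Restore or inside another tool's quarantine folder (not live files), and which registry keys gave the infection a foothold. The script below is an added example, not code from the post or from Malwarebytes or avast; it parses the Malwarebytes and avast line formats into one record list and groups the hits by family, by on-disk location and by persistence key. The sample lines are excerpted from the logs quoted in the post; the location bucket names and the list of persistence key patterns are this script's own choices.

```python
import re
from collections import Counter

# Sample input excerpted from the logs quoted in the post (a few lines each, not the full logs).
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{9ad3a9f5-b75e-4992-b3c9-6acd5cedc1e9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44b2a705-1fd2-409b-b75d-76d73e7ac2d4} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\lphcehkj0e14n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ho\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (Trojan.BHO) -> Quarantined and deleted successfully.
"""

AVAST_LOG = r"""
8/27/2008 3:42:58 PM Administrator 380 Sign of "Win32:AutoRun-RH [Wrm]" has been found in "C:\awda2.exe" file.
8/27/2008 3:57:51 PM Administrator 380 Sign of "Win32:OnLineGames-EBQ [Trj]" has been found in "C:\Documents and Settings\Ho\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.40711" file.
8/27/2008 4:15:25 PM Administrator 380 Sign of "Win32:Oliga [Trj]" has been found in "C:\Documents and Settings\Ho\Local Settings\Temp\4.dll" file.
8/27/2008 4:54:51 PM Administrator 380 Sign of "Win32:Crypt-BIK [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000035.cmd" file.
8/27/2008 5:01:20 PM Administrator 380 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\gendel32.exe" file.
"""

# "<item> (<family>) -> <action>" as the Malwarebytes 1.x log writes it.
MBAM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# "<date> <time> <user> <pid> Sign of "<sig>" has been found in "<path>" file." as the avast log writes it.
AVAST_RE = re.compile(
    r'^(?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')

# Registry locations that load a component at logon or browser start (this script's own list).
PERSISTENCE_KEY_PATTERNS = ("\\browser helper objects\\", "\\currentversion\\run", "\\currentversion\\runonce")


def parse_mbam(text):
    """Walk the '<Section> Infected:' blocks of a Malwarebytes log and return one dict per hit."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")].lower()  # "registry keys", "files", ...
            continue
        m = MBAM_RE.match(line)
        if section is None or m is None:  # summary lines, "(No malicious items detected)"
            continue
        kind = "file" if section == "files" else "registry" if section.startswith("registry") else section
        findings.append({"scanner": "mbam", "kind": kind, "item": m["item"],
                         "family": m["family"], "action": m["action"]})
    return findings


def parse_avast(text):
    """Return one dict per detection line of an avast log; lines that do not match are ignored."""
    findings = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if m:
            findings.append({"scanner": "avast", "kind": "file", "item": m["path"],
                             "family": m["sig"], "action": "detected",
                             "time": f"{m['date']} {m['time']}"})
    return findings


def classify_path(path):
    """Bucket a file path by what its location means for cleanup (bucket names are this script's own)."""
    p = path.lower()
    if "\\malwarebytes\\" in p and "\\quarantine\\" in p:
        return "quarantine"      # one scanner re-flagging another's quarantine store: not a live file
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # System Restore copy; old restore points need purging after cleanup
    if "\\local settings\\temp\\" in p:
        return "temp_drop"       # dropper output in a user's temp folder
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "drive_root"      # file at the root of a drive, the spot autorun worms use
    return "other"


def triage(findings):
    """Summarise a combined finding list: hits per family, per location bucket, and persistence keys."""
    summary = {"by_family": Counter(), "by_location": Counter(), "persistence": []}
    for f in findings:
        summary["by_family"][f["family"]] += 1
        if f["kind"] == "file":
            summary["by_location"][classify_path(f["item"])] += 1
        elif f["kind"] == "registry" and any(pat in f["item"].lower() for pat in PERSISTENCE_KEY_PATTERNS):
            summary["persistence"].append(f["item"])
    return summary


if __name__ == "__main__":
    s = triage(parse_mbam(MBAM_LOG) + parse_avast(AVAST_LOG))
    for bucket, n in s["by_location"].most_common():
        print(f"{bucket:14} {n}")
    for family, n in s["by_family"].most_common():
        print(f"{family:30} {n}")
    for key in s["persistence"]:
        print("persistence:", key)
```

Run against the full logs, the location buckets separate what still needs attention (temp drops, drive-root files, persistence keys) from what is only an echo: the avast hits in the Malwarebytes quarantine folder are files Malwarebytes had already removed, and the hits under System Volume Information are restore-point copies.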



#2 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,331 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 August 2008 - 10:30 PM

First run the Malwarebytes scan once more and see if it comes up all clear.

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:

Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall


If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
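The Web tab that boopme walks through above is the Active Desktop component list, and the Spybot log in the first post also records the Security Center service start type being changed (the `wscsvc\Start!=W=2` line). The script below is an added example, not from the post or from BleepingComputer, that checks both programmatically: it takes the (name, source) pairs from the Web tab and flags the entries the post says to delete, namely the listed rogue names and any entry whose source is a local file rather than a web page, while keeping "My Current Home Page"; and it reports when the wscsvc Start value is not the automatic-start value 2. The registry location it reads the components from (`HKCU\Software\Microsoft\Internet Explorer\Desktop\Components`, values `FriendlyName` and `Source`) is assumed and should be verified on the machine; the readers only work on Windows and fall back to a constructed sample elsewhere.

```python
import re

# Entry names the post lists as common malware-related Active Desktop items.
KNOWN_ROGUE_NAMES = {"Security Info", "Warning Message", "Security Desktop",
                     "Warning Homepage", "Privacy Protection", "Desktop Uninstall"}
HOME_PAGE_ENTRY = "My Current Home Page"   # the one entry the post says to keep
# Per-user key behind the Web tab (assumed location; verify on the machine being cleaned).
COMPONENTS_KEY = r"Software\Microsoft\Internet Explorer\Desktop\Components"
SERVICE_AUTO_START = 2   # the wscsvc Start value Spybot expects ("Start!=W=2" in the log)


def inspect_components(components):
    """components: iterable of (friendly_name, source) pairs as shown on the Web tab.
    Returns [(name, source, reason), ...] for entries that should be unchecked and deleted."""
    flagged = []
    for name, source in components:
        name, source = (name or "").strip(), (source or "").strip()
        if name.lower() == HOME_PAGE_ENTRY.lower():
            continue
        reasons = []
        if name in KNOWN_ROGUE_NAMES:
            reasons.append("name matches a known rogue desktop entry")
        # A desktop web component pointing at a file on the local disk (file: URL or drive path)
        # is a local HTML page being shown as the desktop, not a web page the user subscribed to.
        if re.match(r"(?i)^(file:|[a-z]:[\\/])", source):
            reasons.append("source is a local file, not a web page")
        if reasons:
            flagged.append((name, source, "; ".join(reasons)))
    return flagged


def security_center_disabled(start_value):
    """True when the Security Center service's Start type is not automatic (2); 3 = manual, 4 = disabled."""
    return start_value != SERVICE_AUTO_START


def read_components_from_registry():
    """Windows only: collect FriendlyName/Source from each Components subkey. Returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None

    def value(key, name):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return ""

    pairs = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, COMPONENTS_KEY) as root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    pairs.append((value(sub, "FriendlyName"), value(sub, "Source")))
    except OSError:
        pass
    return pairs


def read_wscsvc_start():
    """Windows only: read the Start value of the wscsvc service key under HKLM. Returns None elsewhere."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\wscsvc") as k:
            return winreg.QueryValueEx(k, "Start")[0]
    except (ImportError, OSError):
        return None


if __name__ == "__main__":
    comps = read_components_from_registry()
    if comps is None:  # not on Windows: use a constructed sample instead of the live registry
        comps = [(HOME_PAGE_ENTRY, "http://www.example.com/"),
                 ("Security Info", "file:///C:/WINDOWS/warnhp.html"),
                 ("Weather", "http://weather.example.com/widget")]
    for name, source, reason in inspect_components(comps):
        print(f"remove: {name!r} -> {source}  ({reason})")
    start = read_wscsvc_start()
    if start is not None and security_center_disabled(start):
        print(f"Security Center service start type is {start}, expected {SERVICE_AUTO_START}")
```

The script only reports; removing an entry is still done through the Web tab as described above, so the Lock desktop items box gets unchecked and the desktop refreshes at the same time.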

#3 mugeninfinity
  • Topic Starter

  • Members
  • 2 posts

Posted 27 August 2008 - 11:31 PM

Thanks mate, it worked.

(There's one problem though: a desktop icon remained altered, it looks 'blurry' or 'choppy'. Everything looked like this at one point, but now only one icon is like that.)

Edited by mugeninfinity, 27 August 2008 - 11:34 PM.


#4 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,331 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 August 2008 - 07:44 PM

Perhaps deleting it and making a new one will fix that.
