
Infected And Not Sure How To Remedy It


9 replies to this topic

#1 TarHeel1 (Members, 32 posts)

Posted 30 August 2008 - 09:24 AM

Hi guys, new to the forum, but needed some help removing a virus or two from my computer. Started running just a tad bit slower this week and I started getting pop-ups all over the place. I downloaded the latest Spybot and cleaned everything up that way, but I also ran a virus scanner and it came back with the following results:

C:\WINDOWS\system32\iehlpr32.dll is infected with Downloader
C:\Program Files\eSoftware\studio.dll is infected with Trojan.Zlob

I was able to go in and delete the second file, simply by searching for it and deleting it. The first one, however, would not let me touch it. Any ideas on how I can get my computer back to normal? Thanks, and just an FYI, I'm not the most computer-literate person out there. I'm more than serviceable, but nowhere near an expert, so I'll probably need step-by-step instructions if it becomes involved. Thanks a lot.


#2 DaChew (Visiting Alien, Members, 10,317 posts)

Posted 30 August 2008 - 09:42 AM

http://www.bleepingcomputer.com/forums/ind...st&p=928651

Please follow these directions to install MBAM and run a scan and clean and post the log.

Make sure Spybot's TeaTimer is permanently disabled first.
Chewy

No. Try not. Do... or do not. There is no try.

#3 TarHeel1 (Topic Starter, Members, 32 posts)

Posted 30 August 2008 - 10:01 AM

Malwarebytes' Anti-Malware 1.25
Database version: 1098
Windows 5.1.2600 Service Pack 2

10:59:32 AM 8/30/2008
mbam-log-08-30-2008 (10-59-32).txt

Scan type: Quick Scan
Objects scanned: 54286
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Common\_helper.dll (Adware.BHO) -> Delete on reboot.
C:\WINDOWS\system32\iehlpr32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00344AF.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d83a7b12-a4d4-4984-8f72-d41c6b4c1e6e} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{b0e43034-50f5-1f84-8098-824b44f2dbc3} (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f3bd5c6-7f84-455b-a562-d248033813b0} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00344af (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f6aa610.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Common Files\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common\_helper.dll (Adware.BHO) -> Delete on reboot.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehlpr32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00344AF.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
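
The log above is worth reading as a persistence inventory, not just a hit list. Three entries are marked "Delete on reboot": iehlpr32.dll and __c00344AF.dat are listed under Memory Modules, meaning they were loaded into a running process when MBAM scanned (which is also why deleting iehlpr32.dll by hand failed), and the Winlogon\Notify entry is a DLL that winlogon.exe loads at logon, so none of them can be removed until the next boot. The Browser Helper Objects key is the load point for the adware DLLs in Internet Explorer, and the HKCU Run value restarts a00f6aa610.exe at each logon; the TypeLib, Interface and CLSID keys are just the COM registration behind the BHO. The script below is an added example, not part of the thread or of Malwarebytes: it parses an MBAM log in the format shown, flags what is still present until reboot, labels the registry load points, and correlates a Winlogon\Notify package name with the dropped file it loads. The mechanism labels, the name-correlation heuristic and the embedded excerpt (copied from the log above) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the MBAM log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1098

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iehlpr32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00344AF.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00344af (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f6aa610.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehlpr32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00344AF.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<object> (<family>) -> <action>."
_DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Registry load points worth calling out, matched against the key/value path.
# The labels are this example's own. CLSID/TypeLib/Interface keys are COM
# registration, not load points, so they deliberately get no label.
_PERSISTENCE = [
    (r"\\Winlogon\\Notify\\", "winlogon_notify"),      # DLL loaded by winlogon.exe at logon
    (r"\\Explorer\\Browser Helper Objects\\", "bho"),  # DLL loaded into Internet Explorer
    (r"\\CurrentVersion\\Run(Once)?\\", "run_key"),    # program started at user logon
]


@dataclass
class Finding:
    section: str              # "Memory Modules", "Registry Keys", "Files", ...
    item: str                 # path, key or value name as printed by MBAM
    family: str               # detection name, e.g. Trojan.Vundo
    action: str               # what MBAM did with it
    pending_reboot: bool      # True when the object was in use and survives until reboot
    mechanism: Optional[str]  # persistence label for registry load points, else None


def parse_mbam_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(" Infected:"):            # section header, e.g. "Registry Keys Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = _DETECTION.match(line)
        if section is None or m is None:           # summary counts and banner lines
            continue
        mechanism = None
        if section.startswith("Registry"):
            for pattern, label in _PERSISTENCE:
                if re.search(pattern, m["item"], re.IGNORECASE):
                    mechanism = label
                    break
        findings.append(Finding(section, m["item"], m["family"], m["action"],
                                "reboot" in m["action"].lower(), mechanism))
    return findings


def pending_reboot(findings: List[Finding]) -> List[Finding]:
    """Objects MBAM could not remove while they were loaded: rerun the scan after rebooting."""
    return [f for f in findings if f.pending_reboot]


def persistence_summary(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group registry hits by the load mechanism they represent."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.mechanism:
            out.setdefault(f.mechanism, []).append(f.item)
    return out


def _stem(path: str) -> str:
    """Lower-cased file name without extension from a Windows path."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def link_registry_to_files(findings: List[Finding]) -> Dict[str, List[str]]:
    """Heuristic: a Winlogon\\Notify package or Run value is usually named after the file it
    loads, so match file stems (3+ chars, to skip junk like "~.exe") against load-point paths."""
    files = [f for f in findings if f.section == "Files"]
    links: Dict[str, List[str]] = {}
    for reg in findings:
        if not reg.mechanism:
            continue
        hits = {f.item for f in files if len(_stem(f.item)) >= 3 and _stem(f.item) in reg.item.lower()}
        if hits:
            links[reg.item] = sorted(hits)
    return links


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in pending_reboot(found):
        print(f"still present until reboot: {f.item} [{f.section}, {f.family}]")
    for key, names in link_registry_to_files(found).items():
        print(f"{key} -> loads {', '.join(names)}")
```

Run it against a full mbam-log-*.txt and a non-empty pending_reboot() result is the reason to reboot and rescan before calling the machine clean; an empty second log (as in post #5 below) is what you want to see.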

#4 DaChew (Visiting Alien, Members, 10,317 posts)

Posted 30 August 2008 - 10:18 AM

That looks promising.

Let's do two more things. After the reboot into Normal Mode to finish removal, rerun MBAM and post that log,

and then let's double-check and see if there's anything else still hiding:

http://www.bleepingcomputer.com/forums/ind...st&p=928173

Follow these directions for ATF Cleaner and SAS from Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#5 TarHeel1 (Topic Starter, Members, 32 posts)

Posted 30 August 2008 - 11:11 AM

Malwarebytes' Anti-Malware 1.25
Database version: 1098
Windows 5.1.2600 Service Pack 2

12:10:43 PM 8/30/2008
mbam-log-08-30-2008 (12-10-43).txt

Scan type: Quick Scan
Objects scanned: 54192
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



If I've already run Spybot 1.6 (minus the Tea Timer) do I still need to run the additional programs?

#6 boopme (To Insanity and Beyond, Global Moderator, 73,573 posts)

Posted 30 August 2008 - 11:30 AM

Yes, it would be good to run ATF and SAS now. Post the SAS log too, please.

For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.

#7 TarHeel1 (Topic Starter, Members, 32 posts)

Posted 30 August 2008 - 02:50 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2008 at 03:36 PM

Application Version : 4.20.1046

Core Rules Database Version : 3552
Trace Rules Database Version: 1540

Scan type : Complete Scan
Total Scan Time : 01:50:34

Memory items scanned : 163
Memory threats detected : 0
Registry items scanned : 5921
Registry threats detected : 0
File items scanned : 60398
File threats detected : 10

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE



Here's the SAS Log. Anything else I need to do or am I clean?

#8 DaChew (Visiting Alien, Members, 10,317 posts)

Posted 30 August 2008 - 04:20 PM

TarHeel1 wrote: "Anything else I need to do or am I clean?"

Just keep a close eye on your computer. You should be clean, but with any newer infection there is never an absolute certainty of an all-clear, or a time to relax your guard.

You can turn TeaTimer back on if you understand how it works; I leave it off myself but use the Immunize function on a regular basis.
Chewy

No. Try not. Do... or do not. There is no try.

#9 TarHeel1 (Topic Starter, Members, 32 posts)

Posted 30 August 2008 - 04:31 PM

I didn't install the TeaTimer application when I downloaded the latest Spybot. I try to use Spybot every week or so.

#10 DaChew (Visiting Alien, Members, 10,317 posts)

Posted 30 August 2008 - 05:13 PM

TarHeel1 wrote: "I try to use Spybot every week or so."

I go back with Spybot to before BC started; it's probably my favorite essential program for prevention, since I don't use much resident protection. Infections and malware prevention have evolved so much since the old days that no one program can even attempt to deal with them.

It's very encouraging to see Spybot S & D rise to the occasion and evolve with the times.

As you might guess, TeaTimer has tripped me up a time or two.
Chewy

No. Try not. Do... or do not. There is no try.



