Lots Of Trojans, Need Some Help.


21 replies to this topic

#1 SSG DP (Members, 11 posts)

Posted 12 September 2008 - 07:27 PM

Yesterday my computer had rebooted, unk why, my wife may have added something to the computer without her knowledge (which is not much computer wise). I was first greeted with a warning that my automatic updates were not working, then my Internet Explorer was giving me problems with informing me my security was not up to par (not exact wording) and when clicked it would send me to a virus scan website. The funny thing is it was never the same one. I am somewhat naive to this Trojan but I believe this is VUNDO. I tried to load a new copy of Internet Explorer and see if the Windows Malicious Tool would repair during install but this did not work. Luckily I have a laptop available and downloaded some stronger virus killers. See I was not able to get to an internet page and my virus programs (Avast, AVG, etc...) had old definition files. Once I was able to add Windows Defender, Malwarebytes Anti-Malware, HijackThis, a new Ad-Aware, updated Avast, updated Spybot and SpywareBlaster, it seemed to clear up. I was able to get on the internet. One thing is that there is a second IE open in the task manager when I have an explorer page open. If I end the process it kills both of them. I think I have run 30-40 scans, deep and quick, and restarted and or turned off the computer the same amount. The last Malwarebytes' scan showed Trojan Vundo, Trojan Agent, Trojan Fake Alert, Malware Trace, Rogue Installer. I just need to make the computer safe again for my family to use. I just ran another Spybot and it gave me a Virtumonde Trojan. Please help me. Thanks in advance.


#2 boopme (To Insanity and Beyond; Global Moderator, 73,331 posts; NJ USA)

Posted 12 September 2008 - 08:41 PM

Hello, please post the last scan log from Malwarebytes. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Is this an XP PC?
Do you have the TeaTimer function of Spybot installed?
(Avast, AVG, etc...) how many of these are running?

And welcome to BC !!

Edited by boopme, 12 September 2008 - 08:42 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 SSG DP (Topic Starter; Members, 11 posts)

Posted 13 September 2008 - 08:14 AM

I have a PC running XP software.

I do have the teatimer function enabled for Spybot.

I have Avast, AVG and Comodo running. Avast is what I commonly use for anti-virus protection along with the firewall.

Here is the Malwarebytes' scan I did this AM. Nothing showed up but I still have an extra Internet Explorer running in the background that I cannot pull up. One other thing: in the properties screen for IE I cannot change my privacy settings to what it normally is. It is set to allow all cookies; every time I change it and delete the cookies and temp files, then select Apply and OK, I re-open and the setting was not changed and the cookies come right back.

Malwarebytes' Anti-Malware 1.28
Database version: 1142
Windows 5.1.2600 Service Pack 3

9/13/2008 8:09:58 AM
mbam-log-2008-09-13 (08-09-58).txt

Scan type: Quick Scan
Objects scanned: 49548
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme (Global Moderator)

Posted 14 September 2008 - 12:04 PM

Hello again, let's run one more scan please.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 SSG DP (Topic Starter; Members, 11 posts)

Posted 14 September 2008 - 05:35 PM

The extra internet explorer is still there.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/14/2008 at 04:28 PM

Application Version : 4.21.1004

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type : Complete Scan
Total Scan Time : 01:12:46

Memory items scanned : 194
Memory threats detected : 0
Registry items scanned : 5972
Registry threats detected : 0
File items scanned : 24064
File threats detected : 17

Malware.Installer-Pkg/Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{1BC8683F-A059-4250-8B76-F007E21760E9}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{242FA5E5-A025-4240-A022-EBC2FD82C32D}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{35B081E6-2482-4495-90F8-C00D6C42D2A0}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{61D61C52-6E7B-47BA-8DB4-FE5555B67B63}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{7458ACDB-41AA-4178-8E1D-75B4F32B8B93}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{7F9E4E41-A8A0-4D67-A8B8-B00212242DA3}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{8873E019-97A6-4867-8E13-F133142B855E}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{9F39BA0E-2F06-4D9E-8290-EB4238696479}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{B1F233C8-DB6B-4F8E-831E-2806BD72131E}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{DDE99052-8442-4DA0-9CA1-8CF62432849D}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E6B53FFF-9A27-4D17-AFE1-AC7EEAE848A5}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E9DBE727-71EA-4C9F-863C-319652E5EFCC}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{FB90982B-A5EA-4DEA-A780-FD8C4EB89717}.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Kristi\Cookies\kristi@revsci[2].txt


These are the results of the latest Avast scan. I received an update this AM and re-ran the scan; this time I selected the archived files to be scanned as well.

Win32:Bravix-B [Drp]
Win32:Bravix [Drp]
Win32:Bravix [Drp]
Win32:Bravix [Drp]
Win32:Bravix-B [Drp]
Win32:Agent-ABNZ[Trj]

#6 boopme (Global Moderator)

Posted 14 September 2008 - 08:24 PM

Is that Task Manager process iexplore exactly as that is, spelling, all lower case?
You also should only have one AV active. Two running will cause problems from slowness to false positives.
MBAM is now up to #1153, please update, scan and post the new log.

#7 SSG DP (Topic Starter; Members, 11 posts)

Posted 15 September 2008 - 09:23 AM

iexplorer.exe is the duplicate program running per task manager. I have tried re-installing Internet Explorer but that did not seem to help. When I use FireFox there is no dup application open. Here is the latest scan with update.



Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 3

9/15/2008 9:20:54 AM
mbam-log-2008-09-15 (09-20-54).txt

Scan type: Quick Scan
Objects scanned: 50889
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 dhants20 (Members, 32 posts)

Posted 15 September 2008 - 09:40 AM

Most of the time infections can be found in windows\system32 or windows\ or %temp%. Type this command: dir /o:d /a:-d > c:\filename.txt

Make sure to change the filename every time you save it. Then open these files in drive C and post only the recent files that were downloaded this month. Here's a step by step guide.

it would also be helpful if you could post all the programs that are running in your computer

1) Start>Run>type cmd press ok
2) type cd\windows\system32
3) type dir /o:d /a:-d > c:\system32.txt
4) type cd..
5) type dir /o:d /a:-d > c:\windows.txt
6) type cd\
7) type cd %temp%
8) type dir /o:d > c:\temp.txt
9) type tasklist /svc > c:\task.txt - not sure though if this will work if you have windows xp home
10) type exit
11) open my computer
12) open drive c
13) edit the following files system32.txt, windows.txt and temp.txt, leave only the recent files
14) you could post the files here

#9 SSG DP (Topic Starter; Members, 11 posts)

Posted 15 September 2008 - 10:00 AM

What do you mean by leave only the current files?

#10 dhants20 (Members, 32 posts)

Posted 15 September 2008 - 10:07 AM

The dir command will display the files that you have in the directory specified, which will include when the file was created... What I meant by leaving the current files/recent files is that you delete everything in the txt file except for the files that were created this month. Here's a sample of what the dir command will display:

Volume in drive C has no label.
Volume Serial Number is 9848-263C

Directory of C:\WINNT
09/10/2008 03:02 PM 46,785 msgsocm.log
09/10/2008 03:02 PM 163,069 netfxocm.log
09/10/2008 03:02 PM 64,744 MedCtrOC.log
09/10/2008 03:02 PM 454,332 ocgen.log
09/10/2008 03:02 PM 7,822 KB938464.log
09/10/2008 03:02 PM 51,272 ocmsn.log
09/10/2008 03:02 PM 46,969 tabletoc.log
09/10/2008 03:02 PM 431,884 tsoc.log
09/10/2008 03:02 PM 1,374 imsins.log
09/10/2008 03:02 PM 316,451 comsetup.log
09/10/2008 03:02 PM 191,532 ntdtcsetup.log
09/10/2008 03:02 PM 1,062,111 iis6.log
09/13/2008 09:15 PM 32,600 SchedLgU.Txt
09/13/2008 09:16 PM 2,048 bootstat.dat
09/13/2008 09:16 PM 0 0.log
09/13/2008 09:17 PM 5,242,934 BGInfo.bmp
09/13/2008 09:18 PM 455 smscfg.ini
09/14/2008 11:55 AM 736,100 setupapi.log
09/14/2008 11:55 AM 1,797,145 WindowsUpdate.log
09/15/2008 11:02 PM 116 pu32i.ini
263 File(s) 40,726,378 bytes
0 Dir(s) 21,744,812,032 bytes free

there's actually a lot of files in this list but i deleted most of them just so that i won't use up a lot of space here...

Edited by dhants20, 15 September 2008 - 10:08 AM.
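The hand-filtering dhants20 asks for in posts #8 and #10 (open the saved dir listings and keep only this month's entries) can be automated. This is an added example, not code from the thread; the listing it parses is a constructed sample in the same layout that dir /o:d produced above.

```python
"""Filter a saved `dir /o:d` listing down to entries changed in a given month.

Added example for this thread: it automates the manual step of opening
system32.txt / windows.txt / temp.txt and keeping only this month's files.
"""
import re
from datetime import datetime

# Constructed sample in the same layout `dir /o:d` produced in the thread.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 8888-3A81

 Directory of C:\\WINDOWS\\system32

08/26/2008  01:28 PM        16,208,504 MRT.exe
09/11/2008  06:30 PM         1,176,693 byvtodoh.ini
09/12/2008  07:27 AM           803,228 llSAbJlm.ini
09/12/2008  10:52 AM   <DIR>          CatRoot
09/14/2008  06:41 PM             2,626 CONFIG.NT
            2199 File(s)    513,781,649 bytes
               0 Dir(s)  51,073,155,072 bytes free
"""

# One entry line: date, time, then either <DIR> or a comma-grouped size, then the name.
# Header ("Volume ...", "Directory of ...") and summary ("File(s)", "Dir(s)") lines
# do not start with a date, so they fail to match and are skipped.
ENTRY_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s[AP]M)\s+"
    r"(?:(<DIR>)|([\d,]+))\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return one dict per file/directory line of a dir listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        date_s, time_s, is_dir, size_s, name = m.groups()
        entries.append({
            "when": datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %I:%M %p"),
            "is_dir": is_dir is not None,
            "size": 0 if is_dir else int(size_s.replace(",", "")),
            "name": name,
        })
    return entries


def recent_files(text, year, month, include_dirs=False):
    """Names of entries changed in (year, month), newest first; directories optional."""
    keep = [e for e in parse_dir_listing(text)
            if e["when"].year == year and e["when"].month == month
            and (include_dirs or not e["is_dir"])]
    keep.sort(key=lambda e: e["when"], reverse=True)
    return [e["name"] for e in keep]


if __name__ == "__main__":
    # Same operation as the manual step: keep only September 2008 entries.
    for name in recent_files(SAMPLE_LISTING, 2008, 9):
        print(name)
```

Run it against a real c:\system32.txt by reading that file into the text argument instead of the sample; odd-looking names such as the random .ini files discussed below will then stand out among the month's entries.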


#11 SSG DP (Topic Starter; Members, 11 posts)

Posted 15 September 2008 - 10:13 AM

Volume in drive C has no label.
Volume Serial Number is 8888-3A81

Directory of C:\DOCUME~1\Kristi\LOCALS~1\Temp


09/05/2008 11:10 PM <DIR> hsperfdata_Kristi
09/07/2008 12:01 AM <DIR> {8A9B8148-DDD7-448F-BD6C-358386D32354}_58911
09/11/2008 12:27 PM <DIR> __SkypeIEToolbar_Cache
09/12/2008 01:28 PM <DIR> MPSampleSubmit
09/12/2008 07:14 PM <DIR> CfgEdit
09/12/2008 07:14 PM <DIR> is-TATDD.tmp
09/12/2008 07:14 PM <DIR> nsm7B.tmp
09/12/2008 07:14 PM <DIR> outlook logging
09/12/2008 07:14 PM <DIR> Word8.0
09/12/2008 07:14 PM <DIR> WER5579.dir00
09/12/2008 07:14 PM <DIR> {30465B6C-B53F-49A1-9EBA-A3F187AD502E}_182
09/12/2008 07:14 PM <DIR> _ir_sf7_temp_0
09/12/2008 07:14 PM <DIR> {CC729E93-0ACE-4619-87FB-0F18B0202983}
09/14/2008 05:25 PM <DIR> WPDNSE
09/14/2008 05:37 PM <DIR> msohtml1
09/14/2008 06:52 PM <DIR> _avast4_
09/15/2008 06:44 AM 0 si73.tmp
09/15/2008 09:38 AM 270 AUInst.log
09/15/2008 09:42 AM 0 dzy7C.tmp
09/15/2008 09:42 AM 1,448 wmplog00.sqm
09/15/2008 09:42 AM 0 s697D.tmp
09/15/2008 09:43 AM 0 lmw7E.tmp
09/15/2008 09:44 AM 0 vbg7F.tmp
09/15/2008 09:45 AM 0 n5580.tmp
09/15/2008 09:46 AM 0 5jb81.tmp
09/15/2008 09:47 AM 0 ss782.tmp
09/15/2008 09:47 AM 0 o4083.tmp
09/15/2008 09:50 AM <DIR> .
09/15/2008 09:50 AM <DIR> ..
170 File(s) 678,044 bytes
40 Dir(s) 51,073,146,880 bytes free

--------------

Volume in drive C has no label.
Volume Serial Number is 8888-3A81

Directory of C:\WINDOWS\system32



08/13/2008 03:05 AM 610,130 TZLog.log
08/22/2008 02:42 AM 443,392 ieapfltr.dll
08/22/2008 02:49 AM 56,413 ieuinit.inf
08/22/2008 02:57 AM 156,160 msls31.dll
08/22/2008 02:58 AM 181,760 ieui.dll
08/22/2008 03:04 AM 66,560 tdc.ocx
08/22/2008 03:04 AM 45,568 mshta.exe
08/22/2008 03:04 AM 1,659,392 mshtml.tlb
08/22/2008 03:05 AM 48,128 mshtmler.dll
08/22/2008 03:05 AM 48,640 PrivacIE.dll
08/22/2008 03:05 AM 70,656 mshtmled.dll
08/22/2008 03:05 AM 217,088 dxtrans.dll
08/22/2008 03:05 AM 45,056 pngfilt.dll
08/22/2008 03:05 AM 35,840 imgutil.dll
08/22/2008 03:05 AM 346,624 dxtmsft.dll
08/22/2008 03:05 AM 61,952 icardie.dll
08/22/2008 03:05 AM 53,760 msfeedsbs.dll
08/22/2008 03:05 AM 13,312 msfeedssync.exe
08/22/2008 03:05 AM 186,880 iepeers.dll
08/22/2008 03:05 AM 630,272 mstime.dll
08/22/2008 03:05 AM 580,608 msfeeds.dll
08/22/2008 03:06 AM 1,778,688 iertutil.dll
08/22/2008 03:06 AM 128,512 advpack.dll
08/22/2008 03:06 AM 94,720 inseng.dll
08/22/2008 03:06 AM 55,808 iernonce.dll
08/22/2008 03:06 AM 36,864 ieudinit.exe
08/22/2008 03:06 AM 163,840 ieakui.dll
08/22/2008 03:06 AM 71,680 iesetup.dll
08/22/2008 03:06 AM 162,304 ie4uinit.exe
08/22/2008 03:06 AM 72,704 admparse.dll
08/22/2008 03:06 AM 552,960 jscript.dll
08/22/2008 03:06 AM 434,176 vbscript.dll
08/22/2008 03:06 AM 124,928 ieakeng.dll
08/22/2008 03:06 AM 228,864 ieaksie.dll
08/22/2008 03:06 AM 385,024 iedkcs32.dll
08/22/2008 03:06 AM 28,672 jsproxy.dll
08/22/2008 03:07 AM 18,944 corpol.dll
08/22/2008 03:07 AM 193,536 msrating.dll
08/22/2008 03:07 AM 116,224 occache.dll
08/22/2008 03:07 AM 105,984 url.dll
08/22/2008 03:08 AM 43,008 licmgr10.dll
08/22/2008 03:08 AM 878,592 wininet.dll
08/22/2008 03:08 AM 236,544 webcheck.dll
08/22/2008 03:08 AM 1,206,784 urlmon.dll
08/22/2008 03:08 AM 208,384 winfxdocobj.exe
08/22/2008 03:08 AM 1,415,680 inetcpl.cpl
08/22/2008 03:09 AM 5,699,584 mshtml.dll
08/22/2008 03:10 AM 11,985,408 ieframe.dll
08/22/2008 03:14 AM 10,240 advpack.dll.mui
08/22/2008 03:15 AM 1,216,512 ieframe.dll.mui
08/26/2008 01:28 PM 16,208,504 MRT.exe
09/11/2008 06:30 PM 1,176,693 byvtodoh.ini
09/11/2008 08:22 PM 48 83abfe50-.txt
09/12/2008 07:27 AM 803,228 llSAbJlm.ini2
09/12/2008 07:27 AM 803,228 llSAbJlm.ini
09/12/2008 10:52 AM 444,424 PerfStringBackup.INI
09/12/2008 10:52 AM 54,280 perfc009.dat
09/12/2008 10:52 AM 384,596 perfh009.dat
09/12/2008 11:36 AM 1,177,805 uwklgbus.ini
09/14/2008 05:30 PM 2,206 wpa.dbl
09/14/2008 06:41 PM 2,626 CONFIG.NT
2199 File(s) 513,781,649 bytes
0 Dir(s) 51,073,155,072 bytes free

-----------------

Volume in drive C has no label.
Volume Serial Number is 8888-3A81

Directory of C:\

08/04/2004 05:00 AM 47,564 NTDETECT.COM
08/10/2004 01:04 PM 0 AUTOEXEC.BAT
08/10/2004 01:04 PM 0 MSDOS.SYS
08/10/2004 01:04 PM 0 CONFIG.SYS
08/10/2004 01:04 PM 0 IO.SYS
04/25/2006 03:07 PM 6,626 dell.sdr
04/25/2006 03:28 PM 830 IPH.PH
04/25/2006 03:28 PM 87 SystemInfo.ini
05/03/2006 05:36 PM 211 boot.ini
05/03/2006 06:05 PM 15,063,040 Printer Driver.exe
05/03/2006 06:48 PM 4,128 INFCACHE.1
10/09/2006 09:18 PM 12,245,199 AVG7QT.DAT
02/01/2008 04:16 PM 0 Log.txt
08/01/2008 10:13 PM 250,048 ntldr
09/11/2008 02:58 PM 2,100 lxal.log
09/12/2008 07:00 PM 136 VundoFix.txt
09/14/2008 04:44 PM 2,145,386,496 pagefile.sys
09/14/2008 04:44 PM 2,145,538,048 hiberfil.sys
09/15/2008 09:55 AM 114,370 system32.txt
09/15/2008 09:56 AM 0 windows.txt
20 File(s) 4,318,658,883 bytes
0 Dir(s) 51,073,167,360 bytes free

---------

Per Task Manager these are the active processes.

ashWebSv.exe
svchost.exe
ashServ.exe
wmiprvse.exe
MsMpEng.exe
DSAgnt.exe
MSASCui.exe
explorer.exe
ashDisp.exe
cfp.exe
ashMaiSv.exe
LogiTray.exe
winlogon.exe
aawservice.exe
spoolsv.exe
csrss.exe
cmdagent.exe
SearchProtection.exe
services.exe
ctfmon.exe
sprtcmd.exe
LVCOMSX.exe
lsass.exe
avgemc.exe
DLACTRLW.exe
hpgs2wnf.exe
aswUpsSv.exe
McTskshd.exe
avgupsvc.exe
FxSvr2.exe
LEXBCES.exe
ati2evxx.exe
stsystra.exe
hpgs2wnd.exe
DMXlauncher.exe
MDM.exe
LEXPPS.exe
SUPERantispyware.exe
sprtsvc.exe
Mcdetect.exe
issch.exe
avgcc.exe
jusched.exe
avgamsvr.exe
alg.exe
smss.exe
System
System Idle Process

#12 dhants20 (Members, 32 posts)

Posted 15 September 2008 - 10:22 AM

byvtodoh.ini
llSAbJlm.ini2
llSAbJlm.ini
uwklgbus.ini

These files really don't make any sense, but they are just ini files. Check for attributes or hidden files in system32 first and post the files that you have in system32 again.

1) start>run>cmd
2) cd\windows\system32
3) attrib > c:\attributes.txt
4) attrib *.* -r -a -s -h
5) dir /o:d /a:-d > c:\system32.txt
6) then post both attributes.txt and system32.txt

as for the files in your temp files delete all of them

1) start>run>cmd
2) cd\
3) cd %temp%
4) cd..
5) echo y | rd temp /s
6) it might display that it has not completely removed the folder but that is ok
7) when you reboot your computer it will automatically create another temp folder anyway

Edited by dhants20, 15 September 2008 - 10:24 AM.


#13 sifusylvain (Members, 9 posts; Mississippi)

Posted 15 September 2008 - 10:26 AM

This looks very much like my posted topic "Monster Virus"

It seems many of the recent posts are about this bad boy!

can we combine these???

I for one cannot stay on the internet for long before all sorts of cookies and adware windows start popping up and eventually KILL IE... so I don't know that I can download much on the infected box itself.

That is why I am using my laptop (second computer) to access this site...

Sylvain
Sifu Sylvain Chamberland-Nyudo
NAMUMYOHORENGEKYO
Founder Threefold Lotus Kwoon
http://threefoldlotus.com
Fine Artist
http://artsylvain.com

#14 SSG DP (Topic Starter; Members, 11 posts)

Posted 15 September 2008 - 10:29 AM

For the temp instructions it gave me this:


Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kristi>cd\

C:\>cd %temp%

C:\DOCUME~1\Kristi\LOCALS~1\Temp>cd..

C:\DOCUME~1\Kristi\LOCALS~1>echo y | rd temp /s
temp, Are you sure (Y/N)? y
temp\etilqs_NK70danhKxzw5A3wOsaT - The process cannot access the file because it
is being used by another process.

#15 dhants20 (Members, 32 posts)

Posted 15 September 2008 - 10:39 AM

download avenger from http://swandog46.geekstogo.com/avenger2/avenger.zip ...

then on the box type this:

folders to delete:
%temp%

files to delete:
c:\windows\system32\byvtodoh.ini
c:\windows\system32\llSAbJlm.ini2
c:\windows\system32\llSAbJlm.ini
c:\windows\system32\uwklgbus.ini

I am going to work in 15 minutes so I might not be able to help you anymore... You could use Process Explorer and Autoruns to do a deeper scan on all startup programs; Process Explorer is actually an advanced Task Manager program.

By the way, Autoruns and Process Explorer are not automated programs. Do some research first before you disable anything.

Oh... and don't forget to optimize your ie, delete all cookies and files, make sure that the reset buttons in security and privacy are grayed out and disable suspicious addons.

- start>run> inetcpl.cpl

Edited by dhants20, 15 September 2008 - 10:43 AM.




