VirusLab2009

3 replies to this topic

#1 Kboy

Kboy

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 18 October 2008 - 01:12 PM

Hello,

First let me say that I am pretty new to using tech help forums, so if I do something wrong here or can post something more helpful please let me know.

One of my computers was recently infected with VirusLab2009 and a few other malware programs. I also receive "system alert" messages from my system tray that are being created by malware, because when I click on this icon in the system tray it tries to open a barrage of browser windows and force more installs onto my computer. I have taken the following actions thus far to try and remove the problem.

Updated my virus scan definition files and ran multiple virus scans.

Updated my definition files for Spybot S&D and for Ad-aware SE (free version) and ran both of those scans.

I have removed all of the suspicious start up processes from msconfig.

I have deleted any suspicious looking programs under control panel, add/remove programs. (there were a few)

I haven't worked on trying to fix the problem for a few days, so I don't remember what else I did. I have a Windows XP SP3 operating system. Media Center Edition, Version 2002 if that matters.

I will re-run scans again today and make screen print copies so I may post that also. Thank you in advance for your assistance.

#2 iisjman07

iisjman07

  • Members
  • 94 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 18 October 2008 - 01:21 PM

Hiya, welcome to Bleeping Computer.... :thumbsup:
First, please run a scan with MalwareBytes AntiMalware, you can download it here:
http://www.malwarebytes.org/mbam.php
Download and install the file, and run MalwareBytes Antimalware (MBAM). Click on the 'Update' tab and press the 'Check For updates' button. If the update fails, you can manually download the latest update from the website where you downloaded the program. When updates are finished, click back onto the 'Scanner' tab and run a full scan. When finished, please post your MBAM log here. Also, if it asks you to restart, do so IMMEDIATELY to prevent re-infection.

#3 Kboy

Kboy
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 18 October 2008 - 03:35 PM

Ok, I have done all of that. Here is the log.

Malwarebytes' Anti-Malware 1.29
Database version: 1286
Windows 5.1.2600 Service Pack 3

10/18/2008 3:12:21 PM
mbam-log-2008-10-18 (15-12-15).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 136469
Time elapsed: 1 hour(s), 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 14
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\virrlwarning.warningbho (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\virrlwarning.warningbho.1 (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{be1a344f-9ff5-4024-949b-52205e6db2d0} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a81ebfd7-0fa3-41ec-b60d-6dae78b4d31a} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be1a344f-9ff5-4024-949b-52205e6db2d0} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a81ebfd7-0fa3-41ec-b60d-6dae78b4d31a} (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\antivirus2008y (Rogue.Antivirus2008) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> No action taken.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{da75fab1-136e-4ead-834d-0e04fbd6edc1} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\311496 (Trojan.BHO) -> No action taken.
C:\Documents and Settings\Kyle\Application Data\Antivirus2008y (Rogue.Antivirus2008) -> No action taken.

Files Infected:
C:\END (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob) -> No action taken.





So far everything seems fine. Is there anything I should do to make sure it cleared everything permanently or do I just wait? And thank you for your fast reply to my first post! Much appreciated!!

#4 iisjman07

iisjman07

  • Members
  • 94 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 19 October 2008 - 06:30 AM

If your popups and spyware have stopped then disregard this...
OK, first just a quick question: Are you sure you removed the objects? This doesn't mean they aren't gone, but in your log file next to everything it says 'No action taken.' There can be 2 possible reasons; 1) You copied the log after scanning but before removal (most likely) or 2) You didn't remove anything.

Regard this bit:
I now want you to run SUPERantispyware. You can download the free edition here:
http://www.superantispyware.com/
Install the program, jump through the quick setup questions and press the 'Update Definitions' button. Wait for it to update, then run a quick or full scan. A quick scan should suffice, but if you really want you can run a full scan (note the scanner isn't that fast).
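The check raised in the reply above (every entry in the posted MBAM log ends in "No action taken.", so the log may have been copied before removal) is easy to automate. The following is an added example, not code from this thread or from Malwarebytes: a small parser for the MBAM 1.x log format that splits the report into its sections, extracts each entry's path, detection family and final action, flags entries still pending removal, and cross-checks the declared per-section counts against the entries actually present (a mismatch suggests a truncated paste). The sample log is a constructed, abbreviated excerpt based on the log posted above, with one registry key altered to show the wording MBAM uses for an item it has removed.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "section item family action")

# Section headers end in "Infected:" with nothing after the colon; the summary
# block near the top uses the same words followed by a count.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# Entry lines: "<path or key> (<family>) -> <rest>"; for Hijack.Search entries
# <rest> is "Bad: (...) Good: (...) -> <action>", so the family is the first
# parenthesised token and the action is the last "->" segment.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Constructed sample: abbreviated from the log posted in this thread, with the
# multimediaControls.chl entry changed to a removed state for contrast.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.29
Database version: 1286
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 136469

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> No action taken.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.

Files Infected:
C:\END (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob) -> No action taken.
"""


def parse_mbam_log(text):
    """Return one Finding per detection line, tagged with its section."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:  # still in the header / summary block
            continue
        m = ITEM_RE.match(line)
        if not m:  # e.g. "(No malicious items detected)"
            continue
        action = m.group("rest").split(" -> ")[-1].strip()
        findings.append(Finding(section, m.group("item"), m.group("family"), action))
    return findings


def declared_counts(text):
    """Per-section counts from the summary block at the top of the log."""
    return {m.group("section"): int(m.group("count"))
            for m in (COUNT_RE.match(l.strip()) for l in text.splitlines()) if m}


def count_mismatches(text):
    """Sections whose declared count differs from the entries actually listed."""
    parsed = Counter(f.section for f in parse_mbam_log(text))
    return {s: (n, parsed.get(s, 0))
            for s, n in declared_counts(text).items() if parsed.get(s, 0) != n}


def pending_removal(findings):
    """Entries MBAM reported but did not remove."""
    return [f for f in findings if f.action.startswith("No action taken")]


def removal_confirmed(findings):
    """True only if the log shows at least one detection and none left untouched."""
    return bool(findings) and not pending_removal(findings)


def families(findings):
    """How many entries each detection family accounts for."""
    return Counter(f.family for f in findings)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} entries; families: {dict(families(found))}")
    print(f"count mismatches: {count_mismatches(SAMPLE_LOG) or 'none'}")
    for f in pending_removal(found):
        print(f"  STILL PRESENT [{f.section}] {f.item} ({f.family})")
    print("removal confirmed" if removal_confirmed(found) else "re-run MBAM and remove selected items")
```

Run against the full log above, `removal_confirmed` would be false and every entry would be listed as still present, which is exactly the ambiguity the reply points out: the user must either post the post-removal log or re-run the scan and remove the items.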



