
Gallimp.com



#1 BobFoxx

Posted 27 November 2008 - 11:41 PM

Rigel:

Great Advice - Thank You!!!

I too was infected by Gallimp.com and went through the aforementioned process.

My system is nearly back to normal, however, I am still having a problem.
Upon startup, there seems to be a process that I believe is registering malware DLLs. I'm not sure, since little seems to be published about these.
The following are the keys, value names and values. I disabled the implementation of these dlls by renaming them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [CPM83c45b39][REG_SZ][Rundll32.exe "c:\windows\system32\sikonese.dll",a]

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run [bofulajazo][REG_SZ][Rundll32.exe "C:\WINDOWS\sytem32\hajifagu.dll",s]

Any further suggestions?

Thanks again,

- Bob



By the way when I ran SuperAntiSpyware I received the following:

---------------------------------------------

Core Rules Database Version : 3640
Trace Rules Database Version: 1635

Scan type : Complete Scan
Total Scan Time : 01:42:42

Memory items scanned : 210
Memory threats detected : 0
Registry items scanned : 12421
Registry threats detected : 8
File items scanned : 140990
File threats detected : 3

Adware.Vundo Variant
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B82F29E4-8368-4B14-9C00-5138C0D94034}
HKU\S-1-5-21-2274774592-2905261997-972462058-97088\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B82F29E4-8368-4B14-9C00-5138C0D94034}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B82F29E4-8368-4B14-9C00-5138C0D94034}

Trojan.DNSChanger-Codec
HKU\S-1-5-21-2274774592-2905261997-972462058-97088\Software\uninstall

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-2274774592-2905261997-972462058-97088\SOFTWARE\Microsoft\fias4013

Trojan.Downloader-Gen/A
C:\PROGRAM FILES\ANIMATICS\SMI\A.EXE

Adware.HotBar (Low Risk)
C:\PROGRAM FILES\PIONEER HI-BRED INT'L INC\PRISM\HANDHELD_UTILITIES\INSTALLFDE\HBINST.EXE
C:\PROGRAM FILES\PIONEER HI-BRED INT'L INC\PRISM DEVELOPMENT\HANDHELD_UTILITIES\INSTALLFDE\HBINST.EXE

------------------------------------------------------------------------------------------------


------------------------------------------------------------------------------------------------

SDFix gave me the following:

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\kx16.dll - Deleted
C:\WINDOWS\KX32.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 00:47:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe:*:Enabled:Sentinel Protection Server"
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe:*:Enabled:Sentinel Keys Server"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot\Tools.dll"
Mon 15 Sep 2008 1,562,960 A.SH. --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 25 Nov 2008 93,236 A.SH. --- "C:\WINDOWS\system32\kajopezi.dll"
Sun 24 Aug 2008 60,416 A.SH. --- "C:\WINDOWS\system32\kufisobe.dll"
Mon 24 Nov 2008 87,092 A.SH. --- "C:\WINDOWS\system32\tijojepe.dll"
Mon 17 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 23 Aug 2008 50,176 ...H. --- "C:\Documents and Settings\SPICERMARK\My Documents\~WRL0148.tmp"
Sat 23 Aug 2008 50,176 ...H. --- "C:\Documents and Settings\SPICERMARK\My Documents\~WRL1268.tmp"
Sat 23 Aug 2008 41,984 ...H. --- "C:\Documents and Settings\SPICERMARK\My Documents\~WRL2299.tmp"
Fri 12 Sep 2003 538 A..H. --- "C:\Program Files\MINITAB 14\Profiles\EnableSixSigma.reg"
Fri 10 Oct 2008 1,560,576 A..H. --- "C:\System Volume Information\_restore{4340D8D6-CFE0-4EE3-8DE0-52F2C81BF743}\RP856\A0330876.dll"
Sat 18 Oct 2008 1,560,576 A..H. --- "C:\System Volume Information\_restore{4340D8D6-CFE0-4EE3-8DE0-52F2C81BF743}\RP865\A0332667.dll"
Sat 18 Oct 2008 1,560,576 A..H. --- "C:\System Volume Information\_restore{4340D8D6-CFE0-4EE3-8DE0-52F2C81BF743}\RP865\A0332704.dll"
Wed 5 Nov 2008 1,560,576 A..H. --- "C:\System Volume Information\_restore{4340D8D6-CFE0-4EE3-8DE0-52F2C81BF743}\RP880\A0337512.dll"
Sat 8 Dec 2007 39,936 ...H. --- "C:\Toastmasters\Speeches\Boat to Vote\~WRL3898.tmp"
Wed 1 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 27 Nov 2008 0 A..H. --- "C:\Program Files\Altiris\Altiris Agent\Software Delivery\pkgdlvlk.tmp"
Wed 1 Nov 2006 20,480 A..H. --- "C:\Program Files\National Instruments\MeasurementStudioVS2005\DotNET\LicenseEngine.2005.exe"
Thu 19 Jun 2008 605,224 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e131e71ba03f05e356deb2f98ba72491\BIT21.tmp"
Thu 27 Nov 2008 0 A..H. --- "C:\Program Files\Altiris\Altiris Agent\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp"
Thu 3 Feb 2005 7,318 A..H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Mon 26 Feb 2007 58,358 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp"
Thu 3 Feb 2005 7,318 A..H. --- "C:\Documents and Settings\Default User\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\Default User\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\Default User\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Thu 3 Feb 2005 7,318 A..H. --- "C:\Documents and Settings\glaubitzjl\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\glaubitzjl\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\glaubitzjl\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Thu 3 Feb 2005 7,318 A..H. --- "C:\Documents and Settings\schoenberger\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\schoenberger\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\schoenberger\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Thu 3 Feb 2005 7,318 A..H. --- "C:\Documents and Settings\sicanicaz\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\sicanicaz\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\sicanicaz\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Thu 3 Feb 2005 7,318 A..H. --- "C:\Documents and Settings\SPICERMARK\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\SPICERMARK\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\Documents and Settings\SPICERMARK\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Thu 3 Feb 2005 7,318 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Wed 27 Aug 2003 8,246 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"

Finished!
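Added example, not part of BobFoxx's post and not code from SDFix, SUPERAntiSpyware or BleepingComputer: a PowerShell triage script for the two things the post above observed, Run-key entries that launch Rundll32 against a DLL (including the one under HKEY_USERS\S-1-5-19, which HKEY_CURRENT_USER never shows you) and the hidden+system DLLs with recent timestamps that SDFix listed in system32. It assumes an elevated prompt, PowerShell 2.0 or later, and that the host is not hiding files or keys from user-mode tools (catchme above reported none). The function names and the "eight lowercase letters" name heuristic are this example's own, the heuristic being drawn only from the names in this thread.

```powershell
# Added example (not from the original post). Enumerates Rundll32 Run-key
# entries and recently modified hidden+system DLLs in system32, and reports
# why each looks suspicious. Assumes an elevated prompt and PowerShell 2.0+.
$ErrorActionPreference = 'SilentlyContinue'

# HKLM Run plus the Run key of every loaded user hive under HKEY_USERS,
# so service-account hives such as S-1-5-19 (LOCAL SERVICE) are covered.
function Get-RunKeyPaths {
    $paths = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { $paths += "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
    $paths
}

# Pull the DLL path out of a command such as
#   Rundll32.exe "c:\windows\system32\sikonese.dll",a
function Get-Rundll32Target([string]$Command) {
    if ($Command -match '(?i)rundll32(?:\.exe)?\s+"?(?<dll>[^",]+\.dll)"?\s*,') {
        return [Environment]::ExpandEnvironmentVariables($Matches['dll'])
    }
    return $null
}

# Reasons a DLL deserves a second look. The 8-letter-name check is a
# heuristic taken from the names in this thread, not a general rule.
function Test-SuspiciousDll([string]$Path) {
    $reasons = @()
    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item) { return @('file missing (entry is orphaned)') }
    if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden attribute' }
    if (($item.Attributes -band [IO.FileAttributes]::System) -ne 0) { $reasons += 'system attribute' }
    if ($item.Name -match '^[a-z]{8}\.dll$') { $reasons += 'random-looking 8-letter name' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return $reasons
}

function Get-Rundll32RunEntries {
    foreach ($key in Get-RunKeyPaths) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not Run values
            $dll = Get-Rundll32Target ([string]$prop.Value)
            if (-not $dll) { continue }
            New-Object PSObject -Property @{
                Key = $key; ValueName = $prop.Name; Dll = $dll
                Flags = (Test-SuspiciousDll $dll) -join '; '
            }
        }
    }
}

# The SDFix list above shows A.SH. DLLs in system32 with recent timestamps.
# Those are plain attribute bits, not rootkit concealment, so -Force is enough.
function Get-RecentHiddenSystem32Dlls([int]$Days = 30) {
    $sys32 = Join-Path $env:SystemRoot 'system32'
    Get-ChildItem -LiteralPath $sys32 -Filter *.dll -Force |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -and
            $_.LastWriteTime -gt (Get-Date).AddDays(-$Days)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path = $_.FullName; Size = $_.Length; Modified = $_.LastWriteTime
                Flags = (Test-SuspiciousDll $_.FullName) -join '; '
            }
        }
}

Get-Rundll32RunEntries          | Format-Table ValueName, Dll, Flags -AutoSize
Get-RecentHiddenSystem32Dlls 30 | Format-Table Path, Modified, Flags -AutoSize
```

Renaming a DLL, as the post did, leaves the Run value in place and the first function will report it as orphaned; an orphaned entry is harmless but is also the marker that the value itself still needs to go. A valid Authenticode signature on a system32 DLL is the strongest single signal here, since the infection's DLLs are unsigned; an unsigned third-party DLL is not proof of anything on its own.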


#2 rigel

Posted 28 November 2008 - 11:39 AM

Hi BobFoxx,

Since you had different issues popping up, I have created your own thread.

Please update and rerun SuperAntiSpyware... Post a new log.

Then..Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.



*** If you have already downloaded Malwarebytes, please update - run - and post a new log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 BobFoxx

Posted 07 December 2008 - 11:21 PM

Rigel:

Thanks much for your help. :thumbsup:

Here's the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2008 at 07:03 PM

Application Version : 4.22.1014

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 01:57:24

Memory items scanned : 491
Memory threats detected : 0
Registry items scanned : 12504
Registry threats detected : 0
File items scanned : 140314
File threats detected : 0


------------------------------------------------------------------------------------------

Here's the Malwarebytes' log; it did find 6 items. I'll monitor my system in the next few days to see if there are any remaining problems.

Thanks again,

- Bob

Malwarebytes' Anti-Malware 1.31
Database version: 1472
Windows 5.1.2600 Service Pack 2

12/7/2008 10:09:36 PM
mbam-log-2008-12-07 (22-09-36).txt

Scan type: Quick Scan
Objects scanned: 77256
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dfd6b30f-5555-4a72-a4e3-f5a9bf3f1a3d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dfd6b30f-5555-4a72-a4e3-f5a9bf3f1a3d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8a933d0-8805-4033-8f02-2cafbdb75f45} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8a933d0-8805-4033-8f02-2cafbdb75f45} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm83c45b39 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
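Added example, not part of BobFoxx's post and not code from Malwarebytes: a PowerShell check that walks the Browser Helper Objects key MBAM cleaned above and resolves each registered CLSID to the DLL Internet Explorer would actually load, so you can confirm what is still registered after a cleanup rather than trusting a single scanner's verdict. It assumes an elevated prompt and PowerShell 2.0 or later; the function names are this example's own, and the Wow6432Node paths are only there for 64-bit hosts (they do not exist on the 32-bit XP in this thread and are skipped).

```powershell
# Added example (not from the original post). Lists every registered BHO,
# resolves its CLSID to the in-process server DLL, and flags the usual
# warning signs. Assumes an elevated prompt and PowerShell 2.0+.
$ErrorActionPreference = 'SilentlyContinue'

$bhoKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# A BHO entry is only a CLSID; the code lives wherever
# HKCR\CLSID\{...}\InprocServer32 (default value) points.
function Resolve-ClsidServer([string]$Clsid) {
    foreach ($root in 'HKEY_CLASSES_ROOT', 'HKEY_CLASSES_ROOT\Wow6432Node') {
        $srv = Get-ItemProperty -LiteralPath "Registry::$root\CLSID\$Clsid\InprocServer32"
        if ($srv -and $srv.'(default)') {
            return [Environment]::ExpandEnvironmentVariables($srv.'(default)')
        }
    }
    return $null
}

function Get-BrowserHelperObjects {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid = $sub.PSChildName
            $dll   = Resolve-ClsidServer $clsid
            $flags = @()
            if (-not $dll) {
                $flags += 'no InprocServer32 (orphaned CLSID)'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $flags += 'DLL missing on disk'
            } else {
                $item = Get-Item -LiteralPath $dll -Force
                if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $flags += 'hidden attribute' }
                if (($item.Attributes -band [IO.FileAttributes]::System) -ne 0) { $flags += 'system attribute' }
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            }
            New-Object PSObject -Property @{ Clsid = $clsid; Dll = $dll; Flags = ($flags -join '; ') }
        }
    }
}

Get-BrowserHelperObjects | Format-Table Clsid, Dll, Flags -AutoSize
```

The Ext\Stats entries that both scanners reported are Internet Explorer's add-on manager bookkeeping for a CLSID, not the add-on itself; what loads into the browser is the BHO key plus the CLSID's InprocServer32, which is why the check above starts from those two and treats a CLSID with no server DLL as leftover registration to clean up rather than active code.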

#4 rigel

Posted 09 December 2008 - 09:39 PM

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

Please update and rerun Malwarebytes... Post a fresh log.





