
Spyware, Adware, and Automatic Reboot


14 replies to this topic

#1 plperez82

  • Members
  • 8 posts

Posted 11 December 2008 - 04:42 PM

Hi,

My computer runs on Microsoft XP and has been having multiple problems that are increasingly worsening. 50% of the time when started up, the computer automatically reboots itself after reaching the login screen. Sometimes it will continuously restart for up to 15 minutes.

Also when finally able to get to the main desktop screen an error box reading:
Error Loading C:\WINDOWS\System32\rtbnien.dll
Access Denied
OK
pops up. I have been just closing the box instead of pressing ok.

And another box that reads:
The system has recovered from a serious error
If I hit "Send Error Report" it takes you to a screen that tries to describe the error, but the computer reboots before you can even catch more than a glimpse.
If I hit the "Don't Send" button it keeps popping up the error box.
The only way to do anything on the computer is to ignore it.

Every time that you click on Internet Explorer a box that reads:
C:\WINDOWS\System32\
OK

pops up. I have also been closing that box without pressing ok.

Just yesterday I started getting a random pop up blocker at the top of the browser that says Mirar. I've never downloaded any pop up blockers.

Pop-ups are also occurring non-stop, sometimes to the point where I can't even keep up with closing them as fast as they occur. They keep happening so fast that it completely freezes my computer.

Also, since yesterday I cannot send an email, and I couldn't even send this post from the computer because every time I hit a send or submit button, a box pops up that says that Internet Explorer has encountered an error and my browser automatically closes.

Please let me know what I can do to make my computer run normally again.

Thanks,
plperez82

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 StickDude101

  • Members
  • 109 posts

Posted 11 December 2008 - 05:50 PM

Download SmitFraud, and run it in Safe Mode. You can access Safe Mode by rapidly pressing F8 at startup until a multiple-choice screen appears.
If this doesn't work, try running System Restore to an earlier point. Just go to your Start menu programs and find "System Restore" in the Accessories/System Tools list.

~StickDude101

#3 Animal

    Bleepin' Animinion


  • Site Admin
  • 35,068 posts

Posted 11 December 2008 - 06:51 PM

StickDude101,

While we do appreciate your willingness to assist our members, you may not be aware of the rules that guide who can assist, how, and with what malware tools, with regard to this and other Bleeping Computer forums.

Please take a look at this post: How do I get help? Who is helping me?

Where it states the following:

Posting instructions for the use of the following by non-staff members is prohibited in this area. This list contains tools and procedures that are forbidden, the instructions for using similar tools or procedures should not be posted here without Staff approval.

  • Manual file removal instruction
  • ComboFix instructions or discussion
  • SDFix instruction
  • Registry instruction
  • Automated registry cleaners
  • HiJackThis instructions (logs are for review only)
  • Custom scripts, batch files


Thank You for your understanding.

Edited by garmanma, 12 December 2008 - 04:09 PM.
copied text


#4 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts

Posted 12 December 2008 - 03:08 PM

Hello, let's do 2 things first here and see what we've got...
Run MBAM and post a log.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


For the Error Loading C:\WINDOWS\System32\rtbnien.dll
A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click HERE if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
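The post above explains the mechanism behind the "Error loading ...dll" box: an autorun entry survives after the file it names is gone. The same autorun locations are also where the malware in this thread persisted (Winlogon\Userinit, AppInit_DLLs, LSA packages, Run keys). The script below is an added example for this thread, not code from boopme, Autoruns or MBAM: it audits an offline snapshot of those registry values against the list of files actually on disk and reports orphaned references and deviations from a stock Windows XP baseline. The baseline values (default userinit.exe path, default LSA packages scecli and msv1_0) are assumptions for a default XP install, and the sample snapshot is constructed from paths that appear later in the posted MBAM log plus the rtbnien.dll name from the first post; the rundll32 command line attached to it is invented to show the orphan case.

```python
"""Offline audit of Windows XP autorun locations for orphaned or hijacked entries.

Added example for this thread (not from the original posts). On a live box you
would collect the same values with reg.exe or Autoruns and feed them in here.
"""
import re
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
# Assumed stock XP defaults (a default install; adjust for other setups).
EXPECTED_USERINIT = SYSTEM32 + r"\userinit.exe"
EXPECTED_LSA = {
    "notification packages": {"scecli"},
    "authentication packages": {"msv1_0"},
}


@dataclass(frozen=True)
class Finding:
    location: str   # registry path of the offending value
    item: str       # the program/DLL that value references
    reason: str     # orphaned | userinit_hijack | appinit_dlls | lsa_package


def image_path(command):
    """Return the file a Run-style command line actually loads."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split()
    if not tokens:
        return ""
    # "rundll32 foo.dll,Entry": the DLL is the payload, not rundll32 itself
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def normalize(path):
    """Lower-case and expand the shorthand forms the registry allows."""
    p = path.strip().strip('"').lower()
    if p.startswith("system32\\"):          # e.g. "system32\winhelp.exe"
        p = r"c:\windows" + "\\" + p
    if "\\" not in p:                       # bare name, e.g. LSA package "scecli"
        p = SYSTEM32 + "\\" + p
    if not re.search(r"\.(dll|exe|sys)$", p):  # LSA packages omit the extension
        p += ".dll"
    return p


def audit_autoruns(snapshot, files_present):
    """snapshot: {registry value path: str (REG_SZ) or list (REG_MULTI_SZ)}.
    files_present: iterable of full paths that exist on disk."""
    present = {normalize(f) for f in files_present}
    findings = []

    def check_exists(location, item):
        if normalize(item) not in present:   # the "Error loading ..." symptom
            findings.append(Finding(location, item, "orphaned"))

    for location, data in snapshot.items():
        key = location.lower()
        if key.endswith(r"\winlogon\userinit"):
            parts = [p for p in data.split(",") if p.strip()]
            for extra in parts[1:]:           # anything after userinit.exe runs at logon
                findings.append(Finding(location, extra, "userinit_hijack"))
                check_exists(location, extra)
            if parts and normalize(parts[0]) != EXPECTED_USERINIT:
                findings.append(Finding(location, parts[0], "userinit_hijack"))
        elif key.endswith(r"\windows\appinit_dlls"):
            for dll in re.split(r"[ ,]+", data.strip()):
                if dll:                       # any DLL here is injected into every GUI process
                    findings.append(Finding(location, dll, "appinit_dlls"))
                    check_exists(location, dll)
        elif key.endswith(r"\lsa\notification packages") or key.endswith(r"\lsa\authentication packages"):
            name = key.rsplit("\\", 1)[1]
            for pkg in data:
                if pkg.lower() not in EXPECTED_LSA[name]:  # extra LSA package sees plaintext logons
                    findings.append(Finding(location, pkg, "lsa_package"))
                    check_exists(location, pkg)
        elif "\\currentversion\\run\\" in key:
            check_exists(location, image_path(data))
    return findings


# Constructed snapshot: values mirror the posted MBAM log; the rundll32 line is invented.
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\winhelp.exe,C:\WINDOWS\System32\ntos.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs": r"c:\windows\system32\kisuhebo.dll",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages": ["scecli", "opnkjkar"],
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages": ["msv1_0", "opnkjkar"],
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet": r"C:\WINDOWS\system32\prunnet.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54f6d7b1": r"rundll32.exe C:\WINDOWS\System32\rtbnien.dll,a",
}
SAMPLE_FILES = {  # constructed: rtbnien.dll is deliberately absent
    r"C:\WINDOWS\System32\userinit.exe", r"C:\WINDOWS\System32\winhelp.exe", r"C:\WINDOWS\System32\ntos.exe",
    r"C:\WINDOWS\system32\prunnet.exe", r"C:\WINDOWS\system32\kisuhebo.dll", r"C:\WINDOWS\system32\opnkjkar.dll",
    r"C:\WINDOWS\system32\scecli.dll", r"C:\WINDOWS\system32\msv1_0.dll",
}

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_SNAPSHOT, SAMPLE_FILES):
        print(f"{f.reason:16} {f.item}  <- {f.location}")
```

Run it as-is to see the six findings the sample produces; note that the still-present prunnet.exe Run entry is not reported, which is exactly why a missing-file check alone is not a malware scan and the later MBAM removal step is still needed.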

#5 plperez82
  • Topic Starter

  • Members
  • 8 posts

Posted 15 December 2008 - 01:17 PM

I ran the scan and it detected 135 infections and said there were some that could not be removed. The following is the report:

Malwarebytes' Anti-Malware 1.31
Database version: 1501
Windows 5.1.2600 Service Pack 1

12/15/2008 12:47:44 PM
mbam-log-2008-12-15 (12-47-44).txt

Scan type: Quick Scan
Objects scanned: 76388
Time elapsed: 34 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 9
Registry Keys Infected: 39
Registry Values Infected: 14
Registry Data Items Infected: 10
Folders Infected: 4
Files Infected: 58

Memory Processes Infected:
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\opnkjKAR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sudipemi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yitezoha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kisuhebo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ljJATNgD.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pcdxqr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wineg77.dll (Adware.Mirar) -> Delete on reboot.
C:\WINDOWS\system32\svchstb.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\winih77.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{115b98e6-b27c-47b1-a1ba-df2fd52a3722} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{115b98e6-b27c-47b1-a1ba-df2fd52a3722} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6e6259ed-c137-4b30-907a-b348311b51f6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6e6259ed-c137-4b30-907a-b348311b51f6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8050a07-0bab-4c32-adaa-312b0f702244} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c8050a07-0bab-4c32-adaa-312b0f702244} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afe9d974-fb2f-4528-bfb6-7399e5172348} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{afe9d974-fb2f-4528-bfb6-7399e5172348} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afe9d975-fb2f-4528-bfb6-7399e5172348} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afe9d975-fb2f-4528-bfb6-7399e5172348} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\imeshmediabar.stockbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\imeshmediabar.stockbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abadc07c-9990-405a-aa24-2c209b50ae79} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abadc07c-9990-405a-aa24-2c209b50ae79} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rndismpp (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rndismpp (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rndismpp (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4a66af02-4daf-40c8-929b-77b0ef3b5417} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4a66af02-4daf-40c8-929b-77b0ef3b5417} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54f6d7b1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suwemosule (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{afe9d974-fb2f-4528-bfb6-7399e5172348} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{afe9d974-fb2f-4528-bfb6-7399e5172348} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4a66af02-4daf-40c8-929b-77b0ef3b5417} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4a66af02-4daf-40c8-929b-77b0ef3b5417} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnkjkar -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kisuhebo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kisuhebo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kisuhebo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnkjkar -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\winhelp.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\winhelp.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\winhelp.exe,C:\WINDOWS\System32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\System32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\v9 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pcdxqr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\opnkjKAR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\RAKjknpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RAKjknpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gatemutd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dtumetag.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\icytlslf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flsltyci.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rtsbnien.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\neinbstr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yitezoha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sudipemi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\rndismpp.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\ljJATNgD.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\kisuhebo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wineg77.dll (Adware.Mirar) -> Delete on reboot.
C:\WINDOWS\system32\svchstb.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hmqlfrkb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mecaqv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vulukoka.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcBqpNh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfCtrQG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kiuwbeny.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soyzth.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qz.sys (Rootkit.Haxdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lfgjisnu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJYSijG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlkLfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\Drivers\bflcuvwq.dat (Rootkit.Agent) -> Delete on reboot.
C:\S87ekhV.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat14.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\4ZUV29AT\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\G5I341AB\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\v9\MAV982S.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winih77.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winhelp.exe (Trojan.Agent) -> Delete on reboot.
C:\Settings\arm80.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\cs.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rc.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmds.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmonb.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps.a3d (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\klo5.sys (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\klgcptini.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stt82.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\alog.txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\ntos.exe (Backdoor.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.

As far as the Autoruns, I could not find the file related to the above-mentioned error. BUT when I restarted the computer after the MBAM scan the error message did not occur. However, the message that reads:

The system has recovered from a serious error

Still pops up. Let me know what further steps i need to take. The Mirar pop up blocker is gone and the computer seems to be running a little faster now.

#6 plperez82
  • Topic Starter

  • Members
  • 8 posts

Posted 15 December 2008 - 02:26 PM

Few other details. The message box that reads:

C:\WINDOWS\System32\
OK

Still continues to occur when I open Internet Explorer or click to open MY COMPUTER.

Also, I reran the same MBAM scan so that I could copy down the files that could not be deleted. The following is the message box that pops up when I select Remove All:


Certain items could not be removed! The first few are listed below. All items that could not be removed have been added to the delete on reboot list. Please restart your computer now. A logfile was saved to the Logs folder.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hffqrjwv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hffqrjwv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hffqrjwv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk

Your computer needs to be restarted to complete the removal process. Would you like to continue?

I restarted the computer because it also reported some additional infected files that needed a reboot to delete. Here is the newest report:

Malwarebytes' Anti-Malware 1.31
Database version: 1501
Windows 5.1.2600 Service Pack 1

12/15/2008 2:07:07 PM
mbam-log-2008-12-15 (14-07-07).txt

Scan type: Quick Scan
Objects scanned: 76344
Time elapsed: 32 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\Drivers\bflcuvwq.dat (Rootkit.Agent) -> Delete on reboot.

The computer upon reboot kept rebooting every time it was about to reach the login screen. After 10 times of self-rebooting it was workable.

#7 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts

Posted 15 December 2008 - 02:28 PM

Hi. OK, this is good and we are making slow progress. These Vundo and Downloaders can get in pretty deep, so let's keep digging them out.
First rerun Mbam and post a new log.

EDIT: Sorry I noticed that there are Rootkit infections

One or more of the identified infections is a backdoor / rootkit trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Next run ATF and SAS:
ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now SAS
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by boopme, 15 December 2008 - 02:34 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 plperez82 (Topic Starter, Members, 8 posts)

Posted 15 December 2008 - 05:01 PM

I re-ran MBAM and the same message about not being able to remove certain files popped up. The following is the report:

Malwarebytes' Anti-Malware 1.31
Database version: 1501
Windows 5.1.2600 Service Pack 1

12/15/2008 4:55:45 PM
mbam-log-2008-12-15 (16-55-45).txt

Scan type: Quick Scan
Objects scanned: 77049
Time elapsed: 32 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\Drivers\bflcuvwq.dat (Rootkit.Agent) -> Delete on reboot.

I will now run the other scans. I have a few questions though. First, how can I avoid this problem from occurring on any other computers? Do hackers randomly attack any computer? And can they just hack in out of nowhere, or does this occur from downloading programs and files from online?
Also, if I later decide to reformat, will my computer still never be 100% safe to go onto online banking or make purchases online?
As soon as the other scans are done I will post additional reports. Thanks!
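Every hit in the MBAM log above is marked "Delete on reboot", and the same service name appears under three control sets, so the useful follow-up is to compare this log with the next run and see what actually went away. The script below is an added example for this thread, not a Malwarebytes tool and not code from anyone posting here: it parses this 1.x log layout, checks that the summary counts agree with the items listed, and diffs two runs. RUN_1 is trimmed from the log above; RUN_2 is a constructed rescan of the same machine.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and compare two runs.
Added example for this thread, not a Malwarebytes tool. RUN_1 is trimmed from
the log in the post above; RUN_2 is a constructed rescan of the same machine."""
import re
from typing import Dict, List, Tuple

# "Files Infected: 1" (summary line) and "Files Infected:" (detail header) share one shape.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "<target> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

RUN_1 = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1501

Registry Keys Infected: 3
Registry Values Infected: 4
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\System32\Drivers\bflcuvwq.dat (Rootkit.Agent) -> Delete on reboot.
"""

# Constructed follow-up run: the Browser Settings values are gone, but the rootkit
# service and its driver file are listed again despite "Delete on reboot".
RUN_2 = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1501

Registry Keys Infected: 3
Registry Values Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hffqrjwv (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\Drivers\bflcuvwq.dat (Rootkit.Agent) -> Delete on reboot.
"""


def parse_mbam_log(text: str) -> dict:
    """Return {'declared': {section: count}, 'items': [{section, target, family, action}]}."""
    declared: Dict[str, int] = {}
    items: List[dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:  # summary block: remember the declared count
                declared[m.group("name")] = int(m.group("count"))
                section = None
            else:  # detail block header: following lines belong to this section
                section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return {"declared": declared, "items": items}


def count_mismatches(parsed: dict) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count disagrees with the items listed: {section: (declared, found)}."""
    found: Dict[str, int] = {}
    for it in parsed["items"]:
        found[it["section"]] = found.get(it["section"], 0) + 1
    return {name: (n, found.get(name, 0))
            for name, n in parsed["declared"].items() if n != found.get(name, 0)}


def diff_runs(previous: dict, current: dict) -> Tuple[List[str], List[str]]:
    """(still_present, removed): targets compared case-insensitively between two runs."""
    before = {it["target"].lower(): it["target"] for it in previous["items"]}
    after = {it["target"].lower(): it["target"] for it in current["items"]}
    still = sorted(after[k] for k in after if k in before)
    removed = sorted(before[k] for k in before if k not in after)
    return still, removed
```

Call `diff_runs(parse_mbam_log(RUN_1), parse_mbam_log(RUN_2))` to get the two lists; with the samples above the four Browser Settings values land in the removed list while the hffqrjwv service keys and the driver file remain, which is the pattern a helper reads as "the rootkit component is not being removed by this tool" and hands to a dedicated rootkit scanner. `count_mismatches` is a sanity check on a pasted log: a summary count that does not match the listed items usually means the paste was truncated.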

#9 boopme (Global Moderator, 73,166 posts, NJ USA)

Posted 15 December 2008 - 08:39 PM

Most infections are transferred through emails, opening executables. Then by visiting websites and downloading; next, I believe, is P2P and torrent sites.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#10 plperez82 (Topic Starter, Members, 8 posts)

Posted 16 December 2008 - 10:08 AM

The following is the report from SAS. I will run the program you suggested above next.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/16/2008 at 06:55 AM

Application Version : 4.23.1006

Core Rules Database Version : 3675
Trace Rules Database Version: 1654

Scan type : Complete Scan
Total Scan Time : 11:27:57

Memory items scanned : 151
Memory threats detected : 0
Registry items scanned : 5663
Registry threats detected : 22
File items scanned : 82523
File threats detected : 33

Adware.Tracking Cookie
C:\Documents and Settings\Daniel\Cookies\daniel@doubleclick[1].txt
C:\Documents and Settings\Daniel\Cookies\daniel@atdmt[2].txt
C:\Documents and Settings\Daniel\Cookies\daniel@ad.yieldmanager[2].txt
C:\Documents and Settings\Daniel\Cookies\daniel@powerfulvirusremover2008[1].txt
C:\Documents and Settings\Daniel\Cookies\daniel@kontera[2].txt
C:\Documents and Settings\Daniel\Cookies\daniel@adtrafficstats[1].txt
C:\Documents and Settings\Daniel\Cookies\daniel@chitika[2].txt

Trojan.Avpe64/32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64\0000\LogConf

Rogue.Component/Trace
HKLM\Software\Microsoft\54F6C53F
HKLM\Software\Microsoft\54F6C53F#54f6c53f
HKLM\Software\Microsoft\54F6C53F#Version
HKLM\Software\Microsoft\54F6C53F#54f668bf
HKLM\Software\Microsoft\54F6C53F#54f6015a
HKU\S-1-5-21-973306172-579611626-2671436164-1007\Software\Microsoft\CS41275
HKU\S-1-5-21-973306172-579611626-2671436164-1007\Software\Microsoft\FIAS4018

Adware.Prun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\AVPE32.DLL

Adware.Vundo Variant/ESET
C:\WINDOWS\SYSTEM32\HEFAMUPA.DLL
C:\WINDOWS\SYSTEM32\URQRJCUL.DLL

Trojan.QZ
C:\WINDOWS\SYSTEM32\QZ.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\LZJSLLOR\index[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\GJEE3NSS\secure_installers[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\I6W9NQO5\closebutton[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\GDARS92F\progressbar[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\2F4ZUDWF\common[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\I6W9NQO5\crypt[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\2F4ZUDWF\input[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\ZQHZE9OB\VirusRemover2008_Setup_Free_en[1].exe
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\01QFGHU7\bleep[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\GJEE3NSS\activex[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\GJEE3NSS\bg[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\ZQHZE9OB\down[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\4ZUV29AT\bleep2[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\LZJSLLOR\params[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\01QFGHU7\ex[1].html
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\ZQHZE9OB\secstat[1].gif
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\G5I341AB\120[2]
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\ZQHZE9OB\settings[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\G5I341AB\index_new[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\2F4ZUDWF\styles[2].css
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\4ZUV29AT\vars[2].js
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\01QFGHU7\managers[2].js

#11 boopme (Global Moderator, 73,166 posts, NJ USA)

Posted 16 December 2008 - 10:15 PM

OK, waiting on report.

#12 plperez82 (Topic Starter, Members, 8 posts)

Posted 17 December 2008 - 02:22 PM

This is the report from SDFix:

SDFix: Version 1.240
Run by Administrator on Wed 12/17/2008 at 01:16 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\Temp\10.sys - Deleted
C:\WINDOWS\Temp\13.sys - Deleted
C:\WINDOWS\Temp\14.sys - Deleted
C:\WINDOWS\Temp\17.sys - Deleted
C:\WINDOWS\Temp\18.sys - Deleted
C:\WINDOWS\Temp\1B.sys - Deleted
C:\WINDOWS\Temp\1C.sys - Deleted
C:\WINDOWS\Temp\1F.sys - Deleted
C:\WINDOWS\Temp\20.sys - Deleted
C:\WINDOWS\Temp\23.sys - Deleted
C:\WINDOWS\Temp\24.sys - Deleted
C:\WINDOWS\Temp\27.sys - Deleted
C:\WINDOWS\Temp\28.sys - Deleted
C:\WINDOWS\Temp\2B.sys - Deleted
C:\WINDOWS\Temp\2C.sys - Deleted
C:\WINDOWS\Temp\2F.sys - Deleted
C:\WINDOWS\Temp\3.sys - Deleted
C:\WINDOWS\Temp\30.sys - Deleted
C:\WINDOWS\Temp\33.sys - Deleted
C:\WINDOWS\Temp\34.sys - Deleted
C:\WINDOWS\Temp\37.sys - Deleted
C:\WINDOWS\Temp\38.sys - Deleted
C:\WINDOWS\Temp\3B.sys - Deleted
C:\WINDOWS\Temp\3C.sys - Deleted
C:\WINDOWS\Temp\3F.sys - Deleted
C:\WINDOWS\Temp\4.sys - Deleted
C:\WINDOWS\Temp\40.sys - Deleted
C:\WINDOWS\Temp\7.sys - Deleted
C:\WINDOWS\Temp\8.sys - Deleted
C:\WINDOWS\Temp\B.sys - Deleted
C:\WINDOWS\Temp\C.sys - Deleted
C:\WINDOWS\Temp\F.sys - Deleted
C:\WINDOWS\system32\bb1.dat - Deleted
C:\WINDOWS\system32\tb.dr - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 13:41:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm64reg]
"DllName"="c:\Settings\arm64.dll"
"Startup"="arm64reg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm86reg]
"DllName"="c:\Settings\arm86.dll"
"Startup"="arm86reg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=str(2):"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=str(2):"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljJATNgD]
"Asynchronous"=dword:00000001
"DllName"="ljJATNgD.dll"
"Impersonate"=dword:00000000
"Logon"="o"
"Logoff"="f"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=str(2):"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=str(2):"sclgntfy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=str(2):"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 14 Sep 2008 36,352 ..SH. --- "C:\Settings\arm64.dll"
Wed 26 Nov 2008 36,352 ..SH. --- "C:\Settings\arm86.dll"
Mon 31 Mar 2003 77,824 ...H. --- "C:\Program Files\MSN\msnupdate!@#@.exe"
Mon 8 Sep 2008 63,721 A.SH. --- "C:\WINDOWS\system32\birukoho.dll.tmp"
Mon 8 Sep 2008 63,721 A.SH. --- "C:\WINDOWS\system32\mebudahi.dll.tmp"
Mon 8 Sep 2008 63,721 A.SH. --- "C:\WINDOWS\system32\vanakuyo.dll.tmp"
Sun 7 Sep 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 18 Jul 2008 55,808 ...H. --- "C:\Documents and Settings\Daniel\My Documents\~WRL2742.tmp"

Finished!

I just read a report from YahooNews that stated that Internet Explorer Version 7 has been having security problems and many computers have been hijacked from just visiting corruptly encrypted websites. I'm wondering if this is part of the problem my computer has been having.
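The catchme section of the SDFix report above dumps every Winlogon\Notify package, which is where entries like ljJATNgD and c:\Settings\arm64.dll stand out next to the stock Windows ones: these DLLs are loaded into winlogon.exe at logon, so an unfamiliar name there is worth attention. The script below is an added example for this thread, not part of SDFix, catchme, or anyone's post here. It parses that block layout and flags packages whose DLL is not in an assumed known set; KNOWN_DLLS, WINDOWS_DIR and the trimmed SAMPLE_DUMP are this example's own assumptions, not a vendor list.

```python
"""Triage Winlogon Notify packages from a catchme/SDFix registry dump.
Added example for this thread, not part of SDFix or catchme. KNOWN_DLLS and
WINDOWS_DIR are assumptions; SAMPLE_DUMP is trimmed from the report above."""
import ntpath
import re
from typing import Dict, List

BLOCK_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\(?P<name>[^\]]+)\]$", re.I)
# "Key"="string", "Key"=str(2):"string" or "Key"=dword:xxxxxxxx (the dump's own value forms)
VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"=(?:str\(\d+\):)?(?:"(?P<s>[^"]*)"|dword:(?P<d>[0-9a-f]{8}))$', re.I)

# Assumption: stock XP notify packages seen in the dump, plus SUPERAntiSpyware's own component.
KNOWN_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
              "sclgntfy.dll", "igfxsrvc.dll", "saswinlo.dll"}
# Value names that hold exported handler names rather than flags.
EVENT_KEYS = {"logon", "logoff", "startup", "shutdown", "lock", "unlock", "startshell",
              "postshell", "screensaver", "disconnect", "reconnect"}
WINDOWS_DIR = "c:\\windows\\"  # the machine in the thread; adjust per host

SAMPLE_DUMP = r"""
scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Asynchronous"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm64reg]
"DllName"="c:\Settings\arm64.dll"
"Startup"="arm64reg"
"Impersonate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=str(2):"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljJATNgD]
"Asynchronous"=dword:00000001
"DllName"="ljJATNgD.dll"
"Logon"="o"
"Logoff"="f"

scanning hidden files ...
"""


def parse_notify_dump(text: str) -> Dict[str, Dict[str, object]]:
    """Map each Notify subkey name to its values (strings, or ints for dwords)."""
    entries: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = entries.setdefault(m.group("name"), {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if m:
            current[m.group("key")] = (m.group("s") if m.group("s") is not None
                                       else int(m.group("d"), 16))
    return entries


def suspicious_notify(entries: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Entries whose DLL is not in KNOWN_DLLS, with the reasons a reviewer would note."""
    findings: Dict[str, List[str]] = {}
    for name, values in entries.items():
        dll = next((str(v) for k, v in values.items() if k.lower() == "dllname"), "")
        if ntpath.basename(dll).lower() in KNOWN_DLLS:
            continue
        reasons = [f"DLL {dll!r} is not a known notify package"]
        if ":\\" in dll and not dll.lower().startswith(WINDOWS_DIR):
            reasons.append("loaded from outside the Windows directory")
        short = [f"{k}={v!r}" for k, v in values.items()
                 if k.lower() in EVENT_KEYS and isinstance(v, str) and len(v) < 3]
        if short:
            reasons.append("handler export names are suspiciously short: " + ", ".join(short))
        findings[name] = reasons
    return findings
```

Running `suspicious_notify(parse_notify_dump(SAMPLE_DUMP))` flags arm64reg (unknown DLL outside the Windows directory) and ljJATNgD (unknown DLL whose Logon/Logoff exports are single letters), and leaves the stock packages and the SUPERAntiSpyware hook alone. The allowlist approach is deliberately conservative: anything it does not recognise is a question for the helper, not an automatic deletion.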

#13 boopme (Global Moderator, 73,166 posts, NJ USA)

Posted 17 December 2008 - 03:58 PM

So that took out a lot! Is the PC running better now? Any symptoms?
You should update MBAM and scan again (Quick Scan), then post a new log.
Yes, IE is very prone to infection and spyware. You still should keep it updated and patched, but consider using another browser like Firefox instead.

#14 plperez82 (Topic Starter, Members, 8 posts)

Posted 18 December 2008 - 10:56 AM

Few things. First, I'm updating my XP because it's been a long time since I've updated. The computer still reboots itself off and on. The message that reads that The System has recovered from a serious error still appears upon reaching the desktop. I've noticed that the error that reads:

C:\WINDOWS\System32\
OK

sometimes reads on the gray bar on top of the error box message "-NO HOME", and sometimes it reads "Embedding". Sometimes it says nothing.

The computer is definitely running faster and I have not encountered any pop up problems.

I tried updating MBAM and it said:

Update Failed. Make sure you are connected to the internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet.

When I went to change my firewall settings a message appeared that read:

Due to an unidentified problem, Windows cannot display Windows firewall settings.

What can I do so that I can update MBAM?

#15 boopme (Global Moderator, 73,166 posts, NJ USA)

Posted 18 December 2008 - 11:43 AM

Hi, we've a couple of things here now.
First you should set a new restore point (instructions below), so that any procedures you do now to repair the rest that may result in resetting to a restore point won't have you reinfecting yourself.
I think you have either a software or hardware problem. Repairing that may probably allow you to do updates.
You should now ask about these issues in the XP forum as those with these skills and answers are in that forum.

In the meantime you can manually update MBAM from a flash drive, USB device etc. Copy the file and transfer it.
Manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Restore Point:
    Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
