
Infected with Trojan Horse Vundo and possibly other spyware or viruses



#1 Kisara

Posted 13 December 2008 - 06:19 PM

Earlier, I made a topic about having Trojan.Zlob.G as well as the constant ads I've been getting.

After deleting some .exe files, the Security Center Alert has stopped warning me about Trojan.Zlob.G, so I assume the problem has been solved. The popups, however, have not ceased. Although I am getting fewer popups than before, I am still getting around one every couple of minutes. I am not sure if this is significant, but several of the ads' URLs start out as c5.zedo.com before changing into whatever ad it is.

To see the steps I took to remove Trojan.Zlob.G and the spyware programs I've already deleted, see this topic.

Lately, I have also been getting several Trojan Horse Vundo detections from .dll files in system32: iayrfq.dll, hgisht.dll, dzdhml.dll, wuohdmbr.dll, urqnmlig.dll, and dcklzp.dll, to be specific. I've been notified of and healed them all today. I suspect, however, that I have other viruses or spyware as well, since the description Wikipedia has of Vundo (that it causes popups of only antispyware programs) does not cover all the problems I've had with my computer.

My main goal is to stop the popups as well as the other problems my computer has been experiencing lately: my Internet and other programs constantly freeze, my computer is often unusually slow usually because my CPU is full, although I am not running a lot of programs, and yesterday, my computer froze completely. Also, strangely, sometimes after my Internet is not responding and I've closed it, Firefox will automatically try to re-open, prompting me to choose between starting a new session or continuing my last one, even though I didn't click on Firefox yet.

I've been having problems with my computer since 12/6/08 when I first found Trojan horse Agent.AOEW in a file called gadcom.exe. After scanning my computer with AVG Free Edition and healing the trojan horse virus for a second time, popups began occurring at extremely fast rates. I was getting several popups per minute, and my computer became slower. I've since deleted 2 Internet Speed Monitors, Viewpoint, and several .exe files that are linked with Trojan.Zlob.G, as mentioned in the other topic.

I'm using Windows XP.

Thanks in advance to those who help. I really appreciate it.

Edited by Kisara, 13 December 2008 - 06:25 PM.


#2 boopme

Posted 13 December 2008 - 07:44 PM

Hello. You have now updated and run both SUPERAntiSpyware and Malwarebytes? Please post the logs here so we can see what was found and/or removed.

First please run SmitFraudFix by S!Ri, and post the report.
The report can be found at the root of the system drive, usually at C:\rapport.txt

#3 Kisara

Posted 14 December 2008 - 08:29 PM

SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2008 at 09:58 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 00:48:06

Memory items scanned : 478
Memory threats detected : 2
Registry items scanned : 5308
Registry threats detected : 189
File items scanned : 16291
File threats detected : 117



Malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600

12/14/2008 12:20:06 AM
mbam-log-2008-12-14 (00-20-06).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 166612
Time elapsed: 1 hour(s), 58 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 23
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 59

C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP326\A0142428.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP327\A0142451.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP327\A0142452.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP327\A0142453.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP327\A0142454.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP327\A0142455.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP327\A0142456.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4138DA83-748F-4310-8584-6E420D603328}\RP327\A0142457.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gqwiqxcl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lcxqiwqg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchstb.dll (Trojan.BHO) -> Quarantined and deleted successfully.

I will run SmitFraudFix asap and post it as well.

#4 boopme

  • Global Moderator

Posted 14 December 2008 - 09:19 PM

Ok, awaiting that log. After that, open MBam again and click the Update Tab (now at Database version: 1500). Rescan (Quick scan) and post that log again, please.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Kisara

  • Topic Starter

Posted 15 December 2008 - 02:05 AM

SmitFraudFix v2.385

Scan done at 22:41:16.70, Sun 12/14/2008
Run from C:\Documents and Settings\Kisara\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kisara\Application Data\Google\fhexj6825097.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Kisara\Application Data\gadcom\gadcom.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Nova Development\Photo Explosion Deluxe\CalCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Kisara


C:\DOCUME~1\Kisara\LOCALS~1\Temp


C:\Documents and Settings\Kisara\Application Data


Start Menu


C:\DOCUME~1\Kisara\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="rroizh.dll jherrn.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F2A34F09-2E6B-4772-861D-103DADECB956}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F2A34F09-2E6B-4772-861D-103DADECB956}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F2A34F09-2E6B-4772-861D-103DADECB956}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


Scanning for wininet.dll infection


End



Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600

12/14/2008 11:05:00 PM
mbam-log-2008-12-14 (23-05-00).txt

Scan type: Quick Scan
Objects scanned: 53626
Time elapsed: 12 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 29

Memory Processes Infected:
C:\Documents and Settings\Kisara\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\vavtqybe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyyyAqP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\khfCtsqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jherrn.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Kisara\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43f5cc9e-bbe2-4998-97a7-43e2871d006f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{43f5cc9e-bbe2-4998-97a7-43e2871d006f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a7fb756f-fa14-4fc5-872d-ac12dbad8de5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a7fb756f-fa14-4fc5-872d-ac12dbad8de5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfctsqo (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{abadc07c-9990-405a-aa24-2c209b50ae79} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abadc07c-9990-405a-aa24-2c209b50ae79} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc0655c7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyyyaqp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyyyaqp -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\Kisara\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jherrn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyyyAqP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\PqAyyyxx.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\PqAyyyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vavtqybe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ebyqtvav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfCtsqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Kisara\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smbmngr.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\chpgulem.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loqrnexu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nmlpvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aynwbcip.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwdjqhyn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tmyslebm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temp\ismbar.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temp\stf3AE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temporary Internet Files\Content.IE5\6HD2E1JA\load[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temporary Internet Files\Content.IE5\6HD2E1JA\pipo[1] (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temporary Internet Files\Content.IE5\6HD2E1JA\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temporary Internet Files\Content.IE5\WQ28TWND\CALOU1XN (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temporary Internet Files\Content.IE5\Z6LYU40W\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temporary Internet Files\Content.IE5\Z6LYU40W\load[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Local Settings\Temporary Internet Files\Content.IE5\ZCW16LZD\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Application Data\upd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchstb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack\GrandPack.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Kisara\Application Data\Google\fhexj6825097.exe (Trojan.FakeAlert) -> Delete on reboot.

#6 boopme

  • Global Moderator

Posted 15 December 2008 - 11:47 AM

OK please reboot again, then run Mbam again posting back a new log. After that repair your Java.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

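Why the helper keeps asking for a reboot followed by a fresh scan: every MBAM result line ends in either "Quarantined and deleted successfully" or "Delete on reboot", and the second kind is a DLL the scanner could not remove because it was still mapped into running processes. The SmitFraudFix report above shows one mechanism for that: the AppInit_DLLs value "rroizh.dll jherrn.dll" makes Windows load those libraries into every process that loads user32.dll, and jherrn.dll is exactly one of the files MBAM left as "Delete on reboot". The script below is an added example written for this thread (it is not code from the original posts or from Malwarebytes); it parses the MBAM 1.x log format, lists what is still pending, and cross-checks the pending file names against an AppInit_DLLs value. The SAMPLE_LOG is a constructed subset of the log posted above, and the AppInit_DLLs string is the value from the SmitFraudFix output.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Added example: parser for the "item (Family) -> Action." lines of a
# Malwarebytes' Anti-Malware 1.x log. Not Malwarebytes' own code.
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")


@dataclass
class Detection:
    section: str                 # e.g. "Files Infected"
    item: str                    # file path or registry key/value
    family: str                  # scanner label, e.g. "Trojan.Vundo.H"
    action: str                  # "Delete on reboot" or "Quarantined and deleted successfully"
    data: Optional[str] = None   # registry data, for "-> Data: <value> -> <action>" lines


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per result line, tagged with the section it sits in."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers look like "Files Infected:"; the summary block uses
        # "Files Infected: 29", which does not end with a colon, so it is skipped.
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:
            continue   # scan metadata and summary counts
        rest = m.group("rest")
        data = None
        if rest.startswith("Data: "):
            data, _, rest = rest[len("Data: "):].partition(" -> ")
        detections.append(Detection(section, m.group("item"), m.group("family"), rest, data))
    return detections


def pending_reboot(detections: List[Detection]) -> List[Detection]:
    """Items the scanner could not remove yet; these are why a rescan after reboot is needed."""
    return [d for d in detections if d.action == "Delete on reboot"]


def family_counts(detections: List[Detection]) -> Counter:
    return Counter(d.family for d in detections)


def basename(item: str) -> str:
    return item.rsplit("\\", 1)[-1]


def appinit_overlap(detections: List[Detection], appinit_dlls: str) -> List[str]:
    """DLL names listed in an AppInit_DLLs value that also appear among the detections."""
    listed = {name.lower() for name in appinit_dlls.split()}
    return sorted({basename(d.item).lower() for d in detections
                   if basename(d.item).lower() in listed})


# Constructed subset of the MBAM log posted above (same line format).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1500

Memory Modules Infected: 2
Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\system32\vavtqybe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jherrn.dll (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyyyaqp -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jherrn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\PqAyyyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kisara\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# AppInit_DLLs value as reported by SmitFraudFix above.
APPINIT_DLLS = "rroizh.dll jherrn.dll"

if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("detections by family:", dict(family_counts(dets)))
    for d in pending_reboot(dets):
        print("still pending:", d.section, "-", d.item)
    print("pending DLLs also in AppInit_DLLs:", appinit_overlap(dets, APPINIT_DLLS))
```

Run against the full log the output is the list a helper scans for by eye: anything still "Delete on reboot" has to show up as gone (or as quarantined) in the next log before the machine can be called clean, and a name that also sits in AppInit_DLLs explains why the scanner could not unload it in the first place.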
