
First time virus sufferer


  • This topic is locked
7 replies to this topic

#1 zronin99

Posted 14 December 2008 - 07:04 PM

OK, I was browsing on the internet when my browser suddenly started loading a PDF file I didn't click on or wasn't even near. Of course everything froze and I waited too long to reboot.

After which, whenever I opened a browser I would get attacked by popups and fake virus warnings asking me to download so-and-so program, or Windows Security. It doesn't pop up in Firefox as much, but even if I'm running Firefox it will open IE and bring all the popups from there. Even if I'm not connected it will try this for a little while, even when I don't open a browser. It also takes a long time to delete files.

So I realized I had a problem. I ran AVG Anti-Virus and it found gadcom.exe (Trojan horse agent.AOQC). It said it healed it and needed to reboot, so I did, but I'm still having popup trouble, so I switched computers and looked the file up.

So I found the 8-step Virus/Spyware/Malware Preliminary Removal Instructions, and I'm starting to go through them so I can get some logs up.
One problem so far: I can't disable AVG Anti-Spyware since I'm using the AVG Free edition (v8.0.176) and it doesn't have an option to just disable that function. I found a way to disable the whole Resident Shield; would this do it, or should I just leave things as they are?

I installed and updated both Avira and Comodo, but Avira keeps detecting HEUR/Crypted (C:\WINDOWS\system32\lhtops.dll) and no matter what I do (deny access, ignore or move to quarantine) it keeps coming up. Right now I'm running a system scan with Comodo, and I think Avira is scanning in the background.

I'm adding the events log, but this HEUR thing is now coming up every few seconds, 3 at a time.


I didn't know how to get all the events into one txt file, but they are all the same, so I just put what repeated into separate files and then copied them into one.


All the events are the same for the lhtops.dll and qbjjhpmg.dll files. The second error message concerning the lhtops file normally happens when I try sending it or qbjjhpmg to quarantine. Sorry I couldn't get the same message for it into the log, but it was getting real bad with those messages popping up and I couldn't even shut down without having to just hold down the laptop's power button.

After taking 20 minutes clicking on the detections from Avira I finally shut it down and ran a full system scan with MBA. After rebooting I'm going to boot into safe mode (if I can) and run SUPERAntiSpyware and ATF Cleaner.

EDIT: OK, now my laptop is stuck at the Windows XP screen with that little blue bar going back and forth. Should I just power it off and back on, or continue waiting? Because someone told me that MBA needed to have a normal reboot to get rid of those files that needed a reboot. (Never mind on that part, I'm just shutting it down and bringing it back up in safe mode if I can, because it's been on that screen for more than 45 minutes now. But still, does anyone have any clues from the log?)

Thanks for your time and awaiting your reply.

My log from Avira:

Exported events:

12/14/2008 2:41 [Guard] Malware found
Virus or unwanted program 'EXP/PDF.3355 [exploit]'
detected in file 'C:\Documents and Settings\Owner.YOUR-9552AE6F51\Local Settings\Temp\AcrBA97.tmp.
Action performed: Delete file

Exported events:

12/14/2008 3:28 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\system32\lhtops.dll
Error code: [0x00000005 - Access is denied.].

Exported events:

12/14/2008 3:28 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\system32\qbjjhpmg.dll
Error code: [0x00000005 - Access is denied.].

Exported events:

12/14/2008 3:20 [Guard] Malware found
Virus or unwanted program 'HEUR/Crypted [heuristic]'
detected in file 'C:\WINDOWS\system32\qbjjhpmg.dll.
Action performed: Deny access

Exported events:

12/14/2008 3:28 [Guard] Malware found
Virus or unwanted program 'HEUR/Crypted [heuristic]'
detected in file 'C:\WINDOWS\system32\lhtops.dll.
Action performed: Move file to quarantine


Exported events:

12/14/2008 3:28 [Guard] Malware found
Virus or unwanted program 'HEUR/Crypted [heuristic]'
detected in file 'C:\WINDOWS\system32\qbjjhpmg.dll.
Action performed: Move file to quarantine


My log from MBA:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/14/2008 6:10:51 PM
mbam-log-2008-12-14 (18-10-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 181588
Time elapsed: 1 hour(s), 51 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 9
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcCUkHa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qbjjhpmg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyvvTLE.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lhtops.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvvtle (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e6dbb71c-a388-477d-8db5-0b4a031717d1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e6dbb71c-a388-477d-8db5-0b4a031717d1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e6dbb71c-a388-477d-8db5-0b4a031717d1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccukha -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccukha -> Delete on reboot.

Folders Infected:
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xxyvvTLE.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcCUkHa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aHkUCcdd.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qbjjhpmg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lhtops.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kcabteaw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by zronin99, 14 December 2008 - 07:30 PM.
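Added example for this thread (not code from the poster, Malwarebytes or Avira): a small Python parser for the MBAM 1.x log and the Avira Guard event export above, which correlates the two to show that the files Avira could not act on ("Access is denied") are exactly the in-memory Vundo modules MBAM could only schedule for "Delete on reboot". The embedded log excerpts are trimmed from the logs in this post; the regexes assume the line formats shown there.

```python
# Added example for this thread, not a Malwarebytes or Avira tool: parse the
# MBAM 1.x log and the Avira Guard event export posted above and correlate them
# to show which files were only scheduled for "Delete on reboot" and why.
import re
from collections import defaultdict

# Excerpt of the MBAM log from post #1, trimmed to representative lines.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.31

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 2
Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\system32\qbjjhpmg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lhtops.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvvtle (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\qbjjhpmg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lhtops.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kcabteaw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# Two events from the Avira export in post #1: one failed action, one detection.
AVIRA_EVENTS = r"""12/14/2008 3:28 [Guard] Error detected
Error message: Action failed for file: C:\WINDOWS\system32\lhtops.dll
Error code: [0x00000005 - Access is denied.].

12/14/2008 3:28 [Guard] Malware found
detected in file 'C:\WINDOWS\system32\qbjjhpmg.dll.
Action performed: Move file to quarantine
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<path> (<threat>) -> <action>."; registry data items read "-> Data: ... -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
FAILED_RE = re.compile(r"Action failed for file: (?P<path>.+)$")
DETECT_RE = re.compile(r"detected in file '(?P<path>.+?)\.?$")
CODE_RE = re.compile(r"Error code: \[(?P<code>0x[0-9A-Fa-f]+) - (?P<msg>[^\]]+?)\.?\]")
ACTION_RE = re.compile(r"Action performed: (?P<action>.+)$")

def parse_mbam(text):
    """Return (summary counts, {section: [item dicts]}) for an MBAM 1.x log."""
    summary, items, section = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["name"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["name"]
        elif section and (m := ITEM_RE.match(line)):
            items[section].append({"path": m["path"], "threat": m["threat"],
                                   "action": m["action"].split(" -> ")[-1]})
    return summary, dict(items)

def count_mismatches(summary, items):
    """Summary counts that disagree with the listed items (a truncated paste shows up here)."""
    return [n for n, c in summary.items() if c != len(items.get(n, []))]

def pending_reboot(items):
    """Items MBAM could not remove while Windows was running; they stay live until the reboot completes."""
    return [(s, i["path"]) for s, lst in items.items() for i in lst
            if i["action"] == "Delete on reboot"]

def parse_avira(text):
    """Map each file in an Avira Guard export to the outcomes reported for it."""
    outcomes = defaultdict(set)
    for block in re.split(r"\n\s*\n", text.strip()):
        path = code = msg = action = None
        for line in block.splitlines():
            if m := FAILED_RE.search(line) or DETECT_RE.search(line):
                path = m["path"]
            elif m := CODE_RE.search(line):
                code, msg = m["code"], m["msg"]
            elif m := ACTION_RE.search(line):
                action = m["action"]
        if path:
            outcomes[path].add(f"action failed: {msg} ({code})" if code else action or "unknown")
    return dict(outcomes)

def correlate(items, avira):
    """A DLL loaded as a BHO or Winlogon notify package is mapped into running
    processes, so the on-access scanner cannot quarantine it and MBAM defers it."""
    loaded = {i["path"].lower() for i in items.get("Memory Modules Infected", [])}
    pending = {p.lower() for _, p in pending_reboot(items)}
    return {p: {"avira": sorted(o), "loaded_in_memory": p.lower() in loaded,
                "pending_reboot": p.lower() in pending} for p, o in avira.items()}
```

Running `correlate(parse_mbam(MBAM_LOG)[1], parse_avira(AVIRA_EVENTS))` flags both DLLs as loaded and pending, which is why the detections kept reappearing until a reboot actually completed.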



#2 boopme (Global Moderator)
Posted 14 December 2008 - 09:50 PM

Hello, please open MBAM again and select the Update tab, as it is up to database 1500. Then rescan and post the new log.

Follow with ATF and SAS. Post back the MBAM and SAS logs and tell us how things are now.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 zronin99 (Topic Starter)

Posted 15 December 2008 - 05:21 AM

I had been trying to update MBA, but it seems like my router cut off my computer (I checked my router's web interface from another computer in the house the day my laptop was infected and its security log was spammed with something about some flooding). So I can't get the laptop to connect to the net by wire to my router or wirelessly; I even unplugged both the router and modem for several minutes hoping to reboot them, but still can't connect on that laptop. (If you have any advice here it would be very helpful, or even if you just know where I could ask about this problem :thumbsup: )

So I ran MBA:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/14/2008 6:10:51 PM
mbam-log-2008-12-14 (18-10-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 181588
Time elapsed: 1 hour(s), 51 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 9
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcCUkHa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qbjjhpmg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyvvTLE.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lhtops.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvvtle (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e6dbb71c-a388-477d-8db5-0b4a031717d1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e6dbb71c-a388-477d-8db5-0b4a031717d1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e6dbb71c-a388-477d-8db5-0b4a031717d1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccukha -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccukha

Folders Infected:
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xxyvvTLE.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcCUkHa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aHkUCcdd.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qbjjhpmg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lhtops.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kcabteaw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

When I tried rebooting afterwards it stuck at the Windows XP boot screen for an hour. So I shut down and turned it back on. It booted fine, but to get into safe mode I had to use SAS since for some strange reason my laptop won't normally boot into safe mode.

So I ran ATF then SAS (scan took 6 hours):


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2008 at 03:36 AM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 06:26:52

Memory items scanned : 167
Memory threats detected : 0
Registry items scanned : 7021
Registry threats detected : 5
File items scanned : 130908
File threats detected : 6

Rogue.Component/Trace
HKLM\Software\Microsoft\A050A2A3
HKLM\Software\Microsoft\A050A2A3#a050a2a3
HKLM\Software\Microsoft\A050A2A3#Version
HKLM\Software\Microsoft\A050A2A3#a0500f23
HKLM\Software\Microsoft\A050A2A3#a05066c6

Adware.Tracking Cookie
C:\My Backup -- 06-08-09 0809AM\Documents and Settings\Owner.Yasin\Cookies\owner@acvs.mediaonenetwork[1].txt
C:\My Backup -- 06-08-09 0809AM\Documents and Settings\Owner.Yasin\Cookies\owner@ad.zanox[1].txt
C:\My Backup -- 06-08-09 0809AM\Documents and Settings\Owner.Yasin\Cookies\owner@audit.median[1].txt
C:\My Backup -- 06-08-09 0809AM\Documents and Settings\Owner.Yasin\Cookies\owner@kanoodle[1].txt
C:\My Backup -- 06-08-09 0809AM\Documents and Settings\Owner.Yasin\Cookies\owner@m1.webstats4u[2].txt
C:\My Backup -- 06-08-09 0809AM\Documents and Settings\Owner.Yasin\Cookies\owner@mediaonenetwork[1].txt



Then I booted back into normal Windows and ran HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:13 AM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

****
Everything seems fine now other than my inability to connect to the internet from that laptop, out of the four computers running in my house.
I deleted Comodo, Avira, SAS, HijackThis, ATF and MBA thinking maybe one of them was causing this, but still nothing. (I still have AVG running though.)

So how does my viral status look?

Edited by boopme, 15 December 2008 - 11:52 AM.
Removed HJT log As not allowed in this forum~~boopme


#4 boopme (Global Moderator)

Posted 15 December 2008 - 11:53 AM

Would you try to update MBAM and rescan, please?

#5 zronin99 (Topic Starter)

Posted 15 December 2008 - 02:52 PM

Unless there is some way I can download an updated version of MBA on another computer, I can't, since as I was saying that laptop cannot connect to the internet for some reason.

#6 boopme (Global Moderator)

Posted 15 December 2008 - 03:03 PM

OK, since you do have an HJT log, the best course is to post it here and have them get you through this:
HijackThis Logs and Malware Removal
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

#7 zronin99 (Topic Starter)

Posted 15 December 2008 - 06:58 PM

OK, I added new scans from MBA and HijackThis, and also reinstalled MBA, HijackThis and SAS. When I installed one of these (not sure which one) it put a firewall on my wireless and wired connections. (Posted the logs on the forum you said to.)

I tried connecting both in normal boot and safe mode, however I get the same errors: if I try connecting by wire to the router then it says there was an error "Renewing the IP Address"; this same error happens if I try the repair option.

When I try connecting with the wireless or repairing it, it says "Connection failed!"

These are the same errors I get when none of the above programs are installed, and when they are and have their firewall up.

I added the logs from MBA, which found nothing *wipes brow*, and HijackThis; however I am still faced with the inability to connect to the internet from it. Oh, I also tried connecting to the router's web interface with that computer but it timed out after trying to load it. The network connection shows up in the system tray as "limited or no connectivity".

#8 Orange Blossom (Moderator)

Posted 15 December 2008 - 07:05 PM

Hello zronin99,

Now that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/186838/1st-time-virus-sufferer/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by an HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



