Various viruses all in one, I think


8 replies to this topic

#1 wbrigg (Members, 5 posts)

Posted 26 December 2008 - 09:40 PM

I'm not really sure what virus the laptop I'm trying to clean up (to no avail) has. I'm unable to run AVG; it crashes if I try to run it, and it's unable to update, and Spybot Search & Destroy doesn't seem to be finding anything else. I used something called "regrun2" or "reanimator" too, which got rid of a load of junk also, I think, and I scanned the computer using XoftSpySE too (but I couldn't remove the numerous viruses it found because I had to buy the program to remove things with it). Then I used Malwarebytes' Anti-Malware program, and that got some stuff off too, yet my Google searches are still being hijacked (the status bar thingy at the bottom of the page says things like "waiting for www.copy-book.com" and "waiting for www-search-and-find.com" or "waiting for offsw.com" when the page is loading, and then a page loads which just isn't Google). When offsw.com shows, I get a "reported attack site!" warning and can't browse to the page, and if I turn off the warning thing (in Firefox) then the browser crashes.

It's been this way for about 3 days now; everything I try seems to remove some of the problems, but then more pop up in their place. I tried to run DDS.scr like it says in the "preparation guide", but I get an error: "Windows cannot find 'cmd'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search". I imagine it's just been deleted by a virus.

Please help!

Edited by Orange Blossom, 26 December 2008 - 10:05 PM.
Move from HiJack This forum to Am I Infected as there are no logs. ~ OB



#2 boopme ("To Insanity and Beyond"; Global Moderator, 73,166 posts; NJ USA)

Posted 26 December 2008 - 11:02 PM

Can you post the Malwarebytes log, please.

If possible, try to run this tool (SAS) and post that log also. It will run for an hour or so.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 wbrigg (Topic Starter; Members, 5 posts)

Posted 27 December 2008 - 09:45 AM

I can't find the button to add attachments, so here are the two logs:

MBAM:

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2

26/12/2008 23:20:08
mbam-log-2008-12-26 (23-20-08).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 52583
Time elapsed: 1 hour(s), 15 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\husovetu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tazamuto.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mayunosi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zinefowo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b8ce664-9911-4593-9d0b-a20c178c608a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b8ce664-9911-4593-9d0b-a20c178c608a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0b8ce664-9911-4593-9d0b-a20c178c608a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wegiposaje (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5b8233a0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\zinefowo.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\husovetu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\utevosuh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vazogeya.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tazamuto.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mayunosi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zinefowo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Lynne\Local Settings\Temp\tmp13.tmp (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxcdovdkmu.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\zesigema.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.


and:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/27/2008 at 02:17 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 00:44:32

Memory items scanned : 154
Memory threats detected : 0
Registry items scanned : 3932
Registry threats detected : 53
File items scanned : 14303
File threats detected : 10

Rootkit.Cloaked/Service-GEN
HKLM\system\controlset001\services\msqpdxserv.sys
C:\WINDOWS\SYSTEM32\DRIVERS\MSQPDXEPFWKPAK.SYS
HKLM\system\controlset002\services\msqpdxserv.sys

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL#LT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\spyware+virus+won%27t+allow+me+to+run+spybot+search+and+destroy
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\spyware+virus+won%27t+allow+me+to+run+spybot+search+and+destroy#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\spyware+virus+won%27t+allow+me+to+run+spybot+search+and+destroy#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\spyware+virus+won%27t+allow+me+to+run+spybot+search+and+destroy#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace
HKLM\Software\Microsoft\58B112B2
HKLM\Software\Microsoft\58B112B2#58b112b2
HKLM\Software\Microsoft\58B112B2#Version
HKLM\Software\Microsoft\58B112B2#58b1bf32
HKLM\Software\Microsoft\58B112B2#58b1d6d7

Trojan.Downloader-Gen/Suspicious
C:\DOCUMENTS AND SETTINGS\LYNNE\LOCAL SETTINGS\TEMP\IE29.TMP
C:\DOCUMENTS AND SETTINGS\LYNNE\LOCAL SETTINGS\TEMP\IEC.TMP
C:\DOCUMENTS AND SETTINGS\LYNNE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7AMDD8CO\6000[2].EXE

Trojan.BotNet/Dropper
C:\DOCUMENTS AND SETTINGS\LYNNE\LOCAL SETTINGS\TEMP\TMP12.TMP
C:\DOCUMENTS AND SETTINGS\LYNNE\LOCAL SETTINGS\TEMP\TMP25.TMP

Trojan.SystemDriver
C:\32788R22FWJFW\CREG.DAT

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\JKKHAPNO.DLL

Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\LJJASKKD.DLL

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSMTYE.DAT
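
The registry hits in the MBAM log above are not random: each one is a documented Windows load point, which is why the infection kept coming back after every cleanup. The Python script below is an added example (not code from the thread, from Malwarebytes or from SUPERAntiSpyware) that parses a constructed excerpt in the same line format, labels each registry hit with the autostart mechanism it uses and the process that loads it, and cross-references the "Delete on reboot" entries (files that were in use when scanned) with the entries that load them. The excerpt is a subset of the posted log; the mechanism table and the function names are the example's own.

```python
"""Map Malwarebytes-style log hits to the Windows autostart mechanism they abuse.
Added example, not code from the thread, Malwarebytes or SUPERAntiSpyware; the
excerpt below is constructed in the posted log's line format (a subset of it)."""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\zinefowo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b8ce664-9911-4593-9d0b-a20c178c608a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wegiposaje (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\zinefowo.dll -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\zinefowo.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# Documented Windows load points: (regex over the registry path, mechanism, what loads it).
ASEP_RULES = [
    (r"\\Browser Helper Objects\\", "BHO", "Internet Explorer (and Explorer) on start"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration", "only via another entry that references the CLSID"),
    (r"\\CurrentVersion\\Run\\", "Run key", "every interactive logon"),
    (r"\\SharedTaskScheduler\\", "SharedTaskScheduler", "explorer.exe when the shell starts"),
    (r"\\ShellServiceObjectDelayLoad\\", "SSODL", "explorer.exe when the shell starts"),
    (r"\\Control\\LSA\\Notification Packages", "LSA Notification Packages", "lsass.exe at boot; receives password-change notifications"),
    (r"\\Services\\", "Service or driver", "Service Control Manager at boot"),
]
# One log line: "<path> (<family>) -> <action>" or "... -> Data: <value> -> <action>".
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


@dataclass
class Finding:
    section: str
    path: str
    family: str
    action: str
    data: str = ""        # value of a "Data: ..." item, i.e. the file the entry loads
    mechanism: str = ""
    loaded_by: str = ""

    @property
    def in_use(self):
        # MBAM reports "Delete on reboot" when the file was locked (loaded) at scan time.
        return self.action.startswith("Delete on reboot")


def classify(path):
    for pattern, mechanism, loader in ASEP_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return mechanism, loader
    return "", ""


def parse_mbam(text):
    findings, section = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Infected:"):          # section header, e.g. "Registry Keys Infected:"
            section = line[: -len(" Infected:")]
        elif (m := LINE_RE.match(line)):
            rest, data = m["rest"], ""
            if rest.startswith("Data: "):
                data, _, rest = rest[len("Data: "):].partition(" -> ")
            mechanism, loader = classify(m["path"])
            findings.append(Finding(section, m["path"], m["family"], rest, data, mechanism, loader))
    return findings


def mechanism_summary(findings):
    return Counter(f.mechanism for f in findings if f.mechanism)


def in_use_files(findings):
    return {f.path.lower() for f in findings if f.in_use}


def persistence_for(findings, filename):
    """Autostart entries whose data points at this file (suffix match, case-insensitive)."""
    name = filename.lower()
    return sorted({f.mechanism for f in findings if f.mechanism and f.data.lower().endswith(name)})


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_LOG)
    for f in found:
        if f.mechanism:
            print(f"{f.section:20} {f.mechanism:26} loaded by {f.loaded_by}")
    for path in sorted(in_use_files(found)):
        print(f"in use at scan time: {path}; load points: {persistence_for(found, path)}")
```

The point the output makes is that zinefowo.dll is both a loaded module and the value under LSA\Notification Packages, which lsass.exe loads at boot, so the file and the registry value have to be removed together; a report that lists only files would miss the load point, and a reboot with the file still present puts the DLL straight back into lsass.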

#4 boopme ("To Insanity and Beyond"; Global Moderator, 73,166 posts; NJ USA)

Posted 27 December 2008 - 03:28 PM

Hello, we have found some seriously nasty trojans and rootkits on this PC. I must let you read this before we go on.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#5 wbrigg (Topic Starter; Members, 5 posts)

Posted 27 December 2008 - 05:08 PM

If I were to reformat the computer, would I be able to back up the data already on it? Or would it all have to be discarded?

I.e., could the nasty files have embedded themselves into text files on the computer? Or photos?

#6 wbrigg (Topic Starter; Members, 5 posts)

Posted 27 December 2008 - 05:12 PM

Also, is it possible to find out when and how this infection came about?

#7 boopme ("To Insanity and Beyond"; Global Moderator, 73,166 posts; NJ USA)

Posted 27 December 2008 - 10:10 PM

Yes, you can back up those files. Most are safe. You could even then scan that location once it is all separate.

Finding the exact date is difficult to say.

#8 wbrigg (Topic Starter; Members, 5 posts)

Posted 28 December 2008 - 05:47 AM

So once the backup is done, it is relatively safe to use? Is this because the computer isn't booting from the backup?


And should I use the two programs you sent me to scan the backed-up data and then send it back to you guys to tell me if it's infected?

#9 boopme ("To Insanity and Beyond"; Global Moderator, 73,166 posts; NJ USA)

Posted 28 December 2008 - 04:20 PM

Yes and yes. Please just name those logs "2nd drive" so I don't get confused, thanks.
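
On the back-up question in the last few posts (can malware hide in text files or photos, and should the copied data be scanned): a plain text file or a photo does not run by itself, so the practical risks in a data copy are an executable given a harmless-looking name, a double extension such as photo.jpg.exe, and an autorun.inf that launches something when the drive is connected. The Python script below is an added example, not code from the thread or from either scanner; it walks a backup tree, compares each file's leading bytes with what its extension claims, and lists what should not be copied blindly. It uses only the standard library, and build_sample_backup() writes a constructed tree with made-up file names so it runs offline.

```python
"""Triage a data backup taken from an infected PC before it touches a clean one.
Added example, not code from the thread or from either scanner. The sample tree
written by build_sample_backup() is constructed; its file names are made up."""
import tempfile
from pathlib import Path

# Extensions Windows will run or load as code (binaries, scripts, shortcuts).
EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".sys", ".com", ".pif", ".cpl",
                  ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Leading bytes of common data formats, checked against the claimed extension.
MAGIC = [(b"MZ", "pe"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
            ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".txt": "text"}
TEXT_BYTES = set(range(0x20, 0x7f)) | {0x09, 0x0a, 0x0d}


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes: a known magic, plain text, or unknown."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "text" if all(b in TEXT_BYTES for b in head) else "unknown"


def triage_backup(root):
    """Return sorted (relative path, reason) pairs for files not to copy blindly."""
    root = Path(root)
    flagged = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        with open(path, "rb") as fh:
            kind = sniff(fh.read(16))
        if path.name.lower() == "autorun.inf":
            flagged.append((rel, "launcher: autorun.inf runs on insertion; do not copy"))
        elif ext in EXECUTABLE_EXT:
            flagged.append((rel, "executable: reinstall from a trusted source instead"))
        elif kind == "pe":
            flagged.append((rel, f"disguised executable: PE header inside a {ext or 'no-extension'} file"))
        elif ext in EXPECTED and kind != EXPECTED[ext]:
            flagged.append((rel, f"content/extension mismatch: looks like {kind}, named {ext}"))
    return sorted(flagged)


def build_sample_backup() -> str:
    """Write a constructed backup tree into a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    samples = {
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,   # real JPEG header
        "photos/party.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",                   # double extension
        "notes/todo.txt": b"buy milk\ncall the bank\n",
        "docs/readme.txt": b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00",              # PE renamed to .txt
        "docs/report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "autorun.inf": b"[autorun]\nopen=photos\\party.jpg.exe\n",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    for rel, reason in triage_backup(build_sample_backup()):
        print(f"{rel:24} {reason}")
```

This is a first pass, not a substitute for the scan the moderator asks for: a genuine JPEG or PDF can still carry an exploit for a bug in the program that opens it, and a header check cannot see that. Leave the flagged files behind, copy the rest to a separate drive, and scan that drive with the same tools before opening anything from it.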



