Infected with Vundo & others


This topic is locked. 14 replies to this topic.

#1 kahzti (Members, 13 posts)

Posted 27 December 2008 - 02:03 PM

About a week ago our family computer (running Windows XP) became unusable, running extremely slowly before crashing, with the internet only opening pop-ups.

I have run AVG Anti-Virus, Spybot Search & Destroy, and Malwarebytes' Anti-Malware, both in 'Normal' and in 'Safe' modes. Each of these scans has found several Trojans / Malware which they apparently removed, including Trojan.Vundo, FakeAlert and "Malware.Trace".

I was also advised by a friend to run Combofix, which doesn't appear to have done anything.

Currently Spybot is finding 3 occurrences of "Win32.Agent.pz" every time it is run, and Malwarebytes shows "Malware.Trace" each time it's run, even though I choose to "fix problems" after scanning with both programmes.

AVG Virus Vault currently contains the following Trojans: Agent.AHAR, Agent.AKYE, Agent.AHAS, SHeur2.GKI, BackDoor.Generic10.XPT, Generic12.ACIM and FakeAlert.AF.

Malwarebytes Quarantine shows 5 occurrences of Trojan.Vundo, all in the System Restore folder. I have already reset System Restore, run a virus scan and switched it back on.

Other current symptoms are slow operation (for example it takes a minimum of two minutes for an Internet Explorer window to open after clicking on the shortcut), my Windows Firewall being disabled each time the computer is started, and something which is trying to connect to the internet all the time.

I have tried to run the DDS.scr utility, but it takes 5 mins to display the black information window, and I have waited 30 mins without the log report text file appearing.

Please help me! My computer is needed to work from home.

Thanks

Edited by Orange Blossom, 27 December 2008 - 02:07 PM.
Move from HiJack This forum to Am I Infected as there are no logs. ~ OB




#2 boopme (Global Moderator, 73,338 posts, NJ USA)

Posted 27 December 2008 - 11:08 PM

Hello, please post for me the MBAM log file.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 kahzti (Topic Starter, Members, 13 posts)

Posted 28 December 2008 - 03:54 AM

Here is the report from the MBAM scan I just ran:

Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

2008-12-28 08:37:44
mbam-log-2008-12-28 (08-37-44).txt

Scan type: Quick Scan
Objects scanned: 66712
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Below are the results of my initial MBAM scan a few days ago:

Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

24/12/2008 00:10:00
mbam-log-2008-12-24 (00-10-00).txt

Scan type: Quick Scan
Objects scanned: 68058
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf915ce9-02a7-4abe-847c-4ccd4ab3488a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf915ce9-02a7-4abe-847c-4ccd4ab3488a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\likivofuju (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9cab41ab (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\punibuya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Please note, neither of the above show the items that Spybot is reporting. Thanks for your help!

#4 boopme (Global Moderator, 73,338 posts, NJ USA)

Posted 28 December 2008 - 03:58 PM

Hi, Vundo is a stubborn item to remove, so let's do a few more things to be sure it's out. Post back 2 logs.

Run ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now SAS..this can take an hour
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Finally one more MBAM..
Open MBAM and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new log and reboot.

#5 kahzti (Topic Starter, Members, 13 posts)

Posted 28 December 2008 - 06:46 PM

Hi,

I downloaded ATF - it ran OK.

I downloaded SAS, but every time I double-click on the icon I get the following error message:

WINDOWS INSTALLER:
"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

NB: I was not in safe mode at the time.

Please advise on the next step I should take.

Thanks for your time & advice.

#6 boopme (Global Moderator, 73,338 posts, NJ USA)

Posted 28 December 2008 - 07:53 PM

Hi, there's a good chance the Installer has become corrupt or is running twice.
Try this. Open Task Manager: press Ctrl + Alt + Del and select Task Manager.
Select the Processes tab.
If any of the below show, then on each one
click on it (highlight it) and press End Task.
Then try installing SAS again.

setup.exe
isetup.exe
ikernel.exe
msiexec.exe
idriver.exe
IsUninst.exe
IsUn16.exe
Uninst.exe
Uninst16.exe

#7 kahzti (Topic Starter, Members, 13 posts)

Posted 29 December 2008 - 06:16 AM

Hi

I managed to get SAS running by installing just after restarting.

I ran the scan - results below:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/29/2008 at 07:14 AM

Application Version : 4.23.1006

Core Rules Database Version : 3687
Trace Rules Database Version: 1663

Scan type : Complete Scan
Total Scan Time : 07:02:51

Memory items scanned : 194
Memory threats detected : 0
Registry items scanned : 7698
Registry threats detected : 0
File items scanned : 153591
File threats detected : 72

Adware.Tracking Cookie
.122.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.122.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.247realmedia.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.accountancyagejobs.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.adopt.hbmediapro.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.adserver.adremedy.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.adserver.adremedy.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.adtech.de [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.adtech.de [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.aoluk.122.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.divx.112.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.keywordmax.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.overture.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.overture.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.perf.overture.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.reduxads.valuead.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.reduxads.valuead.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.reduxads.valuead.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.reduxads.valuead.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.reduxads.valuead.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.roiservice.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.rotator.adjuggler.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.rotator.adjuggler.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.stats.cdrinfo.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.uk.sitestat.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.uk.sitestat.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.uk.sitestat.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.uk.sitestat.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.uk.sitestat.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
.yourmedia.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]
www.accountancyagejobs.com [ C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\23uh6ukh.default\cookies.txt ]



I ran MBAM as instructed. It found the usual item - report below

I also ran Spybot S&D, and it too found the usual three items (plus one new item - "Doubleclick"). I have copied the results below:

Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID

DoubleClick: Tracking cookie (Internet Explorer: Family) (Cookie, nothing done)




My computer is still just as bad. When I tried to open the txt files to copy the logs, it took 3 mins for Notepad to open. Windows Firewall is being turned off all the time, and something is still trying to connect to the internet.

Thanks again for your time. Help desperately needed!
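As an added example (not part of either post, and not code from Malwarebytes or Spybot), the script below parses the MBAM 1.x log format pasted in post #3 and the Spybot S&D result lines pasted in post #7, checks that each MBAM header count agrees with the items actually listed under that section, and normalises the registry paths so the two tools' detections can be compared side by side. The sample input is constructed (abridged) from the entries quoted in this thread; the Spybot parser assumes, as in the pasted output, that the registry path is printed on the line after each registry detection.

```python
"""Cross-check MBAM 1.x log entries against Spybot S&D result lines.

Added illustration for this thread: the samples are constructed (abridged)
from the logs pasted in posts #3 and #7; the parsers are not either tool's code.
"""
import re
from collections import defaultdict

# Constructed sample: abridged from the 24/12/2008 MBAM log in post #3.
MBAM_LOG = r"""
Registry Keys Infected: 4
Registry Values Infected: 3
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf915ce9-02a7-4abe-847c-4ccd4ab3488a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf915ce9-02a7-4abe-847c-4ccd4ab3488a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\likivofuju (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9cab41ab (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\punibuya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Constructed sample: the Spybot S&D lines from post #7.
SPYBOT_OUTPUT = r"""
Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID

DoubleClick: Tracking cookie (Internet Explorer: Family) (Cookie, nothing done)
"""

# "Registry Keys Infected: 4" is a summary line; "Registry Keys Infected:" opens a detail section
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?\s*$")
# MBAM detail line: "<path> (<family>) -> <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Spybot line: "<family>: <description> (<kind>, <action>)"
SPYBOT_RE = re.compile(r"^(?P<family>[^:]+): (?P<desc>.+) \((?P<kind>[^,()]+), (?P<action>[^)]+)\)$")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU"}


def parse_mbam(text):
    """Return (summary, details): summary maps section name -> header count,
    details maps section name -> list of (path, family, action) tuples."""
    summary, details, current = {}, defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec and sec.group("count") is not None:
            summary[sec.group("name")] = int(sec.group("count"))
            current = None
        elif sec:
            current = sec.group("name")
        elif current and line and not line.startswith("(No malicious"):
            item = ITEM_RE.match(line)
            if item:
                details[current].append(item.group("path", "family", "action"))
    return summary, dict(details)


def check_counts(summary, details):
    """Sections whose header count disagrees with the items actually listed."""
    return {sec: (n, len(details.get(sec, []))) for sec, n in summary.items()
            if n != len(details.get(sec, []))}


def parse_spybot(text):
    """Return a list of detections; registry detections carry the path that
    Spybot prints on the following line (assumed from the pasted output)."""
    lines = [l.strip() for l in text.splitlines()]
    items, i = [], 0
    while i < len(lines):
        m = SPYBOT_RE.match(lines[i])
        i += 1
        if not m:
            continue
        item = m.groupdict()
        item["path"] = None
        if item["kind"].startswith("Registry") and i < len(lines) and lines[i]:
            item["path"] = lines[i]
            i += 1
        items.append(item)
    return items


def norm_reg(path):
    """Canonical form for comparison: short hive name, case folded
    (the Windows registry is case-insensitive)."""
    hive, _, rest = path.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def compare_registry(details, spybot_items):
    """Return (flagged by both, MBAM only, Spybot only) as normalised paths."""
    mbam = {norm_reg(p) for sec, rows in details.items()
            if sec.startswith("Registry") for p, _, _ in rows}
    spy = {norm_reg(it["path"]) for it in spybot_items if it["path"]}
    return mbam & spy, mbam - spy, spy - mbam


if __name__ == "__main__":
    summary, details = parse_mbam(MBAM_LOG)
    print("MBAM count mismatches:", check_counts(summary, details) or "none")
    both, mbam_only, spy_only = compare_registry(details, parse_spybot(SPYBOT_OUTPUT))
    print("flagged by both tools:", *sorted(both), sep="\n  ")
    print("Spybot only:", *sorted(spy_only), sep="\n  ")
```

Run as a script, it reports no count mismatches for the sample, lists the HKLM `...\Network\UID` value as the one registry entry both tools flag, and lists the two HKEY_USERS\S-1-5-19 and S-1-5-20 entries as Spybot-only. Those SIDs are the well-known LocalService and NetworkService accounts, so the Spybot-only items are the same value name under two service-account hives that the MBAM logs never mention; comparing normalised paths rather than raw strings is what makes that gap visible.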

#8 boopme (Global Moderator, 73,338 posts, NJ USA)

Posted 29 December 2008 - 01:38 PM

Darn! Something is protecting this malware, like a driver or service. We'll need to post a log in the Hijack forum.
Please follow these instructions.
Preparation Guide For Use Before Using Hijackthis

#9 kahzti (Topic Starter, Members, 13 posts)

Posted 29 December 2008 - 02:00 PM

Your link instructs me to run DDS to get a log, which takes me back to my original post:

I have tried to run the DDS.scr utility, but it takes 5 mins to display the black information window, and I have waited 30 mins without the log report text file appearing.

Any suggestions to get DDS to run? Should I try it in Safe mode? Are there any processes I can stop to get DDS to run?

I have tried several times, and never gotten past the information screen. It says it should take 3 mins, but it takes me longer than that just to get the window open!

Thanks

#10 boopme (Global Moderator, 73,338 posts, NJ USA)

Posted 29 December 2008 - 02:22 PM

Ok.. Thought we could run it now? Let's see what SDFix pulls out.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#11 kahzti (Topic Starter, Members, 13 posts)

Posted 29 December 2008 - 05:53 PM

Hi

I ran SDFix. I almost gave up - it said it takes approx 20 mins, but it actually took 2 hours.

Is it worth trying DDS again and just leaving it to run overnight? I only left it for about half an hour (it says it should take three mins).

I hope I ran SDFix correctly. You said to disable antivirus programmes, but as I ran the scan in safe mode I couldn't turn off AVG / Spybot.

SDFix log below:


SDFix: Version 1.240
Run by Family on 2008-12-29 at 21:49

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 22:37:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"="C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe:*:Enabled:PowerCinema"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Games\\Battlefield 2 Demo\\BF2.exe"="C:\\Program Files\\Games\\Battlefield 2 Demo\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Games\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\Games\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Games\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Games\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Games\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"="C:\\Program Files\\Games\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe:*:Enabled:Unreal Tournament 3 Demo"
"C:\\Program Files\\Games\\Painkiller Overdose Demo\\Bin\\OverdoseDemo.exe"="C:\\Program Files\\Games\\Painkiller Overdose Demo\\Bin\\OverdoseDemo.exe:*:Enabled:Painkiller Overdose Demo"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Games\\Enemy Territory - QUAKE Wars Demo\\etqw.exe"="C:\\Program Files\\Games\\Enemy Territory - QUAKE Wars Demo\\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars™ Demo"
"C:\\Program Files\\Games\\Enemy Territory - QUAKE Wars Demo\\etqwded.exe"="C:\\Program Files\\Games\\Enemy Territory - QUAKE Wars Demo\\etqwded.exe:*:Enabled:etqwded.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"="C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.1"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Games\\Football Manager 2009\\fm.exe"="C:\\Program Files\\Games\\Football Manager 2009\\fm.exe:*:Enabled:Football Manager 2009"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sat 16 Sep 2006 209 A.SHR --- "C:\BOOT.BAK"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 20 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 23 Mar 2008 81,920 ...H. --- "C:\Documents and Settings\Family\My Documents\~WRL0004.tmp"
Tue 9 Dec 2008 7,829,056 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Sun 19 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 3 Apr 2003 82,944 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL0180.tmp"
Thu 3 Apr 2003 82,432 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL0806.tmp"
Thu 3 Apr 2003 89,600 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL1204.tmp"
Thu 3 Apr 2003 92,672 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL1753.tmp"
Thu 3 Apr 2003 88,576 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL1890.tmp"
Thu 3 Apr 2003 88,064 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL1997.tmp"
Thu 3 Apr 2003 86,016 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL2517.tmp"
Thu 3 Apr 2003 86,528 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL2963.tmp"
Thu 3 Apr 2003 76,288 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL3366.tmp"
Thu 3 Apr 2003 83,968 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL3607.tmp"
Thu 3 Apr 2003 85,504 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\~WRL4040.tmp"
Sun 18 Nov 2007 1,301 ...HR --- "C:\Documents and Settings\Family\Application Data\SecuROM\UserData\securom_v7_01.bak"
Mon 3 Mar 2003 4,348 A..H. --- "C:\Documents and Settings\Family\My Documents\My Music\License Backup\drmv1key.bak"
Sun 5 Dec 2004 20 A..H. --- "C:\Documents and Settings\Family\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 5 Dec 2004 488 A..H. --- "C:\Documents and Settings\Family\My Documents\My Music\License Backup\drmv2key.bak"
Sun 5 Dec 2004 1,536 A..H. --- "C:\Documents and Settings\Family\My Documents\My Music\License Backup\drmv2lic.bak"
Thu 20 Feb 2003 26,624 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\University\~WRL0328.tmp"
Thu 20 Feb 2003 28,672 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\University\~WRL2197.tmp"
Thu 20 Feb 2003 28,672 A..H. --- "C:\Documents and Settings\Family\My Documents\Nathalie\University\~WRL2477.tmp"
Tue 4 Dec 2001 22,016 A..H. --- "C:\Documents and Settings\Family\My Documents\University\Labour Economics\~WRL0300.tmp"
Tue 4 Dec 2001 20,992 A..H. --- "C:\Documents and Settings\Family\My Documents\University\Labour Economics\~WRL1647.tmp"
Tue 4 Dec 2001 19,456 A..H. --- "C:\Documents and Settings\Family\My Documents\University\Labour Economics\~WRL1988.tmp"
Wed 27 Sep 2006 8,043,272 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a48ab74d9334b1044aceb519ba7fec62\BIT4A.tmp"

Finished!

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:37 PM

Posted 29 December 2008 - 08:00 PM

First please do this and then you can try DDS. How is the PC running now? Is this an old PC by chance?

Next: Open MBAM and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot.
How do I get help? Who is helping me? | For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... | Become a BleepingComputer fan: Facebook

#13 kahzti

kahzti
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:37 PM

Posted 30 December 2008 - 02:54 AM

PC is only 2 years old, with fairly good specs. It was running perfectly before it came under attack! Now it is so slow that it is unusable, and hangs often.

MBAM log below, same results as before:


Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

2008-12-30 07:51:09
mbam-log-2008-12-30 (07-51-09).txt

Scan type: Quick Scan
Objects scanned: 67344
Time elapsed: 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 kahzti

kahzti
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:37 PM

Posted 30 December 2008 - 03:12 AM

I managed to get DDS to run - I ran it as Windows was starting up after a Reboot (when all the programmes were loading).

I have started a new post in the Hijackthis Logs Thread.

Thanks for all your time & help.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:37 PM

Posted 30 December 2008 - 10:20 AM

Great news, I am so glad we got there. The BC HJT team will take care of the rest and have that machine humming soon.... You're welcome.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me? | For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... | Become a BleepingComputer fan: Facebook
