Infected - Virtumondo, Antivirus 2009, Bratsk and buddies


This topic is locked
8 replies to this topic

#1 mach430

Posted 29 December 2008 - 07:01 PM

I've spent the last 24 hours trying to get this off my computer. When it first started, I could not run any antivirus/spyware programs and my online searches were corrupt. Several hours later, I now have control over those, but I can not seem to keep bratsk, zcfsvgvy and bgvovsvk out of my msconfig or registry.

Please help. I'm running XP service pack 3.

Thank you,
Ben


#2 garmanma

Posted 29 December 2008 - 07:43 PM

1. Please print these instructions as they will be needed later when Internet access is not available.

2. Save these instructions in word or notepad to the desktop where they can be easily found.

3. Download Vundo Fix:
http://www.atribune.org/ccount/click.php?id=4
and save it to your desktop.

4. When it has completed downloading, double-click VundoFix.exe to run it.

5. Click the Scan for Vundo button.

6. Once it's done scanning, click the Remove Vundo button.

7. You will now receive a prompt asking if you want to remove the files; click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.

8. When completed, it will prompt that it will shut down your computer; click the OK button.

9. When the computer has shutdown, turn your computer back on.

The WinFixer and Vundo infection should now be removed from your computer.



If you are still having a problem then please perform the following steps:

Note: This step should only be used if the instructions in the previous steps did not remove the infection:

1. Download VirtumundoBegone:
http://www.bleepingcomputer.com/malware-re...%3C%DL2_LNK%%3E

and save it to your desktop.

2. Now reboot into Safe Mode.

   1. This can be done by tapping the F8 key as soon as you start your computer.

   2. You will be brought to a menu where you can choose to boot into safe mode.

   3. Select safe mode with networking using the arrow keys on the keyboard and then press enter.

   4. When your computer reaches the desktop, make sure you log in as the same user with which you performed the previous steps.

3. Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.

4. Exit when it has finished, and reboot back to normal mode.

The WinFixer and Vundo infection should now be removed from your computer.

Edited by garmanma, 29 December 2008 - 07:43 PM.

Mark

#3 mach430

Posted 29 December 2008 - 11:13 PM

Thank you. I was able to take care of the virtumondo prior to running vundofix.exe (which in my case did not originally find it). However, it occasionally returns, which I think may be the result of other infections on my computer. I failed to mention in my previous post that I have also seen SmitFraud (I have run Smitfraudfix and SDFix).

SDFix is what brought back control over the web searches and antivirus/spyware programs. I have since then tried erasing every form of bratsk, bgvovsbk and acfsvgvy from the registry/msconfig but they either return immediately or upon reboot.

My computer is running properly, but w/ those items running in the registry, I'm concerned.

#4 mach430

Posted 29 December 2008 - 11:16 PM

Logfiles from MBAM scans (oldest to most recent):
------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/28/2008 11:57:44 PM
mbam-log-2008-12-28 (23-57-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 171339
Time elapsed: 40 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5467DA96-4133-E0DC-906B-07838681BFB9} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8e3fbde2-7dbd-4040-85d9-29bbc559c129} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8e3fbde2-7dbd-4040-85d9-29bbc559c129} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\winmsg (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{8e3fbde2-7dbd-4040-85d9-29bbc559c129} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\fxahpj\WinMsg.dll (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS4f34.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS4ff0.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS50ca.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5222.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS53c8.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS55db.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS56d5.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS585c.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5b0b.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5d4d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc8dd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSScab2.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nqtwa.bak1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nqtwa.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
-----------------------

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/29/2008 12:05:52 AM
mbam-log-2008-12-29 (00-05-52).txt

Scan type: Quick Scan
Objects scanned: 23486
Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---------------------

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/29/2008 6:29:52 AM
mbam-log-2008-12-29 (06-29-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 171170
Time elapsed: 2 hour(s), 21 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\TDSS4d5f.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5464.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


-------------------

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/29/2008 8:29:07 AM
mbam-log-2008-12-29 (08-29-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 99247
Time elapsed: 1 hour(s), 51 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------

Malwarebytes' Anti-Malware 1.31
Database version: 1568
Windows 5.1.2600 Service Pack 3

12/29/2008 9:45:47 AM
mbam-log-2008-12-29 (09-45-47).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 173342
Time elapsed: 52 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---------------

Malwarebytes' Anti-Malware 1.31
Database version: 1565
Windows 5.1.2600 Service Pack 3

12/29/2008 2:37:02 PM
mbam-log-2008-12-29 (14-37-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 176419
Time elapsed: 50 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8e3fbde2-7dbd-4040-85d9-29bbc559c129} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---------------
Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

12/29/2008 7:36:42 PM
mbam-log-2008-12-29 (19-36-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 172388
Time elapsed: 49 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
----------------
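Added example (not from this thread and not Malwarebytes' own code): a small Python parser for the MBAM 1.31 log format posted above. It pulls the detection lines out of several scans and reports the items that keep coming back after being quarantined (the `Run\brastk` value here), items only scheduled for deletion on reboot (the TDSS driver and DLLs in the first scan), and summary counts that do not match the detail lines. The three sample logs are constructed to mirror the format; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample logs in the MBAM 1.31 text format (headers abridged); the
# third has a summary count that its detail lines do not support.
SAMPLE_LOGS = [r"""Malwarebytes' Anti-Malware 1.31

12/28/2008 11:57:44 PM
mbam-log-2008-12-28 (23-57-44).txt

Scan type: Full Scan (C:\|D:\|)

Registry Values Infected: 2
Files Infected: 1

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\winmsg (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Delete on reboot.
""", r"""Malwarebytes' Anti-Malware 1.31

12/29/2008 12:05:52 AM
mbam-log-2008-12-29 (00-05-52).txt

Scan type: Quick Scan

Registry Values Infected: 0

Registry Values Infected:
(No malicious items detected)
""", r"""Malwarebytes' Anti-Malware 1.31

12/29/2008 7:36:42 PM
mbam-log-2008-12-29 (19-36-42).txt

Scan type: Full Scan (C:\|D:\|)

Registry Values Infected: 2

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""]

# One detection line: "<path or key> (<threat name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")                 # detail header
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")  # count line
TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")

def parse_mbam_log(text):
    """Return timestamp, scan type, summary counts and (section, item, threat, action) tuples."""
    log = {"timestamp": None, "scan_type": None, "summary": {}, "detections": []}
    section = None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if TIMESTAMP_RE.match(line):
            log["timestamp"] = line
        elif line.startswith("Scan type: "):
            log["scan_type"] = line[len("Scan type: "):]
        elif m := SUMMARY_RE.match(line):
            log["summary"][m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := DETECTION_RE.match(line)):
            log["detections"].append((section, m["item"], m["threat"], m["action"]))
    return log

def recurring_items(logs, min_scans=2):
    """Items detected in at least min_scans separate logs: something the scanner
    does not reach is re-creating them after each removal."""
    seen = Counter()
    for log in logs:
        seen.update({item for _, item, _, _ in log["detections"]})
    return {item: n for item, n in seen.items() if n >= min_scans}

def pending_reboot_items(log):
    """Items locked at scan time and only scheduled for deletion on reboot."""
    return [item for _, item, _, action in log["detections"]
            if action.startswith("Delete on reboot")]

def check_summary(log):
    """'X Infected: N' counts that disagree with the detail lines actually present,
    i.e. a log that was truncated or edited when pasted."""
    actual = Counter(section for section, *_ in log["detections"])
    return {s: (n, actual[s]) for s, n in log["summary"].items() if n != actual[s]}

if __name__ == "__main__":
    logs = [parse_mbam_log(t) for t in SAMPLE_LOGS]
    for item, n in sorted(recurring_items(logs).items()):
        print(f"recurs in {n} scans: {item}")
    print("pending reboot in scan 1:", pending_reboot_items(logs[0]))
    print("summary mismatches in scan 3:", check_summary(logs[2]))
```

Feed it the full logs from a thread like this one (in chronological order) and a `Run` value reported removed in every scan stands out immediately as a re-infection rather than a leftover.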

#5 mach430

Posted 30 December 2008 - 12:01 AM

SD Fix log (This was the first program I was able to run, as the others were all blocked by the malware).

SDFix: Version 1.240
Run by Ben on Sun 12/28/2008 at 08:43 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Ben\Desktop\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSStkdu.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSoiqh.dll
Could Not Remove C:\WINDOWS\system32\TDSSbrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSSxfum.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 20:51:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Ben\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\\WINDOWS\\system32\\msiexec.exe"="C:\\WINDOWS\\system32\\msiexec.exe:*:Enabled:Windowsr installer"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\SteamApps\\twirqed@yahoo.com\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\twirqed@yahoo.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\SteamApps\\mach430\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\mach430\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\SteamApps\\mach430\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\mach430\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1141980085\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1141980085\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1141980085\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1141980085\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Steam\\SteamApps\\mach430\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\mach430\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Tremulous\\tremulous.exe"="C:\\Program Files\\Tremulous\\tremulous.exe:*:Enabled:tremulous"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"D:\\setup\\HPZNET01.EXE"="D:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"D:\\setup\\HPONICIFS01.EXE"="D:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\kgiorybn.exe"="C:\\WINDOWS\\system32\\kgi"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Folding@Home Windows SMP Client V1.01\\mpiexec.exe"="C:\\Program Files\\Folding@Home Windows SMP Client V1.01\\mpiexec.exe:*:Enabled:mpiexec"
"C:\\Program Files\\Folding@Home Windows SMP Client V1.01\\smpd.exe"="C:\\Program Files\\Folding@Home Windows SMP Client V1.01\\smpd.exe:*:Enabled:smpd"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSE.tmp\\setup\\HPZnui01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSE.tmp\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSE.tmp\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSE.tmp\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\RpcAgentSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\RpcAgentSrv.exe:*:Enabled:SiSoftware Deployment Agent Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\WNt500x86\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS69A.tmp\\setup\\HPZnui01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS69A.tmp\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS69A.tmp\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS69A.tmp\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5B1.tmp\\setup\\HPZnui01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5B1.tmp\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5B1.tmp\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5B1.tmp\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5E8.tmp\\setup\\HPZnui01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5E8.tmp\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5E8.tmp\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5E8.tmp\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5C.tmp\\setup\\HPZnui01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5C.tmp\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5C.tmp\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS5C.tmp\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS60.tmp\\setup\\HPZnui01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS60.tmp\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS60.tmp\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS60.tmp\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Steam\\SteamApps\\mach430\\age of chivalry\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\mach430\\age of chivalry\\hl2.exe:*:Enabled:hl2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32\TDSSoiqh.dll Found
C:\WINDOWS\system32\TDSSbrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSSxfum.dll Found

File Backups: - C:\DOCUME~1\Ben\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\spybotsd.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 2 Jan 2008 6,519 A.SH. --- "C:\WINDOWS\system32\nqtwa.bak1"
Thu 3 Jan 2008 700,103 A.SH. --- "C:\WINDOWS\system32\nqtwa.bak2"
Wed 6 Aug 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 25 Jun 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Sun 19 Aug 2007 57,344 A.SH. --- "C:\Documents and Settings\Ben\Desktop\100CASIO\SIV2F5.tmp"
Sun 5 Aug 2007 65,536 A.SH. --- "C:\Documents and Settings\Ben\Desktop\100CASIO\SIV379.tmp"
Thu 3 Apr 2008 456 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Tue 24 May 2005 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 24 May 2005 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Sun 27 Jan 2008 0 ...H. --- "C:\Documents and Settings\Ben\Application Data\Microsoft\Word\~WRL0005.tmp"
Fri 7 Sep 2007 0 ...H. --- "C:\Documents and Settings\Ben\Application Data\Microsoft\Word\~WRL2112.tmp"
Fri 7 Sep 2007 0 ...H. --- "C:\Documents and Settings\Ben\Application Data\Microsoft\Word\~WRL2366.tmp"
Wed 26 Jul 2006 0 ...H. --- "C:\Documents and Settings\Ben\Application Data\Microsoft\Word\~WRL3027.tmp"
Wed 26 Jul 2006 0 ...H. --- "C:\Documents and Settings\Ben\Application Data\Microsoft\Word\~WRL3265.tmp"
Sat 27 Oct 2007 857 ...H. --- "C:\Documents and Settings\Ben\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 25 Jun 2005 4,348 A..H. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv1key.bak"
Fri 3 Nov 2006 20 A..H. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 31 Mar 2006 488 A.SH. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

#6 mach430

Posted 30 December 2008 - 01:12 AM

mbam - latest log:
Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

12/29/2008 10:11:59 PM
mbam-log-2008-12-29 (22-11-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 172004
Time elapsed: 50 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 garmanma

Posted 30 December 2008 - 11:16 AM

You've got something stubborn in there.
I would recommend preparing an HJT log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then submit it in the proper forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Good luck
Mark

#8 mach430

Posted 30 December 2008 - 11:37 AM

Done, thank you.

#9 garmanma

Posted 30 December 2008 - 03:19 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.
Mark



