
Bleeping computer site is blocked


21 replies to this topic

#1 mark5767

Posted 02 January 2009 - 01:34 PM

I am writing this from my work laptop because my home desktop is infected with rogue antivirus 2008/9 and it won't let me access bleepingcomputer.com to get help!

How can I get the needed software on my machine if it's blocking the website?!?

Help me please!


#2 SteelSlasher

Posted 02 January 2009 - 03:23 PM

I am not an official or anything, but I would suggest using SmitfraudFix http://siri.geekstogo.com/SmitfraudFix.php (download and run and choose option 1)

I would also suggest using MalwareBytesAntiMalware http://malwarebytes.org/mbam.php (download install run quick scan)

After doing the scans some logs will appear. Save them and don't change anything on the desktop; an official may ask for the logs.

#3 rigel

Posted 02 January 2009 - 03:32 PM

After doing the scans some logs will appear. Save them and don't change anything on the desktop; an official may ask for the logs.


Please hold off in running SmitFraudFix. If needed we will run it later.

Try downloading Malwarebytes to your work computer - along with its updates - and then transferring them to your computer using a flash/pen/jump drive. After you download the Malwarebytes installer, rename it to red.com and run the program to see if it will install. If it doesn't, let me know and I will send you further instructions.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 mark5767 (Topic Starter)

Posted 02 January 2009 - 03:55 PM

Thanks for the replies! I earlier ran Smitfraud because I already had it and was desperate. It didn't work.

Malwarebytes seems to have helped a LOT, because I can now access BC.com. That's very nice!

Here's the log.

Prior to the Malwarebytes product, I also ran the ATF Cleaner, and tried to run SAS in safe mode but SAS died on me a few times before completing. Should I run SAS again or "full scan" of the Malwarebytes product? This website is the GREATEST. Thank you!!!

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 2

1/2/2009 2:37:24 PM
mbam-log-2009-01-02 (14-37-24).txt

Scan type: Quick Scan
Objects scanned: 60712
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 40
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 31

Memory Processes Infected:
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\bkrejran.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMgFVpq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
C:\WINDOWS\system32\__c00B6918.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5eef757a-c10c-44b3-95cf-e8cd6cc52b5e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5eef757a-c10c-44b3-95cf-e8cd6cc52b5e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5eef757a-c10c-44b3-95cf-e8cd6cc52b5e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevance.linker (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevance.linker.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{efaf6ea3-615d-4f83-8748-2f7a576fcea6} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e8249e69-a809-4544-832f-64eb65747a92} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1d22e9e4-f771-4b8d-aa68-ba04e8980e07} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a851c98a-6136-4b02-9ec7-22aaf33e7b97} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4b6a86-82e7-4a9e-abb9-3b225bc214a4} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00b6918 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b40d89aa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f351ca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomgfvpq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomgfvpq -> Delete on reboot.

Folders Infected:
C:\Program Files\Gamevance (Adware.Gamevance) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\qoMgFVpq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qpVFgMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qpVFgMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bkrejran.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\narjerkb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ebdsdyxx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxydsdbe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBtTMEx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ggtviblp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaidltowqg.dll (Trojan.Seneka) -> Delete on reboot.
C:\WINDOWS\system32\tuvUKApN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcAPIyw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ieitnz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temp\senekace2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaoqexmuyd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekavtvvdlfh.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaohcrnmhw.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00B6918.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
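The log above is in the plain-text format MBAM 1.x writes, and rigel's note about rebooting hinges on one detail in it: items marked "Delete on reboot" are still on disk until the machine restarts. The following Python is an added example (not Malwarebytes' code and not from any poster) that parses that format, cross-checks the header counts against the listed lines, and lists the items still pending a reboot; the sample log is a constructed excerpt in the same format.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; it is not Malwarebytes' code and not something
any poster supplied.  It reads the log format posted above (header, a block of
"<Category> Infected: N" counts, then one "<Category> Infected:" section per
category whose lines look like "<item> (<detection>) -> <action>.") and
flags the items MBAM could only mark "Delete on reboot": those stay on disk
until the machine is restarted normally, which is why the helper's note
insists on rebooting before posting the log.
"""
import re
from collections import Counter

# Constructed excerpt in the same format as the log posted in the thread
# (a handful of the lines, with the category counts adjusted to match).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 60712
Time elapsed: 4 minute(s), 14 second(s)

Memory Modules Infected: 2
Registry Data Items Infected: 1
Files Infected: 3

Memory Modules Infected:
C:\\WINDOWS\\system32\\bkrejran.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\\Program Files\\Gamevance\\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Notification Packages (Trojan.Vundo.H) -> Data: c:\\windows\\system32\\qomgfvpq -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\qpVFgMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\senekaohcrnmhw.sys (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")          # section heading
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")  # header count line
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return one dict (section, item, name, action) per detection line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:          # still in the header / count block
            continue
        m = ITEM_RE.match(line)
        if m:
            # Registry-data lines carry "Data: ... -> <action>", so take the last arrow.
            action = m.group("rest").rsplit(" -> ", 1)[-1].rstrip(".")
            entries.append({"section": section, "item": m.group("item"),
                            "name": m.group("name"), "action": action})
    return entries


def header_counts(text):
    """The per-category counts MBAM prints above the detail sections."""
    counts = {}
    for raw in text.splitlines():
        m = COUNT_RE.match(raw.strip())
        if m:
            counts[m.group("section")] = int(m.group("n"))
    return counts


def count_mismatches(text):
    """Categories whose header count disagrees with the lines actually listed
    (a sign the log was truncated when pasted)."""
    listed = Counter(e["section"] for e in parse_mbam_log(text))
    return {s: (n, listed.get(s, 0))
            for s, n in header_counts(text).items() if n != listed.get(s, 0)}


def summarise(entries):
    """Counts by malware family (first two dotted parts of the detection name)
    and by the action MBAM took."""
    families = Counter(".".join(e["name"].split(".")[:2]) for e in entries)
    actions = Counter(e["action"] for e in entries)
    return {"families": dict(families), "actions": dict(actions)}


def pending_reboot_items(entries):
    """Items still present until a normal (not safe-mode) reboot completes."""
    return [e["item"] for e in entries if e["action"] == "Delete on reboot"]


def reboot_required(entries):
    return bool(pending_reboot_items(entries))


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(summarise(parsed))
    print("count mismatches:", count_mismatches(SAMPLE_LOG))
    for item in pending_reboot_items(parsed):
        print("pending reboot:", item)
```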

#5 rigel

Posted 02 January 2009 - 04:02 PM

You have a nasty infection...

Please update and rerun Malwarebytes and post a fresh log.

Also, see if you can run SAS now. Please post a log if able.

Thanks,
rigel



#6 mark5767 (Topic Starter)

Posted 02 January 2009 - 04:47 PM

Thanks for your help rigel, things are getting better. Still had random pop ups after the first malwarebytes round, ran another quick scan and here is the fresh log...

Also was able to complete an SAS quick scan in safe mode I will post the log in a separate reply. Thanks!

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 2

1/2/2009 3:11:14 PM
mbam-log-2009-01-02 (15-11-14).txt

Scan type: Quick Scan
Objects scanned: 60936
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the SAS log, thanks!!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/02/2009 at 03:34 PM

Application Version : 4.24.1004

Core Rules Database Version : 3688
Trace Rules Database Version: 1664

Scan type : Quick Scan
Total Scan Time : 00:11:36

Memory items scanned : 192
Memory threats detected : 0
Registry items scanned : 601
Registry threats detected : 14
File items scanned : 26072
File threats detected : 18

Trojan.Smitfraud Variant/IE Anti-Spyware
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034A523-D068-4BE8-A284-9DF278BE776E}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034A523-D068-4BE8-A284-9DF278BE776E}

Adware.Tracking Cookie
C:\Documents and Settings\Mark\Cookies\mark@doubleclick[1].txt
C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ad.yieldmanager[2].txt
C:\Documents and Settings\Mark\Cookies\mark@media.adrevolver[1].txt
C:\Documents and Settings\Mark\Cookies\mark@adrevolver[1].txt
C:\Documents and Settings\Mark\Cookies\mark@advertising[2].txt
C:\Documents and Settings\Mark\Cookies\mark@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\Mark\Cookies\mark@nextag[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Mark\Cookies\mark@tacoda[2].txt
C:\Documents and Settings\Mark\Cookies\mark@atdmt[1].txt
.perf.overture.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\9v2gvpqv.slt\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\9v2gvpqv.slt\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\9v2gvpqv.slt\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\9v2gvpqv.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\9v2gvpqv.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\9v2gvpqv.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\9v2gvpqv.slt\cookies.txt ]

Trojan.Media-Codec/V4
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#E404Helper [ {8bc07666-c3c5-463a-ab8e-89769f3a554d} ]

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid

Rogue.Component/Trace
HKLM\Software\Microsoft\B40D9B24
HKLM\Software\Microsoft\B40D9B24#b40d9b24
HKLM\Software\Microsoft\B40D9B24#Version
HKLM\Software\Microsoft\B40D9B24#b40d36a4
HKLM\Software\Microsoft\B40D9B24#b40d5f41
HKU\S-1-5-21-1978674668-3855844963-2845932803-1005\Software\Microsoft\CS41275
HKU\S-1-5-21-1978674668-3855844963-2845932803-1005\Software\Microsoft\FIAS4018



#7 rigel

Posted 02 January 2009 - 05:36 PM

Glad to hear we are making progress. Now it is time for SmitFraudFix..

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#8 mark5767 (Topic Starter)

Posted 02 January 2009 - 07:05 PM

Thanks for sticking with me rigel! Here is the SmitfraudFix report...

I also ran a complete scan of SAS in safe mode with 9 or so hits and a complete scan of MBAM in normal mode with zero hits. Great work!

SmitFraudFix v2.256

Scan done at 17:57:36.85, Fri 01/02/2009
Run from C:\Documents and Settings\Mark\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wireless Desktop\LgWDskTp.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\EXSHOW95.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Mark


C:\Documents and Settings\Mark\Application Data


Start Menu


C:\DOCUME~1\Mark\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="lbfykn.dll"


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/1000 PM Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 65.41.112.28
DNS Server Search Order: 71.0.1.211

HKLM\SYSTEM\CCS\Services\Tcpip\..\{255EEFE2-31F0-4331-B7E6-907168964869}: DhcpNameServer=65.41.112.28 71.0.1.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{255EEFE2-31F0-4331-B7E6-907168964869}: DhcpNameServer=65.41.112.28 71.0.1.211
HKLM\SYSTEM\CS3\Services\Tcpip\..\{255EEFE2-31F0-4331-B7E6-907168964869}: DhcpNameServer=65.41.112.28 71.0.1.211
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.41.112.28 71.0.1.211
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.41.112.28 71.0.1.211
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=65.41.112.28 71.0.1.211


Scanning for wininet.dll infection


End

#9 PropagandaPanda (Malware Response Team)

Posted 02 January 2009 - 07:24 PM

Hello.

Hope you don't mind me jumping in here, Rigel.
---
Looks much better.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Install Antivirus
From what I see in the SmitFraud fix log, you do not have an antivirus installed. If you do, there is no need to install a new one.

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below:
After installing, update the database, run a full system scan and remove any items found.
Any further symptoms of infection?

With Regards,
The Panda
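The registry fix above is the remedy for the one finding left in the SmitfraudFix report: AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows pointing at lbfykn.dll. As an added example (not SmitfraudFix's, ERUNT's or any poster's code), the Python below parses that section of the report, lists values that should be empty but are not, and produces the same fix.reg text so it can be checked line by line before it is merged; the report excerpt is constructed in the same format as the one posted.

```python
"""Derive the AppInit_DLLs fix from a SmitfraudFix report.

Added example for this thread; it is not SmitfraudFix's, ERUNT's or any
poster's code.  The report above showed
    "AppInit_DLLs"="lbfykn.dll"
under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows.  Any DLL
listed there is loaded into every process that links user32.dll, so a
leftover entry is a persistence point that survives the file clean-up.
The helper's remedy was a fix.reg that blanks the value; this script parses
the report, lists values that should be empty but are not, and writes the
same .reg text, so the file can be checked before it is merged (after the
ERUNT backup).
"""
import re

# Constructed excerpt in the format of the SmitfraudFix report above.
SAMPLE_REPORT = """\
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"="lbfykn.dll"


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"System"=""
"""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Values that are empty on a clean Windows XP install; anything else is suspect.
EXPECTED_EMPTY = {(WINDOWS_KEY, "AppInit_DLLs"), (WINLOGON_KEY, "System")}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                     # [HKEY_...\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')  # "name"="data"


def parse_report_values(text):
    """Map (key, value name) -> data for each "name"="data" line under a [key]."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[(key, m.group("name"))] = m.group("data")
    return values


def suspicious_values(values):
    """Entries that should be empty but carry data (e.g. a DLL name)."""
    return {k: v for k, v in values.items() if k in EXPECTED_EMPTY and v != ""}


def build_fix_reg(values):
    """Return .reg text that blanks every suspicious value, or None if clean.
    Uses CRLF line endings, as Notepad on Windows would write them."""
    bad = suspicious_values(values)
    if not bad:
        return None
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _ in bad}):
        lines.append(f"[{key}]")
        for k, name in sorted(bad):
            if k == key:
                lines.append(f'"{name}"=""')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = parse_report_values(SAMPLE_REPORT)
    for (key, name), data in suspicious_values(found).items():
        print(f"{key}\\{name} = {data!r}  <- should be empty")
    print(build_fix_reg(found) or "nothing to fix")
```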

#10 rigel

Posted 02 January 2009 - 08:11 PM

Not at all... teamwork :thumbsup:

Mark... Panda has the lead. Please follow his guidance and we will both learn.



#11 mark5767 (Topic Starter)

Posted 02 January 2009 - 08:37 PM

Many thanks to Rigel and now to you Panda, I have not had any symptoms of infection that I've noticed since running SAS and MBAM full scans.

I created and ran the fix.reg file and it said "registry updated" or something to that effect. It appeared to work ok.

I ran a full scan with the Avira AntiVir free product, found 11 unwanted files, 1 was SmitfraudFix so I ignored this and quarantined all the others. Here is the report. Thanks again!

Avira AntiVir Personal
Report file date: Friday, January 02, 2009 18:56

Scanning for 1143372 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: MARKSOFFICE

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.1.33 1705984 Bytes 12/24/2008 00:55:24
ANTIVIR2.VDF : 7.1.1.60 318976 Bytes 1/2/2009 00:55:28
ANTIVIR3.VDF : 7.1.1.65 20480 Bytes 1/2/2009 00:55:29
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 1/3/2009 00:55:43
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 1/3/2009 00:55:41
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 1/3/2009 00:55:40
AEHELP.DLL : 8.1.2.0 119159 Bytes 1/3/2009 00:55:33
AEGEN.DLL : 8.1.1.8 323956 Bytes 1/3/2009 00:55:32
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 1/3/2009 00:55:30
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, January 02, 2009 18:56

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'VAIOUpdt.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'lxcgcoms.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'RM_SV.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'VzFw.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'VzCdbSvc.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '1' Module(s) have been scanned
Scan process 'VCSW.exe' - '1' Module(s) have been scanned
Scan process 'VESMgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMceMan.exe' - '1' Module(s) have been scanned
Scan process 'SonicStageMonitoring.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'wdsvc.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'CTSyncU.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'CTCheck.exe' - '1' Module(s) have been scanned
Scan process 'SearchProtection.exe' - '1' Module(s) have been scanned
Scan process 'SansaDispatch.exe' - '1' Module(s) have been scanned
Scan process 'retrorun.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'CFD.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'PDUiP6600DMon.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'SetIcon.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'WDBtnMgr.exe' - '1' Module(s) have been scanned
Scan process 'exshow95.exe' - '1' Module(s) have been scanned
Scan process 'IAANTMon.exe' - '1' Module(s) have been scanned
Scan process 'ezprint.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lxcgmon.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'DISCUpdateMgr.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'DISCover.exe' - '1' Module(s) have been scanned
Scan process 'LgWDskTp.exe' - '1' Module(s) have been scanned
Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
75 processes with 75 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '80' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Mark\Desktop\SmitfraudFix.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\Agent.OMZ.Fix.exe
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[WARNING] The file was ignored!
C:\Documents and Settings\Mark\Desktop\SmitfraudFix\Agent.OMZ.Fix.exe
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '49c3b8e6.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084170.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '498ebd9d.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084171.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '498ebda2.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084173.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '498ebda4.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084175.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '498ebda9.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084177.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '480533da.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084268.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '498ebdab.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084270.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '480533dc.qua'!
C:\System Volume Information\_restore{4F6DA3DD-0BBF-466B-9837-853CA09C0B4E}\RP651\A0084282.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\Agent.OMZ.Fix.exe
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '498ebdac.qua'!
C:\WINDOWS\system32\bgl.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49cabfe1.qua'!


End of the scan: Friday, January 02, 2009 19:31
Used time: 34:06 Minute(s)

The scan has been done completely.

8974 Scanning directories
319453 Files were scanned
11 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
10 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
319440 Files not concerned
7547 Archives were scanned
7 Warnings
10 Notes

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 03 January 2009 - 08:34 AM

Hello.

That looks clean of malware :thumbsup: . Let's get some updating done.

Update Windows Installation
Your Microsoft Windows installation is out of date. Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Please click here to check for and install updates to Windows, and Microsoft applications. If you encounter any problems during the installation, please feel free to ask for help.

The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Reboot and repeat the update process until there are no more updates to install.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java, Java SE Runtime Environment (JRE) 6 Update 11 from this page. Follow the prompts and select the appropriate settings for your machine (most likely "Windows"). Click on the "Required File" to download the installer. Double click the installer to run. Delete the installer after use.

F-Secure Online Scan
If this computer can spare some time, please run F-Secure Online Scanner. If not, then that is not a problem.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#13 mark5767

mark5767
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 03 January 2009 - 02:17 PM

Thanks for your help Panda!

I updated Windows with XP SP3 and all other high priorities and I uninstalled/reinstalled Java as instructed. Here's the report from F-Secure. Found a virus but I'm still not experiencing any noticeable symptoms. Thanks again!!

Scanning Report
Saturday, January 03, 2009 12:18:35 - 13:09:55

Computer name: MARKSOFFICE
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 9 malware found
TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Adrevolver (spyware)

* System

TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Revsci (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Vundo.FBW (virus)

* C:\WINDOWS\SYSTEM32\GYUDBVKH.INI (Submitted)

Statistics
Scanned:

* Files: 47696
* System: 3891
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 9
* Submitted: 1

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_3020785925_131072_26215

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-03
* F-Secure AVP: 7.0.171, 2009-01-02
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 03 January 2009 - 02:28 PM

Hello Mark.

F-Secure just found a leftover file. It is not active.

Click on your start menu - > Run -> Type:
attrib -r -s -h "C:\WINDOWS\SYSTEM32\GYUDBVKH.INI"
You will see a black command prompt window flash open.
Repeat with:
del /q /f "C:\WINDOWS\SYSTEM32\GYUDBVKH.INI"

That should take care of it.

Unless you have other problems at this point, we can wrap up.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
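
The attrib/del step above, as an added batch-file example that is not part of the original post: del is an internal command of cmd.exe, so it only works inside cmd.exe (a .cmd file or cmd /c), which is why typing it straight into Start > Run reports that Windows cannot find 'del'. The path is the one the F-Secure report lists; the existence checks before and after are added here.

```batch
@echo off
rem Added example, not from the original post. Removes the leftover file the
rem F-Secure report flagged: first clear the read-only/system/hidden attributes
rem that would make del refuse the file, then delete it, then confirm it is gone.
rem Save as remove_leftover.cmd and double-click it (or run: cmd /c remove_leftover.cmd).
rem "del" is built into cmd.exe, so it must run from a batch file or "cmd /c",
rem not from the Start > Run box, which only launches executables.
set "TARGET=C:\WINDOWS\SYSTEM32\GYUDBVKH.INI"

rem "if exist" also sees hidden and system files, so this check is reliable
rem even before the attributes are cleared.
if not exist "%TARGET%" (
    echo Nothing to do: "%TARGET%" is not present.
    exit /b 0
)

attrib -r -s -h "%TARGET%"
del /q /f "%TARGET%"

if exist "%TARGET%" (
    echo FAILED: "%TARGET%" still exists. It may be held open by a running
    echo process; retry from Safe Mode and post the result in the thread.
    exit /b 1
)

echo Removed "%TARGET%".
exit /b 0
```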

#15 mark5767

mark5767
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 03 January 2009 - 04:28 PM

Panda, I can't thank you enough for all your help, I am so grateful for you guys!!

I am in pretty good shape now all things considered thanks to the BC crew.

I did get an error message on the second code item you wanted me to run to delete the remnant virus file... "windows cannot find 'del'. Make sure you typed correctly..."

Also my sound card seems to have been disabled which is definitely a problem for me since I use the machine to run Rhapsody more than anything! It won't play any sound file.

The IDT High Definition Audio CODEC cannot start. It searches for hardware and tries to install but eventually errors after seeming to make progress.

It's a Sony VAIO desktop so I think it's just searching for the internal sound card?

Anyway, the whole virus and cleaning process must have mucked it up somehow.

Other than these two items, things seem to be working perfectly. Thank you!

Mark

Edited by mark5767, 03 January 2009 - 04:28 PM.




