
My father's PC is infected


  • This topic is locked
6 replies to this topic

#1 justplaindave

justplaindave

  • Members
  • 58 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 03 January 2009 - 03:04 AM

Hey all, my father's PC has a major infection. I tried tonight to get him into the forum but he was unable to. Going there next weekend. Anyone have ideas on how to get his PC running well enough to post an HJT log here? This is the log from his Malwarebytes scan.
Malwarebytes' Anti-Malware 1.31
Database version: 1599
Windows 5.0.2195 Service Pack 4

1/1/2009 10:13:51 PM
mbam-log-2009-01-01 (22-13-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 68704
Time elapsed: 38 minute(s), 10 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 9
Registry Data Items Infected: 43
Folders Infected: 9
Files Infected: 108

Memory Processes Infected:
C:\WINNT\system32\ubpr01.exe (Trojan.Zlob) -> No action taken.

Memory Modules Infected:
C:\WINNT\system32\MSx.cpl (Rogue.MSAntivirus) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\x123.x123mgr (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{157bef24-1400-4e89-946a-f29f97d703d3} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{157bef24-1400-4e89-946a-f29f97d703d3} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\x123.x123mgr.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69b98c68-d2b8-4a4e-9cb7-e85b6f3a7014} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Drivers (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Adsl Software Limited (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Live.com (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\qiawpbjj.msdn_hlp (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MSx (Rogue.MSAntivirus) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{e31f5c72-8e0d-4921-8375-9573746c170c} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdert.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24 85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1407fc09-5c6f-4fa5-8ad7-fc2b9dee9fc5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{573b3d6d-e5dc-441e-abab-59df3158e52c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{908f25f4-1112-4b1a-9cb5-eb6262dd3cc4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24 85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1407fc09-5c6f-4fa5-8ad7-fc2b9dee9fc5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{573b3d6d-e5dc-441e-abab-59df3158e52c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{908f25f4-1112-4b1a-9cb5-eb6262dd3cc4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24 85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{1407fc09-5c6f-4fa5-8ad7-fc2b9dee9fc5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{573b3d6d-e5dc-441e-abab-59df3158e52c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{908f25f4-1112-4b1a-9cb5-eb6262dd3cc4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24 85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{1407fc09-5c6f-4fa5-8ad7-fc2b9dee9fc5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{573b3d6d-e5dc-441e-abab-59df3158e52c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{70bdea9a-3102-438a-af0b-972486506991}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{908f25f4-1112-4b1a-9cb5-eb6262dd3cc4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{ac6ff00a-8306-4bd5-bfd2-3122c36f9654}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{e7853698-e718-4b0c-ba0e-6c0b092e3ba3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> No action taken.

Folders Infected:
C:\WINNT\system32\acespy (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\968070 (Trojan.BHO) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007 (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\SAVED (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\DELETED (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\BASE (Rogue.MalWarrior) -> No action taken.

Files Infected:
C:\WINNT\system32\968070\968070.dll (Trojan.BHO) -> No action taken.
C:\Program Files\Applications\iebt.dll (Trojan.Zlob) -> No action taken.
C:\WINNT\system32\1024\ld23AE.tmp (Spyware.OnlineGames) -> No action taken.
C:\Program Files\MSX\MSx.exe (Rogue.MSAntivirus) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.
C:\WINNT\system32\acespy\__acelog.ndx (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\acespy\systune.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\Malwarrior.exe (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\program.ini (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080526230304015.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080527215205640.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080528215451812.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080529133443781.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080529222150015.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080530214512812.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080531104936500.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080531224535437.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080601230551656.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080603214725171.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080604225007265.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080605211755437.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080606215516328.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080607205700296.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080610205935968.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080611064245093.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080612221657531.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080612234331906.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080613183433953.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080615224458953.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080616215727656.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080617220045625.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080619232628046.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\20080620214108343.log (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\Jim\Application Data\Adsl Software Limited\MalWarrior 2007\BASE\vbase.dat (Rogue.MalWarrior) -> No action taken.
C:\WINNT\default.htm (Trojan.Agent) -> No action taken.
C:\WINNT\system32\geebx.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\msole32.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\ESHOPEE.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\wml.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\vxddsk.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\avtmd.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\drivers\users_rating.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\spy_away_header_small.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\spy_away_header.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\spy_away_box_small.jpg (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\secuity_center_logo.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\protect.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\perfect_cleaner_header_small.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\perfect_cleaner_header.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\perfect_cleaner_box_small.jpg (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\logo_bg.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\icon_warning.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\header_bg.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\features.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\download_btn.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\close_icon.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\buy_btn.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\arrow.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\alert_icon.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\5_stars.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\4_stars.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\gtv_sd.bin (Malware.Trace) -> No action taken.
C:\WINNT\system32\fuamfu32.ini (Malware.Trace) -> No action taken.
C:\WINNT\system32\din.ip (Malware.Trace) -> No action taken.
C:\WINNT\system32\rwuwin32.drv (Malware.Trace) -> No action taken.
C:\WINNT\system32\prrbpgbr.sys (Malware.Trace) -> No action taken.
C:\WINNT\system32\jofstvyt.sbin (Malware.Trace) -> No action taken.
C:\WINNT\system32\faxwin32.bin (Malware.Trace) -> No action taken.
C:\WINNT\system32\kr_done1 (Malware.Trace) -> No action taken.
C:\WINNT\system32\ubpr01.exe (Trojan.Zlob) -> No action taken.
C:\Program Files\Applications\iebtm.exe (Trojan.Zlob) -> No action taken.
C:\Program Files\Applications\iebtmm.exe (Trojan.Zlob) -> No action taken.
C:\WINNT\system32\drivers\detect.htm (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\perfect_cleaner_box.jpg (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\pt.htm (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\s_detect.htm (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\spy_away_box.jpg (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\v.gif (Malware.Trace) -> No action taken.
C:\WINNT\system32\drivers\x.gif (Malware.Trace) -> No action taken.
C:\WINNT\764.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\7search.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\acontidialer.txt (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\adbar.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\daxtime.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\dp0.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\eventlowg.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\fhfmm-Uninstaller.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\flt.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\hotporn.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\ie_32.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\jd2002.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\kkcomp$.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\liqad$.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\liqui-Uninstaller.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\ngd.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\pbar.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\spredirect.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\wbeInst$.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\xadbrk_.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\xxxvideo.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\wml.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\vxddsk.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\windows (Rootkit.Agent) -> No action taken.
C:\Program Files\MSX\msx1.dat (Rogue.MSAntivirus) -> No action taken.
C:\Program Files\MSX\MSX.cpl (Rogue.MSAntivirus) -> No action taken.
C:\Program Files\MSX\msx.ooo (Rogue.MSAntivirus) -> No action taken.
C:\WINNT\system32\MSx.cpl (Rogue.MSAntivirus) -> No action taken.
C:\Documents and Settings\Jim\Favorites\Online Security Test.url (Rogue.Link) -> No action taken.

I understand that this is not proper procedure but I have no choice atm. He cannot log onto this website... cannot do anything with any browser. Any advice please? Also tried to download and install Kaspersky... something stopped that from happening.
After having Malwarebytes remove what it can, my father's browsers became useless, and he is unable to get on this site and post.

Edited by justplaindave, 03 January 2009 - 03:10 AM.
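Added example, not from this thread and not Malwarebytes code: a small Python parser for the MBAM 1.x log layout pasted above. It groups detections by family, lists everything still marked "No action taken", and pulls the Tcpip NameServer / DhcpNameServer data items out so the resolver addresses the DNSChanger entries wrote can be compared against the resolvers the machine should really be using. The log embedded in the script is a constructed sample of a few lines in the same layout (one "Quarantined and deleted successfully." action is constructed as well, to show a removed item next to untouched ones), and EXPECTED_RESOLVERS holds a placeholder router address that would be replaced with the real ISP or router resolvers.

```python
"""Triage helper for a Malwarebytes' Anti-Malware (MBAM 1.x) scan log.

Added example: not part of the BleepingComputer thread and not Malwarebytes
code. It parses the section/line layout shown in the thread's log and reports
detections per family, items left at "No action taken", and the resolver
addresses recorded in Tcpip NameServer / DhcpNameServer data items.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the same layout as the thread's log (a few lines only;
# the "Quarantined and deleted successfully." action on one line is constructed
# to show a removed item next to the untouched ones).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1599
Windows 5.0.2195 Service Pack 4

Scan type: Full Scan (C:\|D:\|)
Memory Processes Infected: 1
Registry Data Items Infected: 3
Files Infected: 1

Memory Processes Infected:
C:\WINNT\system32\ubpr01.exe (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdert.exe -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.24 85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1407fc09-5c6f-4fa5-8ad7-fc2b9dee9fc5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.24,85.255.112.139 -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\geebx.dll (Trojan.Vundo) -> No action taken.
"""

# "item (Family.Name)": the family is always the last parenthesised group.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")

# Placeholder: the resolver(s) this machine is supposed to use (router or ISP).
# Replace with the real addresses before trusting the rogue-resolver report.
EXPECTED_RESOLVERS = {"192.168.1.1"}


@dataclass
class Detection:
    section: str        # e.g. "Files Infected"
    item: str           # file path or registry key/value
    family: str         # MBAM classification, e.g. "Trojan.DNSChanger"
    action: str         # trailing action text without the final period
    details: list = field(default_factory=list)  # "Data: ..." / "Bad: ..." parts


def parse_mbam_log(text):
    """Return one Detection per detection line, tracking the section it sits in."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers end with "Infected:"; the summary counts at the top
        # end with a number, so they are not mistaken for headers.
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        if section is None or " -> " not in line:
            continue
        parts = [p.strip() for p in line.split(" -> ")]
        match = DETECTION_RE.match(parts[0])
        if not match:
            continue
        action = parts[-1].rstrip(".")
        detections.append(Detection(section, match["item"], match["family"], action, parts[1:-1]))
    return detections


def family_counts(detections):
    """How many detections each family accounts for."""
    return Counter(d.family for d in detections)


def unremoved(detections):
    """Detections MBAM did not act on (the state shown throughout the thread's log)."""
    return [d for d in detections if d.action.startswith("No action taken")]


def nameserver_values(detections):
    """Map each Tcpip NameServer/DhcpNameServer value to the resolver IPs MBAM recorded."""
    values = {}
    for d in detections:
        if not d.item.endswith(("\\NameServer", "\\DhcpNameServer")):
            continue
        for part in d.details:
            if part.startswith("Data: "):
                # MBAM writes the list space- or comma-separated, as the log shows.
                values[d.item] = re.split(r"[ ,]+", part[len("Data: "):].strip())
    return values


def rogue_resolvers(detections, expected=EXPECTED_RESOLVERS):
    """Resolver IPs outside the expected set, keyed by the registry value carrying them."""
    rogue = {}
    for key, ips in nameserver_values(detections).items():
        bad = [ip for ip in ips if ip not in expected]
        if bad:
            rogue[key] = bad
    return rogue


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for family, n in family_counts(dets).most_common():
        print(f"{n:3d}  {family}")
    print(f"{len(unremoved(dets))} item(s) still marked 'No action taken'")
    for key, ips in rogue_resolvers(dets).items():
        print("unexpected resolver(s)", ips, "in", key)
```

The NameServer check is the part worth keeping around after a cleanup like this one: the DNSChanger resolver addresses are recorded as separate registry data items in the log, so a run that only deletes files (or one that is never followed by the reboot asked for later in the thread) leaves the machine sending every lookup to those addresses.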




#2 Guest_Jay-P VIP_*

Guest_Jay-P VIP_*

  • Guests
  • OFFLINE

Posted 03 January 2009 - 07:47 AM

I recommend that all of those items get removed and that his version of Windows be repaired.

I will give this piece of information, and hope some others will back me up.

Run System File Checker.
Put the XP CD in the drive. Then click Start, then Run, and in the address box type cmd, then click OK. At the command window type:
sfc /scannow then hit Enter.

Windows checks to see if any critical files are damaged. If so, SFC will replace them.

If you have any issues or get prompted to insert the XP Pro CD then go here or PM me.

Edited by Jay-P VIP, 03 January 2009 - 07:48 AM.


#3 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 03 January 2009 - 09:14 AM

No Action Taken


Did you reboot the computer when the scan was finished? It needs to be done to finish the removal process.
-------------------------------------


Open MBAM and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Full Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 justplaindave

justplaindave
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:05:12 PM

Posted 03 January 2009 - 03:57 PM

Yes, he rebooted his PC and from there was unable to figure out what was removed. He cannot send email now and his machine is running worse than it did before the Malwarebytes scan. Also I seem to have forgotten to mention that he is using Windows 2000, and he has no installation CD. I am not real familiar with 2000. I hope that someone could give me some advice as to what apps and/or methods I can use once I am down there to at least get it somewhat functional again. Personally I feel his PC may be beyond hope, but I have to give it a go since, like I said, he has no installation CD.

#5 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:04:12 PM

Posted 03 January 2009 - 06:18 PM

Well, he has a few trojans and a rootkit. Uninstall MBAM, and if you have a thumb drive or you're able to burn a disk, try SAS and see if we can at least get him back online for an HJT log.
Also check to see if he can get into Safe Mode with Networking.
------------------------------

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now SAS, which may need an hour.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by garmanma, 03 January 2009 - 06:19 PM.

Mark

#6 justplaindave

justplaindave
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:05:12 PM

Posted 03 January 2009 - 07:11 PM

Will do sir. Now I will be going down to his place next weekend so it may not be until then before I can get back to folks with any "hopefully" good news. If I get her cleaned up I will post a hjt and SAS and any other relevant logs in the hjt forum from there. Thanks all of you for the great help !!! :thumbsup: I will get back to you asap.

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:12 PM

Posted 11 January 2009 - 01:50 PM

Hello justplaindave,

I see that you have successfully posted your log here: http://www.bleepingcomputer.com/forums/t/194313/dads-hjt-log/ Now that it's posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



