Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected Again! Virtumonde and Smitfraud


  • Please log in to reply
10 replies to this topic

#1 CannibalZ3

CannibalZ3

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 04 January 2009 - 02:50 PM

Hey Everybody,
Despite taking precautions, I've somehow become infected with a virus (or several), yet again. When I brought up a popular website, Firefox somehow decided it was a PDF. My AVG Antivirus immidiately noted that I had contracted "Trojan horse Generic 12.AJIT" and "Trojan horse Adload_r.EQ", the latter was quarentined and the former infected. I ran AVG, which came back with two copies of "Trojan horse Downloader Generic 8.LEJ" and a changed registry key, all healed. I then ran AVG again, and it picked up nothing. After this I ran Spybot S&D (which updated to 160), which came back with multiple copies of Virtumonde, SmitfraudC, a few others, and cleaned them all. This morning, after a reboot, uncommanded popups came up on another (ad-free) popular site, so I ran S&D again and it still picked up copies of Virtumonde and Smitfraud, which it claims to have healed. After reading similar BleepingComputer problems I downloaded Malwarebytes, which has so far found 26 infections and is still scanning. I will post the log upon request. EDIT: Upon full scan (29 objects found) and cleansed, then a reboot and rescan, one object found: Trojan Vundo registry key. Please help!

Also, I'd like to say two things: this website is invaluable, the mods here having saved me from nasty infections on two previous occasions. For volunteering your time to help idiots like me, thank you, you guys rock. Second, despite following many of the precautions recommended on this site, I've managed to pick up 4 viruses within as many months - what the hell am I doing wrong?

Edited by CannibalZ3, 04 January 2009 - 03:10 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:04 PM

Posted 04 January 2009 - 03:43 PM

Hello and thank you for those kind words.
Please post the MBAM log.

Next run SmitFraudFix by S!Ri Options 1 and 2. Post that report back,thanks.
The report can be found at the root of the system drive, usually at C:\rapport.txt.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 CannibalZ3

CannibalZ3
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 04 January 2009 - 04:23 PM

MOST RECENT MBAM LOG:

Malwarebytes' Anti-Malware 1.31
Database version: 1612
Windows 5.1.2600 Service Pack 3

1/4/2009 12:10:36 PM
mbam-log-2009-01-04 (12-10-36).txt

Scan type: Quick Scan
Objects scanned: 49813
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



PRE-RESTART MBAM LOG

Malwarebytes' Anti-Malware 1.31
Database version: 1612
Windows 5.1.2600 Service Pack 3

1/4/2009 12:00:43 PM
mbam-log-2009-01-04 (12-00-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 83894
Time elapsed: 22 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbXRLdax.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wvUljJbx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qwktuv.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvuljjbx (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7a9cb513-3c00-44cd-ad99-72c9ff921d23} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7a9cb513-3c00-44cd-ad99-72c9ff921d23} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87daf04c-fa07-4bb6-a5b1-05367aa136a7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87daf04c-fa07-4bb6-a5b1-05367aa136a7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{87daf04c-fa07-4bb6-a5b1-05367aa136a7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxrldax -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxrldax -> Delete on reboot.

Folders Infected:
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wvUljJbx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cbXRLdax.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xadLRXbc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xadLRXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qwktuv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2RD5SL5Z\load[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OO7J1OMH\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TFYA7G09\CAJI69VB (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TTLYA3MG\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6018D7E7-9CC7-4CC4-ABD5-7973CA0DB4C9}\RP35\A0007229.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6018D7E7-9CC7-4CC4-ABD5-7973CA0DB4C9}\RP36\A0007237.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6018D7E7-9CC7-4CC4-ABD5-7973CA0DB4C9}\RP36\A0007295.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv871229907565.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cnpvulbj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ywfelwtc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 CannibalZ3

CannibalZ3
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 04 January 2009 - 04:40 PM

A couple developments upon SmitfraudFix and reboot, on which I will take no action until advised: 1)Windows Security Alerts advises me that automatic updates have been turned off 2)Spybot S&D advises me that the registry entry C:/WINDOWS/system32/blank.htm has been changed to C:/windows/system32/blank.htm. It asks me to allow or deny the change; I'll just let it sit there until you all get back to me. EDIT: Also, the Windows clock has reverted to 24-hour time and playing with the relevant control panel menu doesn't restore it, how can I change that?

SMITFRAUD LOG

SmitFraudFix v2.388

Scan done at 13:30:46.24, Sun 01/04/2009
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Edited by CannibalZ3, 04 January 2009 - 05:12 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:04 PM

Posted 04 January 2009 - 05:17 PM

OK yes, either disable teatimer prior to scans or you have to Yes it to death.
BTW did you reboot atfer that MBan scan as it asked?

Edited by boopme, 04 January 2009 - 05:18 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 CannibalZ3

CannibalZ3
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 04 January 2009 - 05:21 PM

I did indeed reboot immidiately after MBAM scan

Initial symptom is no longer in evidence. Malwarebytes and S&D Search and Destroy now coming up with nothing. Is this thing gone?

Edited by CannibalZ3, 04 January 2009 - 07:21 PM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:04 PM

Posted 04 January 2009 - 07:48 PM

Hello I think we got it but let's get it's remnants so it don't come back. I know that this isn't much fun but neither is a dead PC.. So we'll do these, Need about an hour.
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Now SAS:
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 CannibalZ3

CannibalZ3
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 05 January 2009 - 03:53 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2009 at 00:20 AM

Application Version : 4.24.1004

Core Rules Database Version : 3694
Trace Rules Database Version: 1670

Scan type : Complete Scan
Total Scan Time : 00:30:07

Memory items scanned : 341
Memory threats detected : 0
Registry items scanned : 4764
Registry threats detected : 7
File items scanned : 34735
File threats detected : 1

Rogue.Component/Trace
HKLM\Software\Microsoft\84DB7C17
HKLM\Software\Microsoft\84DB7C17#84db7c17
HKLM\Software\Microsoft\84DB7C17#Version
HKLM\Software\Microsoft\84DB7C17#84dbd197
HKLM\Software\Microsoft\84DB7C17#84dbb872
HKU\S-1-5-21-1202660629-436374069-839522115-500\Software\Microsoft\CS41275
HKU\S-1-5-21-1202660629-436374069-839522115-500\Software\Microsoft\FIAS4018

Trojan.Fake-Alert/Trace
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:04 PM

Posted 05 January 2009 - 12:11 PM

Hah, Thar she blows. I knew it was still there.
Now..that we've got em on the run


Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



Follow with this...in regular mode.
Open MBAM and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot.

Post back the 2 logs and tell me how it's running now,thanks.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 CannibalZ3

CannibalZ3
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 05 January 2009 - 01:36 PM

SDFIX log
SDFix: Version 1.240
Run by Administrator on Mon 01/05/2009 at 09:36

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 09:39:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:50,31,eb,75,e6,cb,2b,a6,e8,60,c3,b9,d8,c8,cf,76,42,53,d6,e9,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a1,42,51,2b,2e,83,07,03,49,90,e3,0f,bf,83,c6,98,27,..
"khjeh"=hex:ad,e5,6a,3e,7d,82,3f,b9,da,7b,5e,ee,70,39,d2,85,26,d5,e4,e7,99,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ad,23,88,63,8e,8c,c0,a9,36,16,fd,c4,0d,a6,46,a7,e1,ad,92,29,a8,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:50,31,eb,75,e6,cb,2b,a6,e8,60,c3,b9,d8,c8,cf,76,42,53,d6,e9,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a1,42,51,2b,2e,83,07,03,49,90,e3,0f,bf,83,c6,98,27,..
"khjeh"=hex:ad,e5,6a,3e,7d,82,3f,b9,da,7b,5e,ee,70,39,d2,85,26,d5,e4,e7,99,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ad,23,88,63,8e,8c,c0,a9,36,16,fd,c4,0d,a6,46,a7,e1,ad,92,29,a8,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"

Finished!



MBAM log
Malwarebytes' Anti-Malware 1.32
Database version: 1618
Windows 5.1.2600 Service Pack 3

1/5/2009 10:16:15 AM
mbam-log-2009-01-05 (10-16-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 83098
Time elapsed: 27 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The scans look good to my inexperienced eyes, but that's why you're the experts - I'll not do anything sensitive until I get your OK. Just let me know the next step and I'll run it.

I've got some future-reference and curiosity questions as well if you've got the chance:
1) Why so many anti-virus programs? Why not use the ultimate weapon (SDFix?) first, or run them all one right after the other?
2) If the viruses are all using known mechanisms, why does one reputable antivirus program pick up these things when others do not?
3) What percentage of viruses are user-passive (just sit there so the user never notices) versus user-active (in which Google redirects, antivirus programs are blocked, etc)?
4) Where do most of these things come from - who writes them, and are they all dedicated to taking information?
5) How often do virus breakthroughs happen - somebody writes something really clever - and how long does it take before they're usually found out?
6) I have Windows Firewall, AVG 8 and Spybot S&D enabled, plus running some other programs from time to time. I avoid infected websites and practice safe email behavior. I download torrents from time to time, and I do my best to make sure they're reputable. What additional steps should I be taking?
7) Your signature mentions one of those programs that uses stray computer cycles for good cause - is there a comprehensive list of reputable ones? How useful are they as compared to, say, time on a supercomputer? Is the process fully utilized - is every project that can really use computational power this way getting it?


Beer is on me if you find yourself in Oregon (EDIT: Pending employment. FŽ*king economy). Your services and answers are much appreciated. Happy New Year, gents.

Edited by CannibalZ3, 05 January 2009 - 01:41 PM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:04 PM

Posted 05 January 2009 - 02:50 PM

BEER!!?? It's fixed :thumbsup:
Kidding but It looks clean now. Any more signs? If not ...

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


1&2) Not all AV's get all 100%. Like specific tools they have a virus signature,database or are geared toward a specific type of infection. running specific tools on a machine that's not infected by it's specialized function can cayse more harm. That's why they not all bundled.
3) Good question, no answer. Only that this type is growing fast.
4 &5)Foreign countries for the most part,Russia and China perhaps the largest producers. Malware writers are after $$. Whether by stealing info or fooling one to buying rogue security applications. Most arrive in the form of attachments and email. P@P and torent dounloads carry bundled malware.
Types of Malware
15 million new malware types discovered in 2008
6) You got it mostly right. I want you to read our Malware chief,quietman7, tips here to answer this. See post #8. P@P and Torrents are extremely hazardous.
http://www.bleepingcomputer.com/forums/t/162087/winprotector-38/
I would add abetter firewall ,say Comodo or ZoneAlarm.. as they provide in and out bound protection,Windows XP wall only monitors in.
7)Known as Distributed computing, it is a method of getting many many PC's to do a job. We at BC use
Folding@home thru stanford University. The BC link.. Folding@home, Distributed Computing At It's Best . We have a very effective team. We become a supercomputer. I don't know if every project is succesful or using it. Our's is fully utilized. we actually have the number1 folder as a BC Advisor!! Thanks for asking about it. If you have more questions on it ask in the Chat forum in the pinned topic.. see Part Deux.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users