
Troj/Agent-IOV/PDFJs-G/Virtumonde Gen.



#1 tjdavis

Posted 17 January 2009 - 02:02 AM

Troj/Agent-IOV
PDFJs-G
Virtumonde Generic

My computer hasn't shown really any problems due to these viruses yet, except for maybe being a little slower than normal. I've run Webroot SpySweeper a couple of times trying to get rid of these, but it says the quarantine fails. Spybot S&D doesn't even seem to pick them up. I've had a problem with Virtumonde in the past, and thankfully, someone on this website managed to help me get rid of this problem before it got too bad. Thanks for your time in advance.

#2 Guest_superbird_*

Posted 17 January 2009 - 04:30 AM

Hi,

Welcome here. :thumbsup:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 tjdavis

Posted 17 January 2009 - 02:58 PM

Thanks!

Malwarebytes' Anti-Malware 1.33
Database version: 1663
Windows 5.1.2600 Service Pack 2

1/17/2009 11:58:11 AM
mbam-log-2009-01-17 (11-58-11).txt

Scan type: Quick Scan
Objects scanned: 65583
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Tiffany\Local Settings\Temporary Internet Files\Content.IE5\41QN0PY3\load[1].exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tiffany\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\load[1].exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tiffany\Local Settings\Temporary Internet Files\Content.IE5\8DOTYBKX\load[1].exe (Trojan.Waledac) -> Quarantined and deleted successfully.
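The log above follows the fixed MBAM layout (summary counts, then one block per category, each entry as "item (Detection) -> action."). The parser below is an added illustration, not code from the thread or from Malwarebytes: it extracts the entries, lists the distinct detection names, and cross-checks the summary counts against what is actually listed, which is the first thing to verify when a log has been pasted by hand. The excerpt is constructed (two of the three Trojan.Waledac hits) and all function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the MBAM log above: the summary
# counts first, then one block per category (two of the three hits kept).
MBAM_EXCERPT = r"""Memory Processes Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Tiffany\Local Settings\Temporary Internet Files\Content.IE5\41QN0PY3\load[1].exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tiffany\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\load[1].exe (Trojan.Waledac) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<Detection.Name>) -> <action>."; the item may contain spaces and [n].
ITEM = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam(text):
    """Return (summary counts, {section: [(item, detection, action), ...]})."""
    counts, items, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        m = SUMMARY.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
            continue
        m = HEADER.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM.match(line) if section else None
        if m:
            items[section].append((m["item"], m["detection"], m["action"]))
    return counts, dict(items)

def count_mismatches(text):
    """Sections whose summary count disagrees with the entries listed under
    them, as {section: (claimed, listed)}; an empty dict means consistent."""
    counts, items = parse_mbam(text)
    return {s: (n, len(items.get(s, []))) for s, n in counts.items()
            if n != len(items.get(s, []))}

def detections(text):
    """Distinct detection names in the log, e.g. ['Trojan.Waledac']."""
    _, items = parse_mbam(text)
    return sorted({d for entries in items.values() for _, d, _ in entries})
```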

#4 Guest_superbird_*

Posted 17 January 2009 - 02:59 PM

Hi,

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Screenshots: the Scan is completed window and the Save Report As button]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#5 tjdavis

Posted 17 January 2009 - 03:47 PM

I tried to download it, but it took a very long time. When it finally finished, it wouldn't let me scan and it didn't put an icon on my desktop or anything like that.

#6 Guest_superbird_*

Posted 17 January 2009 - 03:51 PM

Hi,

Download: zoek.exe
Start it; a logfile will open after a while.
Post the contents of that logfile in your next reply. :thumbsup:

#7 tjdavis

Posted 17 January 2009 - 03:54 PM

======C:\WINDOWS====
----a-w 0 2009-01-17 19:30:46 C:\WINDOWS\0.log
--s-a-w 2,048 2009-01-17 19:29:02 C:\WINDOWS\bootstat.dat
----a-w 641 2008-12-17 09:25:03 C:\WINDOWS\DtcInstall.log
----a-w 519,919 2008-12-17 09:25:07 C:\WINDOWS\iis6.log
----a-w 2,838 2008-12-25 07:45:58 C:\WINDOWS\machine.ver
----a-w 4,050 2009-01-17 19:30:39 C:\WINDOWS\ModemLog_TOSHIBA Software Modem.txt
----a-w 426,226 2009-01-16 18:02:57 C:\WINDOWS\ntbtlog.txt
----a-w 1,868 2009-01-03 20:42:38 C:\WINDOWS\OEWABLog.txt
----a-w 1,409 2008-12-29 06:43:00 C:\WINDOWS\QTFont.for
---ha-w 54,156 2008-12-29 06:43:00 C:\WINDOWS\QTFont.qfn
----a-w 4,804 2008-12-17 09:23:41 C:\WINDOWS\regopt.log
----a-w 22,862 2009-01-17 07:12:04 C:\WINDOWS\SchedLgU.Txt
----a-w 3,939 2008-12-17 09:25:11 C:\WINDOWS\sessmgr.setup.log
----a-w 350,030 2008-12-17 09:28:53 C:\WINDOWS\setupact.log
----a-w 569,312 2009-01-15 03:35:52 C:\WINDOWS\setupapi.log
----a-w 1,062,502 2008-12-20 06:13:07 C:\WINDOWS\setuplog.txt
----a-w 231 2008-12-17 09:23:01 C:\WINDOWS\system.ini
----a-w 210,892 2008-12-17 09:25:11 C:\WINDOWS\tsoc.log
----a-w 159 2009-01-17 19:30:17 C:\WINDOWS\wiadebug.log
----a-w 49 2009-01-17 19:30:15 C:\WINDOWS\wiaservc.log
----a-w 28 2009-01-16 03:25:08 C:\WINDOWS\wiaserviv.log
----a-w 689 2008-12-18 06:27:05 C:\WINDOWS\win.ini
----a-w 945,451 2009-01-17 19:32:11 C:\WINDOWS\WindowsUpdate.log
----a-w 34,244 2009-01-03 20:42:38 C:\WINDOWS\wmsetup.log
----a-w 238 2008-12-23 06:11:34 C:\WINDOWS\wmsetup10.log

Entries: 25 (23)
Directories: 0 Files: 25
Bytes: 4,218,585 Blocks: 8,250
======C:\WINDOWS\system32=====
----a-w 451 2008-12-17 09:28:57 C:\WINDOWS\System32\$winnt$.inf
----a-w 0 2009-01-04 03:43:34 C:\WINDOWS\System32\0f463dd4-.txt
----a-w 92,696 2008-10-16 22:09:44 C:\WINDOWS\System32\cdm.dll
----a-w 410,984 2009-01-11 01:56:32 C:\WINDOWS\System32\deploytk.dll
----a-w 274,168 2008-12-19 03:12:03 C:\WINDOWS\System32\FNTCACHE.DAT
----a-w 144,792 2009-01-11 01:56:33 C:\WINDOWS\System32\java.exe
----a-w 73,728 2009-01-11 01:56:33 C:\WINDOWS\System32\javacpl.cpl
----a-w 144,792 2009-01-11 01:56:33 C:\WINDOWS\System32\javaw.exe
----a-w 148,888 2009-01-11 01:56:34 C:\WINDOWS\System32\javaws.exe
----a-w 77,410 2009-01-15 03:31:45 C:\WINDOWS\System32\LexFiles.ulf
----a-w 64,262 2009-01-01 05:53:45 C:\WINDOWS\System32\perfc009.dat
----a-w 405,878 2009-01-01 05:53:45 C:\WINDOWS\System32\perfh009.dat
----a-w 475,028 2009-01-01 05:53:44 C:\WINDOWS\System32\PerfStringBackup.INI
----a-w 308 2008-12-17 09:28:47 C:\WINDOWS\System32\results.txt
----a-w 101,824 2009-01-17 19:31:14 C:\WINDOWS\System32\Status.MPF
----a-w 1,158 2008-12-20 06:12:59 C:\WINDOWS\System32\wpa.dbl
----a-w 561,688 2008-10-16 22:12:20 C:\WINDOWS\System32\wuapi.dll
----a-w 23,576 2008-10-16 22:07:44 C:\WINDOWS\System32\wuapi.dll.mui
----a-w 51,224 2008-10-16 22:09:44 C:\WINDOWS\System32\wuauclt.exe
----a-w 213,528 2008-10-16 22:12:20 C:\WINDOWS\System32\wuaucpl.cpl
----a-w 23,576 2008-10-16 22:07:46 C:\WINDOWS\System32\wuaucpl.cpl.mui
----a-w 1,809,944 2008-10-16 22:13:40 C:\WINDOWS\System32\wuaueng.dll
----a-w 18,456 2008-10-16 22:07:14 C:\WINDOWS\System32\wuaueng.dll.mui
----a-w 323,608 2008-10-16 22:12:22 C:\WINDOWS\System32\wucltui.dll
----a-w 31,768 2008-10-16 22:09:40 C:\WINDOWS\System32\wucltui.dll.mui
----a-w 34,328 2008-10-16 22:08:58 C:\WINDOWS\System32\wups.dll
----a-w 43,544 2008-10-16 22:09:44 C:\WINDOWS\System32\wups2.dll
----a-w 202,776 2008-10-16 22:13:40 C:\WINDOWS\System32\wuweb.dll

Entries: 28 (28)
Directories: 0 Files: 28
Bytes: 5,754,383 Blocks: 11,256
======C:\WINDOWS\system32\drivers=====
----a-w 21,035 2008-12-17 09:28:43 C:\WINDOWS\System32\drivers\AegisP.sys
----a-w 15,504 2009-01-15 00:11:28 C:\WINDOWS\System32\drivers\mbam.sys
----a-w 38,496 2009-01-15 00:11:32 C:\WINDOWS\System32\drivers\mbamswissarmy.sys

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 75,035 Blocks: 149
======C:\WINDOWS\Tasks======
---ha-w 6 2009-01-17 19:29:13 C:\WINDOWS\Tasks\SA.DAT

Entries: 1 (0)
Directories: 0 Files: 1
Bytes: 6 Blocks: 1
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======C:=====
--sha-r 209 2008-12-17 09:28:27 C:\boot.ini
--sha-w 937,603,072 2009-01-17 19:28:55 C:\hiberfil.sys
--sha-w 1,409,286,144 2009-01-17 19:28:53 C:\pagefile.sys

Entries: 3 (0)
Directories: 0 Files: 3
Bytes: 2,346,889,425 Blocks: 4,583,769
======C:\Documents and Settings\Tiffany\Application Data======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======C:\Documents and Settings\Tiffany======
---ha-w 3,407,872 2009-01-17 07:12:10 C:\Documents and Settings\Tiffany\NTUSER.DAT
---ha-w 53,248 2009-01-17 20:53:48 C:\Documents and Settings\Tiffany\ntuser.dat.LOG
--sh--w 178 2009-01-16 19:12:19 C:\Documents and Settings\Tiffany\ntuser.ini

Entries: 3 (0)
Directories: 0 Files: 3
Bytes: 3,461,298 Blocks: 6,761
======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=============
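What the helper does with a listing like this is look for entries that stand out: odd names such as 0f463dd4-.txt, zero-byte files, hidden/system attributes, and timestamps close to the scan. The script below is an added illustration of that triage, not code from the thread or from zoek: it parses lines in the layout posted above (flag string, size, date, time, path) and flags entries showing two or more of those signs. The meaning of the h and s flag letters and the "random name" rule are my own inference, the excerpt is constructed from a few of the lines above, and every function name is mine.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout zoek printed above: flag string, size with
# thousands separators, date, time, then the full path (spaces allowed).
ZOEK_EXCERPT = r"""======C:\WINDOWS\system32=====
----a-w 451 2008-12-17 09:28:57 C:\WINDOWS\System32\$winnt$.inf
----a-w 0 2009-01-04 03:43:34 C:\WINDOWS\System32\0f463dd4-.txt
----a-w 101,824 2009-01-17 19:31:14 C:\WINDOWS\System32\Status.MPF
----a-w 308 2008-12-17 09:28:47 C:\WINDOWS\System32\results.txt
Entries: 4 (4)
======C:\WINDOWS\Tasks======
---ha-w 6 2009-01-17 19:29:13 C:\WINDOWS\Tasks\SA.DAT
"""
# Approximate time zoek ran, taken from the newest timestamp in the full listing.
SCAN_TIME = datetime(2009, 1, 17, 20, 54)

ENTRY = re.compile(r"^(?P<flags>[-a-z]{7}) (?P<size>[\d,]+) "
                   r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<path>.+)$")

def parse_listing(text):
    """Yield (path, flags, size, mtime); section headers and summaries are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield (m["path"], m["flags"], int(m["size"].replace(",", "")),
                   datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"))

def looks_random(path):
    """My heuristic, not zoek's: an 8+ character all-hex stem such as 0f463dd4-.txt."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].rstrip("-")
    return len(stem) >= 8 and re.fullmatch(r"[0-9a-fA-F]+", stem) is not None

def triage(text, scan_time, window=timedelta(hours=72), min_reasons=2):
    """Map path -> reasons for entries with at least min_reasons warning signs."""
    flagged = {}
    for path, flags, size, mtime in parse_listing(text):
        reasons = []
        if size == 0:
            reasons.append("zero-byte file")
        if "h" in flags or "s" in flags:   # h/s read as hidden/system (my assumption)
            reasons.append("hidden/system attribute")
        if timedelta(0) <= scan_time - mtime <= window:
            reasons.append("modified within the scan window")
        if looks_random(path):
            reasons.append("random-looking name")
        if len(reasons) >= min_reasons:
            flagged[path] = reasons
    return flagged
```

Status.MPF is recent but otherwise unremarkable, so with the default threshold it drops out; lower min_reasons to 1 to see every signal.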

#8 Guest_superbird_*

Posted 17 January 2009 - 04:07 PM

Hi,

Please post the contents of the following two text files in your next reply:
C:\WINDOWS\System32\0f463dd4-.txt
C:\WINDOWS\System32\results.txt

Tell me how things are going :thumbsup:

#9 tjdavis

Posted 17 January 2009 - 04:14 PM

I wasn't sure how to locate these, so I just copied and pasted the location into the search bar from the Start button. When I tried the first one there was nothing in the Notepad document.

These are the results for the second one:

log=AegisP Protocol (C:\WINDOWS\inf\AegisP.inf): Created.
log=AegisP Protocol (C:\WINDOWS\system32\drivers\AegisP.sys): Created.
log=AegisP Protocol (network component): Installed.
message=Driver install was successful
reboot=0
log=AegisP Protocol (device driver): Started - now running.
code=0

#10 Guest_superbird_*

Posted 17 January 2009 - 04:27 PM

Hi,

Delete this file:
C:\WINDOWS\System32\0f463dd4-.txt

Do you still have problems? :thumbsup:

#11 tjdavis

Posted 17 January 2009 - 04:45 PM

The only way I know to access this file is through the search tool, and this merely opens it up. I can't seem to delete it from there. Is there any way I can access this file to delete it?

#12 Guest_superbird_*

Posted 17 January 2009 - 04:47 PM

Hi,

Open Notepad.
Copy this into the Notepad file:

@ECHO OFF
REM Start with a fresh log for this run
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM Every path in the list is checked, unprotected, deleted and the result logged
FOR %%g in (
C:\WINDOWS\System32\0f463dd4-.txt) DO (
    IF EXIST %%g (
        REM Clear read-only, system and hidden attributes so DEL can remove the file
        ATTRIB -r -s -h %%g
        DEL %%g
        IF EXIST %%g (
            ECHO %%g not deleted>>log.txt
        ) ELSE (
            ECHO %%g deleted>>log.txt)
    ) ELSE (
        ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the following values:
Location: Desktop
File name: del.bat
File type: All files (*.*)
Now, click Save.
Double-click del.bat.
Post the contents of the logfile that opens in your next reply.

#13 tjdavis

Posted 17 January 2009 - 04:50 PM

Deleting files
C:\WINDOWS\System32\0f463dd4-.txt deleted

#14 Guest_superbird_*

Posted 17 January 2009 - 04:51 PM

Hi,

Do you still have problems? :thumbsup:

#15 tjdavis

Posted 17 January 2009 - 04:52 PM

Thanks! I don't have any problems currently, but I'm going to run Webroot SpySweeper to see if those viruses are still there; that's how I was able to tell the first time. My computer hadn't started acting up yet, but I wanted to go ahead and get rid of it as quickly as possible before it got out of hand.



