I believe I have the flash virus



#1 RavenPhoenix


Posted 05 February 2009 - 10:31 PM

I have all the symptoms this gentleman does:
http://www.bleepingcomputer.com/forums/ind...p;#entry1114596
right down to the links in my "My Computer" folder having been changed to the weird RECYCCLER .....com thing.
Here's a pic of what I get:
[screenshot not available]
I know everyone's computer is different and I want to make sure I get this done right.
Please help, and thanks in advance.
Edit: also this virus seems to block me from going to certain websites, like download.mcafee.com and safer-networking.

Edited by RavenPhoenix, 05 February 2009 - 10:39 PM.

Forum Skulker. Preventing Comp Nukes everywhere. :-)

#2 RavenPhoenix


Posted 05 February 2009 - 11:03 PM

Ran FlashDisinfector & OTMoveIt3.
Here are my results from OTMoveIt3:
========== FILES ==========
c:\RECYCLER\S-1-5-21-1177238915-1637723038-725345543-1003 moved successfully.
c:\RECYCLER moved successfully.
Folder d:\recycler not found.
Folder e:\recycler not found.
Folder f:\recycler not found.
Folder g:\recycler not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02052009_200212

Edited by RavenPhoenix, 05 February 2009 - 11:04 PM.


#3 RavenPhoenix


Posted 06 February 2009 - 06:16 AM

Malwarebytes log:
Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 3

2/6/2009 3:14:14 AM
mbam-log-2009-02-06 (03-14-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170432
Time elapsed: 51 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\youtube downloader app (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videora ipod touch converter (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Aestivalis\Desktop\videora-ipodtouch-404-setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Red Kawa\Downloader App\uninstaller.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Red Kawa\Video Converter App\uninstaller.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\gaopdxedbwdrus.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxtnnuqfds.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#4 DaChew


Posted 06 February 2009 - 08:21 AM

Malwarebytes log:
Malwarebytes' Anti-Malware 1.33
Database version: 1714


The database is up to 1733 now, can you connect the program and update and run a quick scan please?
Chewy

No. Try not. Do... or do not. There is no try.
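Added here as an illustration, not code from the thread: a small Python parser for the Malwarebytes 1.x log format posted in #3. It pulls out the signature database version that DaChew checks in #4 and lists items marked "Delete on reboot" (iamfamous.dll was loaded by Firefox, so it stays on disk until the machine restarts and should be confirmed gone in a follow-up scan). The sample log is a trimmed excerpt of the one in #3; the function names are my own.

```python
import re
from collections import namedtuple

Detection = namedtuple("Detection", "section item family action")

# One detection line looks like:  C:\path\x.dll (Trojan.Agent) -> Delete on reboot.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")     # "Files Infected:"
META_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")        # "Database version: 1714"

def parse_log(text):
    """Return (metadata dict, list of Detection) from a Malwarebytes 1.x text log."""
    meta, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if m := SECTION_RE.match(line):
            section = m["name"]                      # now inside a per-section listing
        elif (m := DETECTION_RE.match(line)) and section:
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
        elif (m := META_RE.match(line)) and section is None:
            meta[m["key"]] = m["value"]              # header fields and summary counts
    return meta, detections

def pending_reboot(detections):
    """Items MBAM could not remove while running (still on disk until a restart), deduplicated."""
    pending = []
    for d in detections:
        if d.action.lower().startswith("delete on reboot") and d.item not in pending:
            pending.append(d.item)
    return pending

def database_outdated(meta, current_version):
    """True when the log was produced with signatures older than the known-current version."""
    return int(meta.get("Database version", 0)) < current_version

# Trimmed excerpt of the log posted in #3 above (same line format as the real file).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1714
Memory Modules Infected: 1
Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\youtube downloader app (Trojan.Downloader) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\gaopdxtnnuqfds.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""
```

Running `parse_log(SAMPLE_LOG)` and then `pending_reboot(...)` on the result flags the Firefox component once, even though the log lists it in two sections.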

#5 RavenPhoenix


Posted 06 February 2009 - 12:36 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1735
Windows 5.1.2600 Service Pack 3

2/6/2009 9:30:16 AM
mbam-log-2009-02-06 (09-30-16).txt

Scan type: Quick Scan
Objects scanned: 50987
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks DaChew, it's actually up to 1735. :-)

#6 DaChew


Posted 06 February 2009 - 04:24 PM

Are the symptoms of the infection clearing up?

I like to run ATFCleaner and SAS as a double check.

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

#7 RavenPhoenix


Posted 06 February 2009 - 05:08 PM

Yes, the symptoms are clearing up. I have access to my C: drive again, and after that one piece of malware was removed in the last Malwarebytes scan I could change the DNS back to OpenDNS, and I can now browse to safer-networking. I just want to make sure I do everything I can to get rid of this nonsense. I will run your tests from the link you provided when I get home.

#8 RavenPhoenix


Posted 07 February 2009 - 03:58 AM

Ran ATFCleaner and SAS.

SAS log file:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/06/2009 at 09:32 PM

Application Version : 4.25.1012

Core Rules Database Version : 3746
Trace Rules Database Version: 1714

Scan type : Complete Scan
Total Scan Time : 01:03:48

Memory items scanned : 224
Memory threats detected : 0
Registry items scanned : 4640
Registry threats detected : 0
File items scanned : 121399
File threats detected : 22

Adware.Tracking Cookie

Trojan.Dropper/Gen
C:\DOCUMENTS AND SETTINGS\AESTIVALIS\LOCAL SETTINGS\APPLICATION DATA\SUPPORTSOFT\PCCHECKUPONLINE\AESTIVALIS\TEMPFILES\SETUP_ACTIVEX.EXE

#9 RavenPhoenix


Posted 07 February 2009 - 01:21 PM

Just seeing if any of the other helpers have an opinion?

#10 DaChew


Posted 07 February 2009 - 01:34 PM

OK, let's do this please.
==============
Please click
http://ftp.kaspersky.com/devbuilds/AVPTool/
to download AVP Tool by Kaspersky.

Save it to your desktop.


Double click the setup file to run it.
Click Next to continue.
It will by default install to your desktop folder. Click Next.

It will then open a box. There will be a tab that says Automatic scan.

Under Automatic scan make sure these are checked:


System Memory
Startup Objects
Disk Boot Sectors
My Computer
Also any other (removable) drives that you may have.

Note: This tool will self uninstall when you close it so please save the log before closing it.

This will take a while, but it is one of the best standalone scanners.



