
OK, Please Help!

18 replies to this topic

#1 lh7788

Posted 21 February 2009 - 11:11 PM

Hello, I am new here. I apologize if this is a very simple task to get rid of what I have, but please help me. I have the following programs:

Mcafee
Spyware Doc
Windows Defender
Spybot S&Destroy
AVG Anti-virus
Malware bytes
xoftspySX

Now, I prefer to go in safe mode and run all these programs individually. Most of them catch some problems and say they fix them but when I go into normal mode and go to yahoo, the pop-ups start. The pop-ups are less frequent, but are still there.

I just did a HijackThis, just in case someone wants to help me out. Anyway, I am not sure what to say about this: some pop-ups are porn, some are HotJobs by Yahoo, and some my Firefox browser can't even load; it says error. It's not doing it now though, hmm.


Ok just popped up:

<http://67.201.36.16/nolink.html>

<http://url.adtrgt.com/cpv.jsp?p=113099&ip=216.164.30.202&url=video-stats.video.google.com%2Fs%3Fns%3Dyt%26docid%3DrYcI-VW7b9Y%26fmt%3D34%26el%3Ddetailpage%26sourceid%3Dys%26sdetail%3Df%3APlayList%2C%26q%3Davg+for+free%26vid%3D9CfzBx-aEQRRbLVLkvGK2vkU6uD1CLwzU%26fexp%3D900058%26hl%3Den%26cr%3DUS%26hbd%3D4373340%26hbt%3D48.133%26rt%3D35.647%26plid%3DAARjeh7u27OSgsSZAAACgAAQCAA%26w%3D640%26h%3D360%26nbe%3D1%26len%3D34%26st%3D0.033%26et%3D0.033%26fv%3DWIN+9%2C0%2C115%2C0&aid=889&default=http%3A%2F%2F85.12.43.105%2Fgo%2Frfe.php%3Fcmp%3Dmg_fails_099%26uid%3DF66AB9A22A0C11DDA406151967CFFFFF%26guid%3DC16D078783D149F7B5240A88A7A6CB8A%26lid%3Davg%252Bfor%252Bfree%26url%3Dvideo-stats.video.google.com%252Fs%253Fns%253Dyt%2526docid%253DrYcI-VW7b9Y%2526fmt%253D34%2526el%253Ddetailpage%2526sourceid%253Dys%2526sdetail%253Df%253APlayList%252C%2526q%253Davg%2Bfor%2Bfree%2526vid%253D9CfzBx-aEQRRbLVLkvGK2vkU6uD1CLwzU%2526fexp%253D900058%2526hl%253Den%2526cr%253DUS%2526hbd%253D4373340%2526hbt%253D48.133%2526rt%253D35.647%2526plid%253DAARjeh7u27OSgsSZAAACgAAQCAA%2526w%253D640%2526h%253D360%2526nbe%253D1%2526len%253D34%2526st%253D0.033%2526et%253D0.033%2526fv%253DWIN%2B9%252C0%252C115%252C0%26affid%3D168440&context=avg+for+free&partnermin=0.002&ronmin=0.002&selectedKeyword=avg>

This was the loading error.

Anyway any suggestions? What are the recommended scanners for every bad thing out there?

Edited by Orange Blossom, 01 March 2009 - 04:54 PM.
Deactivate links. ~ OB


#2 boopme

Posted 22 February 2009 - 12:09 AM

Hello and welcome.
First, DO NOT use HJT on your own; it can render your PC unbootable.
Second, do you have 2 AVs actively running? (AVG Anti-virus & McAfee) This will be a problem. If so, one has to go.
It's up to you, but I don't think Xoftspy is too good.

Now, what are you finding? Post the logs from these scans please.
Please run MBAM again, from Normal mode; MBAM is actually stronger that way.

MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Now these:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 lh7788

Posted 22 February 2009 - 02:35 AM

Hello, thank you. My log from MBAM:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

2/22/2009 6:46:29 AM
mbam-log-2009-02-22 (06-46-29).txt

Scan type: Quick Scan
Objects scanned: 85391
Time elapsed: 14 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8d2ab1ae-7b3e-4d09-8afa-a72cc700e191} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8d2ab1ae-7b3e-4d09-8afa-a72cc700e191} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bydnvu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gimdpccd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4b2505bf.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4b2505bf.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccbATjh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Also Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:09 PM, on 2/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

{EDIT: removed HJT log ~~boopme}

Edited by boopme, 22 February 2009 - 02:39 PM.
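Added example, not code from this thread or from Malwarebytes: a small parser for the MBAM 1.x text log posted above (the same layout appears in the later MBAM logs in this thread). It turns the pasted report into structured findings, tallies them per detection name so a family that shows up as both a registry key and a DLL is visible at a glance, lists items MBAM deferred to "Delete on reboot" (a reminder that the machine must be restarted before the scan is repeated), and cross-checks the header counts against the parsed entries so a truncated paste is noticed. The log format is inferred from the posted report; the embedded sample is an abridged, constructed copy of it.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) 1.x text log into structured findings.

Added example; not part of the thread and not Malwarebytes' own tooling.
Format inferred from the posted log: header lines "<Category>: <count>",
then one block per category listing
    <path or key> (<detection name>) -> <action>.
The sample below is a constructed, abridged copy of the reports in the thread.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 85391

Memory Processes Infected: 0
Registry Keys Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8d2ab1ae-7b3e-4d09-8afa-a72cc700e191} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8d2ab1ae-7b3e-4d09-8afa-a72cc700e191} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bydnvu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\owisogologiwab.dll (Trojan.Agent) -> Delete on reboot.
"""

# "<Category> Infected: <n>" in the header block
SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
# "<Category> Infected:" opening a detail block
HEADER_RE = re.compile(r"^(?P<category>.+ Infected):$")
# one finding: item, detection name in parentheses, action after the arrow
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {'summary': {category: count}, 'findings': [dict, ...]}."""
    summary, findings, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["category"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            category = m["category"]
            continue
        if category is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append({"category": category, "item": m["item"],
                             "name": m["name"], "action": m["action"]})
    return {"summary": summary, "findings": findings}


def detections_by_family(findings):
    """Count findings per detection name. One family spread over registry keys
    and files (here Trojan.Vundo.H as a BHO CLSID plus its DLL) means both
    the persistence point and the payload were present."""
    return Counter(f["name"] for f in findings)


def pending_reboot(findings):
    """Items MBAM could not remove in place; a reboot is required before rescanning."""
    return [f["item"] for f in findings if "reboot" in f["action"].lower()]


def summary_matches(parsed):
    """True when the header counts agree with the parsed entries (detects a truncated paste)."""
    counted = Counter(f["category"] for f in parsed["findings"])
    return all(counted.get(cat, 0) == n for cat, n in parsed["summary"].items())


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(detections_by_family(parsed["findings"]))
    print("pending reboot:", pending_reboot(parsed["findings"]))
    print("header counts consistent:", summary_matches(parsed))
```

Run it with a log pasted in place of the sample; the per-family counter is the quickest way to see whether a rescan is still finding the same family (as happens with the Vundo entries across the logs in this thread) or something new.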


#4 boopme

Posted 22 February 2009 - 02:43 PM

Hi, I removed the log as forum rules say they have to be posted in the HJT forum. Perhaps we will, but I want to do these next and see if we can't get this here.

Run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



Now Rerun MBAM like this.

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 lh7788

Posted 22 February 2009 - 06:33 PM

Hello, OK, I ran SUPERAntiSpyware; here are the results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/22/2009 at 12:50 PM

Application Version : 4.25.1012

Core Rules Database Version : 3769
Trace Rules Database Version: 1729

Scan type : Complete Scan
Total Scan Time : 03:53:32

Memory items scanned : 284
Memory threats detected : 0
Registry items scanned : 6302
Registry threats detected : 8
File items scanned : 131222
File threats detected : 1

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6584C510-924B-486A-A1A0-E380DE08C2DB}
HKU\S-1-5-21-1708537768-746137067-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6584C510-924B-486A-A1A0-E380DE08C2DB}

Rogue.Component/Trace
HKLM\Software\Microsoft\481624AD
HKLM\Software\Microsoft\481624AD#481624ad
HKLM\Software\Microsoft\481624AD#rid
HKLM\Software\Microsoft\481624AD#aid
HKLM\Software\Microsoft\481624AD#Version
HKU\S-1-5-21-1708537768-746137067-1343024091-1004\Software\Microsoft\CS41275

Adware.Vundo/Variant-S129
C:\WINDOWS\SYSTEM32\DSDTVGKE.DLL

#6 boopme

Posted 22 February 2009 - 06:39 PM

That's good. Now, next run MBAM:
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#7 lh7788

Posted 22 February 2009 - 06:45 PM

Hi, well, SmitfraudFix is done:

SmitFraudFix v2.398

Scan done at 15:38:38.42, Sun 02/22/2009
Run from C:\Documents and Settings\Joseph Valenti\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Joseph Valenti\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 spywareinfo.com
127.0.0.1 www.spywareinfo.com

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Joseph Valenti


C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp


C:\Documents and Settings\Joseph Valenti\Application Data


Start Menu


C:\DOCUME~1\JOSEPH~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cru629.dat bydnvu.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Linksys NC100 Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 208.59.247.45
DNS Server Search Order: 208.59.247.46

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F2450FD3-E8A6-41E1-8B3D-1D229417C19A}: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F2450FD3-E8A6-41E1-8B3D-1D229417C19A}: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F2450FD3-E8A6-41E1-8B3D-1D229417C19A}: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=208.59.247.45 208.59.247.46


Scanning for wininet.dll infection


End




I don't want to jinx anything, but so far no pop-ups.. I will redownload MBAM now.

Edited by lh7788, 22 February 2009 - 06:47 PM.
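Added example, not code from this thread or from S!Ri's SmitfraudFix: a triage script for the two sections of the search report above that carry the most signal for a defender. The "hosts" section shows security sites (spywareinfo.com, legal-at-spybot.info) mapped to 127.0.0.1, which is why the tool reports the file as corrupted: the infection blocks access to removal help. The "AppInit_DLLs" section lists bydnvu.dll, the same DLL MBAM quarantined as Trojan.Vundo.H; anything in that value is injected into every process that loads user32.dll. The script splits the report into its sections, flags only hosts entries for domains on a watch-list of security vendors (so a legitimate Spybot immunization list, like the 007guard.com entries in the later report, is not flagged), and extracts the AppInit_DLLs value together with LoadAppInit_DLLs. The section layout is inferred from the posted report, the watch-list is a small constructed one, and the embedded sample is constructed from fragments of the two reports in this thread. One caveat for readers on XP, as the poster is: Windows XP loads AppInit_DLLs regardless of LoadAppInit_DLLs; that switch is honoured from Vista on, so treat a non-empty value as suspicious on its own.

```python
"""Triage the "hosts" and "AppInit_DLLs" sections of a SmitfraudFix search report.

Added example; not part of the thread and not S!Ri's own code.
Layout inferred from the posted report: a section title on its own line,
preceded by two blank lines, then its body. SECURITY_DOMAINS is a constructed
watch-list for illustration only.
"""
import re

SAMPLE_REPORT = r"""hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 spywareinfo.com
127.0.0.1 www.spywareinfo.com
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cru629.dat bydnvu.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

# Constructed watch-list: domains of removal tools / help sites that malware
# commonly blocks through the hosts file. A real list would be maintained separately.
SECURITY_DOMAINS = {"spywareinfo.com", "legal-at-spybot.info",
                    "malwarebytes.org", "superantispyware.com"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')


def split_sections(text):
    """Map section title -> body lines. A title is a non-empty line preceded
    by at least two blank lines (or the start of the report)."""
    sections, title, blanks = {}, None, 2
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            blanks += 1
            continue
        if blanks >= 2:
            title = line
            sections[title] = []
        elif title is not None:
            sections[title].append(line)
        blanks = 0
    return sections


def hosts_redirects(lines):
    """Hosts entries that point a watch-listed security domain at loopback.
    localhost and domains outside the list (e.g. Spybot immunization) are ignored."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue  # notices such as "hosts file corrupted !" and non-loopback entries
        for host in parts[1:]:
            bare = host.lower()
            if bare.startswith("www."):
                bare = bare[4:]
            if bare in SECURITY_DOMAINS:
                flagged.append(host)
    return flagged


def appinit_dlls(lines):
    """Return (load_switch_set, [entries]) from the AppInit_DLLs section.
    Every entry is injected into each process that loads user32.dll; on XP the
    list is loaded regardless of LoadAppInit_DLLs (that switch exists from Vista on)."""
    values = {}
    for line in lines:
        m = REG_VALUE_RE.match(line)
        if m:
            values[m["name"]] = m["value"]
    raw = values.get("AppInit_DLLs", '""').strip('"')
    entries = [e for e in re.split(r"[ ,]+", raw) if e]
    switch_set = values.get("LoadAppInit_DLLs", "").endswith("00000001")
    return switch_set, entries


def triage(report):
    """Summarise the two sections into one dict for a reviewer."""
    secs = split_sections(report)
    switch_set, entries = appinit_dlls(secs.get("AppInit_DLLs", []))
    return {"hosts_redirects": hosts_redirects(secs.get("hosts", [])),
            "appinit_switch_set": switch_set, "appinit_dlls": entries}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample, the four spywareinfo/legal-at-spybot entries are flagged while the 007guard.com lines pass, and the AppInit_DLLs value yields cru629.dat and bydnvu.dll for follow-up against the MBAM results.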


#8 boopme

Posted 22 February 2009 - 06:58 PM

OK, looking good. Smit has found something too, so let's run the cleaner.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#9 lh7788

Posted 22 February 2009 - 07:24 PM

Results from MBAM:

Malwarebytes' Anti-Malware 1.34
Database version: 1795
Windows 5.1.2600 Service Pack 2

2/22/2009 4:22:50 PM
mbam-log-2009-02-22 (16-22-50).txt

Scan type: Quick Scan
Objects scanned: 85650
Time elapsed: 11 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\osobohaqiteji (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfudorukemo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fccaXPih.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\owisogologiwab.dll (Trojan.Agent) -> Delete on reboot.


So I am still infected. I will do what you instructed now, then reply if there are updates. Still no pop-ups though... hmm.

#10 boopme

Posted 22 February 2009 - 07:28 PM

Ok so run the Smit Cleaner and then another MBAM quick scan.

#11 lh7788

Posted 22 February 2009 - 10:26 PM

OK, I didn't get that last reply, so here are the results from SmitfraudFix... though I did it twice because it never mentioned cleaning the wininet.dll.

SmitFraudFix v2.398

Scan done at 18:59:26.91, Sun 02/22/2009
Run from C:\Documents and Settings\Joseph Valenti\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F2450FD3-E8A6-41E1-8B3D-1D229417C19A}: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F2450FD3-E8A6-41E1-8B3D-1D229417C19A}: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F2450FD3-E8A6-41E1-8B3D-1D229417C19A}: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.59.247.45 208.59.247.46
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=208.59.247.45 208.59.247.46


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#12 lh7788

Posted 22 February 2009 - 10:37 PM

Ok, big update:

Malwarebytes' Anti-Malware 1.34
Database version: 1795
Windows 5.1.2600 Service Pack 2

2/22/2009 7:47:21 PM
mbam-log-2009-02-22 (19-47-21).txt

Scan type: Quick Scan
Objects scanned: 85237
Time elapsed: 14 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I did this in normal mode...does this mean I am free?!

Oh, and some other questions... I have another little hard drive (for storing memory and such; it's I think 180 GB). Could that be infected as well? How would I know? I am afraid to turn it on and transfer files because I don't want my computer to get infected this bad again. Also my computer is running slow, like it takes longer now starting up... probably with all the scanners I downloaded. Is there any way I can pick and choose what programs I really need to start up when Windows starts?

Edited by lh7788, 22 February 2009 - 10:48 PM.


#13 boopme

Posted 22 February 2009 - 11:07 PM

OK, this looks clean; you did OK. If you want to scan the other drive, then run a full scan with MBAM; it will check all drives. Then scan it with SUPER.


Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

For SUPER
Open from the desktop icon or the Program Files list
On the left, make sure you check THAT DRIVE.

Edited by boopme, 22 February 2009 - 11:43 PM.


#14 lh7788

Posted 22 February 2009 - 11:24 PM

Thank You! By any chance is there a program that lets me see how many programs are starting up when I start windows? And what programs would you recommend keeping at start up?

#15 boopme

Posted 23 February 2009 - 01:20 AM

The best program for this is Autoruns for Windows

From Sysinternals