Backdoor Bot Virus?


  • Please log in to reply
9 replies to this topic

#1 peter89

Posted 22 February 2009 - 12:36 AM

Well, I was going to post this yesterday; however, I had the EXACT same symptoms and Antimalware log as this guy had: http://www.bleepingcomputer.com/forums/t/205080/i-believe-mah-computer-has-teh-interwebs-aids/

So I waited to see what the go was for him.

Yesterday I got the MS Antispyware 2009 program somehow, realised it was a fake, downloaded Malwarebytes Antimalware, ran it and it deleted it, as well as the false threats that were coming up.

Now every time I run Malwarebytes I get the same message log and exactly the same registry data items infected as the guy in the post I've linked to above.

I also had Google redirecting my sites, and then IE wouldn't even connect and always stopped at the "Page can not be connected" page (I'm using Mozilla now).

I read in his thread that it is a serious threat, and I'm about to go change all my passwords on another computer once I've typed this.

I have no problem reinstalling XP if that is what needs to be done; however, I am not sure what can be done in regard to my data on the infected hard drive, mainly my music, pictures, old uni work and movies.

I was about to print the instructions and run SDFix, but thought I'd better just check here first.

I can post the Antimalware logs from before MS Antispyware 2009 was deleted and also the latest ones with the 2 Trojans that keep coming up, if need be.

Thank you very much for any help or words of advice,

Peter.


#2 boopme (Global Moderator)

Posted 22 February 2009 - 12:40 AM

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply.

If your log contained TDSS files run SDFix and post the logs.

EDIT... Hello, I'm tired now and will look back in the morning.

Edited by boopme, 23 February 2009 - 01:36 AM.
cleaned tags

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 peter89

Posted 22 February 2009 - 01:18 AM

No worries,

Here is the first Malwarebytes scan that I did before MS Antispyware 2009 was deleted:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 3, v.3264

21/02/2009 12:37:11 PM
mbam-log-2009-02-21 (12-37-11).txt

Scan type: Quick Scan
Objects scanned: 65093
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 6
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{48e92754-2daf-4de4-8385-34f631580e9b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1c23ba2-8f20-4c01-b663-7ff2b3421194} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d37d6c1a-7ba4-47f4-9bf2-75031e257df6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{84562fca-ee8b-4585-a1d1-eae97b23370e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f4406238-983a-4845-9053-f1d0007fd135} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090221120538468.log (Rogue.Multiple) -> Quarantined and deleted successfully.


And here is the most recent scan with the 2 items that keep appearing in scans:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 3, v.3264

22/02/2009 12:33:28 AM
mbam-log-2009-02-22 (00-33-28).txt

Scan type: Quick Scan
Objects scanned: 66707
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks.

Edited by peter89, 22 February 2009 - 01:19 AM.


#4 boopme (Global Moderator)

Posted 22 February 2009 - 02:17 PM

Hello again. Well, we need to run SDFix now anyway. Post back its log and the next SAS and MBAM logs, thanks.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real-time protection programs before performing a scan.
  • When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either mode, type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Now run these from your regular user account.
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER.
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Then rerun MBAM:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 peter89


Posted 23 February 2009 - 01:32 AM

OK, I did all three scans and the ATF cleanup, and the results are below.

SDFix Scan Results

SDFix: Version 1.240
Run by Pete on Mon 23/02/2009 at 01:26 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Infected userinit.exe Found!

userinit.exe File Locations:

"C:\WINDOWS\$NtServicePackUninstall$\userinit.exe" 24576 04/08/2004 12:56 AM
"C:\WINDOWS\ServicePackFiles\i386\userinit.exe" 26112 01/12/2007 12:26 AM
"C:\WINDOWS\system32\userinit.exe" 8704 21/02/2009 12:04 PM

LDPinch Infected File Listed Below:

C:\WINDOWS\SYSTEM32\USERINIT.EXE

File copied to Backups Folder
Attempting to replace userinit.exe with original version

Unable To Replace Infected File!

"C:\WINDOWS\$NtServicePackUninstall$\userinit.exe" 24576 04/08/2004 12:56 AM
"C:\WINDOWS\ServicePackFiles\i386\userinit.exe" 26112 01/12/2007 12:26 AM
"C:\WINDOWS\system32\userinit.exe" 8704 21/02/2009 12:04 PM


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 13:35:39
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\\Programs\\Maya\\bin\\maya.exe"="E:\\Programs\\Maya\\bin\\maya.exe:*:Enabled:Maya"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"E:\\Programs\\Limewire\\LimeWire.exe"="E:\\Programs\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
"E:\\Media\\Games\\Drift\\racer.exe"="E:\\Media\\Games\\Drift\\racer.exe:*:Disabled:racer"
"E:\\Programs\\bitcomet\\BitComet.exe"="E:\\Programs\\bitcomet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"E:\\Programs\\LFS\\s2\\LFS.exe"="E:\\Programs\\LFS\\s2\\LFS.exe:*:Enabled:LFS.exe"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"E:\\Programs\\XFIRE\\xfire.exe"="E:\\Programs\\XFIRE\\xfire.exe:*:Enabled:Xfire"
"E:\\Programs\\COD4\\iw3mp.exe"="E:\\Programs\\COD4\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\WINDOWS\\system32\\dlcfcoms.exe"="C:\\WINDOWS\\system32\\dlcfcoms.exe:*:Enabled:Dell 725 Server"
"G:\\MysticMazeSafe\\GlyphServer\\ISGlyphServer.EXE"="G:\\MysticMazeSafe\\GlyphServer\\ISGlyphServer.EXE:*:Enabled:ISGlyphServer"
"G:\\MysticMazeSafe\\mm.exe"="G:\\MysticMazeSafe\\mm.exe:*:Enabled:mm"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\\Programs\\iTunes\\iTunes.exe"="E:\\Programs\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Sat 21 Feb 2009 8,704 A..H. --- "C:\WINDOWS\system32\userinit.exe"
Sun 8 Feb 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 21 Jan 2009 49,152 A.SHR --- "C:\Program Files\Common Files\System\msrc msrc.dll"
Fri 25 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Pete\Application Data\U3\temp\Launchpad Removal.exe"

Finished!


SUPERAntispyware Scan Results

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2009 at 04:47 PM

Application Version : 4.25.1012

Core Rules Database Version : 3755
Trace Rules Database Version: 1719

Scan type : Complete Scan
Total Scan Time : 02:43:55

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 5991
Registry threats detected : 4
File items scanned : 130570
File threats detected : 1

Adware.Vundo/Variant
HKU\S-1-5-21-1659004503-842925246-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85213274-4208-7004-6472-5599CA323026}
HKCR\CLSID\{85213274-4208-7004-6472-5599CA323026}
HKCR\CLSID\{85213274-4208-7004-6472-5599CA323026}\InProcServer32
HKCR\CLSID\{85213274-4208-7004-6472-5599CA323026}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MSRC MSRC.DLL


MBAM Scan Results

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 3, v.3264

23/02/2009 4:59:19 PM
mbam-log-2009-02-23 (16-59-19).txt

Scan type: Quick Scan
Objects scanned: 64011
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Pete\Local Settings\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


Thank you,
Peter.
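Added example (this editor's, not code from the thread or from SDFix/MBAM): a Python triage script that parses the "userinit.exe File Locations" and "Files with Hidden Attributes" sections of the SDFix report above and flags the live system32 copy when its size differs from the ServicePackFiles reference copy or it carries the hidden attribute, which is exactly the pattern the report shows (8704 bytes and hidden, versus the 26112-byte reference). The sample lines are copied from the report; the size rule and the path-suffix matching are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# SDFix lists each userinit.exe it finds as:   "path" size dd/mm/yyyy hh:mm AM
LOCATION_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<stamp>\d\d/\d\d/\d{4} \d\d:\d\d [AP]M)\s*$'
)
# "Files with Hidden Attributes" lines look like:  Sat 21 Feb 2009 8,704 A..H. --- "path"
HIDDEN_RE = re.compile(
    r'^\w{3} \d{1,2} \w{3} \d{4}\s+(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"\s*$'
)

# Sample input: lines copied from the SDFix report pasted in this post.
SDFIX_LOCATIONS = r'''
"C:\WINDOWS\$NtServicePackUninstall$\userinit.exe" 24576 04/08/2004 12:56 AM
"C:\WINDOWS\ServicePackFiles\i386\userinit.exe" 26112 01/12/2007 12:26 AM
"C:\WINDOWS\system32\userinit.exe" 8704 21/02/2009 12:04 PM
'''
SDFIX_HIDDEN = r'''
Sat 21 Feb 2009 8,704 A..H. --- "C:\WINDOWS\system32\userinit.exe"
Sun 8 Feb 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
'''

# Path suffixes (assumption of this example) used to tell the live copy from the reference.
LIVE_SUFFIX = "\\system32\\userinit.exe"
REFERENCE_SUFFIX = "\\servicepackfiles\\i386\\userinit.exe"


def parse_locations(text: str) -> List[Tuple[str, int]]:
    """Return (path, size_in_bytes) for every userinit.exe location line."""
    found = []
    for line in text.splitlines():
        m = LOCATION_RE.match(line.strip())
        if m:
            found.append((m.group("path"), int(m.group("size"))))
    return found


def parse_hidden(text: str) -> Dict[str, str]:
    """Map lower-cased path -> attribute column (e.g. 'A..H.') for hidden-attribute lines."""
    attrs = {}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            attrs[m.group("path").lower()] = m.group("attrs")
    return attrs


def triage_userinit(locations: List[Tuple[str, int]], hidden: Dict[str, str]) -> Dict[str, object]:
    """Compare the live system32 copy against the ServicePackFiles reference copy.

    Size comparison is a triage heuristic: a hotfix can legitimately change
    userinit.exe, so confirm with a hash against a known-good copy.
    """
    live: Optional[Tuple[str, int]] = None
    ref: Optional[Tuple[str, int]] = None
    for path, size in locations:
        lowered = path.lower()
        if lowered.endswith(LIVE_SUFFIX):
            live = (path, size)
        elif lowered.endswith(REFERENCE_SUFFIX):
            ref = (path, size)

    findings: List[str] = []
    if live is None:
        return {"live": None, "reference": ref, "suspicious": False,
                "findings": ["no live system32\\userinit.exe listed"]}
    if ref is not None and live[1] != ref[1]:
        findings.append(f"live copy is {live[1]} bytes, reference copy is {ref[1]} bytes")
    attrs = hidden.get(live[0].lower(), "")
    if "H" in attrs:
        # A genuine userinit.exe carries no hidden attribute.
        findings.append(f"live copy has hidden attribute set ({attrs})")
    return {"live": live, "reference": ref, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    result = triage_userinit(parse_locations(SDFIX_LOCATIONS), parse_hidden(SDFIX_HIDDEN))
    print("suspicious" if result["suspicious"] else "clean")
    for finding in result["findings"]:
        print(" -", finding)
```

Size and attribute mismatches are triage signals only; a replaced userinit.exe is confirmed by hashing it against a known-good copy, which is also why a single scanner's "Object is in whitelist" verdict should not settle the question.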

#6 boopme (Global Moderator)

Posted 23 February 2009 - 01:41 AM

This looks real good. Now please run a full scan. Also let me know how it's running now.
I'll look back tomorrow.

Rerun MBAM:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#7 peter89


Posted 23 February 2009 - 04:07 AM

I'm hoping that wasn't sarcasm and that it really does look good lol

Ok, so here are the latest MBAM Scan results:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 3, v.3264

23/02/2009 7:31:21 PM
mbam-log-2009-02-23 (19-31-21).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 208705
Time elapsed: 31 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


While doing the scan, an AVG resident shield alert came up showing the following:

FILE INFECTION RESULT
"C:\WINDOWS\system32\userinit.exe" "Trojan horse Generic12.BTJO" "Object is in whitelist"
"C:\WINDOWS\system32\userinit.exe" "Trojan horse Generic12.BTJO" "Object is in whitelist"


One thing I should mention is that when I try to update MBAM, a message box pops up saying:
"Update failed. Make sure you are connected to the internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet"

My computer has been running like normal right from before I first realised something was wrong and even did the first scan; I haven't noticed it to be any slower.

The only difference I have ever noticed since I realised it was infected is that Internet Explorer stops on the "Page can not be connected" page. It is still doing this and, as such, I am unable to tell if it is still redirecting my Google search results to spam pages.

Mozilla Firefox works fine, and any Google searches I do using it work fine and are not redirected.

Thanks for your help so far mate. :thumbsup:

Pete.

P.S. Just then I tried to open the COD4 game, and a message box came up saying "DirectX encountered an unrecoverable error, click the readme for possible solutions".

Not sure if it's related, just thought I'd let you know.

Edited by peter89, 23 February 2009 - 05:48 AM.


#8 boopme (Global Moderator)

Posted 23 February 2009 - 03:26 PM

Hi, we still have some infections and need to run some specialized tools. We do not use them here but instead in the HJT removal forum, so...
We need to run HJT.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal. Click New Topic, give it a relevant Title and post that complete log.

Let me know if you were successful in posting.

#9 peter89


Posted 23 February 2009 - 06:48 PM

OK, will do. Won't be able to do it immediately as I have to go buy a new hard drive for my external hard drive. That is, unless backing my info up to a DVD is equivalent?

Also, it says to put the type of infection in the title of the HijackThis thread; any idea what type of infection I have?

Thanks.

#10 boopme (Global Moderator)

Posted 23 February 2009 - 06:54 PM

Use this: Generic12.BTJO

Good luck!!