
v1.adwarefeed.com?


7 replies to this topic

#1 Sanitarium

Posted 04 April 2009 - 01:12 PM

Foremost, many thanks.

I am being redirected to other sites when I click on links such as Google's search results. My browser, Firefox, communicates with v1.adwarefeed.com when I get redirected. I tried to run AVG, but I couldn't get it to update; "the control file is missing" was the popup I received. So I updated it manually from their site, ran it, and deleted what it found.
That did not fix my problem; I was still being redirected to other sites. So I looked around and ran SDFix in Safe Mode without any internet connection. It found some discrepancies but did not fix my problem. Then I tried to install Malwarebytes and run that, but while I can install the program, it fails to load even in Safe Mode.

Here is the SDFix log (I hope I'm supposed to post it, because it is the "steps I have already taken"):
===================================
SDFix: Version 1.240
Run by Admin on Sat 04/04/2009 at 12:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp1.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp2.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp2D.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp2E.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 12:53:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Admin\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Steam\\steamapps\\alocis\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\alocis\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\alocis\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\alocis\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\alocis\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\alocis\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Steam\\steamapps\\alocis\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\alocis\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Documents and Settings\\Admin\\Desktop\\Disc Images\\Duke Nukem 3D\\eduke32.exe"="C:\\Documents and Settings\\Admin\\Desktop\\Disc Images\\Duke Nukem 3D\\eduke32.exe:*:Enabled:eduke32"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat:*:Enabled:The Battle for Middle-earth™ II"
"C:\\games\\C&C3\\RetailExe\\1.9\\cnc3game.dat"="C:\\games\\C&C3\\RetailExe\\1.9\\cnc3game.dat:*:Disabled:Command & Conquer 3 Tiberium Wars"
"C:\\Program Files\\Left4Dead\\hl2.exe"="C:\\Program Files\\Left4Dead\\hl2.exe:*:Disabled:hl2"
"C:\\games\\Dead Space\\Dead Space.exe"="C:\\games\\Dead Space\\Dead Space.exe:*:Disabled:Dead Space T"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\Documents and Settings\\Admin\\Desktop\\Disc Images\\Call.Of.Duty.5.World.At.War.FULLRip-KaOs\\CoDWaW.exe"="C:\\Documents and Settings\\Admin\\Desktop\\Disc Images\\Call.Of.Duty.5.World.At.War.FULLRip-KaOs\\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™ "
"C:\\Documents and Settings\\Admin\\Desktop\\Disc Images\\Call.Of.Duty.5.World.At.War.FULLRip-KaOs\\CoDWaWmp.exe"="C:\\Documents and Settings\\Admin\\Desktop\\Disc Images\\Call.Of.Duty.5.World.At.War.FULLRip-KaOs\\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™ "
"G:\\Games\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"="G:\\Games\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe:*:Enabled:S.T.A.L.K.E.R. - Clear Sky (CLI)"
"G:\\Games\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"="G:\\Games\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe:*:Enabled:S.T.A.L.K.E.R. - Clear Sky (SRV)"
"C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"="C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe:*:Enabled:Empire: Total War"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 10 Feb 2009 4,452 ...HR --- "C:\Documents and Settings\Admin\Application Data\SecuROM\UserData\securom_v7_01.bak"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Admin\Application Data\U3\temp\Launchpad Removal.exe"
Sun 5 Oct 2008 16 A.SH. --- "C:\Documents and Settings\Admin\Application Data\BDL+D\CHARARA.CC\000002277\____.sys"

Finished!
===========================================


#2 DaChew

Posted 04 April 2009 - 04:22 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

CureIt will take a while to run. I would try MBAM again if CureIt finds anything.
Chewy

No. Try not. Do... or do not. There is no try.

#3 Sanitarium


Posted 06 April 2009 - 07:34 PM

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Admin\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Admin\Desktop;Archive contains infected objects;Moved.;
10-plain_white_ts-someday.mp3;C:\Documents and Settings\Admin\My Documents\games\Plain White Ts - Big Bad World [2008];Trojan.WMALoader;Cured.;
CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Incurable.Deleted.;
HTV.003;C:\Program Files\HTV;Program.Ardamax.169;Incurable.Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Deleted.;
nDler2.exe;C:\WINDOWS\system32;Trojan.MulDrop.30811;Deleted.;
Install.exe;G:\Torrents\Call.Of.Duty.5.World.At.War.FULLRip-KaOs;BackDoor.Haslo.12;Deleted.;

After the scan I have more symptoms:
a new background saying I am at risk, and an antivirus toolbar.
Will be back with specific quotes on those.

---- It is "anti-virus xp pro 2009".

Another thing: I cannot use Task Manager; the button is not colored in and isn't clickable.

But I would love to just wipe my whole computer; nothing on it is personal and it can be disposed of.
I just want use of my computer back.

Thank you much.

Edited by Sanitarium, 06 April 2009 - 07:38 PM.


#4 DaChew


Posted 06 April 2009 - 09:23 PM

Rename the MBAM installer; after renaming and installing, try this randomizer for the program.

http://kixhelp.com/wr/files/mb/randmbam.exe
Chewy


#5 Sanitarium


Posted 08 April 2009 - 07:42 PM

Renamed the installer and used the randomizer.
Ran a full scan the first time, then restarted the computer, but didn't hit F8 enough so it started normally, and froze (first freeze, ever).
Restarted it in Safe Mode with Networking, updated Malwarebytes (couldn't update for the first scan), then ran it again.
So I have two logs.

Now I can use Task Manager, but I still get some antivirus ads in my browser, like on the login page for this site.

log 1
=====
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/8/2009 7:46:38 PM
mbam-log-2009-04-08 (19-46-38).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 232295
Time elapsed: 31 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 17
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6eb57e49-5a3b-4b44-b34c-1199da140f79} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6eb57e49-5a3b-4b44-b34c-1199da140f79} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6eb57e49-5a3b-4b44-b34c-1199da140f79} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b96f67e-f158-4084-a7d9-762e0ec620e6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57fcd1a2-97a2-481b-b74e-cf2d82aadf4e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b96f67e-f158-4084-a7d9-762e0ec620e6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{57fcd1a2-97a2-481b-b74e-cf2d82aadf4e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0b96f67e-f158-4084-a7d9-762e0ec620e6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{57fcd1a2-97a2-481b-b74e-cf2d82aadf4e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Amdcald.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\mousehook.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\mousehook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.


log 2
=====

Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 2

4/8/2009 8:31:26 PM
mbam-log-2009-04-08 (20-31-26).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 232521
Time elapsed: 29 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6eb57e49-5a3b-4b44-b34c-1199da140f79} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6eb57e49-5a3b-4b44-b34c-1199da140f79} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Admin\Local Settings\Application Data\CheckForUpdates.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Application Data\codecsetup1396.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Application Data\codecsetup296.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Amdcald.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
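The two logs above show one pattern: the same resolver pair written to NameServer under CurrentControlSet, ControlSet001 and ControlSet003, the Winlogon Userinit value changed, Task Manager and the wallpaper locked through policy values, and a BHO registered under a single CLSID. As an added example, not from the original thread and not Malwarebytes' own code, the Python below parses MBAM finding lines of that shape (the line format is inferred from these logs) and produces a short triage summary. The rogue-resolver ranges and the expected XP Userinit default are assumptions and are marked as such in the code; the sample lines are copied from the logs in this thread.

```python
"""Triage Malwarebytes (MBAM) log lines for DNSChanger / fake-AV indicators.

Added example for this thread, not Malwarebytes' code. The finding-line format is
inferred from the logs posted above; DNSCHANGER_RANGES and EXPECTED_USERINIT are
assumptions (see comments) and should be verified before relying on them.
"""
import ipaddress
import re

# Constructed sample: lines copied from the MBAM logs posted in this thread.
SAMPLE_LOG = r"""
HKEY_CLASSES_ROOT\CLSID\{6eb57e49-5a3b-4b44-b34c-1199da140f79} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6eb57e49-5a3b-4b44-b34c-1199da140f79} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b96f67e-f158-4084-a7d9-762e0ec620e6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.61,85.255.112.172 -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Amdcald.dll (Trojan.Downloader) -> Delete on reboot.
"""

# One finding per line: <path> (<family>) -> [Data: <value> -> | Bad: (x) Good: (y) -> ]<action>
# A path containing " (" (e.g. "Program Files (x86)") would need a stricter split; XP logs don't.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[A-Za-z0-9_.-]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.*?) -> ")

# Assumption: rogue resolver ranges as published for the DNSChanger (Rove Digital) takedown;
# the pair in this thread falls in the first one. Verify against the FBI/DCWG advisories.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Assumption: the clean Windows XP value. The trailing comma is part of the default.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_mbam(text):
    """Return one dict per finding line; lines that are not findings are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        d = DATA_RE.match(rest)
        entries.append({
            "path": m.group("path"),
            "family": m.group("family"),
            "data": d.group("data") if d else None,
            "action": rest.rsplit("-> ", 1)[-1],
        })
    return entries


def in_known_dnschanger_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DNSCHANGER_RANGES)


def triage(entries):
    """Pull out the indicators a responder acts on first."""
    report = {"dns_servers": set(), "rogue_dns": set(), "userinit": [],
              "policy_locks": [], "bho_clsids": set(), "files": []}
    for e in entries:
        path, data = e["path"], e["data"]
        leaf = path.rsplit("\\", 1)[-1]
        if leaf.lower() == "nameserver" and data:
            for ip in (s.strip() for s in data.split(",")):
                if ip:
                    report["dns_servers"].add(ip)
                    if in_known_dnschanger_range(ip):
                        report["rogue_dns"].add(ip)
        elif leaf.lower() == "userinit" and data is not None:
            # Userinit runs at every interactive logon; any deviation from the default
            # (a missing trailing comma included) deserves a manual look.
            if data.strip().lower() != EXPECTED_USERINIT.lower():
                report["userinit"].append(data)
        elif e["family"].startswith("Hijack."):
            report["policy_locks"].append(leaf)
        elif "\\browser helper objects\\" in path.lower():
            report["bho_clsids"].add(leaf)
        elif re.match(r"^[A-Za-z]:\\", path):
            report["files"].append(path)
    return report


if __name__ == "__main__":
    for key, value in triage(parse_mbam(SAMPLE_LOG)).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run it as-is to triage the embedded sample, or pass the text of a saved mbam-log-*.txt to parse_mbam() for a real log. Two things the summary makes obvious that the raw log buries: the resolver pair is written under every control set, so a cleanup that touches only CurrentControlSet can be undone by a boot into a different one (Last Known Good, for instance), and a Userinit value that differs from the default is a logon-time hook that should be inspected by hand before the machine is trusted.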

#6 DaChew


Posted 08 April 2009 - 08:31 PM

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

This is a very nasty infection; it will also require advanced tools and training to remove.

One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy


#7 Sanitarium


Posted 09 April 2009 - 10:45 AM

I think I'm going to format and reinstall, because it's not really anything new to me; I built this computer, which is now all butt-hurt with malware. If anything, this happened because I was trying to allow my iPod to control my computer, so I took off all the firewalls on my router and computer for a while to make sure I wasn't screwing something up there. Then at the same time I tried to use a program to change .avi files to a DVD image. Mistake.

If there is any special way to go about doing so with what I have, please elaborate; actually, please send me a link to instructions, because I want to do this right the first time.

If not, I'm putting my music and some saved game files on a DVD and wiping it, but I also wonder if doing that can transfer any of the files.
I have a flash drive as well that I have not been able to use, because my computer does not recognize it in the My Computer window, despite the USB activity light being on almost constantly immediately after plugging it in. Yep, the flash drive is definitely FUBAR; it is not recognized, so I can't reformat it, and the malware has spread onto it.
Now I have everything back again :thumbsup:. The only thing keeping me from reformatting ASAP is trying to save my flash drive now, before I risk ruining my computer again later trying to fix it.

Many thanks, bro.

Edited by Sanitarium, 09 April 2009 - 11:15 AM.


#8 DaChew


Posted 09 April 2009 - 12:08 PM

You need to learn how to use this program and the Shift key.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
Chewy

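The note about the hidden folder named autorun.inf is worth understanding rather than just trusting. Windows XP reads a file called autorun.inf from the root of a newly inserted drive and acts on its open= and shell\...\command= keys, and a directory occupying that name stops malware from creating the file. As an added example, not Flash_Disinfector's code (that tool is closed source and the page does not describe its internals), the Python below does two things: it parses an autorun.inf and lists what AutoRun would launch, so a suspect stick can be inspected without double-clicking it, and it plants the protective directory, moving any existing autorun.inf file aside for examination. The autorun.inf contents are constructed in the style of USB worms of that period, not a real capture; the quarantine file name, the SID in the sample and the use of attrib on Windows are assumptions.

```python
"""Inspect and neutralise autorun.inf on removable drives.

Added example for this thread; not Flash_Disinfector's code (that tool is closed
source and its internals are not documented on this page). parse_autorun() lists
what AutoRun would execute; protect_drive() plants the directory-named-autorun.inf
block the post above describes. Assumptions are marked in comments.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample in the style of 2008-era USB worms (not a real capture; the SID is
# made up): payload in a folder Explorer hides, the Open/Explore verbs hijacked so a
# double-click on the drive runs it, and one junk line to trip naive INI parsers.
SAMPLE_AUTORUN = r"""
[AutoRun]
; harmless-looking comment
open=RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1013\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=&Open
shell\open\command=RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1013\setup.exe
shell\explore\command=RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1013\setup.exe
vHhRsPqXzL
"""

KEY_RE = re.compile(r"^([^=;\[\]]+?)\s*=\s*(.*)$")
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Return the [autorun] section split into launch commands and everything else.
    Tolerates junk lines and odd casing; counts the junk, since worms rely on it."""
    in_autorun, junk = False, 0
    commands, other = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        m = KEY_RE.match(line)
        if not m:
            junk += 1
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            commands[key] = value
        else:
            other[key] = value
    return {"commands": commands, "other": other, "junk_lines": junk}


def why_suspicious(parsed):
    """Heuristics for the things a worm's autorun.inf does and a vendor's usually does not."""
    reasons = []
    cmds = parsed["commands"]
    if "shell\\open\\command" in cmds or "shell\\explore\\command" in cmds:
        reasons.append("overrides Explorer's Open/Explore verb, so double-clicking the drive runs the payload")
    if any(v.lower().startswith(HIDDEN_DIRS) for v in cmds.values()):
        reasons.append("payload lives in a folder Explorer hides by default")
    if parsed["junk_lines"]:
        reasons.append(f"{parsed['junk_lines']} non-INI junk line(s), a common parser-evasion trick")
    return reasons


def protect_drive(root):
    """Plant a directory named autorun.inf at `root`. An existing autorun.inf *file* is
    moved aside (assumed name: autorun.inf.quarantined), not deleted, so it can be read.
    Returns the path of the moved file, or None."""
    target = os.path.join(root, "autorun.inf")
    moved = None
    if os.path.isfile(target):
        moved = os.path.join(root, "autorun.inf.quarantined")
        shutil.move(target, moved)
    if not os.path.isdir(target):
        os.mkdir(target)
    if os.name == "nt":
        # Hidden + system + read-only, as the post describes. Assumption: attrib is on PATH.
        subprocess.run(["attrib", "+h", "+s", "+r", target], check=False)
    return moved


def demo():
    """Stand-alone run against a throwaway directory standing in for a USB root."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    moved = protect_drive(root)
    with open(moved) as f:
        parsed = parse_autorun(f.read())
    return {"root": root, "moved": moved, "commands": parsed["commands"],
            "dir_planted": os.path.isdir(os.path.join(root, "autorun.inf")),
            "reasons": why_suspicious(parsed)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The folder is a speed bump, not a guarantee: malware with write access to the drive can remove an ordinary directory and put its file back, which is why some vaccination tools also make the folder hard to delete. The durable fix on XP is to turn AutoRun off for removable drives with the NoDriveTypeAutoRun policy, alongside the Shift-key habit the post mentions.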



