Virtumonde.shn Win32.Agent.pz Win32.Zbot won't stay removed, Google searches also hijacked by searchlisted.com


  • This topic is locked
16 replies to this topic

#1 camlto

  • Members
  • 9 posts

Posted 13 April 2009 - 11:37 AM

I noticed a little sluggishness on my laptop the other day. After I updated and ran Spybot, I appeared to be infected. I attached a screen shot of the results. The first couple of times I ran it, it wouldn't clear everything up, saying one of the items was currently being used in memory and could not be deleted. Now it's allowing me to delete the viruses found, but they seem to be replicating after cleaning and rebooting.


Here's the DDS report; the "Attach.txt" and the SpyBot screen shot are attached.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Alibaba at 21:26:15.79 on Sun 04/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1556 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alibaba\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {6d1b3f9e-b0f2-8ff5-e453-aded2084adf8} - c:\windows\asojabiv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Burn4Free Toolbar Helper: {d187a56b-a33f-4cbe-9d77-459fc0bae012} - c:\program files\burn4free toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Burn4Free Toolbar: {4f11acbb-393f-4c86-a214-ff3d0d155cc3} - c:\program files\burn4free toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\alibaba\protect.dll,_IWMPEvents@16
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Iyavepukog] rundll32.exe "c:\windows\asojabiv.dll",e
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\alibaba\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\alibaba\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - hxxps://www.topproduceronline.com/downloads/msjavx86.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe
DPF: {6070B15F-C07C-463E-A345-FB25B252AAF0}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli quiowerk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alibaba\applic~1\mozilla\firefox\profiles\6f39t35a.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\alibaba\application data\mozilla\firefox\profiles\6f39t35a.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: XUL Cache: {7D9C71A1-1806-4EC7-844F-3A3501BB8D75} - c:\documents and settings\alibaba\local settings\application data\{7D9C71A1-1806-4EC7-844F-3A3501BB8D75}
FF - HiddenExtension: XUL Cache: {33EF3168-9CD2-49E6-A62D-61333B7695DC} - c:\documents and settings\administrator\local settings\application data\{33EF3168-9CD2-49E6-A62D-61333B7695DC}

============= SERVICES / DRIVERS ===============

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-6-8 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-6-8 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2006-6-8 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2006-6-8 10368]

=============== Created Last 30 ================

2009-04-12 19:48 24,064 a--sh--- c:\documents and settings\alibaba\protect.dll
2009-04-12 18:35 <DIR> --d----- C:\Autoruns
2009-04-09 17:26 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-08 13:26 0 a------- c:\windows\Tlotujonafazeq.bin
2009-04-08 13:26 408 a------- c:\windows\Bhelecatevihep.dat
2009-04-07 20:04 <DIR> --d----- c:\docume~1\alibaba\applic~1\TrojanHunter
2009-04-07 17:25 <DIR> --d----- c:\program files\TrojanHunter 5.0
2009-04-06 19:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-06 19:13 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-06 19:13 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-06 19:13 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-06 19:13 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-31 20:33 <DIR> --d----- c:\documents and settings\alibaba\Tracing
2009-03-31 20:30 <DIR> --d----- c:\program files\Microsoft
2009-03-31 20:30 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-31 20:26 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-03-19 05:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-02 15:18 256 a------- c:\documents and settings\alibaba\pool.bin
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2005-07-29 16:24 472 ac-shr-- c:\windows\qwxpymfiyq\kqUDsAI2sk.vbs
2006-03-14 14:01 56 -c-shr-- c:\windows\system32\F85EAD8581.sys
2006-03-14 14:01 1,890 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-08 19:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100820081009\index.dat

============= FINISH: 21:27:20.68 ===============


#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 April 2009 - 12:40 PM

Hi,

Please back up your important data first while you can still access your Windows. The reason is that you are dealing with one of those Trojans/Bots that have the functionality to kill your OS.
Read this article for more info: When a Bot master goes mad - Kill the OS

Also, I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.
I notice that you never scanned with an Antivirus before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no Antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 camlto

  • Topic Starter

  • Members
  • 9 posts

Posted 14 April 2009 - 07:47 AM

Sorry about that. I have always prided myself on safe surfing, so I didn't think I would need one. I forgot about the potential for others to jump on the laptop and have at the internet like a 12 year old.

I have learned my lesson and have gone ahead and bought the premium version.


Attached is the report from Avira.



Avira AntiVir Premium
Report file date: Monday, April 13, 2009 14:36

Scanning for 1347764 virus strains and unwanted programs.

Licensee : Mike Huntertz
Serial number : 2201694095-PEPWE-0001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CHRISNOTEBOOK

Version information:
BUILD.DAT : 9.0.0.421 21382 Bytes 3/24/2009 11:03:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:33:26
ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 18:34:33
ANTIVIR3.VDF : 7.1.3.43 178688 Bytes 4/13/2009 18:34:35
Engineversion : 8.2.0.138
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 21:36:42
AESCRIPT.DLL : 8.1.1.73 373114 Bytes 4/13/2009 18:34:48
AESCN.DLL : 8.1.1.10 127348 Bytes 4/13/2009 18:34:47
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 22:24:41
AEPACK.DLL : 8.1.3.12 397687 Bytes 4/13/2009 18:34:46
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 00:01:56
AEHEUR.DLL : 8.1.0.114 1700214 Bytes 4/13/2009 18:34:44
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 00:01:56
AEGEN.DLL : 8.1.1.33 340340 Bytes 4/13/2009 18:34:38
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 18:32:40
AECORE.DLL : 8.1.6.7 176502 Bytes 4/13/2009 18:34:36
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10
RCIMAGE.DLL : 9.0.0.21 2622721 Bytes 2/9/2009 15:19:34
RCTEXT.DLL : 9.0.35.0 90369 Bytes 3/11/2009 19:37:37

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Monday, April 13, 2009 14:36

Starting search for hidden objects.
'64368' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avmailc.exe' - '1' Module(s) have been scanned
Scan process 'avwebgrd.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
C:\WINDOWS\system32\autochk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\Documents and Settings\Alibaba\Start Menu\Programs\Startup\ChkDisk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan

The registry was scanned ( '66' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
C:\Documents and Settings\Alibaba\protect.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\Documents and Settings\Alibaba\Start Menu\Programs\Startup\ChkDisk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\Documents and Settings\Guest\Local Settings\Temp\vspscsfh.exe
[DETECTION] Contains recognition pattern of the ADSPY/VSAddinDLL.A adware or spyware
C:\Documents and Settings\LocalService\protect.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\Documents and Settings\bleep\Adobe Illustrator CS2 12.0\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
C:\Program Files\Adobe\Acrobat 7.0\Adobe Acrobat 7.0 Professional\setup.exe
[DETECTION] Is the TR/Dldr.2667.B Trojan
C:\Program Files\Adobe\Acrobat 7.0\Adobe_Acrobat_7.0_Professional_Keygen\pdx-ac7p.exe
[DETECTION] Is the TR/Dldr.2667.E Trojan
C:\Program Files\SoftPro\SP_REG.EXE
[DETECTION] Contains recognition pattern of the W95/CIH Windows virus
C:\Spyware Tools\OldVirusFiles\InstallPREVX102000223.exe
[0] Archive type: ACE SFX (self extracting)
--> img\bins\2k_2k3_xp\rksig.bin
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Spyware Tools\OldVirusFiles\VirtumundoBeGone.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0024318.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0024352.exe
[DETECTION] Contains recognition pattern of the DR/Webdir.B.14 dropper
--> [ProgramFilesDir]/Azureus/pxwma.dll
[DETECTION] Is the TR/BHO.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0024353.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.cxl worm
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0024354.exe
[DETECTION] Is the TR/Spy.VB.aho Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0025569.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0025595.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0025636.dll
[DETECTION] Contains recognition pattern of the W95/Blumblebee.1738 Windows virus
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP365\A0025763.exe
[DETECTION] Contains recognition pattern of the ADSPY/SearchAssistant.G.8 adware or spyware
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP367\A0025788.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP367\A0025789.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP368\A0025843.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP368\A0025844.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025845.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025848.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025861.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025904.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025905.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025910.exe
[DETECTION] Is the TR/Spy.VB.aho Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025912.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0025931.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\VundoFix Backups\awvtq.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\system32drei.exe
[DETECTION] Contains recognition pattern of the ADSPY/SearchAssistant.G.8 adware or spyware
C:\WINDOWS\QWxpYmFiYQ\kqUDsAI2sk.vbs
[DETECTION] Contains recognition pattern of the ADSPY/Isearch adware or spyware
C:\WINDOWS\system32\autochk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\WINDOWS\system32\btasfalw.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\WINDOWS\system32\drei.exe
[DETECTION] Contains recognition pattern of the ADSPY/SearchAssistant.G.8 adware or spyware
C:\WINDOWS\system32\nkyhwsws.exe
[DETECTION] Contains recognition pattern of the ADSPY/VSAddinDLL.A adware or spyware
C:\WINDOWS\system32\config\systemprofile\protect.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
C:\WINDOWS\system32\drivers\etc\hosts.20090406-192819.backup
[DETECTION] Is the TR/AntiHosts.Gen Trojan
C:\WINDOWS\Temp\10B.tmp
[DETECTION] Is the TR/Spy.Agent.alfd Trojan
C:\WINDOWS\Temp\msb.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan

Beginning disinfection:
C:\WINDOWS\system32\autochk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4a57f75b.qua'!
C:\Documents and Settings\Alibaba\Start Menu\Programs\Startup\ChkDisk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a4ef750.qua'!
C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
[NOTE] The file was moved to '4a55f752.qua'!
C:\Documents and Settings\Alibaba\protect.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a52f75b.qua'!
C:\Documents and Settings\Alibaba\Start Menu\Programs\Startup\ChkDisk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\Documents and Settings\Guest\Local Settings\Temp\vspscsfh.exe
[DETECTION] Contains recognition pattern of the ADSPY/VSAddinDLL.A adware or spyware
[NOTE] The file was moved to '4a53f773.qua'!
C:\Documents and Settings\LocalService\protect.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a52f772.qua'!
C:\Documents and Settings\bleep\Adobe Illustrator CS2 12.0\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
[NOTE] The file was moved to '4a5cf765.qua'!
C:\Program Files\Adobe\Acrobat 7.0\Adobe Acrobat 7.0 Professional\setup.exe
[DETECTION] Is the TR/Dldr.2667.B Trojan
[NOTE] The file was moved to '4a57f766.qua'!
C:\Program Files\Adobe\Acrobat 7.0\Adobe_Acrobat_7.0_Professional_Keygen\pdx-ac7p.exe
[DETECTION] Is the TR/Dldr.2667.E Trojan
[NOTE] The file was moved to '4a5bf765.qua'!
C:\Program Files\SoftPro\SP_REG.EXE
[DETECTION] Contains recognition pattern of the W95/CIH Windows virus
[NOTE] The file was moved to '4a42f751.qua'!
C:\Spyware Tools\OldVirusFiles\VirtumundoBeGone.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
[NOTE] The file was moved to '4a55f76b.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0024318.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a13f732.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0024352.exe
[DETECTION] Contains recognition pattern of the DR/Webdir.B.14 dropper
[NOTE] The file was moved to '4b776dfb.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0024353.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.cxl worm
[NOTE] The file was moved to '4a13f769.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0024354.exe
[DETECTION] Is the TR/Spy.VB.aho Trojan
[NOTE] The file was moved to '4b7a36da.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0025569.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4921d312.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0025595.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
[NOTE] The file was moved to '4a13f76a.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0025636.dll
[DETECTION] Contains recognition pattern of the W95/Blumblebee.1738 Windows virus
[NOTE] The file was moved to '4922ebdb.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP365\A0025763.exe
[DETECTION] Contains recognition pattern of the ADSPY/SearchAssistant.G.8 adware or spyware
[NOTE] The file was moved to '4927c363.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP367\A0025788.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4e3a36ab.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP367\A0025789.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4b7826bb.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP368\A0025843.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4925ccb3.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP368\A0025844.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a13f76b.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025845.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '492bbc04.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025848.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '492aa45c.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025861.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a13f76f.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025904.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '492895b0.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025905.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '49391970.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025910.exe
[DETECTION] Is the TR/Spy.VB.aho Trojan
[NOTE] The file was moved to '492e8520.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0025912.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a13f770.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0025931.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '492c7691.qua'!
C:\VundoFix Backups\awvtq.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a59f7b7.qua'!
C:\WINDOWS\system32drei.exe
[DETECTION] Contains recognition pattern of the ADSPY/SearchAssistant.G.8 adware or spyware
[NOTE] The file was moved to '4a56f7bd.qua'!
C:\WINDOWS\QWxpYmFiYQ\kqUDsAI2sk.vbs
[DETECTION] Contains recognition pattern of the ADSPY/Isearch adware or spyware
[NOTE] The file was moved to '4a38f7b9.qua'!
C:\WINDOWS\system32\autochk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\WINDOWS\system32\btasfalw.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4a44f9b2.qua'!
C:\WINDOWS\system32\drei.exe
[DETECTION] Contains recognition pattern of the ADSPY/SearchAssistant.G.8 adware or spyware
[NOTE] The file was moved to '4a48f9b1.qua'!
C:\WINDOWS\system32\nkyhwsws.exe
[DETECTION] Contains recognition pattern of the ADSPY/VSAddinDLL.A adware or spyware
[NOTE] The file was moved to '4a5cf9aa.qua'!
C:\WINDOWS\system32\config\systemprofile\protect.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a52f9b1.qua'!
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a4ef9a7.qua'!
C:\WINDOWS\system32\drivers\etc\hosts.20090406-192819.backup
[DETECTION] Is the TR/AntiHosts.Gen Trojan
[NOTE] The file was moved to '4a56f9ae.qua'!
C:\WINDOWS\Temp\10B.tmp
[DETECTION] Is the TR/Spy.Agent.alfd Trojan
[NOTE] The file was moved to '4a25f96f.qua'!
C:\WINDOWS\Temp\msb.dll
[DETECTION] Is the TR/Crypt.IL.1 Trojan
[NOTE] The file was moved to '4a45f9b2.qua'!


End of the scan: Monday, April 13, 2009 22:47
Used time: 4:03:04 Hour(s)

The scan has been done completely.

7626 Scanned directories
643151 Files were scanned
45 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
42 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
643104 Files not concerned
5622 Archives were scanned
7 Warnings
46 Notes
64368 Objects were scanned with rootkit scan
0 Hidden objects were found
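
The hosts-file backup flagged above as TR/AntiHosts.Gen deserves more attention than the log gives it: a detection of that kind means the file carried mappings that point well-known names somewhere they should not go, typically security-vendor sites at 127.0.0.1 (so updates and scanners fail quietly) or search engines at a server the attacker controls. The thread does not show what that backup contained, so the following is an added example, not part of the original posts or of any tool used in them: a Python audit that parses a hosts file and reports watched domains that are blackholed or redirected, plus any other name mapped to a non-loopback address, while leaving ordinary ad-blocking entries alone. The sample file and the WATCHED_SUFFIXES list are constructed for the example.

```python
"""Audit a Windows hosts file for the mappings a hosts-hijacking trojan adds."""
from __future__ import annotations

import ipaddress

# Constructed sample (not the hosts file from the thread): the default Windows
# entry, two security-vendor sites blackholed, two search engines redirected to
# a non-loopback address, and one ad domain blocked by the user on purpose.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.spybot.info
127.0.0.1       www.malwarebytes.org  malwarebytes.org
192.0.2.44      www.google.com
192.0.2.44      www.bing.com
0.0.0.0         ad.doubleclick.net
"""

# Names that should never be overridden locally. Constructed watch list for
# the example; extend it with the vendors and services actually in use.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "spybot.info", "malwarebytes.org", "avira.com",
)


def parse_hosts(text: str):
    """Yield (lineno, ip, hostname) for every mapping, one per hostname."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address: not a mapping line
        for host in fields[1:]:
            yield lineno, ip, host.lower()


def _watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> list[tuple[int, str, str, str]]:
    """Return (lineno, ip, host, verdict) for entries worth a second look.

    Blackholing (127.0.0.1 / 0.0.0.0) of arbitrary domains is left alone,
    because ad-blocking hosts files do exactly that on purpose.
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        if host == "localhost" and sinkhole:
            continue                           # the one mapping Windows ships with
        if _watched(host):
            verdict = "blackholed" if sinkhole else f"redirected to {ip}"
        elif not sinkhole:
            verdict = f"mapped to non-loopback address {ip}"
        else:
            continue
        findings.append((lineno, str(ip), host, verdict))
    return findings


if __name__ == "__main__":
    for lineno, ip, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}: {verdict}")
```

On a live machine the input is the contents of %SystemRoot%\system32\drivers\etc\hosts; a routable address for a name in the watch list is the case that matters most, because it sends traffic for that name to a host chosen by whoever wrote the entry.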

#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 April 2009 - 07:55 AM

Hi,

I have always prided myself in safe surfing, so I didn't think I would need one. I forgot about the potential for others to jump on the laptop and have at the internet like a 12-year-old.

Things have changed. Even though I know perfectly well what I'm doing online, you really cannot do without an antivirus nowadays. Also read this: http://miekiemoes.blogspot.com/2008/08/i-d...use-i-have.html

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 camlto
  • Topic Starter
  • Members
  • 9 posts

Posted 14 April 2009 - 08:52 AM

Nice blog with lots of useful info.


Here's the MBAM report, followed by a fresh HijackThis log


Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 3

4/14/2009 9:32:22 AM
mbam-log-2009-04-14 (09-32-22).txt

Scan type: Quick Scan
Objects scanned: 97405
Time elapsed: 21 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\quiowerk.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1daefcb9-06c8-47c6-8f20-3fb54b244daa} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6e00dda-feaf-4d28-adc4-055240e8f907} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyavepukog (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: quiowerk.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\quiowerk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\asojabiv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alibaba\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\tcb.pmw (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alibaba\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:19 AM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6d1b3f9e-b0f2-8ff5-e453-aded2084adf8} - C:\WINDOWS\asojabiv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {6070B15F-C07C-463E-A345-FB25B252AAF0} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5920 bytes

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 April 2009 - 09:08 AM

Hi,

* Start HijackThis, close all open windows, leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {6d1b3f9e-b0f2-8ff5-e453-aded2084adf8} - C:\WINDOWS\asojabiv.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O16 - DPF: {6070B15F-C07C-463E-A345-FB25B252AAF0} -


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Also, I see you have the Burn4Free Toolbar installed. This is potentially unwanted software; see this writeup: http://www.sophos.com/security/analyses/ad.../burn4free.html
So it's your choice whether you want to keep it or not.

Let me know in your next reply how things are now.
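
The fix list above is pattern recognition that experienced helpers do by eye: a BHO entry with no name whose DLL is already gone, two Run entries in the SYSTEM and Default-user hives (HKUS\S-1-5-18 and HKUS\.DEFAULT) that have rundll32 load protect.dll from the LocalService profile under the name of a genuine Windows component (autochk), and an O16 ActiveX download entry with no source URL. As an added example, not code from the thread or from HijackThis itself, the Python below encodes those three heuristics and runs them over lines copied from the log in post #5, with one benign line per section so the filter can be seen ignoring them. The R0/R1 start-page items are deliberately left to human judgement, since whether an OEM default page such as dell4me.com should be reset is a preference, not a detection.

```python
"""Triage heuristics for HijackThis v2 log lines (added example, not an HJT feature)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, with a
# benign entry kept for each section so the heuristics can be seen passing it.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6d1b3f9e-b0f2-8ff5-e453-aded2084adf8} - C:\WINDOWS\asojabiv.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
O16 - DPF: {6070B15F-C07C-463E-A345-FB25B252AAF0} -
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

_SECTION = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - ")
_RUN_CMD = re.compile(r"\]\s*(?P<cmd>.*)$")          # text after the [name] of an O4 entry
# Short (8.3) and long forms of locations where a logon-time rundll32 DLL is
# almost never legitimate: user profiles, temp and per-user application data.
_PROFILE_PATH = re.compile(
    r"DOCUME~1|Documents and Settings|LOCALS~1|Local Settings|\\Temp\\|Application Data|APPLIC~1",
    re.IGNORECASE,
)
# HijackThis reports the SYSTEM and Default-user hives as HKUS\S-1-5-18 and HKUS\.DEFAULT.
_SYSTEM_HIVE = re.compile(r"HKUS\\(S-1-5-18|\.DEFAULT)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reasons: tuple[str, ...]
    line: str


def triage_hjt_line(line: str) -> Finding | None:
    """Return a Finding when the line matches a heuristic, otherwise None."""
    line = line.strip()
    m = _SECTION.match(line)
    if not m:
        return None
    sec = m.group("sec")
    reasons: list[str] = []
    if sec == "O2":
        if "(no name)" in line:
            reasons.append("BHO registered without a name")
        if line.endswith("(file missing)"):
            reasons.append("BHO DLL no longer on disk (orphaned registration)")
    elif sec == "O4":
        cmd_match = _RUN_CMD.search(line)
        cmd = cmd_match.group("cmd") if cmd_match else ""
        if "rundll32" in cmd.lower() and _PROFILE_PATH.search(cmd):
            reasons.append("rundll32 loads a DLL from a profile/temp path at logon")
        if _SYSTEM_HIVE.search(line):
            reasons.append("Run entry in the SYSTEM or Default-user hive")
    elif sec == "O16":
        if re.search(r"\}\s*-\s*$", line):       # CLSID followed by nothing: no download URL
            reasons.append("ActiveX (DPF) entry with no download URL")
    if not reasons:
        return None
    return Finding(sec, tuple(reasons), line)


def triage_hjt_log(text: str) -> list[Finding]:
    """Run the heuristics over a whole log; log order is preserved."""
    return [f for f in map(triage_hjt_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f.section, "|", "; ".join(f.reasons))
        print("   ", f.line)
```

Run as a script it prints exactly the four non-R lines the helper asked to have fixed; each Finding keeps the original line so the output can be pasted back into a reply. The heuristics are a starting point for triage, not a verdict: a flagged line still has to be read.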

#7 camlto
  • Topic Starter
  • Members
  • 9 posts

Posted 14 April 2009 - 10:08 AM

I went ahead and killed the Burn4Free toolbar, too. It came with the program and I told it not to "add-on" but I guess it did anyway.

Everything appears to be working fine, plus Google isn't redirecting anymore.

I ran SpyBot and it came back clean, as well.



THANKS!!! for getting me back on track and teaching me a lesson about having an Anti-Virus installed and running.

#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 April 2009 - 10:30 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 camlto
  • Topic Starter
  • Members
  • 9 posts

Posted 14 April 2009 - 10:55 AM

Looks like I spoke too soon.

My Google searches are still hijacked.

Whenever I click a link from Google, it redirects me to random search pages. If I hit the back button and go back to the Google search results, the links work correctly.

I'm not sure if you want to continue here...

Edited by camlto, 14 April 2009 - 10:57 AM.


#10 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 April 2009 - 11:10 AM

Hi,

Ok, let's have a look...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#11 camlto
  • Topic Starter
  • Members
  • 9 posts

Posted 14 April 2009 - 11:54 AM

Here you go.

Thanks again...



ComboFix 09-04-14.09 - Alibaba 04/14/2009 12:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1626 [GMT -4:00]
Running from: c:\documents and settings\Alibaba\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bang-006.ico
c:\windows\system32\MabryObj.dll
c:\windows\system32\uninstall.exe
c:\windows\system32\wapisvcc.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 13:04 . 2009-04-14 13:04 -------- d-----w c:\documents and settings\Alibaba\Application Data\Malwarebytes
2009-04-14 13:04 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 13:04 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 13:04 . 2009-04-14 13:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 13:04 . 2009-04-14 13:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 18:30 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-13 18:29 . 2009-04-13 18:30 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-13 18:29 . 2009-04-13 18:29 -------- d-----w c:\program files\Avira
2009-04-12 22:35 . 2009-04-12 22:36 -------- d-----w C:\Autoruns
2009-04-08 17:26 . 2009-04-13 15:22 0 ----a-w c:\windows\Tlotujonafazeq.bin
2009-04-08 17:26 . 2009-04-08 17:26 -------- d-----w c:\documents and settings\Alibaba\Local Settings\Application Data\{7D9C71A1-1806-4EC7-844F-3A3501BB8D75}
2009-04-08 17:26 . 2009-04-13 19:02 408 ----a-w c:\windows\Bhelecatevihep.dat
2009-04-08 00:04 . 2009-04-08 00:04 -------- d-----w c:\documents and settings\Alibaba\Application Data\TrojanHunter
2009-04-07 21:25 . 2009-04-08 00:05 -------- d-----w c:\program files\TrojanHunter 5.0
2009-04-07 18:55 . 2009-04-07 18:55 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{33EF3168-9CD2-49E6-A62D-61333B7695DC}
2009-04-07 03:48 . 2009-04-07 11:59 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-06 23:20 . 2009-04-06 23:24 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 23:13 . 2009-04-06 23:13 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-06 23:13 . 2009-04-06 23:13 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-06 23:13 . 2009-04-06 23:13 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-06 23:13 . 2009-04-06 23:13 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-06 23:09 . 2009-04-06 23:14 37452296 ----a-w c:\documents and settings\bleep\Ad-AwareAE.exe
2009-04-01 00:33 . 2009-04-09 01:01 -------- d-----w c:\documents and settings\Alibaba\Tracing
2009-04-01 00:30 . 2009-04-01 00:30 -------- d-----w c:\program files\Microsoft
2009-04-01 00:30 . 2009-04-01 00:30 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-01 00:26 . 2009-04-01 00:26 -------- d-----w c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 23:06 . 2005-12-28 20:44 -------- d-----w c:\documents and settings\Alibaba\Application Data\Lavasoft
2009-04-10 18:46 . 2008-07-22 03:13 -------- d-----w c:\program files\SG2
2009-04-09 14:58 . 2009-01-14 05:18 -------- d-----w c:\documents and settings\Alibaba\Application Data\Move Networks
2009-04-07 15:46 . 2007-04-25 14:42 -------- d-----w c:\program files\Yahoo!
2009-04-07 11:51 . 2009-04-07 04:14 769 ----a-w C:\aaw7boot.log
2009-04-06 23:23 . 2005-12-28 21:06 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 16:05 . 2005-09-25 16:32 -------- d-----w c:\program files\Soulseek
2009-04-02 13:27 . 2005-09-15 01:33 -------- d-----w c:\documents and settings\Alibaba\Application Data\Azureus
2009-04-01 00:32 . 2005-08-23 02:58 57880 -c--a-w c:\documents and settings\Alibaba\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 00:29 . 2008-07-21 13:19 -------- d-----w c:\program files\Windows Live
2009-03-26 15:01 . 2005-09-03 00:29 -------- d-----w c:\program files\Common Files\Adobe
2009-03-24 05:28 . 2008-11-11 13:27 -------- d-----w c:\program files\Burn4Free
2009-03-19 09:30 . 2008-12-13 18:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-19 09:30 . 2005-08-16 05:59 -------- d-----w c:\program files\Java
2009-02-27 20:41 . 2005-09-15 01:32 -------- d-----w c:\program files\Azureus
2009-02-21 04:42 . 2009-02-21 04:42 -------- d-----w c:\documents and settings\Alibaba\Application Data\Research In Motion
2009-02-17 03:44 . 2009-01-16 13:16 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-02-17 03:44 . 2009-01-16 13:16 -------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-02-17 03:44 . 2005-08-16 06:08 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-17 03:34 . 2006-07-15 14:30 -------- d-----w c:\program files\Common Files\Research In Motion
2009-02-09 11:13 . 2008-10-16 17:06 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-03 04:31 . 2006-10-19 19:04 292 ---ha-w C:\sqmdata10.sqm
2009-02-03 04:31 . 2006-10-19 19:04 244 ---ha-w C:\sqmnoopt09.sqm
2009-02-02 19:18 . 2009-01-28 21:54 256 ----a-w c:\documents and settings\Alibaba\pool.bin
2009-01-19 02:17 . 2006-10-19 19:04 292 ---ha-w C:\sqmdata09.sqm
2009-01-19 02:17 . 2006-10-19 19:04 244 ---ha-w C:\sqmnoopt08.sqm
2009-01-17 02:35 . 2006-07-28 11:30 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-11 13:26 . 2008-11-11 13:25 4329014 ----a-w c:\documents and settings\bleep\burn4free_setup.exe
2008-11-07 23:14 . 2008-05-14 02:48 57296 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-08 22:14 . 2008-10-08 22:14 7508608 ----a-w c:\documents and settings\bleep\Firefox Setup 3.0.3.exe
2007-04-25 14:41 . 2007-04-25 14:41 530496 -c--a-w c:\documents and settings\bleep\yahoo_installer.exe
2007-02-02 16:21 . 2005-09-25 16:31 842672 -c--a-w c:\documents and settings\bleep\slsk156c.exe
2006-11-06 17:02 . 2006-11-06 17:02 130 -c--a-w c:\documents and settings\Alibaba\Local Settings\Application Data\fusioncache.dat
2006-10-20 15:52 . 2006-10-20 15:52 127378 ----a-w c:\documents and settings\bleep\avenger.zip
2006-08-10 20:37 . 2006-08-10 20:37 1672336 -c--a-w c:\documents and settings\bleep\install_easyshare.exe
2006-07-10 16:14 . 2006-07-10 16:14 2230984 -c--a-w c:\documents and settings\bleep\sp2_patch.exe
2006-07-10 16:12 . 2006-07-10 16:12 2361391 -c--a-w c:\documents and settings\bleep\hpma_mls_photo_update.exe
2006-07-04 20:51 . 2006-07-04 20:47 4730740 -c--a-w c:\documents and settings\bleep\ratDVDSetup-0.78.1444.exe
2006-06-12 14:58 . 2006-06-12 14:57 2170054 -c--a-w c:\documents and settings\bleep\audioconverter.exe
2006-06-12 14:58 . 2006-06-12 14:57 27648 -c--a-w c:\documents and settings\bleep\audioconverterkeygen.exe
2006-04-28 01:00 . 2006-04-28 01:00 2003716 -c--a-w c:\documents and settings\bleep\converter_setup.exe
2006-04-26 02:15 . 2006-04-26 02:15 1621482 -c--a-w c:\documents and settings\bleep\fdminst.exe
2006-04-22 01:17 . 2006-04-22 01:17 2521157 -c--a-w c:\documents and settings\bleep\RevConnect-0.674k.exe
2006-04-19 15:01 . 2006-04-19 15:01 5352752 -c--a-w c:\documents and settings\bleep\Setup_FreeConverter.exe
2006-04-06 21:44 . 2006-04-06 21:44 5327965 -c--a-w c:\documents and settings\bleep\realtime.exe
2006-04-06 21:41 . 2006-04-06 21:41 8285064 -c--a-w c:\documents and settings\bleep\ICMSetup2L.exe
2006-03-18 06:06 . 2006-03-18 06:06 2234655 -c--a-w c:\documents and settings\bleep\ocaconv311.exe
2006-03-17 23:23 . 2006-03-17 23:23 684762 -c--a-w c:\documents and settings\bleep\PowerISO29.exe
2006-01-22 01:32 . 2006-01-22 01:32 3507488 -c--a-w c:\documents and settings\bleep\dap75.exe
2005-12-28 20:43 . 2005-12-28 20:42 2855080 -c--a-w c:\documents and settings\bleep\aawsepersonal.exe
2005-12-18 06:47 . 2005-12-18 06:47 1129122 -c--a-w c:\documents and settings\bleep\mkwACT097b1.exe
2005-11-24 02:10 . 2005-11-24 02:10 4763648 -c--a-w c:\documents and settings\bleep\irfanview_plugins_397.exe
2005-11-24 02:06 . 2005-11-24 02:06 894976 -c--a-w c:\documents and settings\bleep\iview397.exe
2005-09-19 20:38 . 2005-09-19 20:38 1079033 -c--a-w c:\documents and settings\bleep\icscfginst15.exe
2005-09-18 22:19 . 2005-09-18 22:19 8274695 -c--a-w c:\documents and settings\bleep\vlc-0.8.2-win32.exe
2005-09-18 17:35 . 2005-09-18 17:35 217300 -c--a-w c:\documents and settings\bleep\gspot221.exe
2005-09-16 23:39 . 2005-09-16 23:39 1013627 -c--a-w c:\documents and settings\bleep\wrar350.exe
2005-09-09 19:00 . 2005-09-09 19:00 1336933 ----a-w c:\documents and settings\bleep\EMpgDec20.zip
2005-09-05 19:20 . 2005-09-05 19:20 9657389 -c--a-w c:\documents and settings\bleep\Codecs6027_allin1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2008-11-11 13:27 806912 ----a-w c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2008-11-11 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-10 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-03-04 606208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-4-11 25214]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 07:12 483328 -c--a-w c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-03-04 16:26 606208 ----a-w c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 -c--a-w c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 -c----w c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-02-15 20:02 155648 -c--a-w c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OCAudioIni]
2006-01-24 01:13 57344 ----a-w c:\program files\One-click Audio Converter\OCAudioIni.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 -c----w c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-02-10 02:39 155648 ----a-w c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-10-12 08:10 49263 -c--a-w c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Alibaba\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Open Ports
"6882:TCP"= 6882:TCP:Open Port
"6883:TCP"= 6883:TCP:Open Port
"6884:TCP"= 6884:TCP:Open Port
"6885:TCP"= 6885:TCP:Open Port
"6886:TCP"= 6886:TCP:Open Port
"6887:TCP"= 6887:TCP:Open Port
"6888:TCP"= 6888:TCP:Open Port
"6889:TCP"= 6889:TCP:Open Port
"63636:TCP"= 63636:TCP:Torrent
"63636:UDP"= 63636:UDP:Torrent
"16881:TCP"= 16881:TCP:Torrent
"16882:TCP"= 16882:TCP:Torrent
"16883:TCP"= 16883:TCP:Torrent
"16884:TCP"= 16884:TCP:Torrent
"16885:TCP"= 16885:TCP:Torrent

R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2001-08-17 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2001-08-17 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2001-08-17 10368]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-02-24 186625]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-02-12 432897]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b86ad121-95ba-11db-903b-00123fe3963c}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4251647-1af6-11de-913b-00123fe3963c}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Alibaba\Application Data\Mozilla\Firefox\Profiles\6f39t35a.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\Alibaba\Application Data\Mozilla\Firefox\Profiles\6f39t35a.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 12:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1301124383-2476061852-3871969035-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E18C3129-5240-CD58-7F68-529F105CAD5F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iapagofihibpdcefec"=hex:64,61,6f,67,64,65,70,6f,00,60
"iadagkelenblgcibmo"=hex:6a,61,70,67,67,65,65,6b,65,64,66,6a,61,6f,6c,6e,64,65,
6a,6c,00,fd
"habaimadibffiaok"=hex:6a,61,6f,67,67,65,6d,70,63,70,6b,6e,6f,63,63,61,68,61,
67,67,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(956)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 16:45
ComboFix2.txt 2006-11-01 22:20

Pre-Run: 1,640,366,080 bytes free
Post-Run: 2,231,599,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

254 --- E O F --- 2009-03-20 15:18

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:05:32 PM

Posted 14 April 2009 - 01:10 PM

Hi,

The BurnForFree toolbar is still present though.

Navigate to and delete the following leftovers:

c:\windows\Bhelecatevihep.dat
c:\windows\Tlotujonafazeq.bin

Then:
  • Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 camlto

camlto
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:32 AM

Posted 14 April 2009 - 02:58 PM

I noticed the Burn4Free Toolbar stuff was still floating around, too. Can I just go in and delete those remaining instances of it?



Here's the GooredFix log.




GooredFix v1.92 by jpshortstuff
Log created at 15:52 on 14/04/2009 running Option #2 (Alibaba)
Firefox version 3.0.7 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{33EF3168-9CD2-49E6-A62D-61333B7695DC}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{33EF3168-9CD2-49E6-A62D-61333B7695DC}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Administrator\Local Settings\Application Data\{33EF3168-9CD2-49E6-A62D-61333B7695DC}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{7D9C71A1-1806-4EC7-844F-3A3501BB8D75}"="C:\Documents and Settings\Alibaba\Local Settings\Application Data\{7D9C71A1-1806-4EC7-844F-3A3501BB8D75}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Alibaba\Local Settings\Application Data\{7D9C71A1-1806-4EC7-844F-3A3501BB8D75}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:05:32 PM

Posted 15 April 2009 - 01:01 AM

Hi,

For the Toolbar, if it's still present, just check and fix next entries in HijackThis:

O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

Make sure your Internet Explorer is closed when you click the Fix checked button.
Then navigate to and delete the C:\Program Files\Burn4Free Toolbar folder

It looks like your redirection issue should be resolved as well now, so let me know in your next reply how things are now.

Also, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

#15 camlto

camlto
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:32 AM

Posted 15 April 2009 - 03:15 PM

done and done.


looks like my redirection problems are fixed, too.



thanks for all of your help.

thanks for the blog link, too. you've got some really informative articles there.



