Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infectd with viruses what do i do some please help?


  • Please log in to reply
30 replies to this topic

#1 Collo

Collo

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 25 April 2009 - 04:53 AM

I run AVG free addition and ran a scan, it said I have 28 virsus, I also ran spybot and it also said I have numerous problems but no matter how many times I run a scan and click fix the same problems arise. My computer recently said it had recovered from a critcal error and I get numerous pop up errors saying applications have encountered an error and need to close, secifically internet explorer. My browser has also ben running slow and I get pop ups every now and then that i cant get rid of. Ever since the critical error all the applications in the task bar in th bottom right hand corner have dissapeared.

AVG said I have the following infections if that helps:
"C:\Documents and Settings\brad\Local Settings\Temporary Internet Files\Content.IE5\2E3Y8J9Z\liscpqzaw[1].htm";"Trojan horse Agent2.ERA";"Moved to Virus Vault"
"C:\Documents and Settings\brad\Local Settings\Temporary Internet Files\Content.IE5\9AZM2ZZJ\ddsuper0[1].htm";"Trojan horse Generic13.ABWK";"Moved to Virus Vault"
"c:\program Files\ThunMail\testabd.exe";"Trojan horse PSW.OnlineGames_r.DA";"Moved to Virus Vault"
"C:\WINDOWS\system32\babetafu.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\bejowaku.dll";"Trojan horse Generic13.ACEK";"Moved to Virus Vault"
"C:\WINDOWS\system32\danuvugi.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\dpcxool64.sys";"Trojan horse Downloader.Delf.CJG";"Moved to Virus Vault"
"C:\WINDOWS\system32\galidode.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\huyipube.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\jabisofe.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\mubajovi.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\norolija.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\pidarado.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\pihakeda.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\raritazu.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\rasojoge.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\roniviha.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\rowirisa.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\sekanawo.exe";"Trojan horse Vundo.GF";"Moved to Virus Vault"
"C:\WINDOWS\system32\sopidkc.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\WINDOWS\system32\vigijene.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\vowikiho.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\witiwegu.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\wizisepu.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\wuhahate.dll";"Trojan horse Generic13.ABSJ";"Moved to Virus Vault"
"C:\WINDOWS\system32\zewofeha.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\zipowapu.dll";"Trojan horse Generic13.ABSX";"Moved to Virus Vault"
"C:\WINDOWS\system32\ziyoyide.dll";"Trojan horse Generic13.ABVZ";"Moved to Virus Vault"

Spy Bot found 65 problems:

DNS Flush.cws; 22 trojan entries
Fraud.Virusdoctor; 2 malware entries
Microsoft.Windows.Explorer; 3 security entries
Microsoft.WindwsSecurityCenter.Registrytoo; 3 securityC entries
PWS.LDPinchIE; 3 trojan entries
Virtumonde; 2 TrojanC entries
Virtumonde.Dll; 8 trojanC entries
Virtumonde.prx; 6 TrojanC entries
Virtumonde.sdn; 5 TrojanC entries
Win32.Agent.jg; 4 Trojan entries
Win32.Agent.pz; 3 Malware Entries
Win32.Delf.rtk; 1 trojan entrie
Win32.Delf.uc; 1 Trojan entrie
Win32.TDSS.rtk; 1 trojan entrie

Can someone please help me??

Edited by Collo, 25 April 2009 - 05:27 AM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 PM

Posted 25 April 2009 - 09:45 AM

hello and welcome.. The quarantined items can no longer harm your PC. Let's see if there are more as usually a PC with this much does.

Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 25 April 2009 - 07:28 PM

I Hope this is what you wanted: Thanks heaps

Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 3

26/04/2009 10:26:30 AM
mbam-log-2009-04-26 (10-26-30).txt

Scan type: Quick Scan
Objects scanned: 76595
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 20
Registry Values Infected: 11
Registry Data Items Infected: 6
Folders Infected: 5
Files Infected: 32

Memory Processes Infected:
C:\WINDOWS\dhcp\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\jksahfo93wjfkd.dll (Trojan.Ertfor) -> Delete on reboot.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08b0e5c0-4fcb-11cf-aax5-00401c608512} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navigator (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6f94c6d6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6ca7f54a (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vejitetazo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcidemunajazeti (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sobstmo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\WWShow (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\brad\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Jcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\sobstmo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jksahfo93wjfkd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\brad\Local Settings\Temp\Temporary Internet Files\Content.IE5\MDV0CJ9J\156[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sgseerhdfg48.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\Documents and Settings\brad\Local Settings\Temporary Internet Files\Content.IE5\2E3Y8J9Z\ddsuper1[1].htm (Virus.Virut) -> Quarantined and deleted successfully.
C:\Documents and Settings\brad\Local Settings\Temporary Internet Files\Content.IE5\74IN47WL\ddsuper3[1].htm (Trojan.Boaxxe) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\ThunMail\testabd.dll (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail\testabd.dll.vir (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
C:\WINDOWS\dhcp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\dncyool64.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\wxsdug.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ptrf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\pejolido.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\brad\Local Settings\Temp\4262402218.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 PM

Posted 25 April 2009 - 09:35 PM

Yes thatis what we need. We still have more to get off. So next
run ATF and SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now Rerun MBAM loke this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post 2 logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 26 April 2009 - 09:54 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2009 at 00:41 AM

Application Version : 4.26.1000

Core Rules Database Version : 3864
Trace Rules Database Version: 1815

Scan type : Complete Scan
Total Scan Time : 01:48:00

Memory items scanned : 246
Memory threats detected : 0
Registry items scanned : 5017
Registry threats detected : 38
File items scanned : 58649
File threats detected : 7

Rootkit.Mailer/Gen
HKLM\System\ControlSet002\Services\c1aaf216
C:\WINDOWS\SYSTEM32\DRIVERS\C1AAF216.SYS
HKLM\System\ControlSet002\Enum\Root\LEGACY_c1aaf216
HKLM\System\ControlSet004\Services\c1aaf216
HKLM\System\ControlSet004\Enum\Root\LEGACY_c1aaf216
HKLM\System\CurrentControlSet\Services\c1aaf216
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_c1aaf216

Rootkit.Agent/Gen-ETHDrop
HKLM\System\ControlSet002\Services\ethpxuxx
C:\WINDOWS\SYSTEM32\DRIVERS\ETHPXUXX.SYS
HKLM\System\ControlSet002\Enum\Root\LEGACY_ethpxuxx
HKLM\System\ControlSet004\Services\ethpxuxx
HKLM\System\ControlSet004\Enum\Root\LEGACY_ethpxuxx
HKLM\System\CurrentControlSet\Services\ethpxuxx
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ethpxuxx

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg
C:\Documents and Settings\brad\Local Settings\Temporary Internet Files\CPV.stt

Trojan.Fake-Alert/Trace
C:\Documents and Settings\brad\Local Settings\Temporary Internet Files\fbk.sts

Rogue.Component/Trace
HKU\S-1-5-21-3003916563-1157146543-1844567693-1006\Software\Microsoft\FIAS4057

Trojan.Agent/Gen-MSNCache
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\msncache
HKLM\SYSTEM\CurrentControlSet\Services\msncache#Type
HKLM\SYSTEM\CurrentControlSet\Services\msncache#Start
HKLM\SYSTEM\CurrentControlSet\Services\msncache#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\msncache#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\msncache#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\msncache\parameters
HKLM\SYSTEM\CurrentControlSet\Services\msncache\parameters#ServiceDll
HKLM\SYSTEM\CurrentControlSet\Services\msncache\security
HKLM\SYSTEM\CurrentControlSet\Services\msncache\security#Security
HKLM\SYSTEM\CurrentControlSet\Services\msncache\Enum
HKLM\SYSTEM\CurrentControlSet\Services\msncache\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\msncache\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\msncache\Enum#NextInstance
C:\WINDOWS\SYSTEM32\MSNCACHE.DLL

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\TWEXT.EXE

Trojan.Agent/Gen-FakeAlert
C:\WINDOWS\TEMP\Y2WNFWHS.EXE

#6 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 26 April 2009 - 09:58 AM

Malwarebytes' Anti-Malware 1.36
Database version: 2043
Windows 5.1.2600 Service Pack 3

27/04/2009 12:57:02 AM
mbam-log-2009-04-27 (00-57-02).txt

Scan type: Quick Scan
Objects scanned: 74253
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

#7 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 26 April 2009 - 10:06 AM

Hello,

Haven't got many questions at this stage, my computer is running faster than it was but all the programs in the task bar in the bottom right hand corner still don't appear when i start the computer up and on start up i get a pop up from windows explorer that goes to scvhost.exe. I also get a pop up bubble saying that windows firewall is not activated and automatic updates is turned off. Also when i try an connect my ipod the computer doesnt seem to reognise it, and still ocassionally getting error messages from internet explorer saying it has encountered an error and needs to close.

Cheers mate!

Edited by Collo, 26 April 2009 - 09:54 PM.


#8 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 27 April 2009 - 02:01 AM

Any more help would be greatly appreciated!

Thanks

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 PM

Posted 27 April 2009 - 09:06 AM

Hello,was away yesterday. Let's run 2 more tools. I hope that removal will restore the try if not we'll fix it.

Run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Now run SDFix,we may still have rootkits.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 28 April 2009 - 05:18 AM

My computer has gotten so bad that it won't start up in normal mode only in safe and that means I can't connect to the Internet to download the programs what do I do??

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 PM

Posted 28 April 2009 - 09:23 AM

Can you use SAFE MODE with Networking??

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 29 April 2009 - 12:06 AM

Oh ok thisball sounds pretty serious then. I do Internet banking but I have been aware of virus infection and havnt accessed my account online from my computer since realizing the infection, should this be a problem? I would like to still try and clean the computer as I need it for Uni work, since it can't be completely cleaned does this mean I shouldn't access my Internet banking on my computer?

#13 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 29 April 2009 - 03:50 AM

SmitFraudFix v2.412

Scan done at 18:48:54.46, Wed 29/04/2009
Run from C:\Documents and Settings\brad\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\VRT1.tmp
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\brad


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\brad\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\brad\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\brad\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
Suspicious item found: 3D265850F0A3AB20


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\jebikono.dll,C:\\WINDOWS\\system32\\bobitudo.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2474967B-D799-4F11-B32D-28723F82D066}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2474967B-D799-4F11-B32D-28723F82D066}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#14 Collo

Collo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 29 April 2009 - 05:59 AM

SDFix: Version 1.240
Run by Administrator on Wed 29/04/2009 at 07:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\182294~1 - Deleted
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds - Deleted
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds - Deleted



Folder C:\Documents and Settings\LocalService\Application Data\twain_32 - Removed
Folder C:\Documents and Settings\NetworkService\Application Data\twain_32 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 19:22:25
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\brad\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iPhoneBrowser\\iPhoneBrowser.exe"="C:\\Program Files\\iPhoneBrowser\\iPhoneBrowser.exe:*:Enabled:iPhoneBrowser"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe:*:Enabled:SmoothView"
"C:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"="C:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe:*:Enabled:RegSrvc"
"C:\\jgxxsfa.exe"="C:\\jgxxsfa.exe:*:Disabled:jgxxsfa"
"C:\\WINDOWS\\system32\\3361\\svchost.exe"="C:\\WINDOWS\\system32\\3361\\svchost.exe:*:Enabled:SVCHOST.EXE"
"C:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe"="C:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe:*:Disabled:Firefox"
"C:\\WINDOWS\\system32\\reader_s.exe"="C:\\WINDOWS\\system32\\reader_s.exe:*:Enabled:reader_s"
"C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exe:*:Enabled:services"
"C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"="C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe:*:Enabled:EvtEng"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:lsass"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\\WINDOWS\\system32\\VT100.EXE"="C:\\WINDOWS\\system32\\VT100.EXE:*:Enabled:VT100 Emulator"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,280,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 29 Apr 2009 2,189,056 ...H. --- "C:\WINDOWS\system32\ntoskrnl.exe"
Wed 11 Feb 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 10 Feb 2009 8,822,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\adcebe53c9a3a7af3f6702e528bbb746\BIT1E.tmp"
Tue 10 Feb 2009 9,237,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e716d682d02fa2ad9ede26c52c60faa9\BITC.tmp"

Finished!

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 PM

Posted 29 April 2009 - 08:53 AM

Hello ..

I shouldn't access my Internet banking on my computer?

I would not from here till it is cleaned.

We need to run part 2 the Cleaner
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Now Rerun MBAM like this:

Open MBAM in normal mode and click [b]Update[/b] tab, select Check for Updates,when done
click Scanner tab,select Full scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Edited by boopme, 29 April 2009 - 07:33 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users