Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected wit hsomething, deleted my internet, etc


  • Please log in to reply
11 replies to this topic

#1 bconine23

bconine23

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 15 May 2009 - 11:07 AM

Hello,

I'm new here, and a computer idiot !!

Right from the start I posted in the wrong spot, and the wrong report. let's see if I did it right this time. Thanks in advance for any and all help !!!

Here is my DDS file:

DDS (Ver_09-05-14.01) - NTFSx86
Run by MARK at 10:57:48.32 on 2009-05-15
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {5dd4d4fc-6083-4776-a98f-c62cc9d14358} - c:\windows\system32\wvUoNHyA.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\mark\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\documents and settings\mark\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: state.ok.us\unemployment
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\rsek0n8m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://oklahomacity.cox.net/cci/home
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - plugin: c:\documents and settings\mark\application data\mozilla\firefox\profiles\rsek0n8m.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-14 20:35 409,600 a------- c:\windows\system32\CF23336.exe
2009-05-14 13:05 84 a------- c:\windows\system32\3.tmp
2009-05-13 14:36 0 a------- c:\windows\system32\7.tmp
2009-05-12 15:17 120 a------- c:\windows\system32\2.tmp
2009-05-12 15:11 404,480 a------- c:\windows\wdmon.exe
2009-05-12 15:11 380,416 a------- c:\windows\svx.exe
2009-05-12 15:11 347,136 a------- c:\windows\vlc.exe
2009-05-12 15:10 497,664 a------- c:\windows\alg.exe
2009-05-12 15:10 698,368 a------- c:\windows\amoumain.exe
2009-05-12 15:10 669,696 a------- c:\windows\servicelayer.exe
2009-05-12 15:06 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-12 15:05 109 a--sh--- c:\windows\system32\3826607055.dat
2009-05-12 15:05 388,608 a------- c:\windows\svc.exe
2009-05-12 15:05 482,816 a------- c:\windows\odb.exe
2009-05-12 15:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93038586
2009-05-12 15:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\63048589
2009-05-12 15:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13028594
2009-05-12 15:05 63,488 ---shr-- c:\windows\system32\advpack(3)x.exe
2009-05-12 15:01 69,632 a------- c:\windows\services(2).exe
2009-05-12 15:01 0 a------- c:\windows\system32\1B0.tmp
2009-05-12 15:01 120 a------- c:\windows\system32\1AC.tmp
2009-05-12 15:00 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-12 14:59 106 a------- C:\xcrashdump.dat
2009-05-12 14:59 27,648 a------- c:\windows\system32\__c00F236A.dat
2009-05-12 14:59 27,648 a------- c:\windows\system32\__c00D565.dat
2009-05-12 14:58 104,188 a------- c:\windows\system32\drivers\9a1f6045.sys
2009-05-12 14:58 27,648 a------- c:\windows\system32\__c0029662.dat
2009-05-12 14:57 2 a------- C:\-468360241
2009-05-12 14:57 27,648 a------- c:\windows\system32\__c0089B4.dat

==================== Find3M ====================

2009-05-14 13:10 113,168 ac------ c:\windows\hpoins07.dat
2009-05-12 15:06 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-22 23:17 3,744 a------- c:\docume~1\mark\applic~1\wklnhst.dat
2005-10-30 21:31 774,144 a------- c:\program files\RngInterstitial.dll
2008-07-23 16:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072320080724\index.dat

============= FINISH: 10:58:08.73 ===============


Thanks again!!

Attached Files


Edited by bconine23, 15 May 2009 - 11:13 AM.


BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:19 PM

Posted 24 May 2009 - 08:39 AM

hi bconine23,

sorry for delay, no shortage of posters. If you still need help simply reply to my post.

How Can I Reduce My Risk to Malware?


#3 bconine23

bconine23
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 26 May 2009 - 09:20 AM

yes, I'm still needing help !!!

#4 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:19 PM

Posted 26 May 2009 - 03:52 PM

ok. Are you able to get on the internet to get a download? if so do this;

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:


http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**
**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

post the log in your reply.

How Can I Reduce My Risk to Malware?


#5 bconine23

bconine23
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 27 May 2009 - 09:02 AM

I am not able to connect to the internet from that computer. I am trying to download the file to a jump stick and transfer it.

If I can get this done I will post the new log.

#6 bconine23

bconine23
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 27 May 2009 - 11:05 AM

OK, was able to run malware removal program, but was NOT able to update it.

And after i restarted the computer, i got a message that read:

" Runtime error '372' failed to load 'vbalgrid' from ' vbalgrid6.0cx - version might be outdated

But, my internet IS back, and seems to be working better.

Here is the log from the scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

2009-05-27 10:40:34
mbam-log-2009-05-27 (10-40-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 197006
Time elapsed: 1 hour(s), 1 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\bqboabrv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\gbcygnog.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\wuhvqd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\wvUoNHyA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP526\A0176102.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP526\A0176162.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
c:\WINDOWS\svc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\svx.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\vlc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\wdmon.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\servicelayer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\alg.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\amoumain.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c0029662.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c0089B4.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00D565.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00F236A.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\9a1f6045.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\tmp9211134.log (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\MARK\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\MARK\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\odb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.


Thanks for your help, do you want me to do anything else?

#7 bconine23

bconine23
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 27 May 2009 - 02:01 PM

Well, computer ran for a few hours, just shut itself off, and now, when you power it back up, as soon as you log on, it powers up, then automatically shuts itself off before anything can load.

I cant get it to come back up, so i can run the malware program again.

How do i start it up in safe-mode, so i can run the program again?

#8 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:19 PM

Posted 27 May 2009 - 08:42 PM

To reach safe mode you would tap the f8 key during a computer restart. Chose the first option from the list; safe mode.
once at the safe mode desktop re run MBAM.

also in safe mode go to start>settings>control panel>internet options>Connections tab>LAN settings>Make sure under Proxy server that there is no checkmark in the boxes.

You can copy/paste this into notepad and save it so you can read it in safe mode:

Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Reboot normally and try updating MBAM. See how it goes. if it doesnt update, You can manually download the latest files then double click the file to install them to MBAM.
the file to download and install is below:

http://malwarebytes.gt500.org/database.jsp

How Can I Reduce My Risk to Malware?


#9 bconine23

bconine23
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 01 June 2009 - 09:31 AM

When i power up, even if safe mode, as soon as I log in, it shows that the computer is starting to load, and then it turns itself off and reloads in the NON- safe mode.

Now what?

After it powered back up, it let me log in as if it was working , then i got a message that said there was a error with the winlogon.exe, and needed to close. So it just goes in a cycle of starting up and shutting down, not letting me start any programs, etc.

Edited by bconine23, 01 June 2009 - 09:35 AM.


#10 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:19 PM

Posted 01 June 2009 - 07:11 PM

ok, not good. have you had any luck getting it stable in either safe or normal mode? Do you have a set of disks or a recovery partition. Is it a desktop or laptop. Can you provide the manuf. and model number.

How Can I Reduce My Risk to Malware?


#11 bconine23

bconine23
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 02 June 2009 - 09:08 AM

No, I have not been able to stabalize it in either mode yet.

It is a desk top made by e-machines. it has an AMD / Athlon XP processor. Windows XP.

God, I'm tired of this computer.

I've go to the screen where I can choose the:

Safe Mode
Safe Mode w/ Networking
Safe Mode w/ command Prompt

Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode
Debugging Mode
Disable Automatic restart on system failure

Start Windows Normally
ReBoot
Return to OS Choices Menu

I've tried most of these but the safe mode w/ networking and Safe Mode with Command Prompt.

Don't know if there is anything we can do at this point?

#12 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:19 PM

Posted 02 June 2009 - 08:19 PM

may as well try the safe mode with networking. Cmd prompt wont do much good. do you have any CDs that came with it.

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users