Removed virus "Defiler." Would like additional guidance, perhaps with combofix.


12 replies to this topic

#1 Tsume
  • Members
  • 11 posts

Posted 17 May 2009 - 12:42 AM

A friend whom I help with computers called to tell me he was getting error messages about AVG processes, and having trouble getting to some websites. I had him try to run an online virus scan from TrendMicro or Bitdefender, but he said they wouldn't run. Later, he told me that no icons were appearing on his desktop - only the wallpaper. When I went back over to his house, I also discovered that if I tried to run cmd or regedit, the desktop would black out for a second, as though explorer were restarting. Likewise, I discovered that there was no way to get to the task manager (CTRL-ALT-DEL did nothing at all - not even a "disable" message, and there was no taskbar present on the desktop to be able to right click for the task manager).

I booted an Avira AntiVir, standalone CD in his system and let it run. Later, he said it had reported and renamed four files, and he used a different computer to send me a list of what he thought were the "filenames." Actually, they appeared more like threat names, and I am certain he didn't copy them down correctly (especially since he is neither computer savvy nor a good typist). Here's the list he sent:
  • SPR/Tool.hardoff.A
  • JS?Dldr.Agent.BJ2
  • ADSPV/Comet.c.1A
  • EXPOffice.G
Unfortunately, by the time I told him those were not filenames, he had already rebooted to see how the system would run, but there was no improvement, so I had him bring the computer over to my place so I could check it out more thoroughly and keep an eye on it.

The first thing I did with it was to run the Conficker detector/fixer from Symantec, but it said no problems were found.

Next, I ran HJT from a USB drive, and everything looked okay there (and also when analysed through an online HJT analyser that I have used before).

After that, I did a lot of Google searching, and finally came upon this blog entry that suggested renaming regedit.exe to something else so the virus wouldn't kill it, then making sure the value of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 was set to wdmaud.drv. Sure enough, it wasn't, so I went ahead with the change. Before deleting the file to which that key had been pointing, though, I copied it onto a USB drive, carried it over to my Linux system, and submitted it to VirusTotal. Of course, it was definitely a virus file, and the various scanners used somewhat different names, but the easiest one to remember and write was "Defiler" (though, later, I couldn't find much about it by that name on the Web).

After that registry change, I was able to connect to the Internet from that machine again and, more importantly, I was able to uninstall, re-install, update and scan with AVG, which found one other file that it identified as "Defiler."

Right now, for a second opinion, I'm running an online scan from BitDefender, and it IS working, but I'm concerned that either not all of the malware is gone, or it IS gone, but some "scars" and "side effects" have been left behind, since I was NOT able to get TrendMicro's online scanner to work.

Once the BitDefender scan finishes, I'm hoping you guys will be able to lend a hand with my checking for any additional problems. In particular, if you feel it is appropriate or necessary, I would like you to walk me through ComboFix. I have a lot of IT experience (31 years), so you won't have to deal with things like "which key is the any key" from me (something many people have asked ME over the years), but I have absolutely NO experience with ComboFix, and am aware that it can cause big problems if not used properly.

With that, I'll let you take the lead and tell me where you would like me to begin.

Thank you very much.
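Added here as an editor's example, not part of the thread or of any tool it names: a Python script that audits a regedit export (.reg file) for the Drivers32 hijack the opener describes above, generalised to flag any Drivers32 entry that points at a path instead of a bare module name, and that also checks the Winlogon Userinit/System and AppInit_DLLs values which SmitfraudFix prints later in the thread. The key paths are the standard Windows XP ones; the sample export and the placeholder file name in it are constructed.

```python
"""Offline audit of a Windows registry export (.reg file) for the load points
discussed in this thread: the Drivers32 value the opener found redirected away
from wdmaud.drv, and the Winlogon / AppInit_DLLs values printed in the SmitfraudFix
log. Added example, not a BleepingComputer or SmitfraudFix tool; sample is constructed."""
import re

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Stock XP Userinit: <drive>:\WINDOWS\system32\userinit.exe followed by a comma.
USERINIT_RE = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,$", re.I)

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse [key] / "name"=data lines of a regedit export into {key: {name: data}}.
    Quoted string data is unescaped; dword:/hex: data is kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def audit(reg_text):
    """Return findings as (key, value name, data, reason) tuples; [] means clean."""
    keys = parse_reg(reg_text)
    findings = []
    # Drivers32: each entry should name a bare module loaded from System32. A full
    # path means the multimedia driver slot has been pointed at some other file.
    for name, data in keys.get(DRIVERS32, {}).items():
        if re.search(r"[\\/:]", data):
            findings.append((DRIVERS32, name, data, "module given as a path"))
        elif name.lower() == "wdmaud.drv" and data.lower() != "wdmaud.drv":
            findings.append((DRIVERS32, name, data, "wdmaud.drv redirected"))
    # Winlogon: Userinit must be the stock userinit.exe, and "System" must be empty
    # or absent (a non-empty value is what SmitfraudFix's RK section would show).
    wl = keys.get(WINLOGON, {})
    if not USERINIT_RE.match(wl.get("Userinit", "")):
        findings.append((WINLOGON, "Userinit", wl.get("Userinit"), "not stock userinit.exe"))
    if wl.get("System", ""):
        findings.append((WINLOGON, "System", wl["System"], "unexpected System value"))
    # AppInit_DLLs: any DLL listed here is loaded into every process that uses user32.
    app = keys.get(WINDOWS, {}).get("AppInit_DLLs", "")
    if app:
        findings.append((WINDOWS, "AppInit_DLLs", app, "DLL loaded system-wide"))
    return findings

# Constructed export: Drivers32 with one slot redirected to a placeholder file name,
# the clean Winlogon values from the thread's SmitfraudFix log, empty AppInit_DLLs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"wdmaud.drv"="C:\\WINDOWS\\system32\\PLACEHOLDER_DROPPED_FILE.dll"
"midimapper"="midimap.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} = {data!r}")
```

To run it against a real machine, export the three keys with `reg export` (or regedit) and pass the file contents to `audit()`.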

#2 xblindx
  • Banned
  • 1,923 posts

Posted 17 May 2009 - 11:23 AM

Combofix should never be used without the guidance of an expert. This section of the forum is not for combofix logs or the use of combofix. The tools used here are almost all very user friendly and cannot cause the amount of damage that combofix can.

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it.

  • Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it. Before running it, rename the main executable file first

    Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

    If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
  • Another workaround is not to use the mouse to install it; just use the arrow keys, tab, and enter keys.

~ Courtesy of boopme

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here or here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Please include the following in your reply:
MBAM log

#3 Tsume
  • Topic Starter
  • Members
  • 11 posts

Posted 17 May 2009 - 02:57 PM

Thanks. I am aware of the potential dangers of ComboFix, and that it shouldn't be used without the guidance of an expert. That is why I requested guidance, but I didn't see a section of the forum that IS for the use of ComboFix, and my search of existing messages found the most related messages and replies in the HijackThis forum, which didn't seem appropriate, either. So between that, and just needing to start the discussion by using the simpler tools, I chose to post in this section.

After I followed your instructions, MalwareBytes said that there were no problems found. Although it probably doesn't matter, I have included the log file, anyway.

What, if anything should I try next? I want to be as certain as possible that this machine is fully clear of any potential threats before I have my friend come to pick it up. If ComboFix can perform just a scan without jeopardising anything, and if that would help, then please direct me to the proper section of the forum for discussing that. If not, then please let me know what should be done next.

Remember: The machine is still not entirely free of symptoms. Neither the Firefox nor IE version of the TrendMicro Housecall online scanner will run properly. Even after I have removed all Housecall-related files, IE will never get past the update process, and Firefox WILL update, but will not get past "preparing." I have also uninstalled and reinstalled Java, just in case (before that, the Firefox version would not even get THAT far).

As mentioned above, here's the MalwareBytes log file:

Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3

5/17/2009 11:38:15 AM
mbam-log-2009-05-17 (11-38-15).txt

Scan type: Quick Scan
Objects scanned: 82235
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Thanks again!

Edited by Tsume, 17 May 2009 - 03:02 PM.


#4 xblindx
  • Banned
  • 1,923 posts

Posted 17 May 2009 - 06:55 PM

Combofix is only to be run under supervision of members on the HJT team, which is why it is only mentioned in that area of the forums.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#5 Tsume
  • Topic Starter
  • Members
  • 11 posts

Posted 17 May 2009 - 11:08 PM

It's scanning now, and will have to be left overnight, since it's only gotten to about 15%, so far. I shall post the results in the morning.

Thank you.

#6 Tsume
  • Topic Starter
  • Members
  • 11 posts

Posted 18 May 2009 - 07:46 AM

Well, it's morning, but there's still no real answer.

When I got up, the program had only gotten to about 50%, didn't show anything found, and there was a Windows error dialog box on the screen saying that RZY89.exe had been unable to write to a certain location in memory and had terminated. I searched the machine for RZY89.exe, but didn't find anything, so I presume it's either a temp file used by CureIt, or is some kind of malware that we are trying to find in the first place - most likely the former.

What's next?

#7 xblindx
  • Banned
  • 1,923 posts

Posted 18 May 2009 - 02:30 PM

Just a last note about Combofix, quoted from the top of the forums:

When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.


Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#8 Tsume
  • Topic Starter
  • Members
  • 11 posts

Posted 18 May 2009 - 09:02 PM

Regrettably, since I have to travel tomorrow, my friend demanded his computer back tonight, so this whole thing, at the very least, will have to go on hold.

SUPERAntiSpyware had not quite finished at the time he came by for his computer, but it was ALMOST done (only in a bunch of data files) and had not found any infections.

All we can do at this stage is to let him use it, get his opinion about how it worked when I get back tomorrow night, and take it from there.

If there is something else you would like me to check on Wednesday, let me know. Otherwise, I think we'll need to call this one "closed," and then treat the inability to run the TrendMicro online scan as a separate issue should it be necessary.

Thank you for your assistance.

#9 xblindx
  • Banned
  • 1,923 posts

Posted 19 May 2009 - 07:00 AM

The TrendMicro issue may not be malware related. If that is the only symptom you are seeing, it is most likely not related to malware since you can get other scanners to work.

#10 Tsume
  • Topic Starter
  • Members
  • 11 posts

Posted 21 May 2009 - 09:13 PM

TrendMicro HAD been working on that system, before. It's one of the online scanners I use, periodically, for "second-opinion" scans. That is, since NO anti-virus product is 100% perfect, I like to scan with other tools, once in a while. Of course, this time, even all of that was not enough to prevent his getting this virus. :thumbsup:

I've been really busy the last couple of days, and he's just been using the system as I left it. So far, he said he hasn't had any problems, so it looks as though that's how this one is going to stand unless or until he does get some OTHER problem.

Thanks again!

#11 boopme
  • Global Moderator
  • 73,530 posts
  • Location:NJ USA

Posted 21 May 2009 - 09:32 PM

Hello, this appears to be a Zlob infection, perhaps from the beginning. If possible, run part 1 of S!Ri's SmitfraudFix...

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#12 Tsume
  • Topic Starter
  • Members
  • 11 posts

Posted 23 May 2009 - 10:05 PM

Smitfraudfix seemed to run cleanly. Here's the log:

SmitFraudFix v2.416

Scan done at 9:43:30.65, Sat 05/23/2009
Run from C:\Instalación\SmitfraudFix
OS: Microsoft Windows XP [Versión 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\a-squared Free\a2service.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Archivos comunes\Nero\Nero BackItUp 4\NBService.exe
F:\Archivos de programa\Nero NUEVE\Nero BackItUp 4\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\TURBOB~1\TBKService7.exe
C:\ARCHIV~1\TURBOB~1\tbksche7.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\ARCHIV~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\eFax Messenger 4.3\J2GDllCmd.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIVOS DE PROGRAMA\TURBOBACKUP 7\tbksche7.exe
C:\Archivos de programa\Archivos comunes\Nero\Nero BackItUp 4\NBCore.exe
C:\Archivos de programa\Audible\Bin\AudibleDownloadHelper.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Instalación\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David Black


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVIDB~1\CONFIG~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David Black\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVIDB~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Archivos de programa


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/DAVIDB~1/CONFIG~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/DAVIDB~1/CONFIG~1/Temp/msohtml1/01/clip_image002.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi página de inicio actual"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NIC Fast Ethernet PCI Familia RTL8139 de Realtek - Minipuerto del administrador de paquetes
DNS Server Search Order: 190.11.239.2
DNS Server Search Order: 199.2.252.10
DNS Server Search Order: 190.11.225.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E51652A-CE50-499B-8F1C-B19EF4890E55}: DhcpNameServer=190.11.239.2 199.2.252.10 190.11.225.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9E51652A-CE50-499B-8F1C-B19EF4890E55}: DhcpNameServer=190.11.239.2 199.2.252.10 190.11.225.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9E51652A-CE50-499B-8F1C-B19EF4890E55}: DhcpNameServer=190.11.239.2 199.2.252.10 190.11.225.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=190.11.239.2 199.2.252.10 190.11.225.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=190.11.239.2 199.2.252.10 190.11.225.2
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=190.11.239.2 199.2.252.10 190.11.225.2


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#13 boopme
  • Global Moderator
  • 73,530 posts
  • Location:NJ USA

Posted 24 May 2009 - 08:28 PM

Since the issue still persists, we need to run HJT/DDS.
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.