Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

NTOSKRNL-HOOK and DNSChanger.o


  • Please log in to reply
No replies to this topic

#1 irvw

irvw

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:57 PM

Posted 30 May 2009 - 10:58 AM

I have a Dell Inspiron 9300 laptop running Windows XP Pro, SP3. I connect to the internet via a wireless router Ė WRT54G. About two weeks ago I started getting a message saying my computer was infected with a virus. Sorry, I did not write down the exact message. When I would clicked on the message it would send me to a website that sold virus protection. I donít know the name of that site.

My McAfee subscription had expired, so I renewed and attempted to download the update when strange things started to happen. While I was able to purchase the subscription, the file would not down load. After a few Google searches I discovered the Malwarebytes Anti-Malware and download successfully. However I could not get the executable file to run. Someone suggested that I should try to rename the file and try again. When I renamed the file the scan ran fine and produced the following log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/17/2009 2:40:31 PM
mbam-log-2009-05-17 (14-40-31).txt

Scan type: Quick Scan
Objects scanned: 107976
Time elapsed: 15 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 28
Registry Values Infected: 10
Registry Data Items Infected: 40
Folders Infected: 7
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\wamejawe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\mofomugo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\towemiye.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30f88cda-bb66-4127-97bb-4f1f03c7bdde} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{30f88cda-bb66-4127-97bb-4f1f03c7bdde} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{30f88cda-bb66-4127-97bb-4f1f03c7bdde} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\digifast (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DVDConv (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c7a3bf3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sepepumido (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm9f49086f (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\digifast (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[g7u7l (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twain (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wamejawe.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mofomugo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\towemiye.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\towemiye.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe calc.ifo beforemain) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{207651a6-c086-4932-b12b-3262ddd4f40e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2521ce49-70bf-4d3e-9760-c532c56d5536}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6cb19f42-4689-4d83-a874-ee0746d4b346}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7f2b5e97-2bef-4d8f-a0d1-3d4794cd702e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{207651a6-c086-4932-b12b-3262ddd4f40e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2521ce49-70bf-4d3e-9760-c532c56d5536}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6cb19f42-4689-4d83-a874-ee0746d4b346}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6cb19f42-4689-4d83-a874-ee0746d4b346}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7f2b5e97-2bef-4d8f-a0d1-3d4794cd702e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7f2b5e97-2bef-4d8f-a0d1-3d4794cd702e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{207651a6-c086-4932-b12b-3262ddd4f40e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2521ce49-70bf-4d3e-9760-c532c56d5536}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6cb19f42-4689-4d83-a874-ee0746d4b346}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7f2b5e97-2bef-4d8f-a0d1-3d4794cd702e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{207651a6-c086-4932-b12b-3262ddd4f40e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2521ce49-70bf-4d3e-9760-c532c56d5536}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6cb19f42-4689-4d83-a874-ee0746d4b346}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{7f2b5e97-2bef-4d8f-a0d1-3d4794cd702e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{207651a6-c086-4932-b12b-3262ddd4f40e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{2521ce49-70bf-4d3e-9760-c532c56d5536}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{6cb19f42-4689-4d83-a874-ee0746d4b346}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{7f2b5e97-2bef-4d8f-a0d1-3d4794cd702e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.75,85.255.112.95 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Application Data\digifast (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\WWShow (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Jcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Start Menu\Programs\DVDConv (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pilabuma.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amubalip.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vehetigi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igitehev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ziwafume.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emufawiz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zaruhore.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wamejawe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vowayawu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mofomugo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\towemiye.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Irv Williamson\Application Data\digifast\digifast.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Application Data\Microsoft\Windows\nivguaen.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Jcore\Jcore2.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kumiberu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Local Settings\Temp\__37.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Application Data\digifast\config.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Application Data\digifast\DFUninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-7-6-54-100025285-100021050-100025110-5418.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ovfsthenelalitjrsveiujyrdaxedlydljaujo.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthcsqnqbomilgukvhnlecohyggisptngff.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthlhmtqdixglepkrawhsquaavejqaebtqk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthnirbaoyfddxcuyhwpqecwyeaycmjyfrm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthbnaobwpiudqosppsefkdvkjxcjapyyrv.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthiiqpafjwgdlgscdjfhntopnnrtdwsten.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Application Data\Twain\Twain.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irv Williamson\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I continued to rescan the computer. But it was not until the second scan that I shut down my internet connection.

By the fourth scan the report was clean:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/17/2009 5:10:35 PM
mbam-log-2009-05-17 (17-10-35).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 460243
Time elapsed: 1 hour(s), 51 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I then returned to the McAfee site. At this point, the malware scan must have help, for I was able to complete the download. When I ran the scan it found a few problems and said they were repaired. I do not have a good record of what the problems were as I later re-installed McAfee which destroyed my log.

Somewhere I notice that my system was not running right. For example the system restore process would was not working. I could not save or restore system using the System Restore Wizard. I also was having difficulty starting the computer. Many times it would freeze during startup. Also, a day or so after getting McAfee update, the personal firewall stopped working. McAfee provide special software to completely remove my install and re-installed completely. Since then my firewall appears to be working fine.

I ran several McAfee deep scans and Malware deep scans throughout the day. Both would find a problem and repair. Malware would find this:

Files Infected:
C:\i386\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully. When I run malware now I get a clean report

And McAfee would find these NTOSKRNL-HOOK and DNSChanger.o. McAfee says it has removed NTOSKRNL-HOOK and quarantined the DNSChanger.o but they continue to show up whenever I run the scan.

Yesterday I reset my wireless router thinking perhaps the virus has gotten in that equipment. I also upgraded the firmware in my WRT54G LinkSys router.

What do you suggest I do?

BC AdBot (Login to Remove)

 


m



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users