
Infected with malware


16 replies to this topic

#1 atazk


Posted 06 June 2009 - 04:13 PM

Hi, I got infected with malware; I believe it was Malware Doctor. It disabled regedit, the command prompt, folder options and the Task Manager, and I have been unable to get rid of it. I ran several scans with avast and removed all the files it found infected. I've also run Uniblue programs to try to take care of it, but I'm afraid it is still there. Also, my computer restarts automatically many times. I downloaded Malwarebytes and ran a scan, but I still need some help removing this.

At the top are some processes that launch this malware that I can't seem to get rid of.
Posted Image

And this is an error message I get:
Posted Image

Thanks for your help.

Edited by atazk, 06 June 2009 - 04:16 PM.




#2 atazk


Posted 07 June 2009 - 10:28 AM

Hi, I'm running Windows XP Pro Service Pack 3 and I was infected with some sort of malware. It disabled explorer.exe, Task Manager, regedit and the folder options. I have tried to remove it, but now my Uniblue spyware program won't even load up. Since I have run avast antivirus several times, it now doesn't find infected files, but explorer.exe still doesn't run.
The image shows the startup processes of the malware. I disabled them, but it doesn't seem to do anything; I need some help removing them. The processes linked to the malware seem to be lbru.exe, 1361538659, asgupd32, fmnupd32, pqlmq and service.
Posted Image

#3 Blade


Posted 07 June 2009 - 12:52 PM

Hello and welcome to the AII forum atazk.

Based on the information you have provided, I believe that your computer does indeed have a malware infection. However, it is possible that one of the tools we are allowed to run here in AII could remove this infection easily, so I would like to try that before referring you to the HJT Team.

In your post, you said:

Since I have run avast antivirus several times, it now doesn't find infected files


Does this mean that avast did at one time find infected files, but now no longer does? If this is the case, do you recall the names of the infected files that avast found?

***********************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

In your next reply, please provide the following:
SUPERAntiSpyware log
Answers to my questions at the beginning of the post

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#4 atazk


Posted 07 June 2009 - 07:54 PM

To your question, YES, avast did scan, found infected files and at least attempted to remove them. Later on I ran a scan again and it did not find infected files. Then, because of the virus, all my antispyware and antivirus programs stopped working; they wouldn't load.

Here is what I believe to be the avast log; at least, it is what I could find:
6/6/2009 5:42:21 AM Admin 3584 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\WINDOWS.0\Temp\1370197022.exe\[FSG]" file.
6/6/2009 5:55:47 AM Admin 3584 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\WINDOWS.0\Temp\lsass.exe\[FSG]" file.
6/6/2009 5:55:53 AM Admin 3584 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\WINDOWS.0\Temp\smss.exe\[FSG]" file.
6/6/2009 3:03:42 PM Admin 2028 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP671\A1519874.exe\$PLUGINSDIR\InstallerHelperPlugin.dll" file.
6/6/2009 3:26:12 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550476.exe\[FSG]" file.
6/6/2009 3:48:14 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550477.exe\[FSG]" file.
6/6/2009 3:48:20 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550478.exe\[FSG]" file.
6/6/2009 3:48:23 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550479.exe\[FSG]" file.
6/6/2009 3:48:30 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550480.exe\[FSG]" file.
6/6/2009 3:48:30 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550483.exe\[FSG]" file.
6/6/2009 3:48:31 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550484.exe\[FSG]" file.
6/6/2009 3:48:31 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550485.exe\[FSG]" file.
6/6/2009 3:48:31 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550488.exe\[FSG]" file.
6/6/2009 3:48:31 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550489.exe\[FSG]" file.
6/6/2009 3:48:32 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550490.exe\[FSG]" file.
6/6/2009 3:48:32 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550491.exe\[FSG]" file.
6/6/2009 3:48:32 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550492.exe\[FSG]" file.
6/6/2009 3:57:21 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{5FF57FFA-2B2E-4729-8D48-471E179A45FE}\RP11\A0010266.exe\[FSG]" file.
6/6/2009 3:57:23 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{5FF57FFA-2B2E-4729-8D48-471E179A45FE}\RP11\A0010267.exe\[FSG]" file.
6/6/2009 3:57:23 PM Admin 2028 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\System Volume Information\_restore{5FF57FFA-2B2E-4729-8D48-471E179A45FE}\RP11\A0010268.exe\[FSG]" file.


This is the SUPERAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2009 at 06:27 PM

Application Version : 4.26.1004

Core Rules Database Version : 3928
Trace Rules Database Version: 1871

Scan type : Complete Scan
Total Scan Time : 02:54:44

Memory items scanned : 210
Memory threats detected : 1
Registry items scanned : 6928
Registry threats detected : 68
File items scanned : 67896
File threats detected : 123

Trojan.Unclassified/C00-WL/A
C:\WINDOWS.0\SYSTEM32\__C0020E99.DAT
C:\WINDOWS.0\SYSTEM32\__C0020E99.DAT
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c0020E99

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{00a6faf1-072e-44cf-8957-5838f569a31d}
HKLM\Software\Classes\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\inprocserver32
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\progid
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\versionindependentprogid
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\inprocserver32
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\progid
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\versionindependentprogid

Adware.Gen-WinFi
HKLM\Software\Classes\CLSID\{ada8c222-95d2-47b5-950b-aebc0a508839}
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\inprocserver32
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\inprocserver32#ThreadingModel
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\progid
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\programmable
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\typelib
HKCR\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\versionindependentprogid
HKCR\ORB.ta.1
HKCR\ORB.ta.1\clsid
HKCR\ORB.ta
HKCR\ORB.ta\clsid
HKCR\ORB.ta\curver
HKCR\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}
HKCR\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0
HKCR\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0
HKCR\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32
HKCR\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\flags
HKCR\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\helpdir
C:\WINDOWS.0\SYSTEM32\SPRIA.DLL
HKCR\Interface\{21eeb010-57f3-11dd-b116-dad055d89593}
HKCR\Interface\{21eeb010-57f3-11dd-b116-dad055d89593}\proxystubclsid
HKCR\Interface\{21eeb010-57f3-11dd-b116-dad055d89593}\proxystubclsid32
HKCR\Interface\{21eeb010-57f3-11dd-b116-dad055d89593}\typelib
HKCR\Interface\{21eeb010-57f3-11dd-b116-dad055d89593}\typelib#Version

Trojan.Downloader-SVCHost/Fake
HKLM\System\ControlSet001\Services\dhcpsrv
C:\WINDOWS.0\DHCP\SVCHOST.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_dhcpsrv
HKLM\System\controlset002\Services\dhcpsrv
HKLM\System\controlset002\Enum\Root\LEGACY_dhcpsrv
HKLM\System\ControlSet003\Services\dhcpsrv
HKLM\System\ControlSet003\Enum\Root\LEGACY_dhcpsrv
HKLM\System\CurrentControlSet\Services\dhcpsrv
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_dhcpsrv

Rootkit.Agent/Gen-PCIStub
HKLM\System\ControlSet001\Services\sndintd
C:\WINDOWS.0\SYSTEM32\SNDINTD.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_sndintd
HKLM\System\controlset002\Services\sndintd
HKLM\System\controlset002\Enum\Root\LEGACY_sndintd
HKLM\System\ControlSet003\Services\sndintd
HKLM\System\ControlSet003\Enum\Root\LEGACY_sndintd
HKLM\System\CurrentControlSet\Services\sndintd
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_sndintd
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081184.SYS

Trojan.Unknown Origin
HKLM\system\controlset001\services\14d5ef19e9d0f86ce0c15f84344cc79a
C:\WINDOWS.0\SYSTEM32\14D5EF19E9D0F86CE0C15F84344CC79A.SYS
HKLM\system\controlset002\services\14d5ef19e9d0f86ce0c15f84344cc79a
HKLM\system\controlset003\services\14d5ef19e9d0f86ce0c15f84344cc79a
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg
C:\WINDOWS\SYSTEM32\1EF641D8C0DA2D67B3ADAE8A89866391.SYS
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT
C:\WINDOWS\SYSTEM32\TDSSPQLT.DAT
C:\WINDOWS\UNINSTALL_NMON.VBS

Trojan.NetMon/DNSChange
C:\Program Files\Network Monitor

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0020E99
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0020E99#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0020E99#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0020E99#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0020E99#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0020E99#Logon

Adware.OneStepSearch
C:\Program Files\SEEKEEN\seekeen.dll
C:\Program Files\SEEKEEN

Trojan.Virut
C:\Program Files\MICPHONE\antit.dll
C:\Program Files\MICPHONE\antit.exe
C:\Program Files\MICPHONE

Trojan.Downloader-Gen/Suspicious
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\KEYS\A-Z.VIDEO.CONVERTER.ULTIMATE.V7.52\KEYGEN\KEYGEN.EXE
C:\WINDOWS.0\SYSTEM32\WM0DAP32.EXE
C:\WINDOWS.0\TEMP\021830FB.EXE
C:\WINDOWS.0\TEMP\04E0CAD4.EXE
C:\WINDOWS.0\TEMP\17224F84.EXE
C:\WINDOWS.0\Prefetch\021830FB.EXE-04314ABD.pf
C:\WINDOWS.0\Prefetch\04E0CAD4.EXE-05548B15.pf

Trojan.Agent/Gen-FSG
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\KEYS\CAMTASIA 5 KEYGEN\KEYGEN.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\KEYS\SANDBOXIE KEYGEN\SANDBOXIE.V3.02.INCL.KEYMAKER-EMBRACE\KEYGEN.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\KEYS\SISOFTWARE SANDRA PRO HOME XII 2008.1.12.30\KEYGEN.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\KEYS\SISOFTWARE.SANDRA.PRO.BUSINESS.XII.2008.1.12.30.MULTILINGUAL.RETAIL.KEYMAKER.ONLY-ZWT\KEYGEN.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\KEYS\SOLARWINDS ORION\KEYGEN.EXE

Trojan.Agent/Gen-AVFake
C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS.0\APPLICATION DATA\91543586\91543586.EXE

Rogue.Malware Doctor
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\APPLICATION DATA\1361538659.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081229.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081267.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0082267.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0086269.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0087269.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0088657.EXE

Trojan.Agent/Gen-AvastFake
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\APPLICATION DATA\1458931097.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP155\A0075115.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP155\A0076118.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP155\A0078115.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081230.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081268.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0082268.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0086271.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0087272.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0088669.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0088671.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP157\A0090755.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP157\A0090763.EXE

Trojan.Unclassified-PQLMQ/AVP
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\PQLMQ.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550473.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550474.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550505.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP155\A0076116.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0080159.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081168.EXE

Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP667\A1519674.DLL

Trojan.Agent/Gen-FakeDrop
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550482.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550481.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550487.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550494.EXE

Trojan.Agent/Gen-FraudLoad
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550486.EXE

Trojan.Agent/Gen-Virut
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550500.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717\A1550525.EXE

Trojan.Unclassified-Packed/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP155\A0076119.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP155\A0078116.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081250.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081266.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0082266.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0086270.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0087270.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0088670.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP157\A0090751.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP157\A0090761.DLL

Trojan.Smitfraud Variant-Gen/Bensorty
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP155\A0078120.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP161\A0144907.DLL

Trojan.Agent/Gen-FraudDrop
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0078130.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081178.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081255.EXE
C:\WINDOWS\LD08.EXE
C:\WINDOWS.0\TEMP\PERFLIB_PERFDATA_218.DAT

Trojan.Downloader-DncYool64
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081181.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0090716.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP157\A0090749.SYS

Trojan.Agent/Gen-FUG
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081269.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0082269.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0082275.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0085267.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0085268.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP157\A0090764.EXE

Adware.Vumer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP161\A0144908.DLL
C:\WINDOWS\SYSTEM32\SPRIA.DLL

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\ADEEFAACAEED.DLL
C:\WINDOWS.0\SYSTEM32\EAEAEEBBACC.DLL

Worm.Alcra Variant
C:\WINDOWS\SYSTEM32\CMD.COM
C:\WINDOWS\SYSTEM32\NETSTAT.COM
C:\WINDOWS\SYSTEM32\PING.COM
C:\WINDOWS\SYSTEM32\REGEDIT.COM
C:\WINDOWS\SYSTEM32\TASKKILL.COM
C:\WINDOWS\SYSTEM32\TASKLIST.COM
C:\WINDOWS\SYSTEM32\TRACERT.COM

Unclassified.Oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSLXWP.DLL

Trojan.Dropper/Sys-NV
C:\WINDOWS.0\SYSTEM32\IASV32.DLL

Adware.Vundo Variant
C:\WINDOWS.0\SYSTEM32\WM0DAP.DLL

Trojan.Unclassified/C00-WL/B
C:\WINDOWS.0\SYSTEM32\__C003A2FA.DAT
C:\WINDOWS.0\SYSTEM32\__C0050031.DAT
C:\WINDOWS.0\SYSTEM32\__C0091ECF.DAT
C:\WINDOWS.0\SYSTEM32\__C00B1F7D.DAT

Adware.Tracking Cookie
C:\WINDOWS.0\Temp\Cookies\admin@www.findstuff[1].txt
C:\WINDOWS.0\Temp\Cookies\admin@www.icityfind[1].txt

Trojan.Agent/Gen-AccountCloner
C:\WINDOWS.0\TEMP\WPV951244135456.EXE

Trace.Known Threat Sources
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\IXZU4O8T\shopica_logo_bott[1].gif
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\YMR6NQU1\async_ads_rs[1].htm
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\YMR6NQU1\shopica_logo_top[1].gif
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\RBR132AO\search[1].htm
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\RBR132AO\style[1].css
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\IXZU4O8T\releted_dot[1].gif
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\ZX00O6E6\rssearch[1].htm
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\RBR132AO\sp[1].gif
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\IXZU4O8T\js[1].js
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\ZX00O6E6\favicon[2].ico
C:\WINDOWS.0\Temp\Temporary Internet Files\Content.IE5\YMR6NQU1\footer_dots[1].gif

Also, after the scan finished and I rebooted, a lot of services were stopped, as was Network Connections. Is this normal?
Also, I have reason to believe this affected 2 other computers in my house. Once I saw these services stopped on my computer (the infected one) I came to post the logs, but as soon as I tried, it seems services were stopped on the other one; I went to the third computer and the same thing happened. I have a wireless network, but I don't see how this can affect other computers. I was forced to restore registry logs with Uniblue in order to get the other computers to work. I'm really not sure if this is relevant at all, but perhaps you know what happened.
PS: sorry for the long reply, time-wise.
PPS: it seems I misread something too.

Edited by atazk, 07 June 2009 - 07:59 PM.
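A triage pass over a scan log like the one in the post above, as an added example that is not part of the thread and not SUPERAntiSpyware's own tooling: it groups the detections, sets the restore-point copies aside (they are inert until a restore point is applied), and flags the items a responder looks at first: persistence registrations (Winlogon Notify, services, LEGACY_ enum keys), files that borrow a core system-process name outside its normal directory (the Temp\lsass.exe and DHCP\SVCHOST.EXE hits), and the .COM shadows of console tools that would likely explain why cmd and regedit appeared "disabled". The sample log is constructed from paths quoted in the thread; the two Temp copies are taken from the avast lines and relabelled under their avast detection name.

```python
"""Triage a SUPERAntiSpyware-style scan log: group detections, set restore-point
copies aside, and flag the items worth looking at first (added example; not code
from the thread or from SUPERAntiSpyware)."""
import re
from collections import defaultdict

# Constructed sample built from paths quoted in the thread; the two Temp copies
# come from the avast lines, relabelled here under their avast detection name.
SAMPLE_LOG = r"""
Trojan.Unclassified/C00-WL/A
C:\WINDOWS.0\SYSTEM32\__C0020E99.DAT
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c0020E99

Trojan.Downloader-SVCHost/Fake
HKLM\System\CurrentControlSet\Services\dhcpsrv
C:\WINDOWS.0\DHCP\SVCHOST.EXE
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_dhcpsrv

Win32:Agent-BSU [Trj]
C:\WINDOWS.0\Temp\lsass.exe
C:\WINDOWS.0\Temp\smss.exe

Rogue.Malware Doctor
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\APPLICATION DATA\1361538659.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP156\A0081229.EXE

Worm.Alcra Variant
C:\WINDOWS\SYSTEM32\CMD.COM
C:\WINDOWS\SYSTEM32\REGEDIT.COM
C:\WINDOWS\SYSTEM32\TASKKILL.COM
"""

# Core Windows process names that malware borrows; the genuine binaries live in
# <windir>\system32 (explorer.exe in <windir> itself), never in Temp or DHCP.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "explorer.exe"}
# Console tools: a .COM twin in System32 is picked before the real .EXE when the
# tool is launched by bare name, because .COM precedes .EXE in the default PATHEXT.
CONSOLE_TOOLS = {"cmd", "regedit", "netstat", "ping", "taskkill", "tasklist", "tracert"}
# The thread's machine has Windows under both WINDOWS and WINDOWS.0.
_WINDIR_RE = re.compile(r"^[a-z]:\\windows(\.0)?(\\system32)?$")


def parse_sas_log(text):
    """Return {detection name: [key or path, ...]}; a blank line ends a group.
    Items are recognised by containing a backslash, so the log's header lines
    (versions, counts) never collect items and drop out."""
    groups = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif "\\" in line:
            if current is not None:
                groups[current].append(line)
        else:
            current = line
    return dict(groups)


def _in_expected_dir(path, name):
    match = _WINDIR_RE.match(path.rsplit("\\", 1)[0])
    if not match:
        return False
    in_system32 = match.group(2) is not None
    return not in_system32 if name == "explorer.exe" else in_system32


def classify(item):
    """Tag one item with the reason a responder should look at it."""
    low = item.lower().split("#", 1)[0]          # drop SAS's '#ValueName' suffix
    name = low.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    if "\\system volume information\\" in low:
        return "restore-point"                   # inert unless the point is restored
    if "\\winlogon\\notify\\" in low:
        return "persistence:winlogon-notify"     # DLL loaded by winlogon at logon
    if "\\services\\" in low or "\\enum\\root\\legacy_" in low:
        return "persistence:service"             # service/driver registration
    if name in SYSTEM_PROCESS_NAMES and not _in_expected_dir(low, name):
        return "masquerade"                      # system name, wrong directory
    if ext == "com" and stem in CONSOLE_TOOLS:
        return "com-shadow"                      # hijacks cmd/regedit/... by name
    return "registry" if low.startswith(("hk", "software\\")) else "file"


def triage(text):
    """Bucket every item of a log by tag: {tag: [(detection, item), ...]}."""
    buckets = defaultdict(list)
    for detection, items in parse_sas_log(text).items():
        for item in items:
            buckets[classify(item)].append((detection, item))
    return dict(buckets)


if __name__ == "__main__":
    # Live findings are everything except the restore-point bucket.
    for tag, hits in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: kv[0] == "restore-point"):
        print(f"[{tag}] " + "; ".join(item for _, item in hits))
```

Feed it a real log with `triage(open("SUPERAntiSpyware Scan Log.txt").read())`; anything in the masquerade, com-shadow or persistence buckets that is not under System Volume Information is a live artifact rather than a leftover restore-point copy.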


#5 Blade


Posted 07 June 2009 - 10:29 PM

Hello atazk:

Also, I have reason to believe this affected 2 other computers in my house. Once I saw these services stopped on my computer (the infected one) I came to post the logs, but as soon as I tried, it seems services were stopped on the other one; I went to the third computer and the same thing happened


Infections can spread themselves in many different ways. One increasingly common avenue is through removable media (flash/USB drives, etc). If you use such devices, this may have caused the spread of malware to other machines in your home. This is only one of several possibilities though.

***************************************************
I would like for you to submit a few samples to Jotti for analysis.

Please make sure that this is done directly from the originally infected machine.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Program Files\MICPHONE\antit.exe
C:\Windows\Explorer.exe
C:\Windows\System32\svchost.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

In your next reply, please provide the following:
Jotti/Virustotal logs



#6 atazk


Posted 07 June 2009 - 11:11 PM

I would if I could access the internet from the infected computer; however, I can't. For some reason, after cleaning the infections with SUPERAntiSpyware, most Microsoft services were stopped, and I can't seem to restore them. Also, I am using a USB drive, but I did not insert it in the third computer after the scan.

EDIT: This is what it looks like:

Posted Image

Edited by atazk, 07 June 2009 - 11:17 PM.


#7 Blade


Posted 08 June 2009 - 11:30 AM

Hello atazk:


Alright, since you don't have internet access on that machine, disregard the Jotti instructions for now.

With regard to Microsoft services, do not worry if many of them read as stopped. Many Microsoft services are not constantly running, to conserve system resources, and are only engaged when their functions are needed.

Do you have any symptoms on your other machines (errors, auto restarts, etc.)? Go ahead and run SAS on your other machines as well. If the scans find anything, please post the logs here, but make sure you make a distinction about which computer the logs refer to. (For simplicity's sake, let's call the originally infected machine A, and the other two B and C.)


As far as the originally infected machine goes, please stand by for further instruction. I am consulting with some expert colleagues regarding the best course of action to take, and am awaiting a reply from them, which I should receive shortly. In the meantime, it would be best to avoid using the infected machine as much as possible.



#8 atazk


Posted 08 June 2009 - 05:22 PM

Computer C would not run any antivirus or antispyware; it would always give me a debug error. Also, many websites related to fixing viruses, including bleepingcomputer.com, cannot be accessed from computer C; most other web pages work fine.

This is the SUPERAntiSpyware log for computer B:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2009 at 06:02 PM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1872

Scan type : Complete Scan
Total Scan Time : 01:59:29

Memory items scanned : 206
Memory threats detected : 0
Registry items scanned : 4894
Registry threats detected : 48
File items scanned : 57874
File threats detected : 33

Rootkit.Mailer/Gen
HKLM\System\ControlSet001\Services\75c165a0
C:\WINDOWS\SYSTEM32\DRIVERS\75C165A0.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_75c165a0
HKLM\System\ControlSet002\Services\75c165a0
HKLM\System\ControlSet002\Enum\Root\LEGACY_75c165a0
HKLM\System\CurrentControlSet\Services\75c165a0
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_75c165a0

Rootkit.Agent/Gen-PCIStub
HKLM\System\ControlSet001\Services\sndintd
C:\WINDOWS\SYSTEM32\SNDINTD.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_sndintd
HKLM\System\ControlSet002\Services\sndintd
HKLM\System\ControlSet002\Enum\Root\LEGACY_sndintd
HKLM\System\CurrentControlSet\Services\sndintd
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_sndintd

Adware.Tracking Cookie
C:\Documents and Settings\Leslie\Cookies\leslie@www.adserver5[2].txt
C:\Documents and Settings\Leslie\Cookies\leslie@apmebf[1].txt
C:\Documents and Settings\Leslie\Cookies\leslie@fastclick[1].txt
C:\Documents and Settings\Leslie\Cookies\leslie@media.adfrontiers[2].txt
C:\Documents and Settings\Leslie\Cookies\leslie@ad.yieldmanager[1].txt
C:\Documents and Settings\LocalService\Cookies\system@www.findstuff[1].txt
C:\Documents and Settings\LocalService\Cookies\system@www.icityfind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.gmbtrack[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@at.atwola[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@trafficmp[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[2].txt

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg

Adware.Zango Toolbar/Hb
HKLM\Software\ZangoToolbar
HKLM\Software\ZangoToolbar\Install
HKLM\Software\ZangoToolbar\Install#OL

Adware.Zango/ShoppingReport
HKCR\WeatherDPA.WeatherController
HKCR\WeatherDPA.WeatherController\CLSID
HKCR\WeatherDPA.WeatherController\CurVer
HKCR\WeatherDPA.WeatherController.1
HKCR\WeatherDPA.WeatherController.1\CLSID
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\ProgID
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\Programmable
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\VersionIndependentProgID
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\ProgID
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\Programmable
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\VersionIndependentProgID
C:\Documents and Settings\Leslie\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML
C:\Documents and Settings\Leslie\Application Data\WeatherDPA\Weather\WeatherDPA
C:\Documents and Settings\Leslie\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\Leslie\Application Data\WeatherDPA\Weather
C:\Documents and Settings\Leslie\Application Data\WeatherDPA

Trojan.Agent/Gen-SOPIDKC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#DeviceDesc

Trojan.Agent/Gen-MSNCache
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#DeviceDesc

Trojan.Virut
C:\Program Files\MICPHONE\antit.dll
C:\Program Files\MICPHONE\antit.exe
C:\Program Files\MICPHONE

Trojan.Downloader-WNSET/N
C:\DOCUMENTS AND SETTINGS\LESLIE\LOCAL SETTINGS\TEMP\1252584568.EXE
C:\WINDOWS\TEMP\3250062384.EXE
C:\WINDOWS\TEMP\3252249884.EXE

Trojan.Agent/Gen-FraudLoad
C:\DOCUMENTS AND SETTINGS\LESLIE\LOCAL SETTINGS\TEMP\MJUYFJUYTREWSXCQZOGHTRED44.EXE

Trojan.Dropper/Gen-NV
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\916653139.EXE

Trojan.Agent/Gen-VRT
C:\RECYCLER\S-1-5-21-842925246-1563985344-682003330-500\DC35.EXE

Trojan.Agent/Gen-AvastFake
C:\RECYCLER\S-1-5-21-842925246-1563985344-682003330-500\DC44.EXE

Trojan.Unclassified-Packed/Suspicious
C:\WINDOWS\SYSTEM32\JHXM32.DLL

Trojan.Agent/Gen-FakeDrop
C:\WINDOWS\TEMP\704001008.EXE
C:\WINDOWS\TEMP\719313508.EXE

Edited by atazk, 08 June 2009 - 05:22 PM.


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:46 PM

Posted 08 June 2009 - 05:38 PM

Hello atazk:

Do you have Internet access from computer B? If you do, let's try uploading to Jotti from this machine.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Program Files\MICPHONE\antit.exe
C:\Windows\Explorer.exe
C:\Windows\System32\svchost.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

In your next reply, please provide the following:
Jotti/Virustotal logs for all requested files
<-If you can.

Edited by Blade Zephon, 08 June 2009 - 05:52 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#10 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 08 June 2009 - 06:33 PM

For computer B, there was no file Micphone.
Filename: explorer.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 20 May 2009 18:22:57 (CET)
File size: 1033216 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 97bd6515465659ff8f3b7be375b2ea87
SHA1: 972307a3ef93680afdd03603df20f2241047a934


Filename: svchost.exe
Status:
Scan finished. 0 out of 18 scanners reported malware.
Scan taken on: Tue 9 Jun 2009 01:31:11 (CET)
File size: 14336 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 8f078ae4ed187aaabc0a305146de6716
SHA1: da0ff4006859a7580aba81f486f692dead2014fe

#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:46 PM

Posted 08 June 2009 - 07:03 PM

The file is there, it's just being hidden by the malware. Let's see if we can get around that.

Go to Jotti again, but this time when the browse window opens, instead of navigating through the folders as usual, type the entire filepath in the box next to "File Name" and click Open.

Here is the filepath again:

C:\Program Files\MICPHONE\antit.exe

Hopefully this will work.

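The check Blade describes above, written up as an added example (not code from the thread, from Jotti or from SUPERAntiSpyware): it compares what the parent folder's listing shows with what a direct open by full path yields, and reports the same size/MD5/SHA1 fields Jotti prints. The sample file and its contents are constructed; only the `antit.exe` name is borrowed from the log.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    """Open a file by its exact path and return (size, md5, sha1), the same
    fields Jotti/VirusTotal print for an uploaded sample."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha1.hexdigest()

def cross_view(path):
    """Compare the parent directory's listing with a direct open by full path.
    A file that opens but is missing from the listing is being hidden from
    enumeration, which is why typing the full path into an Open dialog can
    reach it when browsing the folder cannot."""
    parent, name = os.path.split(path)
    try:
        listed = name.lower() in (n.lower() for n in os.listdir(parent))
    except OSError:
        listed = False
    try:
        size, md5, sha1 = hash_file(path)
        opened = True
    except OSError:
        opened, size, md5, sha1 = False, None, None, None
    if listed == opened:
        verdict = "consistent"             # in both views, or in neither
    elif opened:
        verdict = "hidden from listing"    # readable by path, absent from enumeration
    else:
        verdict = "listed but unreadable"  # visible, but open() failed
    return {"path": path, "listed": listed, "opened": opened,
            "size": size, "md5": md5, "sha1": sha1, "verdict": verdict}

def self_check():
    """Run cross_view on a constructed sample in a scratch directory."""
    # Real use would pass the suspect path, e.g. cross_view(r"C:\Program Files\MICPHONE\antit.exe")
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "antit.exe")  # name from the thread, content made up
        with open(sample, "wb") as fh:
            fh.write(b"hello")
        return cross_view(sample)

if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```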


#12 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 08 June 2009 - 07:13 PM

An error comes up asking me if I'm sure it's the correct file path. I even tried searching for it with Windows and nothing came up.

Edited by atazk, 08 June 2009 - 07:17 PM.


#13 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 09 June 2009 - 12:40 AM

Somehow I was able to restore internet connectivity to computer A; I started up some Windows processes manually in order to do so, however the network icon still shows as if it is trying to acquire a network. Same thing happened with C:\Program Files\MICPHONE\antit.exe: the file path is not found.

Here is the log for explorer.exe:

Filename: explorer.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 2 Jun 2009 10:50:44 (CET)

Additional info
File size: 1033728 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 12896823fb95bfb3dc9b46bcaedc9923
SHA1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f


And svchost.exe:

Filename: svchost.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Mon 8 Jun 2009 12:47:39 (CET)

Additional info
File size: 14336 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667

#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:46 PM

Posted 09 June 2009 - 10:18 PM

My apologies for the delay, atazk.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!


EDIT: If you caught it... I accidentally posted the wrong speech first, but I fixed it :thumbsup:

Edited by Blade Zephon, 09 June 2009 - 10:23 PM.



#15 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 10 June 2009 - 12:20 AM

Hello, I have three computers infected with a malware, which seems to be Malware Doctor. I was receiving help from Blade Zephon in the "Am I infected? What do I do?" forum; this is the link to the thread: http://www.bleepingcomputer.com/forums/t/232089/infected-with-malware/

I ran the .dds file, however it comes up with the error below. I disabled all antispyware/antimalware/antivirus and tried to run it again, but it still gives me this error.

Posted Image



