Computer is TRASHED!! Renos and Microjoin.Gen!C trojans identified by Windows Defender


25 replies to this topic

#1 mr black

Posted 17 June 2009 - 12:04 PM

Symptoms are as follows:

- Windows Defender has warned of several Trojans (win32/Renos and win32/microjoin.gen!C) but seems unable to quarantine them
- Constant internet windows opening with all manner of junk in them
- Spyware pop ups with fake antispyware. In fact, when Windows starts, there is actually a fake antispyware 'warning' which I have to click OK before I can get any further
- No access to task manager ("Your administrator has disabled Task Manager")
- When I did manage to get System Restore Wizard open, there was not a single restore point...I'm pretty sure I didn't disable it on my own.
- IE will open and I can browse briefly, but eventually everything just grinds to a halt because of the new browser windows opening and system runs out of Virtual Memory

DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by xxxxx at 18:56:47.79 on Tue 06/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.36 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Protector\protector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\WINDOWS\svc.exe
C:\WINDOWS\odb.exe
C:\WINDOWS\vlc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
svchost.exe "C:\WINDOWS\system32\apcupsr.exe"
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Security Adviser\mssadv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hUu.exe
C:\hUu.exe
C:\hUu.exe
C:\hUu.exe
C:\Documents and Settings\xxxxx\Desktop\dds.scr
C:\hUu.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msctrl.exe] c:\program files\microsoft security adviser\msctrl.exe
uRun: [msavsc.exe] c:\program files\microsoft security adviser\msavsc.exe
uRun: [msscan.exe] c:\program files\microsoft security adviser\msscan.exe
uRun: [msiemon.exe] c:\program files\microsoft security adviser\msiemon.exe
uRun: [msfw.exe] c:\program files\microsoft security adviser\msfw.exe
uRun: [mssadv.exe]
uRun: [UpdateWin] c:\windows\system32\apcupsr.exe
uRunServices: [UpdateWin] c:\windows\system32\apcupsr.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [msctrl.exe] c:\program files\microsoft security adviser\msctrl.exe
mRun: [msavsc.exe] c:\program files\microsoft security adviser\msavsc.exe
mRun: [msscan.exe] c:\program files\microsoft security adviser\msscan.exe
mRun: [msiemon.exe] c:\program files\microsoft security adviser\msiemon.exe
mRun: [msfw.exe] c:\program files\microsoft security adviser\msfw.exe
mRun: [mssadv.exe]
mRun: [netc] c:\windows\svc.exe
mRun: [odby] c:\windows\odb.exe
mRun: [UpdateWin] c:\windows\system32\apcupsr.exe
mRun: [vlc] c:\windows\vlc.exe
mRun: [lsass] c:\windows\lsass.exe
mRun: [15129474] c:\documents and settings\all users\application data\15129474\15129474.exe
mRun: [95139466] c:\documents and settings\all users\application data\95139466\95139466.exe
mRun: [15121364] c:\documents and settings\all users\application data\15121364\15121364.exe
mRun: [15130774] c:\documents and settings\all users\application data\15130774\15130774.exe
mRun: [95131356] c:\documents and settings\all users\application data\95131356\95131356.exe
mRun: [95140766] c:\documents and settings\all users\application data\95140766\95140766.exe
mRun: [15130374] c:\documents and settings\all users\application data\15130374\15130374.exe
mRun: [15129274] c:\documents and settings\all users\application data\15129274\15129274.exe
mRun: [95140366] c:\documents and settings\all users\application data\95140366\95140366.exe
mRun: [95139266] c:\documents and settings\all users\application data\95139266\95139266.exe
mRunOnce: [Protector] c:\program files\protector\protector.exe -startup
mRunServices: [UpdateWin] c:\windows\system32\apcupsr.exe
uExplorerRun: [Msn] c:\hUu.exe
uExplorerRun: [MsnHost] c:\hUu.exe
uExplorerRun: [MsnLoad] c:\hUu.exe
uExplorerRun: [MsnConvert] c:\hUu.exe
uExplorerRun: [MsnMessendger] c:\hUu.exe
dExplorerRun: [Msn] c:\uZm.exe
dExplorerRun: [MsnHost] c:\uZm.exe
dExplorerRun: [MsnLoad] c:\uZm.exe
dExplorerRun: [MsnConvert] c:\uZm.exe
dExplorerRun: [MsnMessendger] c:\uZm.exe
StartupFolder: c:\docume~1\xxxx\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagefox.lnk - c:\windows\installer\{0a117913-c6be-4524-a1a2-47ae6f3604ef}\IMAGEFOX_STRTUP_SHRTCUT.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoTrayItemsDisplay = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://images.autodesk.com/adsk/files/mgaxctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

S3 DCamUSBSanyo;SANYO Digital Camera PC Camera;c:\windows\system32\drivers\sdscwebd.sys [2007-1-8 86656]

=============== Created Last 30 ================

2009-06-16 18:56 1,524,736 a------- c:\windows\edcregc.exe
2009-06-16 18:52 4,716,032 a------- c:\program files\optimize314.exe
2009-06-16 18:49 859,648 a------- c:\windows\invictus.dll
2009-06-16 18:44 1,590,784 a------- c:\program files\22.exe
2009-06-16 18:42 260,608 a------- C:\uZm.exe
2009-06-16 18:39 6,998 a------- C:\OueimIFY.bat
2009-06-16 18:39 4,588,032 a------- c:\windows\list.doc
2009-06-16 18:38 235 a------- C:\VOAFI.bat
2009-06-16 18:31 4,363,776 a------- c:\windows\QdrDrive16.dll
2009-06-16 18:30 260,608 a------- C:\QftkL.exe
2009-06-16 18:30 6,998 a------- C:\Fi8VS.bat
2009-06-16 18:30 246 a------- C:\lNe5hvZ.bat
2009-06-16 18:27 3,778,048 a------- c:\windows\nzpuoqsv.exe
2009-06-16 18:25 <DIR> --dsh--- C:\found.005
2009-06-15 18:30 260,608 a------- C:\wNCp49bq.exe
2009-06-15 18:29 6,998 a------- C:\qCwQgt.bat
2009-06-15 18:29 273 a------- C:\w0NR9dJQ.bat
2009-06-15 18:08 260,608 a------- C:\XOM.exe
2009-06-15 18:07 6,998 a------- C:\Dgp0.bat
2009-06-15 18:07 229 a------- C:\vFYR8pe.bat
2009-06-15 18:07 531,456 a------- c:\program files\dadirova.dll
2009-06-15 17:58 260,608 a------- C:\hUu.exe
2009-06-15 17:57 6,998 a------- C:\z6euH.bat
2009-06-15 17:57 231 a------- C:\GkAfh.bat
2009-06-15 17:54 260,608 a------- C:\PrkB2G.exe
2009-06-15 17:54 1,433,600 a------- c:\windows\switchbetweenapps.pcrswitp31[1].exe
2009-06-15 17:54 <DIR> --d----- c:\program files\Protector
2009-06-15 17:54 6,998 a------- C:\jk7x1oJi.bat
2009-06-15 17:54 259 a------- C:\hX5C.bat
2009-06-15 17:54 <DIR> --d----- c:\docume~1\xxxxx\applic~1\none
2009-06-14 10:58 281,600 a------- c:\windows\lsass.exe
2009-06-13 11:44 233,472 a------- c:\windows\vlc.exe
2009-06-12 00:16 41,984 ---shr-- c:\windows\system32\apcupsr.exe
2009-06-11 23:40 109 a--sh--- c:\windows\system32\944868117.dat
2009-06-11 23:39 41,984 ---shr-- c:\windows\system32\1028x.exe
2009-06-11 23:38 234,496 a------- c:\windows\odb.exe
2009-06-11 23:37 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-11 23:37 234,496 a------- c:\windows\svc.exe
2009-06-11 23:32 12,288 a------- c:\windows\msscan.dll
2009-06-11 23:32 12,288 a------- c:\windows\msiemon.dll
2009-06-11 23:32 12,288 a------- c:\windows\msfw.dll
2009-06-11 23:32 12,288 a------- c:\windows\msctrl.dll
2009-06-11 23:32 12,288 a------- c:\windows\msavsc.dll
2009-06-11 23:31 33,792 a------- c:\windows\mssadv.dll
2009-06-11 23:31 <DIR> --d----- c:\program files\Microsoft Security Adviser
2009-06-11 23:31 33,280 a------- C:\0xf9.exe
2009-05-24 14:33 54,156 a---h--- c:\windows\QTFont.qfn
2009-05-24 14:33 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-06-15 18:17 4,867,072 a------- c:\program files\cls.bmb

============= FINISH: 19:01:57.19 ===============


#2 miekiemoes

Posted 18 June 2009 - 07:22 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Also, please back up your important data first while you can still access your Windows. The reason is that you are dealing with one of these Trojans/Bots that have the functionality to kill your OS.
Read this article for more info: When a Bot master goes mad - Kill the OS and here A Zeus botnet self-destructs


* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

By the way, is there any reason why you don't have an Antivirus installed?

Edited by miekiemoes, 18 June 2009 - 07:23 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mr black

Posted 22 June 2009 - 02:22 PM

OK thanks, I'll get the Malware program and run it. This may sound like a dumb question but what is the best way to back up my data? I have only a CD-ROM burner and a floppy.

Out of curiosity, what is it that you see in the DDS log that tells you my system is severely corrupted?

I guess I don't have an antivirus because I find they usually take up a lot of processing power and slow things down. I never open suspicious attachments, I always have the firewall running (at least I thought so) and Windows Defender has done an amazing job of blocking spyware for the past 2 years. Probably dumb, but that's my answer to your question!

#4 miekiemoes

Posted 23 June 2009 - 01:09 AM

Hi,

I have only a CD-ROM burner and a floppy.

You can use both, whatever is easier to use for you.

Out of curiosity, what is it that you see in the DDS log that tells you my system is severely corrupted?

80% of the entries listed in your log are malware.

I guess I don't have an antivirus because I find they usually take up a lot of processing power and slow things down. I never open suspicious attachments, I always have the firewall running (at least I thought so) and Windows Defender has done an amazing job of blocking spyware for the past 2 years.

Malware takes a lot more processing power, and it collects all your passwords and other personal info and is responsible for infecting other computers as well.
Also read here: http://miekiemoes.blogspot.com/2008/08/i-d...use-i-have.html
Anyway, as I already said, your computer is SEVERELY infected. This wouldn't have happened if you had an Antivirus (Windows Defender is no Antivirus).
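As an added illustration of what a helper looks for in a DDS "Pseudo HJT Report" (this is example code written for this page, not DDS's, MBAM's or the poster's own logic), the script below triages the kinds of entries called out in the log above: the second path appended to Userinit, the DisableTaskMgr/NoTrayItemsDisplay policies, autoruns living directly in C:\ or C:\WINDOWS\, core-system process names outside system32, numeric autorun names, and several autorun names pointing at one file. The sample lines are copied from post #1; the categories and thresholds are this example's own assumptions.

```python
"""Triage of DDS 'Pseudo HJT Report' lines.

Added example for this thread; not part of DDS, MBAM or any post above.
The heuristics are this example's own assumptions about what makes an
autorun entry worth a second look, not DDS's logic."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in post #1, plus one
# benign entry (iTunesHelper) so the script has something to leave alone.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mssadv.exe]
mRun: [netc] c:\windows\svc.exe
mRun: [vlc] c:\windows\vlc.exe
mRun: [lsass] c:\windows\lsass.exe
mRun: [15129474] c:\documents and settings\all users\application data\15129474\15129474.exe
uExplorerRun: [Msn] c:\hUu.exe
uExplorerRun: [MsnHost] c:\hUu.exe
dExplorerRun: [Msn] c:\uZm.exe
uPolicies-explorer: NoTrayItemsDisplay = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
"""

# DDS line shapes used here: "<key>Run...: [name] command", policy lines and Userinit.
RUN_RE = re.compile(r"^(?P<key>\w*Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[a-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
POLICY_RE = re.compile(r"^(?P<key>\w+Policies-\w+): (?P<name>\w+) = (?P<val>\d+)")
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<val>.*)$", re.IGNORECASE)

# Policies the rogue set on this machine to hide itself and block Task Manager.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "NoTrayItemsDisplay"}
# Core Windows process names that do not legitimately autorun from c:\windows\.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"
ODD_DIRS = {"c:\\", "c:\\windows\\"}


def parse_dds(text):
    """Split report text into (autoruns, policies, userinit-path-list)."""
    runs, policies, userinit = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            exe = EXE_RE.search(m.group("cmd"))
            path = exe.group("path").lower() if exe else None
            runs.append((m.group("key"), m.group("name"), path))
        elif m := POLICY_RE.match(line):
            policies.append((m.group("key"), m.group("name"), int(m.group("val"))))
        elif m := USERINIT_RE.match(line):
            userinit = [p.strip().lower() for p in m.group("val").split(",") if p.strip()]
    return runs, policies, userinit


def triage(text):
    """Return a list of (category, detail) findings, in report order."""
    runs, policies, userinit = parse_dds(text)
    findings = []
    # Userinit should name exactly one executable; extra entries are loaded at logon.
    if userinit and len(userinit) > 1:
        findings.append(("userinit_hijack", ", ".join(userinit[1:])))
    for key, name, val in policies:
        if name in RESTRICTIVE_POLICIES and val == 1:
            findings.append(("restrictive_policy", f"{key}: {name}"))
    by_target = defaultdict(list)
    for key, name, path in runs:
        if path is None:  # autorun value with no command, e.g. "[mssadv.exe]"
            findings.append(("empty_autorun", f"{key} [{name}]"))
            continue
        by_target[path].append(name)
        directory, _, filename = path.rpartition("\\")
        directory += "\\"
        if directory in ODD_DIRS:
            findings.append(("odd_location", path))
        if filename in SYSTEM_NAMES and not directory.startswith(SYSTEM_DIR):
            findings.append(("system_name_masquerade", path))
        if name.isdigit():
            findings.append(("numeric_autorun_name", path))
    for path, names in by_target.items():
        if len(names) > 1:  # one file registered under several autorun names
            findings.append(("duplicate_target", f"{path} <- {names}"))
    return findings


def summarize(findings):
    """Count findings per category for a quick 'how bad is it' glance."""
    counts = defaultdict(int)
    for kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```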

#5 mr black

Posted 23 June 2009 - 08:20 AM

OK well I guess I've learned a lesson about anti-virus.

Right now, the PC is not letting ANY applications run except Internet Explorer. No graphics editor, no Media Player. I was able to download the MalwareBytes .exe but I cannot run it. Any other way to run it? Maybe from DOS prompt or on startup?

Please give me detailed instructions because I don't remember exactly how to do any of these things :thumbup2: Also, I have tried to start Windows in Safe Mode several times and it is unable to do so.

Thanks!

#6 miekiemoes

Posted 23 June 2009 - 08:46 AM

Hi,

Looks like the huge amount of malware downloaded and installed more malware on top. Please don't expect miracles. If we are having too much trouble here, then a format and reinstall will actually be the fastest and especially the safest solution.

Anyway, can you try to run malwarebytes from Windows safe mode?
Also, please rename mbam.exe to iexplore.exe or firefox.exe and try to run it. Don't use any other names; this is because, in case you are dealing with the Winbluesoft infection on top, the infection only allows a few applications to run - and from what I hear here, it looks like you're dealing with that one as well.

#7 mr black

Posted 23 June 2009 - 01:57 PM

I can't even get Safe Mode to open! I hold down the Shift or Space key or whatever it is to get the Safe Mode menu to come up, but then when I select Safe Mode, it tries to re-start but cannot. This happens whether I pick Safe Mode, Safe Mode with Command Prompt, Safe mode with Networking.... none of them work. My only choice is to start Windows normally.

Any other options?

#8 miekiemoes

Posted 23 June 2009 - 02:06 PM

We can still try one more thing, but if that doesn't work either, then there's not much we can try anymore. As I said, your computer is crippled with malware - it actually surprises me it's still able to boot.

Can you try normal mode again but with the renamed malwarebytes?

If that fails, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


If that fails as well,
Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems
Please see the post here if you're unable to view the entire screen of Avira.


If you are still having a lot of problems afterwards, then I suggest you format and reinstall Windows, because this looks like a lost case already.

#9 mr black

Posted 23 June 2009 - 04:10 PM

Thank you SO much for the suggestions, I will try all of these steps.

#10 miekiemoes

Posted 23 June 2009 - 04:13 PM

Ok, success. Don't expect miracles, because I suspect this is already a lost case here :thumbup2:

#11 mr black

Posted 23 June 2009 - 04:37 PM

PS can I re-name the Combofix.exe in the same fashion as MBAM, so that it might actually run?

#12 mr black

Posted 23 June 2009 - 09:40 PM

OK, I got Malwarebytes to run (renamed all the executables to iexplore.exe). It found hundreds of infected files obviously.

On restarting, I get some of the same spyware ads (pretending to be anti-spyware software), but fewer Internet popunders and error messages, and I think one of the main fake anti-spyware things is gone.

Here is the MBAM log followed by a new DDS log

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/23/2009 10:29:38 PM
mbam-log-2009-06-23 (22-29-38).txt

Scan type: Quick Scan
Objects scanned: 82016
Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 42
Registry Data Items Infected: 4
Folders Infected: 7
Files Infected: 100

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\15129474\15129474.exe (Rogue.Multiple.H) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15129474 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15130774 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15130374 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15129274 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\95139266 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msn (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnhost (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnload (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnconvert (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnmessendger (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odby (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msn (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnhost (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnload (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnconvert (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnmessendger (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatewin (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatewin (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15121364 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay (Hijack.Tray) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\15129474 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\15130774 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\15130374 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\15129274 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\95139266 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\documents and settings\all users\application data\15129474\15129474.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15129474\15129474.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15129474\pc15129474cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15129474\pc15129474ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15130774\15130774.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15130774\15130774.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15130774\pc15130774cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15130374\15130374.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15130374\15130374.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15130374\pc15130374cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15129274\15129274.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15129274\15129274.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15129274\pc15129274cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\95139266\95139266.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\hUu.exe (Adware.CashOn) -> Quarantined and deleted successfully.
C:\WINDOWS\svc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\odb.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\vlc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\uZm.exe (Adware.CashOn) -> Quarantined and deleted successfully.
c:\WINDOWS\tmp2747989.log (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\tmp2995499.log (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\tmp9059543.log (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\msavsc.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\msctrl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\msfw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\msiemon.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\msscan.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\0xf9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\PrkB2G.exe (Adware.CashOn) -> Quarantined and deleted successfully.
c:\QftkL.exe (Adware.CashOn) -> Quarantined and deleted successfully.
c:\wNCp49bq.exe (Adware.CashOn) -> Quarantined and deleted successfully.
c:\XOM.exe (Adware.CashOn) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\1_dropper_other.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\5_odb.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\675.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\avto.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\q3.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\q4.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\q5.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\q6.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\q7.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\q8.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\q9.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\teste1_p.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\5_odb.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\avto.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\avto1.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\avto2.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\avto3.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\avto4.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nopmulti1.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nopmulti3.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nopmulti5.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000004D11CDC77B7471F22F (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP00000052FFCA1DBCF18A7790 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP00000053EBEA220916919FB1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP00000054075DD5738FAE3451 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP00000048734F756D1F2D5340 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP000000495F0F9A97ABFF894C (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000004A924ACE71B7802780 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000004B89B5119FF3A612EA (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP000000561A5A907BAA76D530 (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000005FC278DFA36ECAED61 (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000002FD698A494CBFC3262 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP00000030168BD2F9DD3DEE51 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000003125DE342E80FFB39A (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000003B08AB8CF670638337 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000003CAB78FAE74355C5F2 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000003DA4DFDEB7A6352BFC (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000003E532E95E22D5A5EB4 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP00000029BC88329A579F3CCE (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP00000032EEF4C5AFC4D3A659 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP0000003359D1CB7EDCBFC904 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\TMP000000347F6729B59F308DD1 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\temporary internet files\Content.IE5\0DPT6LBC\7[3].jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\temporary internet files\Content.IE5\0DPT6LBC\7[5].jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\microsoft security adviser\msctrl.log (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\microsoft security adviser\mssadv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\microsoft security adviser\mssadv.log (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\HOSTS (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\3_baracudanew.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\4_pinnew.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\6_ldr3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\apcupsr.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Coleman\local settings\Temp\60325cahp25ca0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Coleman\local settings\Temp\60325cahp25caa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\dadirova.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\program files\msdmem.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\program files\zodetego.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\mssadv.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\lsass.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1028x.exe (Trojan.Agent) -> Quarantined and deleted successfully.





DDS (Ver_09-05-14.01) - NTFSx86
Run by XXXXX at 22:38:21.48 on Tue 06/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.160 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Protector\protector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xxxxx\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRunOnce: [Protector] c:\program files\protector\protector.exe -startup
StartupFolder: c:\docume~1\coleman\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ImageFox.lnk -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://images.autodesk.com/adsk/files/mgaxctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 DCamUSBSanyo;SANYO Digital Camera PC Camera;c:\windows\system32\drivers\sdscwebd.sys [2007-1-8 86656]

=============== Created Last 30 ================

2009-06-23 22:03 <DIR> --d----- c:\docume~1\xxx\applic~1\Malwarebytes
2009-06-23 22:03 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:03 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 22:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 21:57 1,946,112 a------- c:\windows\csearch.dll
2009-06-19 08:40 638,976 a------- c:\windows\icqspoof.c
2009-06-16 19:12 4,715,008 a------- c:\windows\netctl.exe
2009-06-16 18:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\95140366
2009-06-16 18:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\95139466
2009-06-16 18:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\95131356
2009-06-16 18:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\15121364
2009-06-16 18:56 1,524,736 a------- c:\windows\edcregc.exe
2009-06-16 18:52 4,716,032 a------- c:\program files\optimize314.exe
2009-06-16 18:49 859,648 a------- c:\windows\invictus.dll
2009-06-16 18:44 1,590,784 a------- c:\program files\22.exe
2009-06-16 18:39 6,998 a------- C:\OueimIFY.bat
2009-06-16 18:39 4,588,032 a------- c:\windows\list.doc
2009-06-16 18:38 235 a------- C:\VOAFI.bat
2009-06-16 18:31 4,363,776 a------- c:\windows\QdrDrive16.dll
2009-06-16 18:30 6,998 a------- C:\Fi8VS.bat
2009-06-16 18:30 246 a------- C:\lNe5hvZ.bat
2009-06-16 18:27 3,778,048 a------- c:\windows\nzpuoqsv.exe
2009-06-16 18:25 <DIR> --dsh--- C:\found.005
2009-06-15 18:29 6,998 a------- C:\qCwQgt.bat
2009-06-15 18:29 273 a------- C:\w0NR9dJQ.bat
2009-06-15 18:07 6,998 a------- C:\Dgp0.bat
2009-06-15 18:07 229 a------- C:\vFYR8pe.bat
2009-06-15 17:57 6,998 a------- C:\z6euH.bat
2009-06-15 17:57 231 a------- C:\GkAfh.bat
2009-06-15 17:54 1,433,600 a------- c:\windows\switchbetweenapps.pcrswitp31[1].exe
2009-06-15 17:54 <DIR> --d----- c:\program files\Protector
2009-06-15 17:54 6,998 a------- C:\jk7x1oJi.bat
2009-06-15 17:54 259 a------- C:\hX5C.bat
2009-06-15 17:54 <DIR> --d----- c:\docume~1\xxxx\applic~1\none
2009-06-11 23:40 109 a--sh--- c:\windows\system32\944868117.dat

==================== Find3M ====================

2009-06-23 22:02 2,020,352 a------- c:\program files\gmt.exe.manifest
2009-06-15 18:17 4,867,072 a------- c:\program files\cls.bmb

============= FINISH: 22:38:59.87 ===============

#13 mr black

  • Topic Starter
  • Members
  • 16 posts

Posted 23 June 2009 - 09:43 PM

And here is the latest Attach file if you need it, named Attach2 so as to distinguish from the first one I did.


#14 mr black

  • Topic Starter
  • Members
  • 16 posts

Posted 23 June 2009 - 09:59 PM

I have successfully downloaded Combofix but will not run it unless you tell me to.

System is running MUCH better now, I can use most of my applications and the Internet runs fairly well, haven't seen any popunders, only the one piece of spyware pretending to be anti-spyware.

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 June 2009 - 12:06 AM

Hi,

Can you please also update your Malwarebytes? It's outdated.
Click the update tab > check for updates and download all updates.
Then rescan again.

This should also get rid of the fakealert thing.

Then post the new log in your next reply.

Also, once you've updated and rescanned, run Combofix as well and post the log in your next reply.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



