Complete idiot in need of help.


18 replies to this topic

#1 Desmage

Posted 15 July 2009 - 02:26 PM

Hello, I'm pretty much a complete idiot, so bear with me. Yesterday I was trying to find a link to watch a movie and a link I went to froze. As soon as I closed it, a fake Windows Update icon appeared on my taskbar. It told me that I was infected, so of course I clicked it. Right after clicking it a bunch of fake virus protection crap popped up telling me what to download and what to buy. I quickly turned off my laptop and when I restarted it I scanned with McAfee. After the first scan it got rid of 112 viruses and no more fake virus protection software popped up. I thought I might have been safe, but I scanned once more just to be safe. There were 5 more viruses removed. While thinking I was safe, I decided to forget about what had happened, and I was watching videos on YouTube. While watching them I started hearing random audio out of nowhere... I started hearing the Michael Jackson song Heal the World. I knew there was no reason I should have been hearing that because I was watching anime. I went on Task Manager and saw that several Internet Explorers were opened up, but I use Google Chrome. As soon as I closed them the audio stopped. Since then Internet Explorer keeps showing up in Task Manager, and sometimes I hear more random audio. Although Internet Explorer is showing up in Task Manager it doesn't show up anywhere else... It's completely hidden... Later that day I went to go play World of Warcraft, but it seems that it's been corrupted... The sound doesn't work on it and it's also very buggy. Right away I realized that I must have still had viruses, so after having a friend change my password on WoW, I scanned a few more times. The same 3 files keep coming back after McAfee quarantines them.

c:\windows\system32\skynettykdjsqy.dll
c:\windows\system32\skynetlirmipsa.dll
c:\windows\system32\skynetdbwtebjuln.tmp

On all of the files it says DNSChanger.ad detected.
----------------------------------------------------------------------------

I'm completely clueless, and have no idea what I should do. Please help :thumbsup:

Edited by Desmage, 15 July 2009 - 02:31 PM.


#2 DaChew

Posted 15 July 2009 - 03:01 PM

This is a very nasty infection.

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the File tab at the bottom, scan, and paste the report into a reply here, please.


Edited by DaChew, 15 July 2009 - 03:36 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 Desmage

Posted 15 July 2009 - 03:43 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 16:41
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETdtkmpxby.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETlirmipsa.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETotvcxxnw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETtykdjsqy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdajupyrxxfoulufia.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACeorodhjexkltuutbp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClrhxwjpwojxlfirav.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnhmctqftoreyyplmg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACogpskwbqbomlpsaoi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACoyowrmoejtvgtmyki.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACswkboqjendwresntj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_vdagofgnkbpwg7y
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_xtscafks033bmhm
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_jwegx6lk3qxsjb1
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_busgwscnf2nkmp7
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_4nn78ts1aremyfy
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\UAC481b.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_nrgdrbhbwkuqio4
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_g7x6y3r5v9iubpu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_hcicv2ppacmdhac
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\SKYNETkvvijmla.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACovkdvpwxgxynldksx.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\application data\skypepm\2009-07-15-2.ezlog
Status: Size mismatch (API: 648, Raw: 376)

Path: c:\documents and settings\owner\local settings\temp\etilqs_d09k96d23klybai4umve
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\etilqs_zmbemxbdegobvsutycby
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\Temp\UAC9673.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\application data\skype\desmage\etilqs_cxdrqtgv6kecl85wfcr1
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\owner\application data\skype\desmage\etilqs_swpimhqmdiabv9zzr3bu
Status: Allocation size mismatch (API: 4096, Raw: 0)

#4 DaChew

Posted 15 July 2009 - 03:56 PM

Path: C:\WINDOWS\system32\drivers\SKYNETkvvijmla.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACovkdvpwxgxynldksx.sys
Status: Invisible to the Windows API!


Rerun the file scan, highlight these 2 lines, right-click and choose Wipe File.

McAfee will probably catch them now, but just to be safe:

Reboot

Please download Malwarebytes Anti-Malware (v1.39) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
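The reply above reads the RootRepeal report by eye and picks the two hidden .sys drivers to wipe first. As an added example (not code from the thread or from RootRepeal), here is a small Python triage script that does the same sorting on the Path/Status pairs RootRepeal prints; the sample report is constructed from a subset of the lines posted in this thread.

```python
"""Triage a RootRepeal 'Hidden/Locked Files' report: separate entries the
Windows API cannot see from benign size mismatches, and put hidden kernel
drivers first, since a hidden .sys under system32\\drivers is what reloads
the rootkit on every boot.

Added example; not code from the thread or from RootRepeal. The sample
report is constructed from a subset of the lines posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 16:41
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\SKYNETlirmipsa.dll
Status: Invisible to the Windows API!

Path: c:\\windows\\temp\\mcmsc_vdagofgnkbpwg7y
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\\WINDOWS\\system32\\drivers\\SKYNETkvvijmla.sys
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\UACovkdvpwxgxynldksx.sys
Status: Invisible to the Windows API!

Path: c:\\documents and settings\\owner\\application data\\skypepm\\2009-07-15-2.ezlog
Status: Size mismatch (API: 648, Raw: 376)
"""

# RootRepeal prints each finding as a "Path:" line followed by a "Status:" line.
ENTRY_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.MULTILINE)


@dataclass
class Entry:
    path: str
    status: str

    @property
    def invisible(self) -> bool:
        # The raw NTFS walk found a file the Win32 API did not list: either a
        # rootkit is filtering directory listings, or the file came and went
        # between the two passes.
        return self.status.startswith("Invisible to the Windows API")

    @property
    def is_kernel_driver(self) -> bool:
        p = self.path.lower()
        return p.endswith(".sys") and "\\drivers\\" in p


def parse_hidden_files(report: str) -> list[Entry]:
    """Return the entries of the Hidden/Locked Files section, in report order."""
    _, sep, body = report.partition("Hidden/Locked Files")
    if not sep:
        return []
    return [Entry(m["path"], m["status"]) for m in ENTRY_RE.finditer(body)]


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Split entries into what to act on and what to ignore.

    Size and allocation mismatches on temp, sqlite and log files are the normal
    state of a file being written while the scan runs, and a file that is only
    'Locked' (hiberfil.sys here) is in use by the kernel, not hidden.
    """
    result = {"hidden_drivers": [], "hidden_other": [], "noise": []}
    for e in entries:
        if not e.invisible:
            result["noise"].append(e.path)
        elif e.is_kernel_driver:
            result["hidden_drivers"].append(e.path)
        else:
            result["hidden_other"].append(e.path)
    return result


def wipe_order(entries: list[Entry]) -> list[str]:
    """Paths to select for 'Wipe file', drivers first so the rootkit cannot
    reload and re-hide the remaining files after the reboot."""
    t = triage(entries)
    return t["hidden_drivers"] + t["hidden_other"]


if __name__ == "__main__":
    for path in wipe_order(parse_hidden_files(SAMPLE_REPORT)):
        print("wipe:", path)
```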

#5 Desmage

Posted 15 July 2009 - 06:20 PM

Everything you told me was working great until I finished the Malwarebytes scan, once I removed all the infected objects and let it restart my laptop. Windows can't start up, please help..... It goes to the startup menu that says Windows did not start successfully, and when I let it try to start up Windows normally it just goes back to the menu that says it couldn't start up again.... Please help, I don't know what to do... :thumbsup:

#6 DaChew

Posted 15 July 2009 - 06:55 PM

Can you start in safe mode?

http://www.malwareremoval.com/tutorials/safemodeboot.php

#7 Desmage

Posted 15 July 2009 - 07:23 PM

I couldn't start in safe mode, but I went to Last Known Good Configuration and it started up, but while it was starting up I got a whole bunch of error messages while it said Welcome. After about 15 error messages Windows finally started up. I'm going to check if I'm having any problems, and I'll post anything that I need help with.

#8 Desmage

Posted 15 July 2009 - 07:34 PM

Everything seems to be working perfectly fine from what I see. Also I don't see any signs of that virus yet, although I haven't scanned yet. I'm still worried about those error messages I got though; I'm scared that I might have damaged something, etc.


Please get back to me soon, thank you so much for all the help.

#9 DaChew

Posted 15 July 2009 - 07:38 PM

I had second thoughts about McAfee and this removal; as often as not, something like this happens. Some malware fighters remove it from the infected computer before trying to clean. I always do when I am working on a computer.

Do you have that MBAM log?

#10 Desmage

Posted 15 July 2009 - 07:39 PM

Malwarebytes' Anti-Malware 1.39
Database version: 2436
Windows 5.1.2600 Service Pack 2

7/15/2009 6:54:33 PM
mbam-log-2009-07-15 (18-54-33).txt

Scan type: Quick Scan
Objects scanned: 88574
Time elapsed: 12 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 105
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\171290781448mmx.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{1f5e0ea2-abea-44c3-95ec-2d1e721fe95e} (Adware.AdSponsor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9815da81-2e0c-478c-90e4-06e474e704d0} (Adware.AdSponsor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\171290781448mmx.dll (Spyware.OnlineGames) -> Delete on reboot.
c:\WINDOWS\system32\UACnhmctqftoreyyplmg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\253SJESR\svchost[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\9AJK3R19\db[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\NPMyWebS.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETdtkmpxby.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETotvcxxnw.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETkvvijmla.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACovkdvpwxgxynldksx.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#11 DaChew

  • Visiting Alien
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 15 July 2009 - 07:44 PM

Let's get another file scan with RootRepeal.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Read this part about disabling/unloading McAfee.

If we try to remove anything else, we need to turn off McAfee running at bootup.
Chewy

No. Try not. Do... or do not. There is no try.

#12 Desmage

  • Topic Starter
  • Members
  • 15 posts

Posted 15 July 2009 - 07:56 PM

> Let's get another file scan with RootRepeal.
>
> http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
>
> Read this part about disabling/unloading McAfee.
>
> If we try to remove anything else, we need to turn off McAfee running at bootup.

It keeps crashing when I try to open it.

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00429430
Attempt to write to address: 0x00b84000

Nvm, I got it working now.

Edited by Desmage, 15 July 2009 - 08:01 PM.


#13 Desmage

  • Topic Starter
  • Members
  • 15 posts

Posted 15 July 2009 - 08:30 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 21:29
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_tuadx0h5hzojqgi
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_kut4zh7tv6lojzw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ev9iafzmid8ais6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_lmhf7tbfecw0g9x
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_0ye6gewwtvocntr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_1guvueydwyqfn7d
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_acbaxnfro1dtprt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_uq4po7hise7hk5z
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\etilqs_9wzhwr73e6dhsntz5fco
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\etilqs_rf2glc5bceqa9l5e0uit
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\owner\application data\skype\desmage\etilqs_oj5bkkdocv6i051itkj5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\owner\application data\skype\desmage\etilqs_yw2lzpa484sk6pcfywkt
Status: Allocation size mismatch (API: 16384, Raw: 0)
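Added example for this thread (not RootRepeal's own code and not something either poster wrote): a small Python triage script for the "Hidden/Locked Files" section of a RootRepeal report like the one above. It separates entries that are normal on a running system (hiberfil.sys locked by the kernel, SQLite and McAfee scratch files under temp directories whose allocation has not reached disk) from entries under system32 or drivers that deserve a look, which is where the UAC* and SKYNET* files MBAM removed earlier in this thread lived. The sample log, the EXAMPLE* file names, the benign-directory and prefix lists, and the interpretation of the size mismatches are constructed assumptions.

```python
"""Triage the 'Hidden/Locked Files' section of a RootRepeal log.

Added example for this thread, not RootRepeal's own code. The benign-path
rules and the sample log below are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the report in this thread; the EXAMPLE* names
# are placeholders, not real detections. Status wording follows RootRepeal's format.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 21:29
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\windows\\temp\\sqlite_ev9iafzmid8ais6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\\documents and settings\\owner\\application data\\skype\\desmage\\etilqs_oj5bkkdocv6i051itkj5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\\windows\\system32\\drivers\\EXAMPLEkvvijmla.sys
Status: Invisible to the Windows API!

Path: c:\\windows\\system32\\EXAMPLEinit.dll
Status: Allocation size mismatch (API: 0, Raw: 4096)
"""

ENTRY_RE = re.compile(r"^Path: (?P<path>.+?)\r?\nStatus: (?P<status>.+?)\s*$", re.M)
MISMATCH_RE = re.compile(r"Allocation size mismatch \(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)")

# Assumptions about what is normal on a live Windows box.
ALWAYS_LOCKED = {"hiberfil.sys", "pagefile.sys"}                 # kept open by the kernel
SCRATCH_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")
SCRATCH_PREFIXES = ("sqlite_", "etilqs_", "mcmsc_", "mcafee_")   # SQLite / McAfee scratch files
SENSITIVE_DIRS = ("\\windows\\system32\\",)                      # also covers \drivers\


@dataclass
class Finding:
    path: str
    status: str
    verdict: str   # "benign" or "review"
    reason: str


def hidden_files_entries(text: str) -> list[tuple[str, str]]:
    """Return (path, status) pairs from the 'Hidden/Locked Files' section only.

    RootRepeal starts each section with a title line followed by a dashed
    underline, so a section ends where the next underlined title begins.
    """
    lines = text.splitlines()
    body, inside = [], False
    for i, line in enumerate(lines):
        next_is_rule = i + 1 < len(lines) and re.fullmatch(r"-{3,}", lines[i + 1].strip())
        if next_is_rule:                       # this line is a section title
            inside = line.strip() == "Hidden/Locked Files"
            continue
        if inside and not re.fullmatch(r"-{3,}", line.strip()):
            body.append(line)
    return [(m["path"].strip(), m["status"].strip()) for m in ENTRY_RE.finditer("\n".join(body))]


def classify(path: str, status: str) -> Finding:
    """Apply the benign-file assumptions; anything unexplained goes to 'review'."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    mismatch = MISMATCH_RE.search(status)
    if status.startswith("Locked to the Windows API") and base in ALWAYS_LOCKED:
        return Finding(path, status, "benign", "system file the kernel keeps open")
    scratch = any(d in low for d in SCRATCH_DIRS) or base.startswith(SCRATCH_PREFIXES)
    if mismatch and mismatch["raw"] == "0" and scratch:
        # Assumption: an open scratch file whose allocation has not been flushed yet.
        return Finding(path, status, "benign", "open scratch file, allocation not yet on disk")
    if "invisible" in status.lower():
        return Finding(path, status, "review", "file hidden from the Windows API")
    if any(d in low for d in SENSITIVE_DIRS):
        return Finding(path, status, "review", "unexplained locked/mismatched file under system32")
    return Finding(path, status, "review", "unexplained hidden/locked file")


def triage_rootrepeal(text: str) -> dict[str, list[Finding]]:
    """Bucket every Hidden/Locked Files entry as 'benign' or 'review'."""
    buckets: dict[str, list[Finding]] = {"benign": [], "review": []}
    for path, status in hidden_files_entries(text):
        finding = classify(path, status)
        buckets[finding.verdict].append(finding)
    return buckets


if __name__ == "__main__":
    result = triage_rootrepeal(SAMPLE_LOG)
    for verdict in ("review", "benign"):
        print(f"== {verdict} ({len(result[verdict])}) ==")
        for f in result[verdict]:
            print(f"{f.path}\n    {f.status}\n    -> {f.reason}")
```

To run it on a real report, save RootRepeal's output to a text file and call `triage_rootrepeal(open("report.txt").read())`; everything in the "review" bucket is what you would paste for a helper to look at, and the "benign" rules are deliberately narrow so an unfamiliar locked file is never silently dropped.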

#14 DaChew

  • Visiting Alien
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 15 July 2009 - 08:38 PM

Try to disable McAfee.

Please download and run Process Explorer:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File and Save As, create a log and post it here.

Copy and paste it into a reply.

Use Process Explorer to kill any McAfee process still running.

Run a quick scan with MBAM.

Rebooting should load McAfee back up.
Chewy

No. Try not. Do... or do not. There is no try.

#15 Desmage

  • Topic Starter
  • Members
  • 15 posts

Posted 15 July 2009 - 08:52 PM

Process PID CPU Description Company Name
System Idle Process 0 92.31
Interrupts n/a Hardware Interrupts
DPCs n/a 3.08 Deferred Procedure Calls
System 4
smss.exe 956 Windows NT Session Manager Microsoft Corporation
csrss.exe 1012 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1040 Windows NT Logon Application Microsoft Corporation
services.exe 1088 1.54 Services and Controller app Microsoft Corporation
ati2evxx.exe 1248 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1280 Generic Host Process for Win32 Services Microsoft Corporation
mcagent.exe 196 McAfee Integrated Security Platform McAfee, Inc.
svchost.exe 1364 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1420 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 388 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 1556 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1620 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 2040 Spooler SubSystem App Microsoft Corporation
LVPrcSrv.exe 232 Logitech LVPrcSrv Module. Logitech Inc.
svchost.exe 420 Generic Host Process for Win32 Services Microsoft Corporation
AOLacsd.exe 476 AOL Connectivity Service America Online, Inc.
McSACore.exe 716 SiteAdvisor McAfee, Inc.
mcmscsvc.exe 816 McAfee Services McAfee, Inc.
McNASvc.exe 936 1.54 McAfee Network Agent McAfee, Inc.
McProxy.exe 1596 McAfee Proxy Service Module McAfee, Inc.
Mcshield.exe 1732 On-Access Scanner service McAfee, Inc.
msksrver.exe 1896 McAfee Anti-Spam Server McAfee, Inc.
PRISMXL.SYS 256 PrismXL Service New Boundary Technologies, Inc.
svchost.exe 332 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 592 Windows User Mode Driver Manager Microsoft Corporation
symwsc.exe 1508 Norton Security Center Service Symantec Corporation
MpfSrv.exe 2700 McAfee Personal Firewall Service McAfee, Inc.
lsass.exe 1100 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 164 ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 500 Windows Explorer Microsoft Corporation
SOUNDMAN.EXE 3716 Realtek Sound Manager Realtek Semiconductor Corp.
AOLSP Scheduler.exe 3976 AOLSP Scheduler
atiptaxx.exe 4020 ATI Desktop Control Panel ATI Technologies, Inc.
SynTPLpr.exe 4080 TouchPad Driver Helper Application Synaptics, Inc.
SynTPEnh.exe 520 Synaptics TouchPad Enhancements Synaptics, Inc.
shwicon2k.exe 544 Alcor Micro, Corp.
PDVDServ.exe 568 PowerDVD RC Service Cyberlink Corp.
jusched.exe 632 Java™ Platform SE binary Sun Microsystems, Inc.
LVCOMSX.EXE 328 LVCom Server Logitech Inc.
realsched.exe 1504 RealNetworks Scheduler RealNetworks, Inc.
ctfmon.exe 672 CTF Loader Microsoft Corporation
Skype.exe 3324 Skype Skype Technologies S.A.
skypePM.exe 1476 Skype Extras Manager Skype Technologies
chrome.exe 3740 Google Chrome Google Inc.
chrome.exe 760 1.54 Google Chrome Google Inc.
chrome.exe 484 Google Chrome Google Inc.
chrome.exe 3168 Google Chrome Google Inc.
procexp.exe 3336 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
