
How to remove hijack.regedit?


15 replies to this topic

#1 golf71
  • Members
  • 12 posts

Posted 05 August 2009 - 01:58 PM

I have reviewed some of the other forums and have run Malwarebytes and tried removing all, and when I restart it is still there. Below is the log file. Any help would be great.

Malwarebytes' Anti-Malware 1.36
Database version: 1989
Windows 5.1.2600 Service Pack 3, v.3264

8/5/2009 11:41:57 AM
mbam-log-2009-08-05 (11-41-57).txt

Scan type: Quick Scan
Objects scanned: 112257
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#2 boopme
  • Global Moderator
  • 73,220 posts
  • Location:NJ USA

Posted 05 August 2009 - 02:33 PM

Hello, please do 2 things next. Run Flash Disinfector, then rerun an updated MBAM.

Download and Run FlashDisinfector

You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
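Added example by the editor, not code from the thread and not sUBs' Flash_Disinfector: a small Python check of a removable drive's root that shows what the post above is getting at. A worm spreads by dropping an autorun.inf whose open=, shellexecute= or shell\<verb>\command= entries point at its executable; a *directory* named autorun.inf blocks that because the worm can no longer create a *file* of the same name. The sample autorun.inf below is constructed (the RECYCLER\setup.exe name is made up), the parser deliberately tolerates the junk lines worms pad the file with, and the hidden/system attributes the real tool sets on the folder are skipped so the code also runs on a non-Windows host.

```python
"""Check the root of a removable drive for the autorun.inf mechanism the
post above warns about, and apply the same immunisation trick: a directory
named autorun.inf, which stops a worm from writing a file of that name.
Added example, not code from this thread or from sUBs' Flash_Disinfector.
Assumes the classic [autorun] layout (open=, shellexecute=,
shell\<verb>\command=); the hidden/system attributes the real tool sets on
the folder are skipped so this also runs on a non-Windows host."""
import os
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")   # values AutoRun would execute


def parse_autorun(text):
    """Tolerant INI parser: worm-written files carry junk lines, mixed-case
    headers and control bytes, so anything that is not key=value inside
    [autorun] is ignored instead of raising."""
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def launch_commands(directives):
    """(key, command) pairs that would run code when the drive is inserted."""
    return [(k, v) for k, v in directives.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def find_autorun(root):
    """Case-insensitive: FAT/NTFS are, and worms use any casing they like."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return Path(root, name)
    return None


def assess_drive_root(root):
    """Return "absent", "immunized" (directory present) or "autorun-file"
    together with the commands the file would launch."""
    target = find_autorun(root)
    if target is None:
        return "absent", []
    if target.is_dir():
        return "immunized", []
    # latin-1 maps every byte to a character, so junk bytes cannot raise
    return "autorun-file", launch_commands(parse_autorun(target.read_bytes().decode("latin-1")))


def immunize(root):
    """Create the blocking directory. Refuses while a real autorun.inf file
    is present: that file is evidence and has to be examined and removed first."""
    target = find_autorun(root)
    if target is not None:
        return target.is_dir()
    Path(root, "autorun.inf").mkdir()
    return True


# Constructed sample modelled on worm-written autorun.inf files; names made up.
SAMPLE_AUTORUN = "\r\n".join([
    "[AutoRun]",
    "open=RECYCLER\\setup.exe",
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4",
    "\x01\x02 junk line without an equals sign",
    "shell\\open\\Command=RECYCLER\\setup.exe",
    "shellexecute=RECYCLER\\setup.exe",
    "action=Open folder to view files",
])


def run_demo():
    """Play the scenario through in a throwaway directory standing in for a
    drive root; returns the observations in order."""
    steps = []
    with tempfile.TemporaryDirectory() as root:
        steps.append(assess_drive_root(root)[0])
        Path(root, "AUTORUN.INF").write_bytes(SAMPLE_AUTORUN.encode("latin-1"))
        status, cmds = assess_drive_root(root)
        steps.append((status, [key for key, _ in cmds]))
        steps.append(immunize(root))              # refused: live file present
        Path(root, "AUTORUN.INF").unlink()
        steps.append(immunize(root))              # directory created
        steps.append(assess_drive_root(root)[0])
    return steps
```

Running `run_demo()` walks the sequence a cleaner goes through: an empty root, the dropped file with its three launch entries, a refused immunisation while that file is still there, then the blocking directory in place. The refusal is deliberate: overwriting or silently deleting a live autorun.inf throws away the one artefact that tells you which executable the worm was pointing at.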

#3 golf71
  • Topic Starter
  • Members
  • 12 posts

Posted 05 August 2009 - 03:59 PM

Below are the log files after running Flash Disinfector. I ran Malwarebytes again and it found 138 infections. I allowed it to clean up, rebooted, reran it and now there are no infections.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3, v.3264

8/5/2009 3:34:51 PM
mbam-log-2009-08-05 (15-34-51).txt

Scan type: Quick Scan
Objects scanned: 145356
Time elapsed: 12 minute(s), 56 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 4
Registry Keys Infected: 24
Registry Values Infected: 17
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 84

Memory Processes Infected:
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\a.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\win.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\system32\evdoserver.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msxmlhpr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\system32\evdoserver.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cooecp.tlb (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\logcde.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\windef.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\windef.Log (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\winpaged.ocx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Quarantined and deleted successfully.
C:\hcel.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\niawndos.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\umoikchf.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\winantivsetup.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_847807891676.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\1452796659.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\1916871852.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\3986345008.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\dr6vrjhgf44.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\dr6vrjhgf46.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\hsf78sied.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\login.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\oufgeixnsv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\rnaemcwxso.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\services.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\spool.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\spymcqfgqn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\UAC9b2d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\w[4].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\dbsinit.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146120114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\allenj\Local Settings\Temp\dr6vrjhgf47.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.





--------------------------------------------------------------------------



Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3, v.3264

8/5/2009 3:52:29 PM
mbam-log-2009-08-05 (15-52-29).txt

Scan type: Quick Scan
Objects scanned: 145200
Time elapsed: 13 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
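Added example by the editor, not code from golf71, boopme or Malwarebytes: a parser for the MBAM 1.x log layout shown in the three logs above, with a triage pass over the findings. It assumes only what is visible in those logs (section headers ending in "Infected:", one finding per line, fields separated by " -> ", and "Bad: (..) Good: (..)" on registry data items). The sample log is a handful of lines copied from the logs in this thread; the set of families treated as "remote access" is the editor's choice, following the way the thread treats Backdoor.Bot and Zbot. It pulls out three things: the policy values behind Hijack.Regedit and Hijack.FolderOptions (DisableRegistryTools and NoFolderOptions under ...\CurrentVersion\Policies\), the files MBAM could only mark "Delete on reboot" because they were loaded at the time, and the families that mean an attacker may have had a way in.

```python
"""Pull the findings that matter out of a Malwarebytes' Anti-Malware 1.x
scan log: policy hijacks (Hijack.Regedit, Hijack.FolderOptions), items MBAM
could only schedule for deletion at reboot, and families implying remote
access. Added example: not code from this thread or from Malwarebytes. It
assumes only the log layout visible in the posts above."""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
BAD_GOOD_RE = re.compile(r"Bad: \((.*)\) Good: \((.*)\)")

# Registry path fragment shared by Explorer/System policy restrictions;
# DisableRegistryTools and NoFolderOptions both live under it.
POLICY_MARKER = "\\CurrentVersion\\Policies\\"

# Families that mean an attacker could have reached the machine. Assumption
# for this example, following how the moderator treats Backdoor.Bot and Zbot.
REMOTE_ACCESS_FAMILIES = ("Backdoor.", "Spyware.Zbot", "Trojan.TDSS", "Worm.")


@dataclass
class Finding:
    section: str
    path: str
    family: str
    action: str
    bad: Optional[str] = None   # only set on "Registry Data Items" lines
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """One Finding per detection line; header, counter and
    "(No malicious items detected)" lines are skipped."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(") or " -> " not in line:
            continue
        parts = line.split(" -> ")
        head, action = parts[0], parts[-1].rstrip(".")
        # rpartition so a path containing " (" (e.g. "Program Files (x86)")
        # is not cut at the wrong place
        path, _, family = head.rpartition(" (")
        bad = good = None
        for middle in parts[1:-1]:
            bg = BAD_GOOD_RE.match(middle)
            if bg:
                bad, good = bg.groups()
        findings.append(Finding(section, path, family.rstrip(")"), action, bad, good))
    return findings


def triage_mbam(findings: List[Finding]) -> dict:
    report = {"policy_hijacks": [], "pending_reboot": [], "remote_access": set()}
    for f in findings:
        if f.bad is not None and POLICY_MARKER in f.path:
            report["policy_hijacks"].append((f.path.rsplit("\\", 1)[-1], f.bad, f.good))
        # loaded modules show up twice (Memory Modules and Files); list once
        if f.action == "Delete on reboot" and f.path not in report["pending_reboot"]:
            report["pending_reboot"].append(f.path)
        if f.family.startswith(REMOTE_ACCESS_FAMILIES):
            report["remote_access"].add(f.family)
    report["remote_access"] = sorted(report["remote_access"])
    return report


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3, v.3264

Registry Keys Infected: 1
Registry Data Items Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.
"""

if __name__ == "__main__":
    for key, items in triage_mbam(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {items}")
```

Two practitioner points fall out of the logs when they are read this way. First, a policy value such as DisableRegistryTools that is reset to 1 after every reboot, as in the first post, is a symptom rather than the problem: something still running is putting it back, and the Backdoor.Bot, Trojan.Downloader and Zbot entries in the second log are the kind of thing to look for. Second, the first log came from MBAM 1.36 with database 1989, the one that found the backdoors from 1.40 with database 2551, which is why updating before rescanning was the first instruction; and anything marked "Delete on reboot" is only gone once the post-reboot scan comes back clean, as the third log does.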

#4 boopme
  • Global Moderator
  • 73,220 posts
  • Location:NJ USA

Posted 05 August 2009 - 04:05 PM

Hello. First, having seen so many bots and backdoors, you need to be advised of this.
Rootkits, backdoor Trojans, botnets, and IRC bots are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#5 golf71
  • Topic Starter
  • Members
  • 12 posts

Posted 06 August 2009 - 11:52 AM

After running both ATF-Cleaner and SUPERAntiSpyware, here is the SUPER log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/06/2009 at 11:37 AM

Application Version : 4.27.1000

Core Rules Database Version : 4041
Trace Rules Database Version: 1981

Scan type : Complete Scan
Total Scan Time : 02:14:42

Memory items scanned : 258
Memory threats detected : 0
Registry items scanned : 9072
Registry threats detected : 7
File items scanned : 124594
File threats detected : 7

Rogue.MalwareCore
HKCR\AppId\{C4963B5C-F107-4ea4-8AFE-4AEA413582AF}

Rogue.Component/Trace
HKLM\Software\Microsoft\BC6D55E8
HKLM\Software\Microsoft\BC6D55E8#bc6d55e8
HKLM\Software\Microsoft\BC6D55E8#Version
HKLM\Software\Microsoft\BC6D55E8#bc6df868
HKLM\Software\Microsoft\BC6D55E8#bc6d918d
HKU\S-1-5-21-602162358-1532298954-682003330-1240\Software\Microsoft\FIAS4018

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@review-male-enhancement[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@statcounter[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.extagen-male-enhancement[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.googleadservices[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.googleadservices[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.googleadservices[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.review-male-enhancement[1].txt

#6 boopme
  • Global Moderator
  • 73,220 posts
  • Location:NJ USA

Posted 06 August 2009 - 12:19 PM

Ok, this looks real good..
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all six boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#7 golf71
  • Topic Starter
  • Members
  • 12 posts

Posted 06 August 2009 - 12:24 PM

In steps 3, 4, 5, 6 and 10 the pictures show up as a red X. I don't know what tab or button to select.

Thanks again for your help!

#8 boopme
  • Global Moderator
  • 73,220 posts
  • Location:NJ USA

Posted 06 August 2009 - 12:28 PM

OK, use these.
Next, please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
Fatdcuk at Malwarebytes posted a comprehensive tutorial - the Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

#9 golf71
  • Topic Starter
  • Members
  • 12 posts

Posted 06 August 2009 - 12:47 PM

Here it is.

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7C46000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB46FD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: C:\WINDOWS\system32\WZSZXbshifbhcvvdtvkayvclfrmqrvitvtjib.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXerfwerwer
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXhtkkgcsiietxmbotmxdppulxuiyawiyu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXwlgvkjhysnalnargpcwpkmlkbwqgkomv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXymqenvoiimegssejlhqqbokgncygafyo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WZSZXc757.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WZSZXd10b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WZSZXd5de.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\WZSZXbwywrjboodcexwnsqhxjvitodltpkdup.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\allenj\application data\im\sldimschedulerlog_20090-40400-1100_00022.txt
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\allenj\Local Settings\Temp\WZSZX71a7.tmp
Status: Invisible to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb7dc9df0

Stealth Objects
-------------------
Object: Hidden Module [Name: WZSZXwlgvkjhysnalnargpcwpkmlkbwqgkomv.dll]
Process: svchost.exe (PID: 1572) Address: 0x02890000 Size: 233472

Object: Hidden Module [Name: WZSZXbshifbhcvvdtvkayvclfrmqrvitvtjib.dll]
Process: svchost.exe (PID: 1572) Address: 0x028d0000 Size: 712704

Object: Hidden Module [Name: WZSZXymqenvoiimegssejlhqqbokgncygafyo.dll]
Process: svchost.exe (PID: 1572) Address: 0x02c20000 Size: 61440

Object: Hidden Module [Name: WZSZXhtkkgcsiietxmbotmxdppulxuiyawiyu.dll]
Process: svchost.exe (PID: 1572) Address: 0x10000000 Size: 81920

Object: Hidden Module [Name: WZSZXwlgvkjhysnalnargpcwpkmlkbwqgkomv.dll]
Process: iexplore.exe (PID: 2968) Address: 0x10000000 Size: 233472

Hidden Services
-------------------
Service Name: WZSZXserv.sys
Image Path: C:\WINDOWS\system32\drivers\WZSZXbwywrjboodcexwnsqhxjvitodltpkdup.sys

==EOF==
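The RootRepeal report golf71 pasted above is the kind of output a responder reads mechanically: which paths are invisible to the Windows API, which sectors of the volume disagree between the two reads, which SSDT entry is hooked and by whom, and which hidden service is backed by one of the hidden files. The script below is an added example written for this thread, not RootRepeal's own code, and it parses a constructed excerpt (SAMPLE_LOG) modelled on the "Key: value" block layout of the report above; the section and key names it expects are taken from that report and are otherwise an assumption about the format.

```python
"""Triage a RootRepeal report: what is hidden from the Windows API, which
sectors mismatch, which SSDT entries are hooked, which services are hidden,
and which hidden driver file backs the hidden service.

Added example for this thread, not RootRepeal's own code. SAMPLE_LOG is a
constructed excerpt in the report's 'Key: value' block format."""
import os
import re

SAMPLE_LOG = r"""Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: C:\WINDOWS\system32\WZSZXbshifbhcvvdtvkayvclfrmqrvitvtjib.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXhtkkgcsiietxmbotmxdppulxuiyawiyu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\WZSZXbwywrjboodcexwnsqhxjvitodltpkdup.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb7dc9df0

Hidden Services
-------------------
Service Name: WZSZXserv.sys
Image Path: C:\WINDOWS\system32\drivers\WZSZXbwywrjboodcexwnsqhxjvitodltpkdup.sys

==EOF==
"""

SECTION_RE = re.compile(r"^(?P<name>[^\n]+)\n-{5,}\n", re.M)
SSDT_RE = re.compile(r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
SECTOR_RE = re.compile(r"Sector (?P<n>\d+)")


def parse_sections(text):
    """Split the report into {section: [record, ...]}; a record is the dict of
    'Key: value' lines of one blank-line separated block."""
    sections, heads = {}, list(SECTION_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end].replace("==EOF==", "").strip()
        records = []
        for block in re.split(r"\n\s*\n", body):
            rec = {}
            for line in block.splitlines():
                m = SSDT_RE.match(line)  # '#: 257 Function Name: X' carries two colons
                if m:
                    rec["Index"], rec["Function"] = int(m.group("index")), m.group("func")
                    continue
                key, sep, val = line.partition(":")  # split on the first colon only
                if sep:
                    rec[key.strip()] = val.strip()
            if rec:
                records.append(rec)
        sections[head.group("name").strip()] = records
    return sections


def triage(text):
    """Reduce the report to the facts a responder acts on."""
    secs = parse_sections(text)
    out = {"mbr_rootkit": False, "mismatched_sectors": [], "hidden_paths": [],
           "ssdt_hooks": [], "hidden_services": []}
    for r in secs.get("Hidden/Locked Files", []):
        status, path = r.get("Status", ""), r.get("Path", "")
        if status.startswith("MBR Rootkit"):
            out["mbr_rootkit"] = True
        elif status.startswith("Sector mismatch") and SECTOR_RE.search(path):
            out["mismatched_sectors"].append(int(SECTOR_RE.search(path).group("n")))
        elif status.startswith("Invisible to the Windows API"):
            out["hidden_paths"].append(path)
    for r in secs.get("SSDT", []):
        m = HOOK_RE.search(r.get("Status", ""))
        if m:  # a hook is not automatically hostile: here it is a security product
            out["ssdt_hooks"].append((r["Index"], r["Function"], m.group("module"), m.group("addr")))
    for r in secs.get("Hidden Services", []):
        out["hidden_services"].append((r.get("Service Name"), r.get("Image Path")))
    # Rootkit drops usually share one random prefix; the common prefix of the
    # hidden basenames names the family (here 'WZSZX').
    names = [os.path.basename(p.replace("\\", "/")) for p in out["hidden_paths"]]
    out["family_prefix"] = os.path.commonprefix(names) if len(names) > 1 else ""
    # A hidden service whose image is itself an invisible file is the
    # persistence driver to deal with first.
    hidden = {p.lower() for p in out["hidden_paths"]}
    out["driver_to_wipe"] = [img for _, img in out["hidden_services"]
                             if img and img.lower() in hidden]
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the hook on NtTerminateProcess resolves to SASKUTIL.sys, SUPERAntiSpyware's own driver, so the parser reports it but does not label it; the hidden service WZSZXserv.sys resolving to a file that is itself invisible to the API is the entry that matters.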

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:54 PM

Posted 06 August 2009 - 01:55 PM


Run just the file scan with Rootrepeal


Path: C:\WINDOWS\system32\drivers\WZSZXbwywrjboodcexwnsqhxjvitodltpkdup.sys
Status: Invisible to the Windows API!


Highlight this line.

Right-click and choose Wipe File.

Reboot/restart your computer and immediately run a Quick Scan with MBAM.
Chewy

No. Try not. Do... or do not. There is no try.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:54 PM

Posted 06 August 2009 - 02:24 PM

I'd like to run this also after that.
Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#12 golf71

golf71
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 06 August 2009 - 02:37 PM

Ok. Here is after the File Scan with RootRepeal. Also, below that is the mbr.txt file.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 14:30
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: C:\WINDOWS\system32\WZSZXbshifbhcvvdtvkayvclfrmqrvitvtjib.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXerfwerwer
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXhtkkgcsiietxmbotmxdppulxuiyawiyu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXwlgvkjhysnalnargpcwpkmlkbwqgkomv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\WZSZXymqenvoiimegssejlhqqbokgncygafyo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WZSZXc757.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WZSZXd10b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WZSZXd5de.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\allenj\Local Settings\Temp\WZSZX71a7.tmp
Status: Invisible to the Windows API!



______________________________________________

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
BIOS signateure not found
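boopme's mbr.exe step and the "user: MBR read successfully / kernel: MBR read successfully" lines in the log above rest on one idea: read sector 0 by two independent routes and compare, because a bootkit that filters disk reads hands the caller a clean copy while the sector actually on disk is patched. The script below is an added example for this thread, not GMER's or RootRepeal's code. It never touches a real disk: the MBR is constructed in build_clean_mbr(), and infect() is a hypothetical stand-in for a bootkit that replaces the boot code and leaves the partition table and 0x55AA signature untouched, which is exactly why parsing the table alone does not catch it.

```python
"""Cross-view check of a Master Boot Record: fetch sector 0 by two routes and
compare. A bootkit that filters disk reads returns a clean sector to the
callers it intercepts, so the two views disagree even though the partition
table in both still looks sane.

Added example for this thread, not GMER's or RootRepeal's code. Nothing here
touches a real disk: the MBR is constructed and infect() simulates a bootkit.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446        # four 16-byte partition entries start here
ENTRY = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_clean_mbr():
    """Constructed MBR: a few real-looking boot bytes padded with NOPs, one
    bootable NTFS partition starting at LBA 63, and the 0x55AA signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(TABLE_OFFSET, b"\x90")
    ntfs = struct.pack(ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 488392002)
    return boot_code + ntfs + b"\x00" * 48 + b"\x55\xaa"


def parse_mbr(mbr):
    """Decode the partition table and check the boot signature."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype:  # type 0x00 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": mbr[510:] == b"\x55\xaa", "partitions": parts}


def infect(mbr, payload):
    """Simulated bootkit install (hypothetical, not a real sample): new boot
    code, untouched partition table and signature."""
    if len(payload) > TABLE_OFFSET:
        raise ValueError("payload does not fit in the boot code area")
    return payload.ljust(TABLE_OFFSET, b"\x90") + mbr[TABLE_OFFSET:]


def cross_view(user_view, kernel_view):
    """Compare two reads of sector 0 and report which region disagrees."""
    diff = [i for i in range(SECTOR) if user_view[i] != kernel_view[i]]
    return {
        "boot_code_differs": any(i < TABLE_OFFSET for i in diff),
        "partition_table_differs": any(TABLE_OFFSET <= i < 510 for i in diff),
        "signature_differs": any(i >= 510 for i in diff),
        "first_diff": diff[0] if diff else None,
    }


def verdict(user_view, kernel_view):
    """True when the two views of the MBR disagree, i.e. something between
    the caller and the disk is rewriting what sector 0 looks like."""
    return cross_view(user_view, kernel_view)["first_diff"] is not None


if __name__ == "__main__":
    clean = build_clean_mbr()
    infected = infect(clean, b"\xeb\xfe")  # constructed stand-in for bootkit code
    print("clean table:", parse_mbr(clean)["partitions"])
    print("infected table parses identically:", parse_mbr(infected) == parse_mbr(clean))
    # The filter driver shows user mode the clean sector; the raw read gets the real one.
    print("cross-view:", cross_view(clean, infected))
    print("suspect rootkit:", verdict(clean, infected), "| healthy disk:", verdict(clean, clean))
```

The two "views" here are just two byte strings; on a live XP box the equivalent would be a read through the normal device stack versus one that bypasses the filter drivers, which is the part of mbr.exe this example does not reproduce.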

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:54 PM

Posted 06 August 2009 - 02:41 PM

The scan with Malwarebytes was critical to the cleaning, what happened to that?

#14 golf71

golf71
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 06 August 2009 - 02:49 PM

Here it is.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3, v.3264

8/6/2009 2:46:22 PM
mbam-log-2009-08-06 (14-46-22).txt

Scan type: Quick Scan
Objects scanned: 133994
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WZSZXhtkkgcsiietxmbotmxdppulxuiyawiyu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WZSZXbshifbhcvvdtvkayvclfrmqrvitvtjib.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WZSZXwlgvkjhysnalnargpcwpkmlkbwqgkomv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WZSZXymqenvoiimegssejlhqqbokgncygafyo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\WZSZXbwywrjboodcexwnsqhxjvitodltpkdup.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:54 PM

Posted 06 August 2009 - 02:55 PM

Run a new RootRepeal file scan now after rebooting.

The MBR infection and those DLLs should be gone.

Edited by DaChew, 06 August 2009 - 02:55 PM.

