Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm pretty sure i'm infected [Moved]


  • Please log in to reply
14 replies to this topic

#1 dpow

dpow

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 08 August 2009 - 06:49 PM

My (parents) computer has been acting very strange lately, I believe its infected by something that keeps coming back even when I use Malwarebytes Anti-Malware to get rid of it. Lately a virus/trojan keeps popping called Trojan.Win32.patched.gq and it won't go away. Now I turned the computer on today and see a red circle with "x" in the middle icon at the bottom of the taskbar. I tried to use the Malwarebytes Anti-Malware but a tab pops up saying "windows can not access the specified device, path, or file. You may not have the appropiate permision to access the item."

Can anyone help me please.

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:33 AM

Posted 08 August 2009 - 11:14 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:33 AM

Posted 08 August 2009 - 11:38 PM

Hello and welcome,let's try running part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 dpow

dpow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 August 2009 - 02:10 PM

I accidentily hit the #2 and enter so heres that information from copy/paste:

SmitFraudFix v2.423

Scan done at 14:59:46.03, Tue 08/11/2009
Run from C:\Documents and Settings\Marlyn Powell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost
::1 localhost
??????????????? antivirprotection.com
??????????????? www.antivirprotection.com

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP Removed.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\braviax.exe Deleted
C:\WINDOWS\system32\winupdate.exe Deleted
C:\WINDOWS\system32\_scui.cpl Deleted
C:\Program Files\AdvancedVirusRemover\ Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DDE772C9-D51B-4813-BEDD-7E51F448521A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DDE772C9-D51B-4813-BEDD-7E51F448521A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DDE772C9-D51B-4813-BEDD-7E51F448521A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!



RK.2



Registry Cleaning

Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#5 dpow

dpow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 August 2009 - 02:12 PM

And heres the info from hitting #1 and enter copy/paste:

SmitFraudFix v2.423

Scan done at 15:05:23.35, Tue 08/11/2009
Run from C:\Documents and Settings\Marlyn Powell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Marlyn Powell


C:\DOCUME~1\MARLYN~1\LOCALS~1\Temp


C:\Documents and Settings\Marlyn Powell\Application Data


Start Menu


C:\DOCUME~1\MARLYN~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cru629.dat"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DDE772C9-D51B-4813-BEDD-7E51F448521A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DDE772C9-D51B-4813-BEDD-7E51F448521A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DDE772C9-D51B-4813-BEDD-7E51F448521A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:33 AM

Posted 11 August 2009 - 03:29 PM

Ok good that the malware was there so it didn't hose your PC.
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 dpow

dpow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 August 2009 - 08:44 PM

I had had downloaded Malwarebytes a while ago before I came on here but my pc wouldn't let me access it when I had tried to run the scanner, a tab kept popping up saying "windows can not access the specified device, path, or file. You may not have the appropiate permision to access the item."

And I'm not sure how to rename MBAM to zztoy.exe when its already downloaded on my pc? ( sorry i'm not to computer savvy).

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:33 AM

Posted 11 August 2009 - 08:52 PM

Try rebooting into Safe Mode with Networking.
Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Uninstall MBAM ..then follow my instructions.. But after the install and update,reboot to normal mode a scan.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 dpow

dpow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 August 2009 - 09:28 PM

I did everything exactly as you said, but as the quick scan began to run it just stopped and went away, and now it won't start again. Should start over by uninstalling mbam again?

Oh yeah a fake Home Antivirus 2010 icon popped up too on my taskbar, if thats of any importants.

Edited by dpow, 11 August 2009 - 09:29 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:33 AM

Posted 11 August 2009 - 09:50 PM

That's the rogue giving us a hard time.. I suspect it has a rootkit also.. So first we'll run Sophos.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 dpow

dpow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 August 2009 - 11:01 PM

ok heres the log from the ARK scan:



Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/11/2009 at 23:05:03
User "Marlyn Powell" on computer "DB72YN81"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\ndis.sys
Hidden: file C:\WINDOWS\system32\dumprep.exe
Hidden: file C:\WINDOWS\system32\scecli.dll
Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MYW2OTZH\49913526625;tzo=240;a=p-64sT3KHSHCVUk;media=ad;labels=_imp.adserver.doubleclick%2C_imp.publisher.32980478%2C_imp.placement.211918921%2C_imp.creative[1].gif
Hidden: file C:\Program Files\Windows Antivirus Pro\ANTI_files.exe
Hidden: file C:\WINDOWS\system32\dllcache\ndis.sys
Hidden: file C:\i386\symndis.sys
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\W1M7FFUK\xd4jeFJBgZiTclp6z2dyQqjL-L5orPJZAxKvlrnCtwINzpFxOrMutI9YeLKGmIHk82gKi07V1Wt4embwNzG7blq9Np-dwRCUirrJfwSObeEmdn0hTwExcTtPIE21PoqlCGn435Gk_PjmdAJEo8ZP[1].htm
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\N82BCIPM\.com%2Fsearch%2Fsearch-ng.do%3Fsearch_query%3Dvideo%2Bgame%2Bconsoles%26search_constraint%3D0%26tc%3D0%26ic%3D48_0%26ref%3D501456.4292601690%2B500524[1].htm
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\ONJK7QBW\.13059965.13260185.12313258%252FD%253Dmail%252FS%253D398300003%253AREC%252FY%253DYAHOO%252FEXP%253D1228681225%252FL%253D4Cjoa9G_RNpQ5GwISTk99gGvSE5xjUk8E[1]
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\U5A1INVF\.8454630%2FD%3Dpager%2FS%3D97420565%3AHB%2FY%3DYAHOO%2FEXP%3D1200643029%2FA%3D4919419%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad[1].htm
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\L66ZMI7V\.8454630%2FD%3Dpager%2FS%3D97420565%3AHB%2FY%3DYAHOO%2FEXP%3D1200643031%2FA%3D4919419%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad[1].htm
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\NCS6LN33\off%252csw2%253a%2521fchandoff%252csw3%253a%2521fchandoff%26f%3D151654152%26id%3D3%26cbk%3Dfcloaded%26tgt%3D_,;dcopt=rcl;mtfIFPath=nofile;ord=1250045934[1]
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\W1M7FFUK\off%252csw2%253a%2521fchandoff%252csw3%253a%2521fchandoff%26f%3D151654782%26id%3D4%26cbk%3Dfcloaded%26tgt%3D_,;dcopt=rcl;mtfIFPath=nofile;ord=1250045944[1]
Hidden: file C:\Program Files\Verizon\Verizon Internet Security Suite\RPS.exe
Hidden: file C:\Program Files\Verizon\Verizon Internet Security Suite\Kav\Bin\Bases\avcmhk4.dll
Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTCJL5C2\1;sr=1024x768x32;dc=1243085593-78730991-34632503;dst=1;et=1243085978781;tzo=240;a=p-28xXVjOjVJlTQ;labels=Broadband%20Enterprises%20LLC.Digitas.Kraft[1].gif
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\MZCOJV1V\.12616498%252FD%253Dmpartv%252FS%253D398384139%253AN%252FY%253DYAHOO%252FEXP%253D1234154400%252FL%253DYU0r6GKIgrY4TDc7SY2e8QNnR7m42EmPl4AABMkn%252FB%253D[1]
Hidden: file C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\Content.IE5\00CR3F24\FK%253DOs5hcID.0b9NM7tNnbFdag%252FA%253D5761149%252FR%253D0%252F_%2524%252Chttp%253A%252F%252Fus.mc843.mail.yahoo.com%252Fmc%252Fmd[1].php%253Fen%253Dcp1252
Hidden: file C:\WINDOWS\system32\sdra64.exe
Stopped logging on 8/11/2009 at 23:52:27

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:33 AM

Posted 11 August 2009 - 11:14 PM

Rerun Sophos ,delete these
Hidden: file C:\WINDOWS\system32\scecli.dll
Hidden: file C:\Program Files\Windows Antivirus Pro\ANTI_files.exe
Hidden: file C:\WINDOWS\system32\sdra64.exe


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 dpow

dpow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 August 2009 - 11:50 PM

ok heres the mbam log:

Malwarebytes' Anti-Malware 1.40
Database version: 2608
Windows 5.1.2600 Service Pack 2

8/12/2009 12:42:06 AM
mbam-log-2009-08-12 (00-42-06).txt

Scan type: Quick Scan
Objects scanned: 98021
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 7
Registry Data Items Infected: 10
Folders Infected: 3
Files Infected: 72

Memory Processes Infected:
C:\WINDOWS\braviax.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Program Files\HomeAntivirus2010\HomeAntivirus2010.exe (Rogue.Multiple) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\HomeAntivirus2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Delete on reboot.
C:\Program Files\HomeAntivirus2010\AVEngn.dll (Rogue.HomeAntiVirus) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\home antivirus 2010 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\HomeAntivirus2010 (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\HomeAntivirus2010\HomeAntivirus2010.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\HomeAntivirus2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Quarantined and deleted successfully.
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\hpdimla.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\isporart.exe (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\odgqdh.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\cchksw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\sjty.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\winantivsetup.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\minix32.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ghaf8jkdfd.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\DFAF4ADA23E4DC32 (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\DFB1AD3423E279D8 (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC3180.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN27.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sfjh98w3jkdmfkd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2A.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\713865392.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\abq8oo.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BNC.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BND.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BNE.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\41ENGDYJ\mfsgkb[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8PERW1MN\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8PERW1MN\yvfpctuuy[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CPENOLAV\nwxxbpgxyl[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6381EV\jpcmde[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6381EV\nzanobbcpt[1].htm (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6381EV\vfttkyptg[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6381EV\yohlcd[1].htm (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marlyn Powell\Local Settings\Temp\msupd_2.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\HomeAntivirus2010\AVEngn.dll (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\rkqwmn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN13.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN14.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN16.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN19.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN33.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\izat.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:33 AM

Posted 12 August 2009 - 12:03 AM

Hello some advice on the backdoors we found. Please do this next. I'll look back tomorrow.

A backdoor Trojan can allow an attacker to
gain control of the system, log keystrokes, steal passwords, access personal
data, send malevolent outgoing traffic, and close the security warning
messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 dpow

dpow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 12 August 2009 - 02:31 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/12/2009 at 03:19 AM

Application Version : 4.27.1002

Core Rules Database Version : 4051
Trace Rules Database Version: 1991

Scan type : Complete Scan
Total Scan Time : 01:31:28

Memory items scanned : 662
Memory threats detected : 1
Registry items scanned : 6053
Registry threats detected : 38
File items scanned : 104100
File threats detected : 95

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\XWREG32.DLL
C:\WINDOWS\SYSTEM32\XWREG32.DLL

Adware.E404 Helper/Variant-N1
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7f15ac4-e0a9-43f0-921b-70dfea621220}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7f15ac4-e0a9-43f0-921b-70dfea621220}

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg
C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\TWFYBHLUIFBVD2VSBA\NQIVVJ5RKI1SXZPPVE.VBS

Adware.ClickSpring/Outer Info Network
HKU\S-1-5-21-304208170-714411422-753848960-1006\Software\OINAnalytics

Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\6
HKLM\Software\6#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\6#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\6#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\7
HKLM\Software\7#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\7#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\7#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\8
HKLM\Software\8#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\8#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\8#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5

Rogue.Component/Trace
HKLM\Software\Microsoft\50378027
HKLM\Software\Microsoft\50378027#50378027
HKLM\Software\Microsoft\50378027#Version
HKLM\Software\Microsoft\50378027#50372da7
HKLM\Software\Microsoft\50378027#50374442
HKU\S-1-5-21-304208170-714411422-753848960-1006\Software\Microsoft\FIAS4018
HKU\S-1-5-21-304208170-714411422-753848960-1006\Software\Microsoft\FIAS4057

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-304208170-714411422-753848960-1006\SOFTWARE\Microsoft\fias4013
C:\Documents and Settings\Marlyn Powell\Local Settings\Temporary Internet Files\fbk.sts

Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys

Rogue.AdvancedVirusRemover
HKU\S-1-5-21-304208170-714411422-753848960-1006\Software\Microsoft\Windows\CurrentVersion\Run#Advanced Virus Remover [ C:\Program Files\AdvancedVirusRemover\PAVRM.exe ]

Rogue.HomeAntiVirus2010
HKLM\SOFTWARE\HomeAntivirus2010
HKLM\SOFTWARE\HomeAntivirus2010#info

Trojan.Agent/Gen-BraviaX
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568\A0127761.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568\A0127783.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568\A0127784.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568\A0127807.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568\A0127808.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127849.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127865.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127890.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127891.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127901.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127902.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127929.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP569\A0127930.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0128929.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0128930.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0128956.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0128957.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0128993.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0128994.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0129025.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0129026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP571\A0129068.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP571\A0129069.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP571\A0129074.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP571\A0129075.EXE

Rogue.Agent/Gen-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP570\A0127960.EXE

Rootkit.BraviaX-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP571\A0129084.SYS

Adware.Tracking Cookie
.fastclick.net [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.fastclick.net [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.fastclick.net [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.advertising.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.doubleclick.net [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
cp.affiliaterevenue.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
cp.affiliaterevenue.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
login.tracking101.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.mediatraffic.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.mediatraffic.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.zedo.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.zedo.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.zedo.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.zedo.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.zedo.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.zedo.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
srv.ad-adnet.net [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.tribalfusion.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
.atdmt.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
friendlytrack.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
friendlytrack.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bpqkc4em.default\cookies.txt ]
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@ad.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@admarketplace[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@adserver.adtechus[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@advertising[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@bridge1.admarketplace[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@ehg-ripedigitalentertainment.hitbox[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@ehg.hitbox[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@imrworldwide[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@insightexpressai[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@media6degrees[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@questionmarket[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@redirect.clickshield[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@revsci[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@tremor.adbureau[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@wmvmedialease[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\marlyn_powell@www.burstnet[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adrevolver[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.bridgetrack[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.pointroll[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adserver.adtechus[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@at.atwola[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bs.serving-sys[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@c7.zedo[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickthrough.kanoodle[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@edge.ru4[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@interclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@media.adrevolver[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnportal.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@specificclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@tacoda[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@tracking.realtor[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@trafficmp[1].txt

Adware.Vundo/Variant-Trace
C:\WINDOWS\SYSTEM32\TVVNRHST.INI




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users