So, my computer is infected...


This topic is locked
3 replies to this topic

#1 Gabby

Gabby

  • Members
  • 9 posts

Posted 20 August 2009 - 04:17 PM

My computer happened to contract a virus, and now it's annoying me to no end.
I have a Windows Vista. Once I pass the user-chooser screen (I have two users on this laptop), the screen goes blank except for the mouse pointer. I tried to open up the task manager and it worked, but a few seconds later, I got the blue screen.
So, I went on safe mode, which is what I'm on right now. I'm trying to do a check-up with MBAM, and so far it found two (/rasvsnet.tmp). I removed those and tried it again, but my computer still will not load completely. Now I'm trying a full scan, but I'm not sure how that is going to go.
I've been running Malwarebytes Anti-Malware and Super Anti Spyware. MBAM found these so far: (I'll update this when the scanning is finished, but one of them is a rootkit). SAS found these so far: Rootkit.Cloaked/Service-GEN (3) and Trojan.Agent/Gen-FraudLoad.

So far, I've installed: Mbam, SAS, AVG, Avira Antivir, Spybot (which only found a few cookies), RootRepeal (which I'm kind of afraid to use), and now I'm trying Panda Antivirus.
How do I go about getting rid of all 238121908 of these viruses?

Thank you!

---
Here's the log I got from Avira Antivir:

acslaeu.exe - TR/StartPage.21845.K
acslaeu.exe - TR/StartPage.21845.K
acsrollb.exe - TR/StartPage.HMI


Avira AntiVir Personal
Report file date: Thursday, August 20, 2009 16:47

Scanning for 1650870 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 1) [6.0.6001]
Boot mode : Normally booted
Username : SYSTEM
Computer name : xx-PC

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.5.88 2668032 Bytes 8/10/2009 19:03:53
ANTIVIR3.VDF : 7.1.5.143 448000 Bytes 8/20/2009 19:04:05
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/20/2009 19:04:46
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 14:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/20/2009 19:04:38
AEHELP.DLL : 8.1.6.0 233846 Bytes 8/20/2009 19:04:14
AEGEN.DLL : 8.1.1.57 356725 Bytes 8/20/2009 19:04:11
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 14:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Thursday, August 20, 2009 16:47

Starting search for hidden objects.
c:\windows\system32\kbiwkmbivetrur.dll
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bd9f.qua' ( QUARANTINE )
c:\windows\system32\kbiwkmcoiiiwqe.dll
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bda6.qua' ( QUARANTINE )
c:\windows\system32\kbiwkmhmnsbefh.dat
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdaa.qua' ( QUARANTINE )
c:\windows\system32\kbiwkmnmnbkffr.dll
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdaf.qua' ( QUARANTINE )
c:\windows\system32\kbiwkmtbrrtpue.dat
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdb3.qua' ( QUARANTINE )
c:\windows\system32\kbiwkmumpjpodx.dat
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdb9.qua' ( QUARANTINE )
c:\windows\system32\kbiwkmxirdiopc.dll
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdbe.qua' ( QUARANTINE )
c:\windows\system32\drivers\kbiwkmobxpbsmu.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdc6.qua' ( QUARANTINE )
c:\windows\system32\drivers\kbiwkmtsdnlnpt.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdcf.qua' ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmiooqidow\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmiooqidow\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmiooqidow\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmiooqidow\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmiooqidow\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmiooqidow\imagepath
[INFO] The registry entry is invisible.
'132098' objects were checked, '15' hidden objects were found.

The scan of running processes will be started
Scan process 'SearchFilterHost.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'RootRepeal.exe' - '1' Module(s) have been scanned
Scan process 'WinRAR.exe' - '1' Module(s) have been scanned
Scan process 'WinRAR.exe' - '1' Module(s) have been scanned
Scan process 'Pandion.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'IntuitUpdateService.exe' - '1' Module(s) have been scanned
Scan process 'shellmon.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'waol.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'hidfind.exe' - '1' Module(s) have been scanned
Scan process 'hidfind.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'ApMsgFwd.exe' - '1' Module(s) have been scanned
Scan process 'ApMsgFwd.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'RIMAutoUpdate.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'avgtray.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'WebcamDell.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'RIMAutoUpdate.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'avgtray.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'WebcamDell.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'WerFault.exe' - '1' Module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'DellDock.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'conime.exe' - '1' Module(s) have been scanned
Scan process 'DellDock.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnsx.exe' - '1' Module(s) have been scanned
Scan process 'avgrsx.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avgwdsvc.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'AEstSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'wlanext.exe' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'DockLogin.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'stacsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
116 processes with 116 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights
Boot sector 'D:\'
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights

Starting to scan executable files (registry).
The registry was scanned ( '52' files ).


Starting the file scan:

Begin scan in 'C:\' <OS>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Common Files\aol\Backup\ACS\Current\EU\acslaeu.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\Program Files\Common Files\aol\Backup\ACS\Current\Suite\comps\acslaeu.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\Program Files\Common Files\aol\Backup\ACS\Current\Suite\comps\acsrollb.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.HMI Trojan

Beginning disinfection:
C:\Program Files\Common Files\aol\Backup\ACS\Current\EU\acslaeu.exe
[NOTE] The file was moved to '4b00c8b3.qua'!
C:\Program Files\Common Files\aol\Backup\ACS\Current\Suite\comps\acslaeu.exe
[NOTE] The file was moved to '4b00c8b6.qua'!
C:\Program Files\Common Files\aol\Backup\ACS\Current\Suite\comps\acsrollb.exe
[NOTE] The file was moved to '4b00c8b9.qua'!


End of the scan: Thursday, August 20, 2009 18:04
Used time: 1:14:49 Hour(s)

The scan has been canceled!

2467 Scanned directories
98043 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
12 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
98038 Files not concerned
883 Archives were scanned
2 Warnings
14 Notes
132098 Objects were scanned with rootkit scan
15 Hidden objects were found

Edited by Gabby, 20 August 2009 - 05:07 PM.
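The Avira report above mixes three different things a helper has to pull apart before deciding what to do: objects the rootkit scan reported as hidden (files plus the registry values of a hidden service, all sharing one name prefix), signature detections inside NSIS installers, and system files the scanner simply could not open. As an added example (not code from the thread, from Avira or from BleepingComputer), here is a small Python parser for that report format that groups hidden objects by name prefix and condenses the rest into a triage summary. The excerpt it parses is constructed from lines of the report quoted above; the field names and the six-character prefix length are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt, assembled from lines of the Avira AntiVir report quoted
# in the thread above; it is not a complete report.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
c:\windows\system32\kbiwkmbivetrur.dll
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bd9f.qua' ( QUARANTINE )
c:\windows\system32\drivers\kbiwkmobxpbsmu.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6bdc6.qua' ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmiooqidow\imagepath
[INFO] The registry entry is invisible.
'132098' objects were checked, '15' hidden objects were found.

Begin scan in 'C:\' <OS>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\Program Files\Common Files\aol\Backup\ACS\Current\EU\acslaeu.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan

Beginning disinfection:
C:\Program Files\Common Files\aol\Backup\ACS\Current\EU\acslaeu.exe
[NOTE] The file was moved to '4b00c8b3.qua'!
"""

# A line naming a file or registry object; the bracketed lines that follow it
# describe that object until the next object line.
OBJECT_RE = re.compile(r"^(?:[A-Za-z]:\\|HKEY_)")
EVENT_RE = re.compile(r"^\[(INFO|NOTE|WARNING|DETECTION)\]\s+(.*)$")
QUARANTINE_RE = re.compile(r"'([0-9a-f]{8}\.qua)'")
DETECTION_RE = re.compile(r"Is the (\S+)")
HIDDEN_TOTAL_RE = re.compile(
    r"^'(\d+)' objects were checked, '(\d+)' hidden objects were found\.$")


def parse_avira_report(text):
    """Return (objects, totals): objects maps each path the report mentions to
    what Avira said about it; totals holds the rootkit-scan summary line."""
    objects, totals, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIDDEN_TOTAL_RE.match(line)
        if m:
            totals = {"checked": int(m.group(1)), "hidden": int(m.group(2))}
            current = None
            continue
        if OBJECT_RE.match(line):
            # The same path appears under both the detection and the
            # disinfection sections; setdefault merges them into one record.
            current = objects.setdefault(line, {
                "kind": "registry" if line.startswith("HKEY_") else "file",
                "hidden": False, "detection": None, "quarantine": None,
                "member": None, "unscannable": False})
            continue
        if current is None:
            continue
        if line.startswith("-->"):
            current["member"] = line[3:].strip()   # member inside an archive
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        level, msg = m.groups()
        if level == "INFO" and ("not visible" in msg or "invisible" in msg):
            current["hidden"] = True
        elif level == "WARNING" and "could not be opened" in msg:
            current["unscannable"] = True
        elif level == "DETECTION":
            d = DETECTION_RE.search(msg)
            current["detection"] = d.group(1) if d else msg
        elif level == "NOTE":
            q = QUARANTINE_RE.search(msg)
            if q:
                current["quarantine"] = q.group(1)
    return objects, totals


def hidden_name_groups(objects, length=6):
    """Group hidden objects by the first `length` characters of their name.
    For a registry value the name is the parent service key. Hidden files and
    a hidden service sharing one prefix are one component set, not many."""
    groups = defaultdict(list)
    for path, rec in objects.items():
        if not rec["hidden"]:
            continue
        parts = path.split("\\")
        name = parts[-2] if rec["kind"] == "registry" else parts[-1]
        groups[name[:length].lower()].append(path)
    return dict(groups)


def triage_summary(objects, totals):
    """Condense the parsed report into the numbers a helper asks for first."""
    hidden = [p for p, r in objects.items() if r["hidden"]]
    return {
        "hidden_reported": totals.get("hidden", 0),   # count Avira printed
        "hidden_listed": len(hidden),                  # count in this excerpt
        "hidden_drivers": [p for p in hidden if p.lower().endswith(".sys")],
        "detections": sorted(r["detection"] for r in objects.values() if r["detection"]),
        "quarantined": sum(1 for r in objects.values() if r["quarantine"]),
        "unscannable": [p for p, r in objects.items() if r["unscannable"]],
    }


if __name__ == "__main__":
    objs, tot = parse_avira_report(SAMPLE_REPORT)
    for prefix, paths in hidden_name_groups(objs).items():
        print(f"hidden objects sharing prefix {prefix!r}: {len(paths)}")
    print(triage_summary(objs, tot))
```

The grouping step is the useful part: a hidden kernel driver, hidden DLL/DAT files and a hidden service key that share a prefix belong to one rootkit component set, which is why quarantining the files alone (as the report shows happening) does not finish the job while the service that loads them still exists. The "unscannable" list separates hiberfil.sys and pagefile.sys, which every scanner reports this way, from anything that actually needs attention.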




#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 20 August 2009 - 06:37 PM

Hello Gabby :thumbsup:

RootRepeal (which I'm kind of afraid to use)


Your fears are not unfounded. RootRepeal can cause some serious damage if you don't know exactly what you're doing.

That being said, you have a rootkit on your system. With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Gabby

Gabby
  • Topic Starter

  • Members
  • 9 posts

Posted 20 August 2009 - 07:31 PM

Alright, I posted the link in that forum, and updated my situation a bit here: http://www.bleepingcomputer.com/forums/ind...=251162&st=

Thanks for the help!

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,958 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 21 August 2009 - 12:22 AM

Hello,

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Because of this, I have removed your bumping post to your HiJack This topic.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



