Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with Advanced Virus Remover, etc.


  • This topic is locked This topic is locked
2 replies to this topic

#1 danielnealclark

danielnealclark

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 08 October 2009 - 11:07 PM

There's a program called Advanced Virus Remover which start by itself and starts scanning (I think this is totally bogus, but if you want the list of what it "finds" in its scan, I can do that.)
I turned on DEP as instructed, and it informs me that it has closed msimfo32, same for winupdate
There are popups sometimes that say the system has been infected
I get error boxes that "Internet Explorer has experienced an error and had to close, do you want to send error report"
I can't pull up task manager (ctrl+alt+del), it says it's been disabled by my administrator
I couldn't get the DDS to run until I activated the Guest account, in that account I can do task manager, and I was able to run DDS
I couldn't get RootRepeal to run as Guest (I get an error box "Decompression error (5)!", and in my regular logon account it gets stuck on the Initializing step after I select what to scan and select my C: drive
I then tried to check each box individually, and I got drivers, processes, ssdt and stealth objects to work, but not files, shadow ssdt, or hidden services.
So the attached report contains ONLY the scan results from drivers, processes, ssdt and stealth objects
My desktop background has been pirated and shows a blue background with a black box in the middle which reads "your system has been infected" (this is locked out in the Display Properties, under the Desktop tab, the selection of a background is grayed out)
I disconnected the infected computer from the internet too.

I really do appreciated this! This site is awesome. Let me know what to do next!
Thanks,
Daniel

Here's the DDS report:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Guest at 18:09:17.95 on Thu 10/08/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.canfind.org/search/ac.php?aid=139&sid=us3
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Taskman=c:\recycler\s-1-5-21-9058893499-1987172056-129386990-3722\msimfo32.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\windows\CouponBarIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [ReminderApp] c:\program files\nova development\scrapbook factory deluxe 4.0\ReminderApp.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\winhelper.dll
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://kennysphoto.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-08 17:11 3,255 a------- c:\windows\system32\wbem\Outlook_01ca486cb93e0dc0.mof
2009-10-07 15:52 <DIR> --d----- c:\documents and settings\Guest

==================== Find3M ====================

2009-10-08 17:06 11,776 a------- c:\windows\braviax.exe
2009-10-08 17:06 6,144 a------- c:\windows\system32\cru629.dat
2009-10-08 17:06 6,144 a------- c:\windows\cru629.dat
2009-09-04 18:58 11,776 a------- c:\windows\system32\braviax.exe
2009-09-04 14:44 31,232 a------- c:\windows\system32\wingenocx.dll
2009-09-04 14:18 18,243 a------- c:\program files\common files\foco._sy
2009-09-04 14:18 17,717 a------- c:\windows\system32\cyderydo.reg
2009-09-04 14:18 14,170 a------- c:\windows\mewidavedy.com
2009-09-04 14:18 14,069 a------- c:\windows\lera.reg
2009-09-04 14:18 12,857 a------- c:\windows\wucoj.pif
2009-09-04 14:18 12,673 a------- c:\program files\common files\pomy._sy
2009-09-04 14:18 11,472 a------- c:\windows\system32\zagyrymepe.bat
2009-09-04 14:18 10,208 a------- c:\program files\common files\juwyfijax.dat
2009-09-04 14:11 1,012,736 a------- c:\windows\system32\wscsvc32.exe
2009-09-04 14:11 20,992 a------- c:\windows\system32\winhelper.dll
2009-09-04 12:34 46 a------- C:\p2hhr.bat
2009-09-04 12:34 190,845 a------- c:\windows\system32\wisdstr.exe
2009-09-04 12:34 24,490 a------- c:\windows\system32\winupdate.exe
2009-09-04 12:33 17,920 a------- C:\osps.exe
2009-09-04 12:31 103,424 a------- C:\xvhu.exe
2009-09-04 12:31 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
2009-09-04 12:31 9,728 a------- C:\fyblb.exe
2009-09-04 12:31 22,016 a------- C:\emxtqjit.exe
2009-09-04 12:30 29,696 a------- c:\windows\system32\drivers\beep.sys
2009-09-04 12:30 77,824 a------- c:\windows\system32\~.exe
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2008-09-12 15:28 1,029 a---h--- c:\program files\hpothb07.dat
2008-09-12 15:28 10,311,476 a------- c:\program files\Scan0007.tif
2008-09-12 15:26 3,028,284 a------- c:\program files\Scan0006.tif
2008-09-12 15:24 10,585,988 a------- c:\program files\Scan0005.tif
2008-09-12 15:21 4,099,236 a------- c:\program files\Scan0004.tif
2008-09-12 15:19 10,965,492 a------- c:\program files\Scan0003.tif
2008-09-12 15:15 10,920,620 a------- c:\program files\Scan0002.tif
2008-09-12 14:46 4,091,156 a------- c:\program files\Scan0001.tif
2008-09-12 14:38 106,084 a---h--- c:\program files\hpothb07.tif

============= FINISH: 18:10:16.54 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:07 PM

Posted 09 October 2009 - 05:04 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:07 PM

Posted 23 October 2009 - 07:57 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users