I'm not sure what to do

#1 progressive (Members, 1 posts)

Posted 13 October 2009 - 10:22 AM

I'm not sure which of these can be removed, or which cannot / aren't recommended. ??? It would be nice if you could answer quickly on this Malwarebytes thing, since the window is still open. The other stuff is maybe too difficult to answer, but I hope not.


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

13.10.2009 16:40:30
mbam-log-2009-10-13 (16-40-24).txt

Scan type: Quick Scan
Objects scanned: 160881
Time elapsed: 47 minute(s), 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
C:\WINDOWS\svc.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Omistaja\Local Settings\Temp\4_pinnew.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Omistaja\Local Settings\Temp\6_ldr3.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Omistaja\Local Settings\Temp\avto.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\svc.exe (Trojan.Agent) -> No action taken.


PS: At the start, maybe when trying to update Malwarebytes, it said: An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.

Error code: 732 (0, 0)



Before this I ran Norman Malware Cleaner and Dr.Web Scanner for Windows.

Dr.Web:
(Every time I scan with Dr.Web, it's in different locations, and only one virus at time, but every time one virus like this)


Object: Process in memory:
(different locations:)
C:\WINDOWS\Explorer.EXE:196
C:\DOCUME~1\Omistaja\LOCALS~1\Temp\dc06797590\hmfljs.exe:2080
C:\Program Files\Last.fm\Last.fm\LastFM.exe:800
C:\WINDOWS\System32\taskmgr.exe:428
C:\WINDOWS\System32\svchost.exe:160
C:\Program Files\Bonjour\mDNSResponder.exe:332
Status: BackDoor.Tdss.565
Action: Eradicated

It seems crazy that those kinds of things could be infected. And some files many times, but not always. So those are not "infected", but the virus still uses them somehow?

Norman Malware Cleaner:
Deleted file: C:\Documents and Settings\Omistaja\Local Settings\Temp\e.exe (Infected with W32/Dloader.ZIND)
Deleted file: C:\Documents and Settings\Omistaja\Local Settings\Temp\Kh06.exe (Infected with W32/VBTroj.BPVO)
Deleted file: C:\Documents and Settings\Omistaja\Local Settings\Temporary Internet Files\Content.IE5\JRBW26M6\load[2].exe (Infected with W32/Dloader.ZIND)


Also, the Microsoft Windows malware remover (I'm not sure what it's called in English):
Trojan:Win32/Alureon.gen!U (Removed)

When I try to run a Norman On-Demand Scan, it says (Norman is my only virus protection that is always on, the others are on-demand):
An unanticipated error has occurred
If it persists, please send the information below
to our support department:

Context: NVCOD - ScanThread
Routine: NscExecuteScan
Error value: 0x00300002
Error name: NDIORC_CANT_OPEN_PHYS



But anyway, Norman found these:
C:\Program
W32/FakeAV.AB!genr

C:\PROGRA~1\FOOBAR~1\FOOBAR
W32/FakeAV.AB!genr





Some symptoms:

When I try to log in as some other user, nothing happens, but when I go back as admin, there are multiple windows named "svg" saying "A call to an OS function failed." "OK"

The "Users" tab is empty in Task Manager, but a few times when I've been able to log in as another user, the users are shown, but it says "console". Same kind of situation: http://www.daniweb.com/forums/thread26451.html#

A few times my firewall isn't on by default.

Sometimes I can log in as someone else, and I think it depends on whether I use normal startup or eclectic startup etc. (I don't know what it is in English). In msconfig, I just removed some programs, not crucial ones.

It all started when I started using Safari as my browser. One time, immediately when I opened Safari, it offered some wmv file to download.

But otherwise there aren't many symptoms. The most annoying one, though, is Windows Media Player, which doesn't work. I can play playlists etc., but cannot add anything to the Media Library.

--

When trying to start Windows, there's usually this blue (green) screen (I found a translation in English, I think, but not that code in full. I had only 1.4 GB free, but I deleted files and this message came even when there is 7 GB free):

A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

*** STOP: 0x0000007E (0xC0000005, 0x85511848, 0xF798B2CC, 0xF798AFC8)


Edited by progressive, 13 October 2009 - 10:24 AM.



#2 Elise (Malware Study Hall Admin, 60,816 posts)

Posted 13 October 2009 - 12:11 PM

You have a serious infection here, which we cannot treat in this forum, since it involves using advanced tools.

I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!


Edit ~ As for the MBAM scan results, all of those are bad; you should delete them, although some of them will most likely come back in the next scan.

Edited by elise025, 13 October 2009 - 12:17 PM.

regards, Elise

Malware analyst @ Emsisoft
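The MBAM log in the first post records every detection as "No action taken", so that scan removed nothing, and the Hijack.Userinit entry shows the mechanism behind the sdra64.exe hits: the Winlogon Userinit value is a comma-separated list of programs Winlogon starts at every interactive logon, and sdra64.exe has been appended after the stock userinit.exe. The Python below is an added example, not code from the original post or from Malwarebytes. It parses a constructed excerpt in the same log format into structured findings, pulls out the Run-key values and Stolen.data paths, and checks a Userinit value for anything beyond userinit.exe. All function and variable names are the example's own.

```python
"""Triage helpers for a Malwarebytes' Anti-Malware 1.x text log (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: a trimmed excerpt in the MBAM 1.x log format,
# using the same entries as the forum post. Not a complete log.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\svc.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")      # "Files Infected:"
HEAD_RE = re.compile(r"^(?P<target>.*) \((?P<family>[^()\s]+)\)$")  # "<path> (<family>)"
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")


@dataclass
class Finding:
    section: str          # e.g. "Registry Data Items"
    target: str           # file path or registry path
    family: str           # MBAM detection name, e.g. "Hijack.Userinit"
    details: list = field(default_factory=list)   # middle "-> ..." parts, if any
    action: str = ""      # final "-> ..." part, e.g. "No action taken"


def parse_mbam_log(text):
    """Turn the per-section detection lines of an MBAM 1.x log into Finding objects."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        # Summary counts precede the first section; empty sections say "(No malicious items detected)".
        if section is None or line.startswith("(No malicious items"):
            continue
        parts = line.split(" -> ")
        if len(parts) < 2:
            continue
        head = HEAD_RE.match(parts[0])
        if not head:
            continue
        findings.append(Finding(section, head["target"], head["family"],
                                parts[1:-1], parts[-1].rstrip(".")))
    return findings


def userinit_extras(value):
    """Return every entry of a Winlogon Userinit value that is not userinit.exe.

    Winlogon launches each comma-separated entry at logon; the stock value is a
    single userinit.exe entry followed by a trailing comma, so anything else is a
    foreign program being started before the shell.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(entry)
    return extras


def triage(text):
    """Summarise the persistence and data-theft indicators in an MBAM log."""
    findings = parse_mbam_log(text)
    report = {"total": len(findings), "run_values": [], "userinit_extras": [], "stolen_data": []}
    for f in findings:
        if "\\currentversion\\run\\" in f.target.lower():
            report["run_values"].append(f.target.rsplit("\\", 1)[-1])
        if f.family == "Hijack.Userinit":
            for d in f.details:
                m = BAD_GOOD_RE.match(d)
                if m:
                    report["userinit_extras"].extend(userinit_extras(m["bad"]))
        if f.family == "Stolen.data":
            report["stolen_data"].append(f.target)
    return report


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

On a live machine the same Userinit check applies to the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; a path that does not resolve to the real userinit.exe under System32 is worth treating as hostile even when no scanner names it.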