
Really bad infection, what is it?


  • Please log in to reply
No replies to this topic

#1 toddly


Posted 22 October 2009 - 06:39 PM

I tried posting this problem months ago, but nobody responded, so the computer sat gathering dust for a bit. I am hoping this new post will finally get some attention. (link to old post: http://www.bleepingcomputer.com/forums/t/243337/i-think-ive-been-hit-by-an-anon-sniper/).

Somehow a bug got into my computer and it has taken over all of my security and registry software, so I cannot run the programs. Even Microsoft WORD will not run. I also cannot run Task Manager. And the virus has substituted the program icons on the desktop as well, and renamed programs to "ACME", like ACMEWORD and ACMEEXCEL, and so on. I am dead in the water.

I also noticed some odd files on the computer: gamesetup.exe, askbarsetup.exe, ccsetup210.exe, wsus3setup.cab, and setup.exe. I also notice that I now have some "exe.exe" files, which I find odd.
Some of these files are supposedly associated with a fujack virus. I copied mbam from another computer onto the sick one and ran it. It found some stuff, 7 infections, but not the stuff at the heart of the problem. MBAM said it fixed the infections, but it totally missed the monster of a virus running the machine. Also, the computer is running on Windows 2000, so I am not able to run many of the fujack removal tools or anti-virus programs like AVG 8.5.

Before my last post was removed, it recommended that I run a program (DDS), so I did. Below is the log from that program. I hope someone can help out. Thanks.

DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Todd Putnam at 16:00:49.41 on Thu 2009-10-22
Internet Explorer: 5.00.3700.1000 BrowserJavaVersion: 1.6.0_14
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.128.59 [GMT -7:00]


============== Running Processes ===============

C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
E:\FOROLD~1\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\2.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\2.bin\SPYBLOCK.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\winnt\is-JLTU3.exe" /REG
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Download with &DAP
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download &all with DAP
IE: {85d1f590-48f4-11d9-9669-0800200c9a66}
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 3\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 3\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

S1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2009-4-12 394952]
S2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
S3 ess;ESS Audio Driver (WDM);c:\winnt\system32\drivers\ess.sys [1980-2-19 64144]
S3 NAV Alert;NAV Alert; [x]
S3 NAV Auto-Protect;NAV Auto-Protect; [x]
S3 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [2008-9-2 30946]
S3 RegGuard;RegGuard;c:\winnt\system32\drivers\regguard.sys [2008-9-2 25773]
S3 W8335PCI;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;c:\winnt\system32\drivers\Mrv8000c.sys [2006-1-28 253568]

=============== Created Last 30 ================

2009-10-22 16:00 16,384 a------t c:\winnt\system32\Perflib_Perfdata_184.dat
2009-10-22 15:58 --d----- c:\docume~1\alluse~1\applic~1\IObit
2009-10-22 14:53 693,760 a------- c:\winnt\is-JLTU3.exe
2009-10-22 14:53 10,498 a------- c:\winnt\is-JLTU3.msg
2009-10-22 14:53 370 a------- c:\winnt\is-JLTU3.lst
2009-10-22 13:50 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2a0.dat

==================== Find3M ====================

2009-10-22 13:53 10 ---shr-- c:\program files\Desktop_.ini
2009-09-10 14:54 38,224 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 18,520 a------- c:\winnt\system32\drivers\mbam.sys
2009-07-21 11:54 144,792 a------- c:\documents and settings\todd putnam\java.exe.exe
2009-07-21 11:50 2,235,920 a------- c:\documents and settings\todd putnam\AWC.exe.exe
2008-09-01 20:45 662,016 a------- c:\documents and settings\todd putnam\MemCleaner.exe.exe
1999-12-06 15:00 32,528 a------- c:\winnt\inf\wbfirdma.sys
1980-02-19 16:50 21,952 ----h--- c:\program files\folder.htt
1980-02-19 16:50 271 ----h--- c:\program files\desktop.ini
2008-05-26 17:29 161,792 a--shr-- c:\winnt\wmsoft08735.exe

============= FINISH: 16:01:43.03 ===============

Let me know what other information I need to supply to help diagnose this infestation. Thanks for any help you can offer!

toddly

Edited by toddly, 22 October 2009 - 07:15 PM.
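A small triage check, added here as an example and not taken from the post or from the DDS tool: it parses file-listing lines in the format of the Find3M section above and flags the two things the post itself points at, the ".exe.exe" names and files carrying system+hidden+read-only attributes. The sample lines are copied from the log in the post; reading the attribute column as s/h/r letters is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: lines in the DDS "Find3M" layout (date time size attrs path),
# copied from the log above so the check runs offline.
SAMPLE_LOG = """\
2009-10-22 13:53 10 ---shr-- c:\\program files\\Desktop_.ini
2009-09-10 14:54 38,224 a------- c:\\winnt\\system32\\drivers\\mbamswissarmy.sys
2009-07-21 11:54 144,792 a------- c:\\documents and settings\\todd putnam\\java.exe.exe
2009-07-21 11:50 2,235,920 a------- c:\\documents and settings\\todd putnam\\AWC.exe.exe
2008-05-26 17:29 161,792 a--shr-- c:\\winnt\\wmsoft08735.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


def parse_entries(text: str) -> List[Dict[str, object]]:
    """Parse DDS file-listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"].replace(",", ""))  # "2,235,920" -> 2235920
        entries.append(entry)
    return entries


def suspicious_reasons(entry: Dict[str, object]) -> List[str]:
    """Return the reasons an entry looks worth a closer look (empty list if none)."""
    reasons = []
    path = str(entry["path"]).lower()
    attrs = str(entry["attrs"])
    # Double executable extension, e.g. java.exe.exe sitting beside a real java.exe
    if path.endswith(".exe.exe"):
        reasons.append("double .exe extension")
    # Assumed flag letters: s = system, h = hidden, r = read-only; all three together
    # on a loose file (like Desktop_.ini in the log) is unusual for user data
    if all(flag in attrs for flag in ("s", "h", "r")):
        reasons.append("system+hidden+read-only attributes")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    return {str(e["path"]): r for e in parse_entries(text) if (r := suspicious_reasons(e))}
```

Running `triage(SAMPLE_LOG)` flags the two `.exe.exe` files and the two shr-attributed files, and leaves the Malwarebytes driver alone.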

