
Search engine redirects and rogue spyware programs


This topic is locked
6 replies to this topic

#1 Roosky

Roosky

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:00 PM

Posted 15 November 2009 - 01:23 PM

My computer is infected with a variety of rogue antivirus programs. The titles are changing, but the results are the same. I have had Personal Guard 2009, System Security Center alerts, System Alerts, etc. Some have sent popups to pay for the software to remove the detected viruses. Additional issues include various pop-up ads to a multitude of offers. All search engine (Google, Yahoo, MSN, Ask, etc.) queries seem to be hijacked, so the results are limited, or when I click the result it redirects to an ad.

At some point the virus places 3 desktop shortcuts that seemingly link to porn sites. When deleted, those reappear every few days.

At first I was not able to run Malwarebytes anti-malware program but after renaming and locating the files on a usb drive I was able to get it to run. This has seemingly slowed the progression, but does not remove it.

I can't restart into Safe mode of any variety as it blue screens.

I was able to run DDS and RootRepeal; the results are below.

I'm at a loss, so any help would be greatly appreciated.

Note: this seems very similar to the following posting:
http://www.bleepingcomputer.com/forums/t/267981/infected-with-windows-system-defender/


DDS (Ver_09-10-26.01) - NTFSx86
Run by srippel at 9:52:54.17 on Sun 11/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1032 [GMT -7:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {C98F2BD6-3D41-4DF6-BB9F-4702B57856BC}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
svchost.exe C:\WINDOWS\TEMP\VRT10.tmp
C:\WINDOWS\System32\alg.exe
svchost.exe C:\WINDOWS\TEMP\VRT83.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\srippel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: {c1082fce-8c18-4b46-9600-e83383ab25e4} - bemusugo.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.tripletsandus.com/80s/80s_games/pac.htm"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\clean.exe" /runcleanupscript
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [pobutajit] Rundll32.exe "c:\windows\system32\bozoyipo.dll",a
dRun: [jsh87r3huiehf89esiudgd] c:\windows\temp\r2xphrlp60.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\cmd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
mPolicies-explorer: NoDisconnect = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: calence.com\phxap11
Trusted Zone: phxap11
Trusted Zone: calence.com\phxap11
Trusted Zone: phxap11
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.babysites.com/inc/iu/5.5.6/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211981442515
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://azexpress.orbital.com/dwa8W.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://azexpress.orbital.com/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://calence.webex.com/client/T26L/nbr/ieatgpc.cab
Notify: ljJCSJYR - ljJCSJYR.dll
AppInit_DLLs: c:\windows\system32\rdolib.dll wahijisa.dll c:\windows\system32\bozoyipo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: vagewewuh - {b0945523-3f1f-489d-95d6-faafbb64fd18} - c:\windows\system32\jozavuyo.dll
SSODL: bewisezaj - {02ca2fb4-39da-46b8-aae3-51b13723c235} - c:\windows\system32\wodezoga.dll
SSODL: kuhosedop - {83725cf2-f645-43d0-9149-30ce0152c4d4} - c:\windows\system32\kudegovu.dll
SSODL: bomadiwaf - {84f13c41-ba77-4151-b0b6-400b9f10f573} - c:\windows\system32\pivujobe.dll
SSODL: feboboyiw - {1c1f712a-e6a0-4c14-b91d-4c191d1058a9} - c:\windows\system32\layofosa.dll
SSODL: foribihiy - {6211e2b6-4712-4cb0-8dab-064b946eda11} - c:\windows\system32\yiyidaju.dll
SSODL: pizihowaf - {d13e656e-8313-420c-8b02-78999a3b310d} - c:\windows\system32\bozoyipo.dll
STS: tokatiluy: {b0945523-3f1f-489d-95d6-faafbb64fd18} - c:\windows\system32\jozavuyo.dll
STS: mujuzedij: {02ca2fb4-39da-46b8-aae3-51b13723c235} - c:\windows\system32\wodezoga.dll
STS: kupuhivus: {83725cf2-f645-43d0-9149-30ce0152c4d4} - c:\windows\system32\kudegovu.dll
STS: jugezatag: {84f13c41-ba77-4151-b0b6-400b9f10f573} - c:\windows\system32\pivujobe.dll
STS: mujuzedij: {1c1f712a-e6a0-4c14-b91d-4c191d1058a9} - c:\windows\system32\layofosa.dll
STS: jugezatag: {6211e2b6-4712-4cb0-8dab-064b946eda11} - c:\windows\system32\yiyidaju.dll
STS: gahurihor: {d13e656e-8313-420c-8b02-78999a3b310d} - c:\windows\system32\bozoyipo.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iiffCRjg
LSA: Notification Packages = scecli lomofasi.dll gopigede.dll basibezo.dll wahijisa.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-7 64288]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-7-2 123392]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2008-1-24 35692]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2007-6-12 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2007-6-12 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-4-20 307984]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-11-12 312592]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
S3 daqdrv;daqdrv;c:\windows\system32\daqdrv.sys [2004-8-4 2304]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2007-4-4 943696]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 575064]

=============== Created Last 30 ================

2009-11-15 16:22:42 44 ----a-w- c:\windows\system32\85.tmp
2009-11-15 04:40:37 44 ----a-w- c:\windows\system32\11.tmp
2009-11-15 03:59:13 44 ----a-w- c:\windows\system32\1A3.tmp
2009-11-15 03:16:22 44 ----a-w- c:\windows\system32\157.tmp
2009-11-14 19:46:59 75264 ----a-w- C:\muhj.exe
2009-11-14 19:46:57 15000 ----a-w- c:\windows\system32\xvipg.dll
2009-11-14 19:46:56 120132 ----a-w- C:\krbgv.exe
2009-11-14 19:46:40 84 ----a-w- c:\windows\system32\64.tmp
2009-11-14 18:30:30 44 ----a-w- c:\windows\system32\35.tmp
2009-11-14 18:18:11 44 ----a-w- c:\windows\system32\25.tmp
2009-11-14 18:04:55 0 d-----w- c:\program files\Cleaner
2009-11-14 17:58:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 17:57:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 17:57:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 15:47:51 44 ----a-w- c:\windows\system32\10.tmp
2009-11-14 05:13:24 868 ----a-w- c:\windows\system32\8866389.exe
2009-11-14 05:13:14 133632 ----a-w- c:\windows\SC.INS
2009-11-13 15:10:40 44 ----a-w- c:\windows\system32\53.tmp
2009-11-13 03:37:09 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2009-11-13 03:37:07 0 d-----w- c:\program files\IObit
2009-11-13 00:51:54 0 d-----w- c:\windows\pss
2009-11-12 23:15:32 44 ----a-w- c:\windows\system32\183.tmp
2009-11-12 23:15:30 61440 ----a-w- c:\windows\system32\fgjk4wvb.dll
2009-11-12 23:15:27 868 ----a-w- c:\windows\system32\5063898.exe
2009-11-12 16:03:12 44 ----a-w- c:\windows\system32\1D.tmp
2009-11-12 02:45:39 348 ----a-w- c:\windows\system32\uses32.dat
2009-11-12 02:45:39 100 ----a-w- c:\windows\system32\flags.ini
2009-11-12 02:45:03 44 ----a-w- c:\windows\system32\138.tmp
2009-11-12 02:44:58 868 ----a-w- c:\windows\system32\6943911.exe
2009-11-11 22:43:25 44 ----a-w- c:\windows\system32\36.tmp
2009-11-11 16:13:19 75264 ----a-w- c:\windows\system32\3047841.exe
2009-11-11 16:13:18 468 ----a-w- c:\windows\system32\6526453.exe
2009-11-11 13:58:10 44 ----a-w- c:\windows\system32\1C.tmp
2009-11-11 05:29:51 44 ----a-w- c:\windows\system32\D6.tmp
2009-11-11 05:29:43 868 ----a-w- c:\windows\system32\6440546.exe
2009-11-11 05:21:30 53136 ----a-w- c:\windows\system32\PxSecure.dll-7702609
2009-11-11 05:21:25 50 ----a-w- c:\windows\wininit.ini
2009-11-07 04:13:54 0 d-----w- c:\docume~1\srippel\applic~1\AVG8
2009-11-04 04:45:16 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 04:44:00 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 04:32:52 19550 ----a-w- c:\windows\system32\AAWService_2009_11_03_21_32_52.dmp
2009-10-19 15:07:37 268 ---ha-w- C:\sqmdata19.sqm
2009-10-19 15:07:37 244 ---ha-w- C:\sqmnoopt19.sqm

==================== Find3M ====================

2009-11-04 04:45:10 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 04:09:55 51200 --sha-w- c:\windows\system32\basibezo.dll
2009-08-14 04:09:55 51200 --sha-w- c:\windows\system32\bemusugo.dll
2009-08-11 03:17:46 38400 --sha-w- c:\windows\system32\bufesine.dll
2009-08-07 04:00:43 38912 --sha-w- c:\windows\system32\fumuruti.dll
2009-08-09 21:00:14 38912 --sha-w- c:\windows\system32\gugukeha.dll
2009-08-14 04:09:23 51200 --sha-w- c:\windows\system32\hurudowa.dll
2009-08-11 03:17:46 52224 --sha-w- c:\windows\system32\juvilisi.dll
2009-08-13 16:09:08 90112 --sha-w- c:\windows\system32\lamazuna.dll
2009-08-11 15:18:15 38400 --sha-w- c:\windows\system32\ledahofo.dll
2009-08-14 16:09:41 38400 --sha-w- c:\windows\system32\nadubesu.dll
2009-08-11 03:17:46 60928 --sha-w- c:\windows\system32\pafelewa.dll
2009-08-10 15:17:52 37888 --sha-w- c:\windows\system32\pufegogu.dll
2009-08-14 04:09:23 38400 --sha-w- c:\windows\system32\tojojena.dll
2009-08-10 15:17:52 89088 --sha-w- c:\windows\system32\tonokule.dll
2009-08-15 05:09:58 37888 --sha-w- c:\windows\system32\vetahadu.dll
2009-08-14 04:09:55 51200 --sha-w- c:\windows\system32\wahijisa.dll
2009-08-13 16:09:08 38400 --sha-w- c:\windows\system32\yedeyoko.dll
2009-08-12 16:40:03 38912 --sha-w- c:\windows\system32\zoroviro.dll

============= FINISH: 9:54:50.96 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/15 10:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xB0634000 Size: 819200 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB0C1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27396827.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27411042.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27411208.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27425137.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27426749.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27427188.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27434279.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27434670.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27436861.LOG
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Trend Micro\OfficeScan Client\HLog\_r27441279.LOG
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba91887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba918bfe

==EOF==

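One way a responder can triage a DDS log like the one in the first post, as an added example that is not part of this thread, of the DDS tool, or of BleepingComputer's process: a small Python script that walks the Running Processes and Pseudo HJT Report lines and flags the load points that matter in this log (a populated AppInit_DLLs value, non-default LSA Authentication/Notification packages, SSODL/STS/BHO entries pointing at random-looking DLLs, autoruns launched from a temp folder, svchost.exe hosting a .tmp file, and policies that lock the user out of regedit or Folder Options). The sample lines are copied from the log above; the heuristics, such as treating an eight-lowercase-letter DLL name as suspicious and the set of "stock" LSA packages, are my assumptions tuned to this log's patterns, not rules DDS itself applies.

```python
import re

# Sample input: lines copied from the DDS log in the first post of this thread
# (Running Processes and Pseudo HJT Report sections), plus four benign entries
# from the same log that the triage should leave alone.
SAMPLE_DDS_LINES = [
    r"svchost.exe C:\WINDOWS\TEMP\VRT10.tmp",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"BHO: {c1082fce-8c18-4b46-9600-e83383ab25e4} - bemusugo.dll",
    r"BHO: Java(TM) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'mRun: [pobutajit] Rundll32.exe "c:\windows\system32\bozoyipo.dll",a',
    r"dRun: [jsh87r3huiehf89esiudgd] c:\windows\temp\r2xphrlp60.exe",
    r"dPolicies-system: DisableRegistryTools = 1 (0x1)",
    r"AppInit_DLLs: c:\windows\system32\rdolib.dll wahijisa.dll c:\windows\system32\bozoyipo.dll",
    r"SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll",
    r"SSODL: vagewewuh - {b0945523-3f1f-489d-95d6-faafbb64fd18} - c:\windows\system32\jozavuyo.dll",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\iiffCRjg",
    r"LSA: Notification Packages = scecli lomofasi.dll gopigede.dll basibezo.dll wahijisa.dll",
]

# Heuristics below are assumptions tuned to the naming pattern seen in this log
# (eight lowercase letters + .dll), not anything DDS itself checks.
RANDOM_DLL = re.compile(r"(?<![A-Za-z0-9])[a-z]{8}\.dll\b")
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)               # launched out of a temp folder
TMP_IN_SVCHOST = re.compile(r"^svchost\.exe\s+\S+\.tmp$", re.IGNORECASE)
NAMELESS_BHO = re.compile(r"^BHO: \{")                            # CLSID only, no product name
LOAD_POINTS = ("AppInit_DLLs:", "SSODL:", "STS:", "Notify:", "BHO:", "uRun:", "mRun:", "dRun:")
AUTORUNS = ("uRun:", "mRun:", "dRun:")
LOCKDOWN_POLICIES = ("DisableRegistryTools = 1", "NoFolderOptions = 1")
# Packages a stock Windows XP install registers under these LSA values (assumption).
LSA_DEFAULTS = {"authentication packages": {"msv1_0"}, "notification packages": {"scecli"}}


def lsa_extras(line):
    """Return the packages on an 'LSA: <value> = ...' line that are not stock defaults."""
    key, _, value = line[len("LSA:"):].partition("=")
    allowed = LSA_DEFAULTS.get(key.strip().lower(), set())
    return [tok for tok in value.split() if tok.lower() not in allowed]


def triage(lines):
    """Return [(line, [reason, ...])] for every line that trips at least one heuristic."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        if TMP_IN_SVCHOST.match(line):
            reasons.append("svchost.exe hosting a .tmp file from a temp folder")
        if line.startswith("LSA:") and lsa_extras(line):
            reasons.append("non-default LSA package(s): " + ", ".join(lsa_extras(line)))
        if line.startswith(LOAD_POINTS) and RANDOM_DLL.search(line):
            reasons.append("random-looking 8-letter DLL at an autostart load point")
        if line.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs populated (loaded into every user32 process)")
        if NAMELESS_BHO.match(line):
            reasons.append("BHO registered without a descriptive name")
        if line.startswith(AUTORUNS) and TEMP_PATH.search(line):
            reasons.append("autorun entry launching from a temp folder")
        if any(p in line for p in LOCKDOWN_POLICIES):
            reasons.append("policy locks the user out of a recovery tool")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_DDS_LINES):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the thirteen sample lines, nine are flagged and the four benign ones (the ctfmon.exe process and autorun, the named Java BHO, and the stock WPDShServiceObj SSODL entry) pass through untouched; on a real log the flagged lines are the ones to hash and submit to a multi-engine scanner, which is exactly what the helper asks for later in this thread.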


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:00 PM

Posted 15 November 2009 - 01:46 PM

Hello Roosky,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:00 PM

Posted 18 November 2009 - 05:16 PM

Hello Roosky,

Unfortunately I think we are dealing with a very serious and unrecoverable infection here.
We need to do some further checking before we proceed.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:00 PM

Posted 19 November 2009 - 08:58 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :(

With Regards,
fireman4it



#5 Roosky

Roosky
  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:00 PM

Posted 19 November 2009 - 11:45 PM

Thanks for the help but the computer is toast. Had to do a full format and fresh OS install. Didn't want to but it essentially locked down. I appreciate the effort though. Thanks.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:00 PM

Posted 21 November 2009 - 09:30 PM

Hello Roosky,

I'm sorry to see that your machine locked up. You were dealing with a mighty bad virus that infects all files on your machine; it is called Virut.

Here is some information on it:

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut, it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read: Virut is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
  • With a Virut infection, there is always a chance of backed up data reinfecting the system (if you didn't make proper backups). You should not have backed up any of the following:
    • applications/installers
    • executable files (*.exe)
    • screensavers (*.scr)
    • autorun (.ini) or script (.php, .asp, .html, .htm, .xml) files
    • compressed files (.zip, .cab, .rar) that have .exe or .scr files inside them: Virut can penetrate and infect these files within compressed files too
    • any Operating System-related files
    • any files the user does not recognize
    If you did back up files, you should have done so only for important documents.

Here are some steps and things you can do to keep yourself a little more secure.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file.
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide resident protection and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Edited by fireman4it, 21 November 2009 - 09:33 PM.



#7 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:00 AM

Posted 25 November 2009 - 12:13 PM

As the problem here seems to be resolved, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. If you should have a new issue, please start a new topic. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
