No might be infected here I am infected



#1 ibuz

Posted 22 November 2009 - 11:59 AM

It started with web search redirects; it was not a real problem, as I would copy and paste the actual link into a new tab and continue without further problems.

I then noticed some quick-launch icons missing from the taskbar, but when I opened Task Manager, they were all there and running, just with no icons (no, they were not hidden). I also had a couple of programs that would not run at all. I would click the program to open it, but it would only appear minimized in the taskbar at the bottom; when I clicked it to maximize, it had no effect other than depressing the tab as if it were maximized, but it would not maximize. I would load the program onto my pen drive and run it on my laptop with no problems.

At one time some virus software installed itself and said a lot of files were corrupt and I needed to download and buy their pro version. I was able to remove it, or maybe just stop it from creating havoc at the time.

I use Firefox and lately noticed new tabs popping up and browsers opening to ad pages. I would hear a video and not see any programs open in the taskbar at the bottom. Task Manager would show IE running, so I shut it down. I opened IE and, in Options, "IE should check if it is the default browser" was unchecked (I rechecked it). IE does not have WOT as Firefox does, so who knows what sites it was sent to and opened.

This weekend I said enough is enough. I had this site bookmarked from researching these problems before and was going to try to solve the problem on my own. I ran Malwarebytes Anti-Malware, SUPERAntiSpyware and ATF Cleaner per the directions in most threads. I also tried Spybot - Search & Destroy. All would find problems and remove them. Everything would work fine for a while, but the problems would return. In one thread I noticed to run rkill before running the spyware software and gave it a try. That seemed to really piss this virus off, as now I get an alert from my AVS every 5 minutes (Win32:Zbot-MHS); it adds a file to the Windows temp folder under a different name each time after the AVS deletes it.

I am running out of options other than a complete reinstall of everything, and I will most likely hate losing all of the information accumulated over the last 3 years. I do not do a lot of contacts, but save most as drafts to avoid viruses that distribute themselves that way. I would not guess at what to delete or save, but would delete everything as it stands right now, hand-writing all the information down and reinstalling everything needed by hand. It's just me and the wife, so this is the only computer attached to the web. I do not network, so the office and laptop computers are not attached to the infected computer. Both desktops run XP Home and the laptop runs XP Pro, all SP2.

Here are the logs I came up with.

------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 3204
Windows 5.1.2600 Service Pack 2

11/20/2009 3:13:35 PM
mbam-log-2009-11-20 (15-13-35).txt

Scan type: Quick Scan
Objects scanned: 102565
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gigusibew (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8916cbb1-88af-4181-b8b2-70cdab3fce5f}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8916cbb1-88af-4181-b8b2-70cdab3fce5f}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{8916cbb1-88af-4181-b8b2-70cdab3fce5f}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\hruvl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\piyefire.dll (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/20/2009 at 05:25 PM

Application Version : 4.30.1004

Core Rules Database Version : 4295
Trace Rules Database Version: 2166

Scan type : Complete Scan
Total Scan Time : 00:21:04

Memory items scanned : 462
Memory threats detected : 3
Registry items scanned : 4905
Registry threats detected : 8
File items scanned : 13197
File threats detected : 8

Adware.Vundo/Variant-[Fixed]
C:\WINDOWS\SYSTEM32\BUDAMATA.DLL
C:\WINDOWS\SYSTEM32\BUDAMATA.DLL
C:\WINDOWS\SYSTEM32\DENUNAPU.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\TUSOHAZA.DLL
C:\WINDOWS\SYSTEM32\TUSOHAZA.DLL

Trojan.Agent/Gen-6TO4
C:\WINDOWS\SYSTEM32\6TO4V32.DLL
C:\WINDOWS\SYSTEM32\6TO4V32.DLL

Rootkit.Agent/Gen-DiskFake
HKLM\System\ControlSet001\Services\daqdrv
C:\WINDOWS\SYSTEM32\DAQDRV.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_daqdrv
HKLM\System\ControlSet003\Services\daqdrv
HKLM\System\ControlSet003\Enum\Root\LEGACY_daqdrv
HKLM\System\CurrentControlSet\Services\daqdrv
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_daqdrv

Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

Adware.Vundo/Variant-LockDown
C:\WINDOWS\SYSTEM32\BUYETUZA.DLL

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\DASOFUPU.DLL

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\NIPUJIJA.DLL

-------------------------------------------------------------------------------------------------------------

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/22 00:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4BE7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB860C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB43A9000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c406b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c40574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c40a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c4014c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c4064e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c4008c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c400f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c4076e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c4072e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c408ae

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb4cfd0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 20480

Object: Hidden Module [Name: tdlclk.dll]
Process: Explorer.EXE (PID: 1780) Address: 0x00aa0000 Size: 20480

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 1780) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 836) Address: 0x10000000 Size: 32768

==EOF==

-------------------------------------------------------------------------------------------------------------------------------------

I'm also including a log from my AVS to show the alert every 5 minutes after rkill and a complete virus scan.

7/19/2009 12:37:14 PM SYSTEM 1616 Sign of "HTML:IFrame-HE [Trj]" has been found in "http://gps-software-hub.com/wp-content/themes/guzel-pro/js/tabs.js" file.
8/6/2009 9:37:09 PM SYSTEM 1600 Sign of "JS:Redirector-I [Trj]" has been found in "http://mujerobrera.org/photoalbum/include/smarty/nxuab/2.js" file.
8/13/2009 7:19:04 PM SYSTEM 1600 Sign of "JS:Obfuscated-CV [Trj]" has been found in "http://vxz.dhoqia.info/pka/in.php" file.
8/20/2009 6:57:51 PM SYSTEM 1616 Sign of "JS:Pdfka-ON [Expl]" has been found in "http://intaxboolcorp.com/downlds/gc.pdf" file.
9/7/2009 7:02:55 PM SYSTEM 2036 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
9/19/2009 11:14:10 AM SYSTEM 1648 Sign of "JS:Downloader-ED [Trj]" has been found in "http://otn.etdfsao.net/rzfh/in.php" file.
9/25/2009 12:22:13 PM SYSTEM 1616 Sign of "HTML:IFrame-EP [Trj]" has been found in "http://rywire.com/store/thumbnails/pics/eltloelt-2046.html" file.
9/25/2009 6:36:02 PM SYSTEM 1616 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://pescanner1.info/25/24-049wLyIzLGBzL==" file.
9/25/2009 6:36:14 PM SYSTEM 1616 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://pescanner1.info/25/24-049wLyIzLGBzL==" file.
9/25/2009 6:36:21 PM SYSTEM 1616 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://pescanner1.info/25/24-049wLyIzLGBzL==" file.
9/29/2009 7:41:43 PM SYSTEM 412 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
9/29/2009 7:41:43 PM SYSTEM 412 An error has occured while attempting to update. Please check the logs.
10/2/2009 9:05:30 PM SYSTEM 232 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://piscanner2.info/25/25-050wLzIzLGBzL==" file.
10/2/2009 9:05:43 PM SYSTEM 232 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://piscanner2.info/25/25-050wLzIzLGBzL==" file.
10/3/2009 6:21:55 PM SYSTEM 328 Sign of "HTML:IFrame-EP [Trj]" has been found in "http://www.tennessee-mom.com/wp-content/uploads/2007/01/henlamo.html" file.
10/17/2009 9:28:50 PM SYSTEM 456 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://sp2scanner.info/25/24-049wLyIzLGBzL==" file.
10/19/2009 9:17:27 PM SYSTEM 452 Sign of "JS:FakeAV-AS [Trj]" has been found in "http://spyware-remover-free.org/index.php?PHPSESSID=259b4c25aa08557e7c8892c5d64253db" file.
10/24/2009 12:30:27 PM Bob 452 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\iehelper.dll" file.
10/24/2009 12:30:42 PM Bob 452 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\syssvc.exe" file.
10/24/2009 12:30:47 PM Bob 452 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\syssvc.exe" file.
10/24/2009 12:30:53 PM Bob 452 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\syssvc.exe" file.
10/24/2009 12:47:35 PM Bob 116 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\iehelper.dll" file.
10/24/2009 12:47:46 PM Bob 116 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
10/24/2009 1:19:17 PM Bob 116 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\8C97RZPW\omni[1].gif" file.
10/24/2009 1:19:27 PM Bob 116 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\8C97RZPW\omni[2].gif" file.
10/24/2009 1:19:32 PM Bob 116 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\8C97RZPW\omni[3].gif" file.
10/24/2009 2:49:04 PM Bob 544 Sign of "Win32:Alureon-DI [Rtk]" has been found in "C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\8C97RZPW\load[1].php" file.
10/24/2009 2:58:02 PM Bob 544 Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\DT8KULJY\index[2].swf" file.
10/24/2009 4:50:49 PM SYSTEM 2044 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
10/25/2009 5:41:20 PM SYSTEM 416 Sign of "JS:Pdfka-SE [Expl]" has been found in "http://abcagrid.com/docs/bh.pdf" file.
10/31/2009 2:08:09 PM Bob 452 Sign of "Win32:Bredolab-AP [Trj]" has been found in "C:\System Volume Information\_restore{BC17B70E-90CD-42CA-8475-955D4EDEAB66}\RP314\A0087679.exe" file.
11/1/2009 9:42:00 PM SYSTEM 1796 Sign of "JS:FakeAV-V [Trj]" has been found in "http://malware-online-scaner.net/flist.js" file.
11/2/2009 8:29:40 AM SYSTEM 1792 Sign of "JS:FakeAV-V [Trj]" has been found in "http://malware-online-scaner.net/flist.js" file.
11/6/2009 7:50:01 PM SYSTEM 1740 Sign of "HTML:Iframe-inf" has been found in "http://www.infinitycarloans.com/\{gzip}" file.
11/7/2009 2:25:15 PM SYSTEM 1792 Sign of "JS:FakeAV-V [Trj]" has been found in "http://malware-online-scaner.info/flist.js" file.
11/7/2009 2:50:49 PM Bob 1020 Sign of "Win32:Bredolab-AP [Trj]" has been found in "C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\4DAJK9EN\op[1].exe" file.
11/7/2009 3:54:36 PM SYSTEM 1792 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
11/10/2009 12:06:09 PM SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx: hxxp://www.nfl.com/static/embeddablevideo/09000d5d81413740.json (C:\WINDOWS\TEMP\_avast4_\unp57485484.tmp) returning error, 0000A413.
11/17/2009 2:14:19 PM SYSTEM 1916 Sign of "JS:Downloader-GA [Trj]" has been found in "http://hgroup0v.in/hbo/news.php\{gzip}" file.
11/18/2009 4:10:51 PM SYSTEM 1844 Sign of "HTML:Iframe-inf" has been found in "http://magiceuroz.in/ad3i/\{gzip}" file.
11/18/2009 10:07:55 PM SYSTEM 1844 AAVM - scanning warning: x_AavmCheckFileDirectEx: [http://rt32.infolinks.com/action
11/20/2009 6:36:40 AM SYSTEM 1912 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YBKXOLYD\atdnabbc[1].htm"
11/20/2009 6:54:59 AM SYSTEM 1912 Sign of "Win32:Fraudo [Trj]" has been found in "http://77.74.48.116/odiqbu201.html" file.
11/20/2009 7:00:51 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8M5O32UV\dktqrriwfx[1].htm" file.
11/20/2009 7:00:56 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K7UZEJM9\lrylmmfcz[1].htm" file.
11/20/2009 7:00:59 AM SYSTEM 1912 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K7UZEJM9\djgtguhvvf[1].htm" file.
11/20/2009 7:01:02 AM SYSTEM 1912 Sign of "Win32:Ertfor [Trj]" has been found in "C:\WINDOWS\system32\m46km.dll" file.
11/20/2009 7:01:06 AM SYSTEM 1912 Sign of "Win32:Fraudo [Trj]" has been found in "C:\WINDOWS\system32\sabiyubi.exe" file.
11/20/2009 7:01:09 AM SYSTEM 1912 Sign of "Win32:Wali [Cryp]" has been found in "C:\jpvedf.exe" file.
11/20/2009 7:01:12 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\dxtsyxru.exe" file.
11/20/2009 7:01:17 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\nijap.exe" file.
11/20/2009 7:01:20 AM SYSTEM 1912 Sign of "Win32:Malware-gen" has been found in "C:\maslf.exe" file.
11/20/2009 7:01:21 AM SYSTEM 1912 Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\TEMP\d1pn8.exe" file.
11/20/2009 7:01:25 AM SYSTEM 1912 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYTOXS3\atdnabbc[1].htm" file.
11/20/2009 7:01:28 AM SYSTEM 1912 Sign of "Win32:Malware-gen" has been found in "C:\maslf.exe" file.
11/20/2009 7:01:41 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYTOXS3\lrylmmfcz[1].htm" file.
11/20/2009 7:01:47 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYTOXS3\dktqrriwfx[1].htm" file.
11/20/2009 7:01:51 AM SYSTEM 1912 Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\TEMP\2429211472.exe" file.
11/20/2009 7:02:16 AM SYSTEM 1912 Sign of "Win32:Wali [Cryp]" has been found in "C:\jpvedf.exe" file.
11/20/2009 7:02:19 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\nijap.exe" file.
11/20/2009 7:02:23 AM SYSTEM 1912 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\dxtsyxru.exe" file.
11/20/2009 7:05:16 AM SYSTEM 1912 Sign of "Win32:Fraudo [Trj]" has been found in "C:\WINDOWS\system32\lugenipo.exe" file.
11/20/2009 7:53:21 AM SYSTEM 1912 Sign of "Win32:Alureon-EI [Rtk]" has been found in "C:\WINDOWS\TEMP\22F.tmp" file.
11/20/2009 5:42:02 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:42:16 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:42:27 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:42:40 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:42:50 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:43:00 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:43:10 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:43:20 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:43:30 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:43:39 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:43:48 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:43:58 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:44:07 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:44:16 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:44:29 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:44:45 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:44:55 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:45:37 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/21/2009 3:02:36 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\bdwy.tmp" file.
11/21/2009 3:07:47 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\uxpb.tmp" file.
11/21/2009 3:12:53 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\xtqp.tmp" file.
11/21/2009 3:18:04 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\kccc.tmp" file.
11/21/2009 3:23:10 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qorn.tmp" file.
11/21/2009 3:28:26 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\yxmx.tmp" file.
11/21/2009 3:33:31 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\sivf.tmp" file.
11/21/2009 3:38:35 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qipp.tmp" file.
11/21/2009 3:43:41 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\wquh.tmp" file.
11/21/2009 3:48:46 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\vdsa.tmp" file.
11/21/2009 3:53:50 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\gkvs.tmp" file.
11/21/2009 3:58:54 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\cycw.tmp" file.
11/21/2009 4:03:59 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ipuf.tmp" file.
11/21/2009 4:09:07 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\vedb.tmp" file.
11/21/2009 4:14:19 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\okmf.tmp" file.
11/21/2009 4:20:38 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\whpy.tmp" file.
11/21/2009 4:25:43 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\nxkh.tmp" file.
11/21/2009 4:30:48 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qnjm.tmp" file.
11/21/2009 4:35:53 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ajsr.tmp" file.
11/21/2009 4:41:15 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\utgi.tmp" file.
11/21/2009 4:46:25 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\omgh.tmp" file.
11/21/2009 4:51:29 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ttac.tmp" file.
11/21/2009 4:56:35 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\cuel.tmp" file.
11/21/2009 5:01:39 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\xenq.tmp" file.
11/21/2009 5:06:44 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ffgs.tmp" file.
11/21/2009 5:11:49 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\vbdq.tmp" file.
11/21/2009 5:16:58 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\fqkp.tmp" file.
11/21/2009 5:26:55 PM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\vspi.tmp" file.
11/21/2009 5:43:48 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\cwki.tmp" file.
11/21/2009 6:07:17 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\stbv.tmp" file.
11/21/2009 6:12:27 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\mivs.tmp" file.
11/21/2009 6:24:20 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\vitn.tmp" file.
11/21/2009 6:29:25 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\gnvr.tmp" file.
11/21/2009 6:34:30 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\pwed.tmp" file.
11/21/2009 6:39:35 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ckqx.tmp" file.
11/21/2009 6:44:40 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\rxvi.tmp" file.
11/21/2009 6:49:47 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\exis.tmp" file.
11/21/2009 11:25:11 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\dqxj.tmp" file.
11/21/2009 11:30:16 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\bcbo.tmp" file.
11/21/2009 11:35:20 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qyfu.tmp" file.
11/21/2009 11:40:24 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\oixg.tmp" file.
11/21/2009 11:45:31 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ptov.tmp" file.
11/21/2009 11:47:25 PM SYSTEM 1768 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\Temp\vspi.tmp" file.
11/21/2009 11:55:36 PM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\cwoi.tmp" file.
11/22/2009 12:00:47 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\usit.tmp" file.
11/22/2009 12:05:56 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\piks.tmp" file.
11/22/2009 12:14:06 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\wdxv.tmp" file.
11/22/2009 12:19:13 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ftgi.tmp" file.
11/22/2009 12:24:20 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\shfn.tmp" file.
11/22/2009 12:29:27 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ciqr.tmp" file.
11/22/2009 12:34:34 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\xgnt.tmp" file.
11/22/2009 12:39:41 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\exoa.tmp" file.
11/22/2009 12:44:58 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qcpf.tmp" file.
11/22/2009 12:50:03 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\glne.tmp" file.
11/22/2009 12:55:09 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ccrx.tmp" file.
11/22/2009 1:00:16 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\ednk.tmp" file.
11/22/2009 1:05:23 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qhlw.tmp" file.
11/22/2009 1:10:30 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\xkrc.tmp" file.
11/22/2009 1:15:34 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qcrp.tmp" file.
11/22/2009 1:20:39 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\idra.tmp" file.
11/22/2009 1:25:44 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\nsex.tmp" file.
11/22/2009 1:30:50 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\emxh.tmp" file.
11/22/2009 1:35:55 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\rtnt.tmp" file.
11/22/2009 1:40:57 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\lrhs.tmp" file.
11/22/2009 1:46:03 AM SYSTEM 1772 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\pmoe.tmp" file.

Edited by ibuz, 22 November 2009 - 12:21 PM.
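The avast log ibuz pasted shows two different-looking patterns that are easy to confuse: the same file (C:\WINDOWS\TEMP\tunder.exe) flagged over and over a few seconds apart, and a fresh randomly named .tmp flagged in the same folder roughly every five minutes. The script below is an added example for this thread, not code from BleepingComputer, avast or the poster. It parses that alert-line format, groups hits by signature and directory, and tells the two cases apart by whether the file name rotates between hits. It also checks web-shield detections against the rogue NameServer that Malwarebytes removed (77.74.48.113): the Win32:Fraudo fetch from 77.74.48.116 in the same log sits in the same /24, a correlation worth recording when the box is rebuilt. The sample lines are copied from the post; the /24 comparison and the ten-minute gap threshold are assumptions chosen for illustration.

```python
"""Spot 'clean-and-return' cycles in an avast-style on-access alert log.

Added example for this thread, not code from BleepingComputer, avast or the
poster. It reads the line format pasted in the post:

    <m/d/yyyy> <h:mm:ss> <AM|PM> <user> <pid> Sign of "<sig>" has been found in "<path>" file.

Rotating file names at a short, regular interval mean something still
resident is re-creating the payload after every deletion; the same name hit
again and again is the scanner re-flagging one file it could not remove.
"""
import ipaddress
import ntpath
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)"'
)

# Constructed sample: lines copied from the poster's log plus one non-alert line.
SAMPLE_LINES = r"""
11/20/2009 5:42:02 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:42:16 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 5:42:27 PM SYSTEM 1808 Sign of "Win32:Wali [Cryp]" has been found in "C:\WINDOWS\TEMP\tunder.exe" file.
11/20/2009 6:54:59 AM SYSTEM 1912 Sign of "Win32:Fraudo [Trj]" has been found in "http://77.74.48.116/odiqbu201.html" file.
11/20/2009 7:01:06 AM SYSTEM 1912 Sign of "Win32:Fraudo [Trj]" has been found in "C:\WINDOWS\system32\sabiyubi.exe" file.
11/7/2009 3:54:36 PM SYSTEM 1792 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
11/21/2009 3:02:36 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\bdwy.tmp" file.
11/21/2009 3:07:47 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\uxpb.tmp" file.
11/21/2009 3:12:53 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\xtqp.tmp" file.
11/21/2009 3:18:04 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\kccc.tmp" file.
11/21/2009 3:23:10 PM SYSTEM 1780 Sign of "Win32:Zbot-MHS [Trj]" has been found in "C:\WINDOWS\TEMP\qorn.tmp" file.
""".strip().splitlines()


def parse(lines):
    """Return [(timestamp, signature, path)] for alert lines; skip everything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # update failures, scanner warnings, truncated lines
        ts = datetime.strptime(m['ts'], '%m/%d/%Y %I:%M:%S %p')
        events.append((ts, m['sig'], m['path']))
    return events


def redrop_cycles(events, min_hits=3, max_gap_min=10):
    """Find (signature, directory) groups hit repeatedly within max_gap_min minutes."""
    groups = defaultdict(list)
    for ts, sig, path in events:
        directory, name = ntpath.split(path)
        groups[(sig, directory.lower())].append((ts, name.lower()))
    cycles = []
    for (sig, directory), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b - a).total_seconds() / 60 for (a, _), (b, _) in zip(hits, hits[1:])]
        short = [g for g in gaps if g <= max_gap_min]
        if len(short) < min_hits - 1:
            continue
        names = {name for _, name in hits}
        cycles.append({
            'signature': sig,
            'directory': directory,
            'hits': len(hits),
            'distinct_names': len(names),
            'median_gap_min': round(median(short), 1),
            # a new name after each deletion = a resident dropper, not a stuck file
            'rotating_names': len(names) > 1,
        })
    return sorted(cycles, key=lambda c: -c['hits'])


def same_prefix_as_dns(events, rogue_dns, prefix=24):
    """List web-shield detections served from an IP literal in the same /prefix
    as a rogue NameServer (assumed /24; 77.74.48.113 is the one MBAM removed)."""
    net = ipaddress.ip_network(f'{rogue_dns}/{prefix}', strict=False)
    found = []
    for _, sig, path in events:
        if not path.lower().startswith('http'):
            continue
        host = urlparse(path).hostname
        if not host:
            continue
        try:
            if ipaddress.ip_address(host) in net:
                found.append((sig, host))
        except ValueError:
            pass  # a hostname, not an IP literal
    return found


if __name__ == '__main__':
    ev = parse(SAMPLE_LINES)
    for c in redrop_cycles(ev):
        print(c)
    print(same_prefix_as_dns(ev, '77.74.48.113'))
```

On the sample, the Zbot group comes out with five hits, five distinct names and a median gap of about 5.1 minutes (rotating_names True), while the Wali group is one name hit three times a few seconds apart (rotating_names False). The first pattern is what ibuz describes; cleaning it with an on-demand scanner will not stop the component that does the dropping.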


#2 garmanma

Posted 23 November 2009 - 09:44 PM

You have an obvious rootkit infection.
Using the RootRepeal log, please follow these instructions.

Now that you were successful in creating a RR log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that this log was all you could get to run successfully.

Post here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark
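garmanma's call of "an obvious rootkit infection" rests on the RootRepeal log in the first post: the SSDT hooks all belong to the two security products installed on the machine (aswSP.SYS is avast's self-protection driver, SASKUTIL.sys is SUPERAntiSpyware's), whereas the "Hidden Module" entries are DLLs unlinked from the module lists of svchost.exe, Explorer.EXE and iexplore.exe, which no legitimate product on that box accounts for. The script below is an added example for this thread, not code from RootRepeal, BleepingComputer or either poster. It parses the RootRepeal sections and separates hooks owned by an allowlist of expected drivers from any others, then lists hidden modules per process and flags a module hidden in more than one process. The allowlist is an assumption chosen to match this log; the sample is copied from the post.

```python
"""Triage a RootRepeal log: split SSDT hooks into those owned by drivers that
are expected to hook (the installed security products) and everything else,
and list hidden (unlinked) modules per process.

Added example for this thread; not code from RootRepeal, BleepingComputer or
either poster. EXPECTED_HOOKERS is an assumption fitted to the posted log.
"""
import re
from collections import defaultdict

# Assumption: avast self-protection (aswSP.SYS) and SUPERAntiSpyware
# (SASKUTIL.sys) hook the SSDT by design on this machine.
EXPECTED_HOOKERS = {"aswsp.sys", "saskutil.sys"}

HOOK_RE = re.compile(
    r'^#: (?P<idx>\d+) Function Name: (?P<fn>\w+)\r?\n'
    r'Status: Hooked by "(?P<drv>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)',
    re.M)
HIDDEN_RE = re.compile(
    r'^Object: Hidden Module \[Name: (?P<mod>[^\]]+)\]\r?\n'
    r'Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)',
    re.M)

# Constructed sample: an excerpt of the RootRepeal log from the first post.
SAMPLE_LOG = r"""
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c406b8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4c4008c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb4cfd0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 20480

Object: Hidden Module [Name: tdlclk.dll]
Process: Explorer.EXE (PID: 1780) Address: 0x00aa0000 Size: 20480

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 1780) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 836) Address: 0x10000000 Size: 32768
"""


def triage(log):
    """Return expected/unexpected SSDT hooks and hidden modules keyed by (process, pid)."""
    expected, unexpected = [], []
    for m in HOOK_RE.finditer(log):
        driver = m["drv"].rsplit("\\", 1)[-1].lower()  # file name only
        bucket = expected if driver in EXPECTED_HOOKERS else unexpected
        bucket.append((int(m["idx"]), m["fn"], driver))

    hidden = defaultdict(list)
    for m in HIDDEN_RE.finditer(log):
        hidden[(m["proc"].lower(), int(m["pid"]))].append((m["mod"].lower(), int(m["size"])))

    # One module unlinked from several processes points at a single injector.
    spread = defaultdict(set)
    for proc, mods in hidden.items():
        for mod, _ in mods:
            spread[mod].add(proc)
    multi = sorted(mod for mod, procs in spread.items() if len(procs) > 1)

    return {
        "expected_hooks": expected,
        "unexpected_hooks": unexpected,
        "hidden_modules": dict(hidden),
        "hidden_in_multiple_processes": multi,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("hooks by expected drivers:", len(result["expected_hooks"]))
    print("hooks by other drivers:", result["unexpected_hooks"])
    for proc, mods in result["hidden_modules"].items():
        print(proc, mods)
    print("hidden in more than one process:", result["hidden_in_multiple_processes"])
```

The allowlist is the part to adjust per machine: a hook from a driver that is not in it is the finding, and an empty "unexpected" list does not clear the box, since the hidden-module section carries the evidence here (tdlwsp.dll unlinked in both Explorer.EXE and iexplore.exe). Anything in that section is what the HJT team's custom scripts would target.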
