
Is Andreas Hauslade a virus?


4 replies to this topic

#1 aburre2

aburre2

  • Members
  • 19 posts

Posted 23 February 2010 - 11:12 PM

I'm using Process Explorer and there is an executable file called opeia.exe running, and under description it says Andreas Hauslade. There is a process under it called lsm32.sys and it's connecting to 007guard.com.


#2 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 23 February 2010 - 11:56 PM

Hello :thumbsup:

The SUPERAntiSpyware website says opeia.exe IS an infection:
Trojan.Agent/Gen-BackDoor[Opeia]
--------------------------------------------------------------------------------------------------------------------
Use ATF Cleaner:
http://www.atribune.org/index.php?option=c...5&Itemid=25

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Notes for Windows Vista users:
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

-------------------------------------------------------------------------------------------------
Scan with SUPERAntiSpyware. (Make sure you update it before scanning)

How to use SUPERAntiSpyware to scan and remove malware from your computer
Posted by Grinler on November 2, 2009

http://www.bleepingcomputer.com/virus-remo...pyware-tutorial

-------------------------------------------------------------------------------------------------

Scan with Malwarebytes'. (Make sure you update it before scanning)

How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer
Posted by Grinler on February 16, 2010

http://www.bleepingcomputer.com/virus-remo...alware-tutorial


For those having trouble running Malwarebytes Anti-Malware
SEE POST BY quietman7:

http://www.bleepingcomputer.com/forums/t/267354/for-those-having-trouble-running-malwarebytes-anti-malware/

-------------------------------------------------------------------------------------------------------
This is a good start on taking care of the infection(s). It may take more specialized help to get this completely taken care of, but this will get you started.

Please reply back with the results of the SUPERAntiSpyware scan and the Malwarebytes' scans.
Copy and paste the entire contents of the scan results logs into your next reply.
Also, please advise what, if any, symptoms you are still experiencing.

If we don't change the direction we are going,
We are likely to end up where we are headed.

#3 aburre2

aburre2
  • Topic Starter

  • Members
  • 19 posts

Posted 24 February 2010 - 01:20 AM

The SUPERAntiSpyware download link wasn't working. I ran MBAM and it found a lot of infections. Here's the log file.

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 8
Registry Values Infected: 17
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 41

Memory Processes Infected:
C:\WINDOWS\system32\PeerSvc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Fonts\services.exe (Worm.Archive) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\ntload.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
c:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peersvc (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Worm.Archive) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Worm.Archive) -> Data: c:\windows\fonts\services.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Worm.Archive) -> Data: c:\windows\fonts\services.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\ntload.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\ntload.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Allen Burrell\ntload.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Allen Burrell\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\ntload.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8S0KS6VP\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8S0KS6VP\w[2].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JQFZM2J7\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JQFZM2J7\w[2].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XY03ERXF\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XY03ERXF\w[2].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\NetworkService\ntload.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\1551325.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\3156092.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\3287775.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
C:\WINDOWS\system32\402903.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\4063029.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\422935.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\4738275.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\6106791.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\7110209.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\7286143.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\8155481.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\895077.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\9519922.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\9943049.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\996345.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\9996562.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wmdtc.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Allen Burrell\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\PeerSvc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Allen Burrell\Local Settings\temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\services.exe (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> No action taken.

#4 aburre2

aburre2
  • Topic Starter

  • Members
  • 19 posts

Posted 24 February 2010 - 01:51 AM

After removing all those infections MBAM rebooted my computer, and now when it starts up I can't see anything but my desktop background. The computer doesn't fully log on and I can't see any features.

Edited by aburre2, 24 February 2010 - 01:51 AM.


#5 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 24 February 2010 - 11:12 PM

Hello :thumbsup:
Your Malwarebytes' log shows "No action taken" on all listed items
(meaning the items detected were NOT QUARANTINED, NOT FIXED).
The top part of the Malwarebytes' log wasn't included, so I couldn't see what database version was used for that scan.
I don't know if you had the most recent Malwarebytes' database at the time of the scan.

Do not make ANY CHANGES to your computer.

In view of the fact that Malwarebytes' did not successfully quarantine the detected items, it would be best for you to
head over to the Virus, Trojan, Spyware, and Malware Removal Logs forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Read this topic:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Create a new post in the
Virus, Trojan, Spyware, and Malware Removal Logs forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Include your most recent Malwarebytes' scan log (copy and paste the ENTIRE CONTENTS of the Malwarebytes' scan log - including the top part that shows the database version, what date/time the scan was run, everything....), and provide a link to this topic.

A member of the Malware Response Team will help you.
They are knowledgeable and experienced and that's where you will get the best help.
Do be patient, because they have lots of people to help.

If we don't change the direction we are going,
We are likely to end up where we are headed.



