
Malware Issues


  • This topic is locked
3 replies to this topic

#1 pfeathers


Posted 04 June 2010 - 07:20 PM

I got infected with the typical webpage that says, you are infected with a virus, run this to disinfect. I disabled my NIC so I would not keep getting infected and tried to shut things down. After a reboot, I ran malware and it found 50-some items. Open NIC up and I would get infected all over again. I spent quite a bit of time trying to get rid of the stuff. I ran Kaspersky and it found a couple items (deleted: Trojan program Trojan.Win32.Clicker.hd File: f:\documents and settings\all users\application data\update\seupd.exe//data0004. & deleted: Trojan program Exploit.Java.ByteVerify File: C:\Documents and Settings\Owen Huffaker\Application Data\Sun\Java\Deployment\cache\6.0\54\46a4d9b6-268c9c4a).

Now when I run the malware program it runs clean. I have run a complete Kaspersky scan it finds nothing.

I am still having some problems. 1) I get a phishing page identified by Kaspersky loading "http://cdn.mfdclk001.org/QAg4Flfe7s6j4TC688b767f6bcd96fd31d7f554888f0847315A". Kaspersky says that it has something to do with credit card number theft. 2) In Outlook, a message pops up saying that my email address cannot be found, and when I send a message it bounces with - No transport provider was available for delivery to this recipient. 3) Can't seem to boot in safe mode. I don't remember how long I have tested this so I am not sure it is connected to all this, but I get the BSOD with stop: 0x0000007B (0xF8B4E528, 0xc0000034, 0x00000000, 0x00000000).


I need some help on where to go from here, I think I still have some lingering issues/files on my system. This is what the malware program initially found after the infection:

The following is the malware log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/3/2010 3:29:12 PM
mbam-log-2010-06-03 (15-29-12).txt

Scan type: Quick scan
Objects scanned: 156709
Time elapsed: 17 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 18
Registry Values Infected: 11
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35af0447-15c8-4edd-8fb1-0f50f44cdab8} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{35af0447-15c8-4edd-8fb1-0f50f44cdab8} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6db55326-6f4a-426c-a598-8a8384910bee} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6db55326-6f4a-426c-a598-8a8384910bee} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yidxpslq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yidxpslq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwzxfqwazmshrx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfg9w8gujsokgahi8gysgnsdgefshyjy (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.164,93.188.166.195 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{960ec3a0-dc7b-4693-b096-e5a52b3f648d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.164,93.188.166.195 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\konqjafw.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\gjzoyrl.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\ocnwxsmera.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temporary Internet Files\Content.IE5\191ALG4M\hypwhc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temporary Internet Files\Content.IE5\9WP2BDZP\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\m053cuor.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Application Data\xiayfemax\ivhqnjotssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Start Menu\Programs\Startup\scandisk.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ltuwoffkuktk.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\iexplarer.exe (Trojan.Agent) -> Delete on reboot.

Edited by pfeathers, 04 June 2010 - 07:22 PM.
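The Malwarebytes log above follows a fixed line format ("<item> (<family>) -> <action>."), so it can be triaged mechanically. This is an added example, not code from the post or from Malwarebytes: it parses the log, separates items MBAM could only schedule for "Delete on reboot" (still live at scan time, so worth confirming on the follow-up scan) from those already quarantined, and pulls the planted resolvers out of the Trojan.DNSChanger entry. The sample log is a constructed excerpt of lines from the post.

```python
import re
from collections import Counter

# Constructed excerpt of the MBAM 1.46 log posted above (representative lines only).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.164,93.188.166.195 -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\Drivers\gjzoyrl.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ltuwoffkuktk.dll (Trojan.Agent) -> Delete on reboot.
"""

# "<section> Infected:" opens a block; each detection reads "<item> (<family>) -> [<detail> -> ]<action>."
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, detail, action."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # blank lines, "(No malicious items detected)", counts, headers
        # rest is "<action>" alone, or "Data: ... -> <action>" / "Bad: (1) Good: (0) -> <action>"
        *detail, action = m.group("rest").split(" -> ")
        entries.append({"section": section, "item": m.group("item"),
                        "family": m.group("family"),
                        "detail": " -> ".join(detail), "action": action})
    return entries


def triage(entries):
    """Defender's view: hits per family, items only scheduled for reboot, planted DNS servers."""
    pending = [e["item"] for e in entries if e["action"] == "Delete on reboot"]
    rogue_dns = set()
    for e in entries:
        if e["family"] == "Trojan.DNSChanger" and e["detail"].startswith("Data: "):
            rogue_dns.update(e["detail"][len("Data: "):].split(","))
    return {"families": Counter(e["family"] for e in entries),
            "pending_reboot": pending, "rogue_dns": sorted(rogue_dns)}
```

Running `triage(parse_mbam_log(SAMPLE_LOG))` on the full posted log would list every "Delete on reboot" item (the notepad.dll module, its Run keys and the Temp-folder DLL/EXEs) and the two 93.188.x.x resolvers that the DNSChanger entry had written into the TCP/IP parameters.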



#2 cryptodan


Posted 04 June 2010 - 07:40 PM

Hello pfeathers,

Welcome to the Forums,

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#3 hamluis


Posted 04 June 2010 - 07:50 PM

I'll just move this thread to Am I Infected.

Louis

#4 pfeathers


Posted 04 June 2010 - 10:31 PM

I created a new post (Infected Trojan.downloader and other stuff) as instructed in the Virus, Trojan, Spyware, and Malware Removal Logs and included the appropriate logs. Thanks for the help.

New topic here. Has been picked up. Closing this one. ~ OB

Edited by Orange Blossom, 06 June 2010 - 06:28 PM.
