Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

One big infected mess!


  • Please log in to reply
15 replies to this topic

#1 aereissner

aereissner

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 30 August 2010 - 08:47 PM

Hi, I have what seems to be mulitiple infections with so many alert pop ups I can't even tell what the problem is! Trojan's, worms, dll error messages, you name it, too many to count and so frequent I can barely run the computer at this point.
I tried doing CCleaner then Malwarebytes both quick and full system scan which said it removed 24 infected items but when I did the reboot every error and pop up came fast back fast and furious. The latest a blue screen which forced system shut down with an error message that said "page_fault_in_nonpaged_area"
I'm leaving my desktop shut down for the time being and sending my "HELP" message from my laptop. I have had the odd issue before and CCleaner then Malwarebytes has always cleaned the system up, never experienced one this deep and troublesome before.
Many thanks for your help!

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 30 August 2010 - 11:03 PM

Hello and welcome..
We need to know more about these error messages. dll error messages. Were they >>> A "Cannot find...", "Could not run...", "Error loading... or "specific module could not be found" message??

Would you post an infected MBAM log please.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Reboot into Safe Mode with Networking
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 aereissner

aereissner
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 31 August 2010 - 08:07 PM

Ok, first of all, thank you very much for your response.
Instructions were clear and easy to follow and actually had no trouble installing and running programs.
However, here I still am...

So, as per your advice, here we go.

1. DLL messages pop up 4 at a time upon start up. All stating "Error Loading"
I did take down a couple of the exact error messages a) E1890.dll :thumbsup: c:\windows\opebavukubonerav.dll
But then I noticed every time I re-booted the message extensions were all different. (always Error Loading though)

2. First MBAM scan and log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

9/1/2010 5:43:29 PM
mbam-log-2010-09-01 (17-43-29).txt

Scan type: Quick scan
Objects scanned: 135401
Time elapsed: 11 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Amy\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

3. Super AntiSpyware Scan and Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/01/2010 at 07:10 PM

Application Version : 4.42.1000

Core Rules Database Version : 5437
Trace Rules Database Version: 3249

Scan type : Complete Scan
Total Scan Time : 01:05:35

Memory items scanned : 287
Memory threats detected : 0
Registry items scanned : 6626
Registry threats detected : 40
File items scanned : 73234
File threats detected : 42

Trojan.Agent/Gen
[MChk] C:\WINDOWS\SYSTEM32\R1890.EXE
C:\WINDOWS\SYSTEM32\R1890.EXE
HKLM\Software\Classes\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}#AppID
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}\InprocServer32
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}\InprocServer32#ThreadingModel
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}\ProgID
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}\Programmable
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}\TypeLib
HKCR\CLSID\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}\VersionIndependentProgID
HKCR\brumavybpgrm.brumavybpgrm.1.0
HKCR\brumavybpgrm.brumavybpgrm.1.0\CLSID
HKCR\brumavybpgrm.brumavybpgrm
HKCR\brumavybpgrm.brumavybpgrm\CLSID
HKCR\brumavybpgrm.brumavybpgrm\CurVer
HKCR\TypeLib\{7B6A2552-E65B-4A9E-ADD4-C45577FFD8FD}
C:\WINDOWS\$NTUNINSTALLMTF1011$\MMX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}
HKU\S-1-5-21-3138902052-692511197-3660026087-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0AE69231-D93A-40F6-A41B-38E2C9DFEBF3}
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\HCPHJQW.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Amy\Cookies\amy@serving-sys[1].txt
C:\Documents and Settings\Amy\Cookies\amy@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Amy\Cookies\amy@chitika[2].txt
C:\Documents and Settings\Amy\Cookies\amy@collective-media[2].txt
C:\Documents and Settings\Amy\Cookies\amy@adserver.adtechus[1].txt
C:\Documents and Settings\Amy\Cookies\amy@ad.yieldmanager[2].txt
C:\Documents and Settings\Amy\Cookies\amy@trafficmp[2].txt
C:\Documents and Settings\Amy\Cookies\amy@revsci[1].txt
C:\Documents and Settings\Amy\Cookies\amy@realmedia[1].txt
C:\Documents and Settings\Amy\Cookies\amy@bs.serving-sys[1].txt
C:\Documents and Settings\Amy\Cookies\amy@content.yieldmanager[3].txt
.divx.112.2o7.net [ C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
media.heavy.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\WXDUL2JR ]
media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\WXDUL2JR ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\WXDUL2JR ]
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-3138902052-692511197-3660026087-1006\SOFTWARE\FunWebProducts

Adware.AdRotator
HKLM\SOFTWARE\Street-Ads
HKLM\SOFTWARE\Street-Ads\sta
HKLM\SOFTWARE\Street-Ads\sta\instl
HKLM\SOFTWARE\Street-Ads\sta\instl#InstallDir
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$#NoRepair
HKU\S-1-5-21-3138902052-692511197-3660026087-1006\Software\Street-Ads
HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}
HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}\instl
HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}\instl\data
HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}\instl\data#afltId
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps\{38061EDC-40BB-4618-A8DA-E56353347E6D}
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps\{86AE9D98-AA26-48E8-BB92-A94D3D1D3CF4}
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps\{A6E9EECF-55F9-4709-86C6-69A4F037F8F5}
C:\WINDOWS\$NTUNINSTALLMTF1011$\apUninstall.exe
C:\WINDOWS\$NTUNINSTALLMTF1011$\mmduch.dll
C:\WINDOWS\$NTUNINSTALLMTF1011$
C:\Documents and Settings\Amy\Application Data\STREET-ADS\sta
C:\Documents and Settings\Amy\Application Data\STREET-ADS

Trojan.Agent/Gen-Faldesc
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\2A6.TMP
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\2A7.TMP
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\2A9.TMP
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\2AB.TMP
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\2AD.TMP
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\2B4.TMP
C:\DOCUMENTS AND SETTINGS\AMY\LOCAL SETTINGS\TEMP\2B5.TMP

Trojan.Agent/Gen-AdShot
C:\WINDOWS\SYSTEM32\A1890.DLL
C:\WINDOWS\SYSTEM32\E1890.DLL


4. Second MBAM Scan (I could barely get through this due to still persistant adware/malware/virus notification pop ups but managed after a couple reboots)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4518

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/1/2010 8:31:41 PM
mbam-log-2010-09-01 (20-31-41).txt

Scan type: Quick scan
Objects scanned: 156749
Time elapsed: 22 minute(s), 18 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
C:\Documents and Settings\Amy\Local Settings\Application Data\574364.exe (Rogue.SystemSecurity) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{e1ff9a5b-9e37-34a4-c18c-d43e8af69eee} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BetterThanBeforeBrandingSystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\betterthanbeforebrandingsystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\574364 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xncoawerms.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxsaocnmew.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\BetterThanBeforeBrandingSystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Amy\Local Settings\Application Data\574364.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\xncoawerms.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\rxsaocnmew.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\asmxcewrno.tmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\lqrog.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\emnasrocwx.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\unqo.exe (Rootkit.Bubnix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\wtpvaae.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\st_witty820_1930.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\oacsmwrenx.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\rowamnxces.tmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\BetterThanBeforeBrandingSystem\BetterThanBeforeBrandingSystem.dll (Adware.PlayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\BetterThanBeforeBrandingSystem\uninstall.exe (Adware.PlayMP3z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

I leave this in your capable hands.

Thanks in advance for any further assistance you can provide and for your time!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 31 August 2010 - 10:00 PM

OK,good you updated MBAM and reran it. The difficulty was needing to rerun RKill after the reboot.
But we made great progress. We may still need a rerun but first an Online scan.
How is it runnning after these???


ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.


About those DLL errors....

Its not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading... or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was mostly likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. Example: opebavukubonerav.dll

Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 aereissner

aereissner
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 01 September 2010 - 09:31 AM

Hi, One quick question before I proceed with the next steps, would I be performing these in safe mode or normal mode?
Thanks!

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 01 September 2010 - 02:53 PM

These two are in Normal..
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 aereissner

aereissner
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 05 September 2010 - 08:01 PM

Hi and sorry for the delay, been away for a few days!
I think we're almost there!

I did RKill then,
Ran the ESET which cleared the majority of the pop ups, then tried the autoruns which cleared the DLL error pop ups.
I am left with two threat messages that pop up.
1. Resident Shield Alert - "Multiple Threat Detections"
2. Access File Infected c: Windows/explore.exe - detected on open.

I am including the ESET log as requested.

C:\Documents and Settings\Amy\Local Settings\temp\stpbc641.exe a variant of Win32/Kryptik.GBY trojan
C:\Documents and Settings\Amy\Local Settings\temp\xjoqojgw.exe a variant of Win32/Cimag.DH trojan
C:\Documents and Settings\Amy\My Documents\LimeWire\Saved\feet on ground mayah maria original studio version.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Amy\My Documents\LimeWire\Saved\feet on ground mayah maria VBR.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Amy\My Documents\LimeWire\Saved\feet on ground mayah maria.wma probably a variant of Win32/Agent.GLICIDR trojan
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application
C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL Win32/Toolbar.AskSBar application
C:\WINDOWS\explorer.exe Win32/Bamital.DX trojan
C:\WINDOWS\monenc.dll a variant of Win32/Cimag.DH trojan
C:\WINDOWS\oleyiziyem.dll a variant of Win32/Cimag.CK trojan
C:\WINDOWS\opebavukubonerav.dll a variant of Win32/Cimag.CK trojan
C:\WINDOWS\system32\6to4v32.dll a variant of Win32/Wimpixo.AA trojan
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan
C:\WINDOWS\system32\qdiagdwc.ocx probably a variant of Win32/Genetik trojan
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.DX trojan
Operating memory Win32/Bamital.DX trojan

Thanks again!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 05 September 2010 - 10:27 PM

This is looking better,, These were some real nasty infections..
I want to Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 aereissner

aereissner
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 05 September 2010 - 11:10 PM

You're tellin' me! I thought my puter was a gonner this time! Likely through Limewire my son uses, now removed!

Here's the next quick scan log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4553

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/7/2010 12:07:14 AM
mbam-log-2010-09-07 (00-07-14).txt

Scan type: Quick scan
Objects scanned: 156784
Time elapsed: 14 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 06 September 2010 - 08:46 AM

Great!! let's finaly check for Rootkits. Not sure how much yime i'll have today but i will look back somewhere.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 aereissner

aereissner
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 06 September 2010 - 09:29 AM

Root Repeal Report

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/09/07 10:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8CEE000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\networkservice\cookies\system@fastclick[1].txt
Status: Size mismatch (API: 594, Raw: 551)

Path: c:\documents and settings\networkservice\cookies\system@scanscout[1].txt
Status: Size mismatch (API: 395, Raw: 365)

Path: C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@zedo[2].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\login_status[3].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\5-1005614[2].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\adStreamJSController[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\CAA81IBTCAZKIMUOCAIKEH5ICAZM7R4YCAX71H8ICAEHZADQCA8ADOTYCA3M1P23CA6HUKS3CARFWK1ZCAUK9LNECARI3VHYCA9XW7F7CAY6QF1VCA6PSCRZCA81OWWICA86RP4ECAL7938RCAM3029W
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\comment-func[6].php
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\fmr[10].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\fmr[8].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\fmr[9].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\services[1].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\014PPK5R\wp-postviews[1].htm
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xaa54f620

==EOF==

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 06 September 2010 - 07:25 PM

This looks good . Do you still have those error messages or popups??
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 aereissner

aereissner
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 06 September 2010 - 07:33 PM

Yes, the last two are still popping up.
1. Resident Shield Alert - "Multiple Threat Detections"
2. Access File Infected c: Windows/explore.exe - detected on open.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 06 September 2010 - 09:17 PM

I should have also asked you which application is showing these.

We are going to run a long deep scan next with Drweb-cureit.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 aereissner

aereissner
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 11 September 2010 - 03:26 PM

OK, hi 5!
I think that did the trick!
Thank you so much for your time and assistance, greatly appreciated!

Here is the log just so you can make sure..

Process in memory: C:\WINDOWS\system32\svchost.exe:1060;;BackDoor.Tdss.565;Eradicated.;
winlogon.exe;C:\WINDOWS\system32;Win32.Dat.3;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
stpbc641.exe;C:\DOCUME~1\Amy\LOCALS~1\Temp;Trojan.Click1.25301;Deleted.;
xjoqojgw.exe;C:\DOCUME~1\Amy\LOCALS~1\Temp;BackDoor.Tdss.4037;Deleted.;
feet on ground mayah maria original studio version.mp3;C:\Documents and Settings\Amy\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
feet on ground mayah maria VBR.mp3;C:\Documents and Settings\Amy\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
A9RA414.tmp;C:\WINDOWS\temp;Exploit.PDF.1523;Deleted.;
explorer.exe;c:\windows;Win32.Dat.3;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
A0000377.exe\___\adInstlPlg.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000377.exe;Trojan.Siggen2.647;;
A0000377.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1;Container contains infected objects;Moved.;
monenc.dll;C:\WINDOWS;BackDoor.Tdss.4037;Deleted.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;

P.S. Can you recommend a good antivurus program ?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users