Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Infection and such


  • This topic is locked This topic is locked
9 replies to this topic

#1 dubbleii

dubbleii

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:06 AM

Posted 08 December 2010 - 06:39 PM

Please help. I have windows xp 2002.

This is the system look log:

SystemLook 04.09.10 by jpshortstuff
Log created at 22:44 on 19/11/2010 by Administrator
Administrator - Elevation successful

========== reg ==========

[HKEY_CURRENT_USER\SOFTWARE\QNB2EB90WX]
"Apu7"="xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr16ecGpxWwUaOWYn7Q=="
"Apu9"="7SDUIc7NyUn+3sclxwY/uFru3YoUrrsl1guavGK5ggBc0pw7+s8i7tHcaKqvEU+clbWGSynk5zeta0YsaCMifiFXr6IFUaa1ckpl/G0DF6TGcsqayrFNxHEr+lJFj1KOlIwiUDTQg25XjHof/8pNTnbXzzT6JoRpEmm0ZfE2AiG3Up6h+tSgnYkEz6RzmpOQIGVkeqXt0/hju5j2J7yfe7CN/aZm4ZzInzEs4J4DkiPfbIeSdzmjrv9vsHnTSzXCLihtKSPEqw6qMT5SvNTUROjUzqQrATQh95NCZEs40z9gm3Fd2Af0rTpRtNooxn7d/hMs3SsmMMlcp0lz9NYlu33l+LIbMgZoZ9hKTF99Qf9PM0inQCtnxfxrx7jONGVd5Mw6cmOjIfXITeiV2fggcFEtGe00cOd4X/H8Cd16QN6NS+yCcSBKZ4c="
"Alu7"= 0x0001cb199c (30087580)
"AluK"= 0x002e46de20 (776396320)
"AluL"= 0x000000000e (14)
"ApuA"="tSLPLpWL7R22spR48AI743bz2Kge8sEUw0qiuHy2iAog1s0v9M0gqMzCQfK0HljtkauXVCGbnnfra35yNQwaJTgv68pZQ/3ySGBDoDoWM6yAXu2H0qZ61FYX5n9D2QXxqbEnBnzwpjYL9yRfp/EQSAbsyAraONgJB3/6OPp3GyHDTYCjrc7sqM40+JErmIzaB2QhZba725R1sr2kOfmVOMnMlPUv0JruzRQ9mA=="
"ApuM"="tSbFNJuL/h22spR48AI743bz2Kge8sEYxUysqiamkxVuzc807482s8iCTbO2Ek2jzfCVUG+quwulcjITAW1SJDp5+o1eQv24CyZHvzELJvDNUu/Fn7ttw1wJ4CVa3hvj9qwlVm2I3lMJj1w6u+cQXVb7h1HFIscVAGWsdqgsQCSKB8umpdLq4oM4+tNmhZvNDXonP6+8xYYqr7/0KIHtaNim+71o2oG+"
"Alu0"= 0x000000000e (14)
"AluA"= 0x0001cb18de (30087390)
"AluM"= 0x00fb672b80 (-77124736)
"Alu9"= 0x0000015180 (86400)


[HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W]
"AluL"="FOqmUtjORx7c8w=="
"AluN"="Gbv+C4eSExjnyIpWf4+pYXAo/2QGxA/X94OiMMEM3fg237X11Fld7MwcCBRfcPq52epvdMeg//Fz+p6csSavmjbegPbMh5Ws5LOVY+QpNNejse3xVVQVM8PRlI/Y09kTGBCuZtft3u95dQQPiGfxVLt5K5CQIh4oohgIWlQvlpIxi0HWzF82M4gmCyMRI9WjYOMgWGREmdPce8fPwQZN803Ivid0+IwzmVcCDyRpwN+9aWRCQiHjRMG/Ua25E9fi3ZtMlov7k4GazKFH"
"AgeR"= 0x0000015180 (86400)
"AgeX"= 0x000000000d (13)
"AgeP"= 0x0000000e10 (3600)
"AgeL"= 0x00000000d5 (213)
"AgeU"= 0x0000000064 (100)
"Age5"= 0x000000014b (331)
"AgeEU"= 0x0000000000 (0)
"AgeN"= 0x0001cb199a (30087578)
"AgeE"= 0x00f74f04c0 (-145816384)
"AluE"="aLfrDI2XFQne7LNKIp6qLHAm+HlZigWC9fCZDfBc0fkpjPzW1FlN7JUMRzckMavInKg/Qr/hrKEGu42BjXnW+BHQ3A=="
"AluX"="ZuLNIa64IWuvvLI2S7mICE4O8iFnqi/6lPGZOoQgs7J0x4Dgk1NI9w=="
"AluP"="QbnlBNyuOG7blco5U6yHDVN/wGBathPMvdieEoUItJZX353j2wJGtZc1PgE+duyrwvRtPoe50dMf4NKekk3g4Gi7k+HpzL2T64qFM782bbu2+bewbRsFKuHcm6/K3+UbcEjzRpu/85V5VyJLhlOXcKtmO/aOHzwl7z0ZeT8RqPlBiUPooWsWAYI3WVlGNMHRf+kkGR8OxdiqJ86KzzxOly/u5wZ3+9hukWwRTQk+yISvZFdEYjbABp62U8TUAJXchvN/x97Typi595IaKd2dX9WzfKF/yvjqWJWMXsXZL348Bpun5h+8FyLkK27tcOQ2dpb3x++BKQLGyTljNZYGnvFFzWtiA4FGcv52+7GoRrq+4I3+cMx7K9b68dQ3EHJG2VrXYtCk7LPrfGPyMFpi+jySRsRW6vC++KXslJqfsNkUR/Sh5tepDmXUjPheIV8ygw22xZos5FaxfmYoxAfiaxZ5amXXmphwwqzYQeaj6BKK8DvmFaXF9HjpxDEtWrew92ZbZoZG3ll9CfLju3jhScTKUJV4BDL/JS2hcKbf4gF9sthcKC2OsegKdiO0XLOn6IhkEU8sd/h/sC8E7bkdodm5QMZbZqw5bbjFDzCIRqEILWKaxTnbvuOgil4GhBq/mTSCzXU8KOAXRrOq1Y8GPMsxRWBwgnOaAFA7mfR/MRGuLs92hn4XCCH4lPnQ6jHZD9Sv1JE7WPp1pO8+b8M9Ux9+ghflB9maeZ4Q809mLszGzb+OTGnu3+r+Dzx6XQD+558ed6MFKdT3RN/RJ5TTSKy80W22sOGc/sbjbHYRch9yWDViyFe33Sp4hrp+yq4hDKrlV5l+4NWDa95NZm4fkrIANa6n/xgvFNfe7A1GbDqJHeRf2WRo4BAe+QXpUb6fJCNlHFyzB3MPy6NBP/b23IguhJUglMVtE9ydyO0T1RNoV503m0HPfixaLVZgN2hIo5kwggA8QPD0Hx+6TOO2yhBnDp22ybIrCui3uB7rGU4dsW5+LopexbjVulB3UX


-= EOF =-


Thanks.

~dubbleii

BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:06 PM

Posted 08 December 2010 - 07:02 PM

Download OTL to your desktop.

Open OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:reg
[-HKEY_CURRENT_USER\SOFTWARE\QNB2EB90WX]
[-HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Now please run OTL on Scan as shown below

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Posted Image
m0le is a proud member of UNITE

#3 dubbleii

dubbleii
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:06 AM

Posted 08 December 2010 - 08:13 PM

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\QNB2EB90WX\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.17.3 log created on 12082010_201208

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:06 PM

Posted 08 December 2010 - 08:18 PM

That was easy. I suspect the registry entries are just leftovers but to be sure...


Please run MBAM and SAS next

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Posted Image
m0le is a proud member of UNITE

#5 dubbleii

dubbleii
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:06 AM

Posted 08 December 2010 - 10:10 PM

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5275

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2010 10:08:33 PM
mbam-log-2010-12-08 (22-08-33).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 346695
Time elapsed: 55 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{4f8c7447-2867-42e9-b614-082a4636ada8}\RP2\A0000574.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4f8c7447-2867-42e9-b614-082a4636ada8}\RP2\A0000576.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

#6 dubbleii

dubbleii
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:06 AM

Posted 08 December 2010 - 11:12 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/08/2010 at 11:09 PM

Application Version : 4.46.1000

Core Rules Database Version : 5975
Trace Rules Database Version: 3787

Scan type : Complete Scan
Total Scan Time : 00:47:34

Memory items scanned : 419
Memory threats detected : 0
Registry items scanned : 6954
Registry threats detected : 0
File items scanned : 21977
File threats detected : 0

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:06 PM

Posted 09 December 2010 - 03:36 PM

That looks like that then, dubbleii.

Any problems or questions before we wrap this up
Posted Image
m0le is a proud member of UNITE

#8 dubbleii

dubbleii
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:06 AM

Posted 09 December 2010 - 06:42 PM

I think that's it.

Thanks for your help.

dubbleii

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:06 PM

Posted 09 December 2010 - 07:58 PM

Great, let's clear up then

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
  • Reopen Posted Image on your desktop.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le
Posted Image
m0le is a proud member of UNITE

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:06 PM

Posted 14 December 2010 - 08:51 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users