
Another Vista 2011 victim


6 replies to this topic

#1 jazzermonty


Posted 01 April 2011 - 03:36 PM

Hello folks

I came across this site while trying to battle with the vista 2011 security malware virus. A little history here to get the picture clear.

I located the *.exe file for vista in c:Users\username\AppData\local.

In my case, the exe was named uty.exe and utb.exe (all internet info is for pw.exe). So I must have the latest version :crazy:

Anyway, by enabling the folder options for view hidden files and folders and view system files and folders I managed to delete the exe's. :wacko: I also corrected the registry entries (Repair_fix didn't cut it so had to do it manually by searching for uty.exe, and had to run Error_Repair_file.exe to make my exe files run again).

Now it looks like I've cleared the vista problem, but still have some malware on my system. When I use the internet with Google as my search engine, I always get a redirect. So far I've tried to run Malwarebytes, AVG and SmitFraudFix but to no avail.

I isolated the following files on my system:

d3d9caps.dat - interwebs hinting that this can be malware. Re-ran the internet with Task Manager open hoping the file would be rewritten by the rogue exe, but no.

Yxotogija.bin - no idea what this is, but it got updated the last time the system updated itself with the virus, so it got trashed.

Ghosebuqage.dat - as above.

I followed the instructions on your sticky post and ran the following:

Defogger - no probs

DDS - no probs (logs available)

GMER - system hangs at the following:

Device \Device\Ide\IAAStorageDevice-0-> \??\IDE#DiskWDC_WD120... device not found

Am going to run the microsoft malware detection software but I don't hold much hope. It'll take a few hours to complete and will post back later. Any help here would be appreciated.

Many thanks

P.S. Let me know if you want the logs (following the rules).

#2 jazzermonty


Posted 02 April 2011 - 05:36 AM

Hello again

Ran the Microsoft malware detection in safe mode. Left it running all night. Reported back no infection. Now going to repeat the same process in normal mode.

#3 jazzermonty


Posted 02 April 2011 - 05:41 AM

Windows Live OneCare cannot run, error 0x0c600c03. Man, this is bad.

#4 river58


Posted 02 April 2011 - 09:52 AM

Please download Malwarebytes HERE, then run a full scan. When the scan is done, post the log here.

Edited by river58, 02 April 2011 - 10:00 AM.


#5 jazzermonty


Posted 02 April 2011 - 02:29 PM

Please download Malwarebytes HERE, then run a full scan. When the scan is done, post the log here.

Hi River, thanks for the response. You'll see from below that MalwareBytes can't detect the intrusion:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6234

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

02/04/2011 13:08:00
mbam-log-2011-04-02 (13-07-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 303642
Time elapsed: 1 hour(s), 13 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This virus is also interfering with my HotKey app, as it keeps crashing while the machine is running in normal mode (Windows C++ runtime error).

Thanks

#6 jazzermonty


Posted 02 April 2011 - 05:17 PM

So I ran the ESET tool (hat tip to Woofsta) and this is the report:

C:\ISP\AOL\stdnet_updater.exe	probably a variant of Win32/StartPage.LWOOMNQ trojan
C:\ISP\AOL\comps\acs\acssetup.exe	probably a variant of Win32/StartPage.LWOOMNQ trojan
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL	a variant of Win32/Toolbar.MyWebSearch application
C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL	Win32/Toolbar.AskSBar application
C:\Qoobox\Quarantine\C\Users\jazzermonty\Total_Video_Converter_v3.50.exe.vir	multiple threats
C:\Qoobox\Quarantine\C\Users\jazzermonty\AppData\Local\wieclic.dll.vir	a variant of Win32/Cimag.GN trojan
C:\Qoobox\Quarantine\C\Users\jazzermonty\AppData\Roaming\E7EBB75DC2ABBBBF66A57424BDACF532\enemies-names.txt.vir	Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Users\jazzermonty\AppData\Roaming\E7EBB75DC2ABBBBF66A57424BDACF532\local.ini.vir	Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\jazzermonty\Total_Video_Converter_v3.50.exe	multiple threats
C:\Users\jazzermonty\WinX.DVD.Ripper.Platinum.v5.9.2.Incl.Key.rar	a variant of Win32/Injector.BDJ trojan
C:\Users\jazzermonty\Acker.DVD.to.AVI.Converter.v2.0.26.WinAll.Incl.KeyGen-NeoX\keygen.exe	a variant of Win32/Keygen.AM application
C:\Users\jazzermonty\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110330233926549.rsc	Win32/Olmarik.ARI trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\146c3768-7ece2527	a variant of Java/TrojanDownloader.OpenStream.NBM trojan
Operating memory	Win32/Toolbar.AskSBar application

Ooops
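Reading a report like the one above by hand is error-prone, especially when it mixes live files, in-memory hits and items ComboFix already moved into its C:\Qoobox\Quarantine folder. As an added example (not code from the thread, from ESET or from BleepingComputer), this Python snippet parses the path<TAB>detection lines, marks already-quarantined and in-memory entries, and sorts trojans ahead of "application" (potentially unwanted) hits so the items that still need attention come first. The sample lines are a constructed subset of the posted report with the username replaced.

```python
import re
from collections import Counter

# Constructed subset of the ESET report above, in its "path<TAB>detection" format.
SAMPLE_REPORT = (
    "C:\\ISP\\AOL\\stdnet_updater.exe\tprobably a variant of Win32/StartPage.LWOOMNQ trojan\n"
    "C:\\Program Files\\AskSBar\\SrchAstt\\1.bin\\A2SRCHAS.DLL\tWin32/Toolbar.AskSBar application\n"
    "C:\\Qoobox\\Quarantine\\C\\Users\\user\\AppData\\Local\\wieclic.dll.vir\ta variant of Win32/Cimag.GN trojan\n"
    "C:\\Users\\user\\Total_Video_Converter_v3.50.exe\tmultiple threats\n"
    "C:\\Users\\user\\AppData\\Roaming\\AVG\\Rescue\\PC Tuneup 2011\\110330233926549.rsc\tWin32/Olmarik.ARI trojan\n"
    "Operating memory\tWin32/Toolbar.AskSBar application\n"
)

# ComboFix's quarantine folder, as seen in the report: hits there are already neutralised.
QUARANTINE_PREFIXES = ("C:\\Qoobox\\Quarantine\\",)

# Rank used when ordering the triage list (lower = look at it first).
SEVERITY = {"trojan": 0, "multiple": 1, "application": 2}


def parse_eset_report(text):
    """Turn each 'path<TAB>detection' line into a record with a coarse category."""
    records = []
    for line in text.splitlines():
        if "\t" not in line:
            continue  # skip headers or blank lines
        path, detection = line.split("\t", 1)
        detection = detection.strip()
        # ESET ends a detection name with its type ('trojan', 'application', ...);
        # 'multiple threats' is the one summary wording without a family name.
        kind = "multiple" if detection == "multiple threats" else detection.rsplit(" ", 1)[-1].lower()
        family = re.search(r"\b[A-Za-z0-9]+/[A-Za-z0-9.]+", detection)
        records.append({
            "path": path,
            "detection": detection,
            "kind": kind,
            "family": family.group(0) if family else None,
            "quarantined": path.startswith(QUARANTINE_PREFIXES),
            "in_memory": path == "Operating memory",
        })
    return records


def triage(records):
    """Detections still live on the system, most severe category first (stable sort)."""
    live = [r for r in records if not r["quarantined"]]
    return sorted(live, key=lambda r: SEVERITY.get(r["kind"], 9))


def summarize(records):
    """Count detections per category, e.g. Counter({'trojan': 3, 'application': 2, 'multiple': 1})."""
    return Counter(r["kind"] for r in records)
```

The in-memory AskSBar hit and the Olmarik (TDSS) entry surface at the top of the triage list, which is the kind of result that explains why a signature scan can report clean while redirects continue.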

#7 Budapest


Posted 04 April 2011 - 01:24 AM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
