Curse Winfixer!


This topic is locked. 17 replies to this topic.

#1 cloudmd

  • Members
  • 10 posts

Posted 05 January 2006 - 01:39 PM

I tried looking at the other boards about this problem, but each post seemed like a different method than the next. I guess the problem differs with each HijackThis log. Anyway, I'd really appreciate the help on taking care of this problem. Here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 10:33:28 AM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\smncs.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Mya\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: (no name) - {EBFD4578-D8E7-8D60-BACF-F43D065F76B3} - C:\WINDOWS\system32\anmxi.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134546244878
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 05 January 2006 - 06:09 PM

Hello,

First of all, you are still using a previous version of HijackThis, so please update your version by starting HijackThis and clicking 'Misc Tools' > Check for update online. Download the new version (1.99.1), unzip it and make sure you put it in a permanent folder.
(If the update option doesn't work, please download your new version here.)

Please post a new log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cloudmd
  • Topic Starter

  • Members
  • 10 posts

Posted 05 January 2006 - 09:40 PM

Thanks for telling me. Here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:01 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\smncs.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\banmanpro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mya\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: (no name) - {EBFD4578-D8E7-8D60-BACF-F43D065F76B3} - C:\WINDOWS\system32\anmxi.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134546244878
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: gebyy - C:\WINDOWS\SYSTEM32\gebyy.dll
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 06 January 2006 - 03:57 AM

Download VirtumundoBeGone from:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop

* reboot your system
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

VirtumundoBeGone generates a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here together with a new HijackThis log.

I also want to know what it is, so can you go to the next site:
http://virusscan.jotti.org/

On top you'll find: File to upload and scan.
Now browse to the next file:

C:\windows\banmanpro.exe

Click submit and let it scan.
Post the results also in your next reply.

#5 cloudmd
  • Topic Starter

  • Members
  • 10 posts

Posted 06 January 2006 - 01:34 PM

Ok I scanned the banmanpro.exe and came up with this:

File: banmanpro.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 ec0fdfb79807b480019806a499f7c8b4
Packers detected: -
Scanner results
AntiVir Found Trojan/Click.VB.KC.3
ArcaVir Found Trojan.Clicker.Vb.Kc
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Popuper
F-Prot Antivirus Found nothing
Fortinet Found Adware/VB
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.VB.kc
NOD32 Found a variant of Win32/TrojanClicker.VB.KC
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Clicker.Win32.VB.kc

When I ran VirtumundoBeGone.exe I got this:

[01/06/2006, 12:16:45] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mya\Desktop\VirtumundoBeGone.exe" )
[01/06/2006, 12:16:52] - Detected System Information:
[01/06/2006, 12:16:52] - Windows Version: 5.1.2600, Service Pack 2
[01/06/2006, 12:16:52] - Current Username: Mya (Admin)
[01/06/2006, 12:16:52] - Windows is in NORMAL mode.
[01/06/2006, 12:16:52] - Searching for Browser Helper Objects:
[01/06/2006, 12:16:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 12:16:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2006, 12:16:52] - BHO 3: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/06/2006, 12:16:52] - ALERT: Found ATLDistrib Object!
[01/06/2006, 12:16:52] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} ()
[01/06/2006, 12:16:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2006, 12:16:52] - Checking for HKLM\...\Winlogon\Notify\gebyy
[01/06/2006, 12:16:52] - Found: HKLM\...\Winlogon\Notify\gebyy - This is probably Virtumundo.
[01/06/2006, 12:16:52] - Assigning {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} MSEvents Object
[01/06/2006, 12:16:52] - BHO list has been changed! Starting over...
[01/06/2006, 12:16:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 12:16:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2006, 12:16:52] - BHO 3: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/06/2006, 12:16:52] - ALERT: Found ATLDistrib Object!
[01/06/2006, 12:16:52] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[01/06/2006, 12:16:52] - ALERT: Found MSEvents Object!
[01/06/2006, 12:16:52] - BHO 5: {EBFD4578-D8E7-8D60-BACF-F43D065F76B3} ()
[01/06/2006, 12:16:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2006, 12:16:52] - Checking for HKLM\...\Winlogon\Notify\anmxi
[01/06/2006, 12:16:52] - Key not found: HKLM\...\Winlogon\Notify\anmxi, continuing.
[01/06/2006, 12:16:52] - Finished Searching Browser Helper Objects
[01/06/2006, 12:16:52] - *** Detected ATLDistrib Object
[01/06/2006, 12:16:52] - *** Detected MSEvents Object
[01/06/2006, 12:16:52] - Trying to remove ATLDistrib Object...
[01/06/2006, 12:16:53] - Terminating Process: IEXPLORE.EXE
[01/06/2006, 12:16:54] - Terminating Process: RUNDLL32.EXE
[01/06/2006, 12:16:54] - Disabling Automatic Shell Restart
[01/06/2006, 12:16:54] - Terminating Process: EXPLORER.EXE
[01/06/2006, 12:16:54] - Suspending the NT Session Manager System Service
[01/06/2006, 12:16:54] - Terminating Windows NT Logon/Logoff Manager

Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:19 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\smncs.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mya\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: MSEvents Object - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: (no name) - {EBFD4578-D8E7-8D60-BACF-F43D065F76B3} - C:\WINDOWS\system32\anmxi.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134546244878
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: gebyy - C:\WINDOWS\SYSTEM32\gebyy.dll
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
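The VirtumundoBeGone log posted above shows the heuristic the tool applies: a BHO that has no default name is checked against HKLM\...\Winlogon\Notify for a key with the same base name as its DLL (gebyy was matched that way, anmxi was not), while the class names it already knows (ATLDistrib Object, MSEvents Object) are alerted on directly. The Python below, added here as an example and not taken from this thread or from the HijackThis or VirtumundoBeGone authors, reproduces that correlation over HijackThis-format lines so a defender can apply the same check to a log before deciding which O2 and O20 entries belong together. The function names and the SAMPLE_LOG string are my own constructions; the entries inside the sample are copied from the logs posted in this thread.

```python
import re

# Constructed sample in HijackThis format; the O2 and O20 entries are the ones
# quoted in this thread (CLSIDs and DLL names as posted), a benign Adobe BHO and
# the Webroot Winlogon Notify entry included as negatives.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: (no name) - {EBFD4578-D8E7-8D60-BACF-F43D065F76B3} - C:\WINDOWS\system32\anmxi.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\SYSTEM32\gebyy.dll
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# HijackThis line shapes for the two sections this check correlates.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Class names the VirtumundoBeGone log in this thread alerts on by name.
KNOWN_VUNDO_NAMES = {"ATLDistrib Object", "MSEvents Object"}


def parse_entries(log_text):
    """Split a HijackThis log into O2 BHO records and a map of O20 Notify keys."""
    bhos, notifies = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Registry key names are case-insensitive; normalise for matching.
            notifies[m.group("key").lower()] = m.group("path")
    return bhos, notifies


def dll_basename(path):
    """Last path component without its extension, lower-cased (Windows paths)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def flag_suspicious_bhos(log_text):
    """Return the BHOs that the Virtumundo heuristic would flag, with reasons.

    Mirrors the posted VirtumundoBeGone log: known class names are flagged
    outright; an unnamed BHO is flagged only when a Winlogon Notify key with
    the same base name as its DLL exists (the tool's "probably Virtumundo").
    """
    bhos, notifies = parse_entries(log_text)
    findings = []
    for bho in bhos:
        base = dll_basename(bho["path"])
        reasons = []
        if bho["name"] in KNOWN_VUNDO_NAMES:
            reasons.append("known Vundo class name")
        if bho["name"] == "(no name)" and base in notifies:
            reasons.append("unnamed BHO with matching Winlogon Notify key")
        if reasons:
            findings.append({"clsid": bho["clsid"], "dll": base, "reasons": reasons})
    return findings


def report(log_text):
    """One line per finding, in the order the BHOs appear in the log."""
    return [f"{f['clsid']} ({f['dll']}.dll): {'; '.join(f['reasons'])}"
            for f in flag_suspicious_bhos(log_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample this flags geeba.dll (by class name) and gebyy.dll (unnamed, with a matching Notify key) and leaves anmxi.dll alone, which is exactly the sequence of ALERT / "Key not found ... continuing" lines in the posted log; anmxi.dll still needs a separate look, since passing this one heuristic does not make it benign.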

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 06 January 2006 - 01:47 PM

Hello,

Did you reboot after running VirtumundoBeGone? Looks like the fix didn't do anything in here...
Unless Microsoft antispyware was interfering...

Let's clean up a bit more first...

First delete: C:\windows\banmanpro.exe

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\smncs.exe

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system must reboot now.

After reboot...

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Then:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - Default URLSearchHook is missing
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: MSEvents Object - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: (no name) - {EBFD4578-D8E7-8D60-BACF-F43D065F76B3} - C:\WINDOWS\system32\anmxi.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: gebyy - C:\WINDOWS\SYSTEM32\gebyy.dll
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Some entries won't get fixed.. that is normal. Also, if your BitDefender gives an alert that something at startup has been modified, allow this instead of blocking it.

Run VirtumundoBeGone a second time.
Please REBOOT afterwards and post the VirtumundoBeGone log together with a new HijackThis log after reboot.

Edit: also run this removal tool:

http://www.jayloden.com/AIMFix.exe

Edited by miekiemoes, 06 January 2006 - 01:54 PM.


#7 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 06 January 2006 - 02:13 PM

By the way.. I just researched the other infection you are also dealing with and I strongly recommend you disconnect your internet immediately. Only connect it for downloading the tools and posting the logs.

The reason is because you are also dealing with this:

http://www.sophos.com/virusinfo/analyses/w32tilebotck.html

Having this on your system infects other systems as well and steals your personal information including passwords etc..

Your system is badly compromised and I hope we can fix all the damage it already caused.

#8 cloudmd
  • Topic Starter

  • Members
  • 10 posts

Posted 06 January 2006 - 03:12 PM

Holy crap, no way! How did that get on my computer?!

Well, what do you suggest I do to get rid of it?

Anyway, here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:38 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mya\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134546244878
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

and here's the Virtumundo log:


[01/06/2006, 12:16:45] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mya\Desktop\VirtumundoBeGone.exe" )
[01/06/2006, 12:16:52] - Detected System Information:
[01/06/2006, 12:16:52] - Windows Version: 5.1.2600, Service Pack 2
[01/06/2006, 12:16:52] - Current Username: Mya (Admin)
[01/06/2006, 12:16:52] - Windows is in NORMAL mode.
[01/06/2006, 12:16:52] - Searching for Browser Helper Objects:
[01/06/2006, 12:16:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 12:16:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2006, 12:16:52] - BHO 3: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/06/2006, 12:16:52] - ALERT: Found ATLDistrib Object!
[01/06/2006, 12:16:52] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} ()
[01/06/2006, 12:16:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2006, 12:16:52] - Checking for HKLM\...\Winlogon\Notify\gebyy
[01/06/2006, 12:16:52] - Found: HKLM\...\Winlogon\Notify\gebyy - This is probably Virtumundo.
[01/06/2006, 12:16:52] - Assigning {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} MSEvents Object
[01/06/2006, 12:16:52] - BHO list has been changed! Starting over...
[01/06/2006, 12:16:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 12:16:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2006, 12:16:52] - BHO 3: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/06/2006, 12:16:52] - ALERT: Found ATLDistrib Object!
[01/06/2006, 12:16:52] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[01/06/2006, 12:16:52] - ALERT: Found MSEvents Object!
[01/06/2006, 12:16:52] - BHO 5: {EBFD4578-D8E7-8D60-BACF-F43D065F76B3} ()
[01/06/2006, 12:16:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2006, 12:16:52] - Checking for HKLM\...\Winlogon\Notify\anmxi
[01/06/2006, 12:16:52] - Key not found: HKLM\...\Winlogon\Notify\anmxi, continuing.
[01/06/2006, 12:16:52] - Finished Searching Browser Helper Objects
[01/06/2006, 12:16:52] - *** Detected ATLDistrib Object
[01/06/2006, 12:16:52] - *** Detected MSEvents Object
[01/06/2006, 12:16:52] - Trying to remove ATLDistrib Object...
[01/06/2006, 12:16:53] - Terminating Process: IEXPLORE.EXE
[01/06/2006, 12:16:54] - Terminating Process: RUNDLL32.EXE
[01/06/2006, 12:16:54] - Disabling Automatic Shell Restart
[01/06/2006, 12:16:54] - Terminating Process: EXPLORER.EXE
[01/06/2006, 12:16:54] - Suspending the NT Session Manager System Service
[01/06/2006, 12:16:54] - Terminating Windows NT Logon/Logoff Manager

[01/06/2006, 13:55:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mya\Desktop\VirtumundoBeGone.exe" )
[01/06/2006, 13:55:30] - Detected System Information:
[01/06/2006, 13:55:30] - Windows Version: 5.1.2600, Service Pack 2
[01/06/2006, 13:55:30] - Current Username: Mya (Admin)
[01/06/2006, 13:55:30] - Windows is in NORMAL mode.
[01/06/2006, 13:55:30] - Searching for Browser Helper Objects:
[01/06/2006, 13:55:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 13:55:30] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2006, 13:55:30] - BHO 3: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/06/2006, 13:55:30] - ALERT: Found ATLDistrib Object!
[01/06/2006, 13:55:30] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} ()
[01/06/2006, 13:55:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2006, 13:55:30] - Checking for HKLM\...\Winlogon\Notify\gebyy
[01/06/2006, 13:55:30] - Found: HKLM\...\Winlogon\Notify\gebyy - This is probably Virtumundo.
[01/06/2006, 13:55:30] - Assigning {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} MSEvents Object
[01/06/2006, 13:55:30] - BHO list has been changed! Starting over...
[01/06/2006, 13:55:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 13:55:30] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2006, 13:55:30] - BHO 3: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/06/2006, 13:55:30] - ALERT: Found ATLDistrib Object!
[01/06/2006, 13:55:30] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[01/06/2006, 13:55:30] - ALERT: Found MSEvents Object!
[01/06/2006, 13:55:30] - Finished Searching Browser Helper Objects
[01/06/2006, 13:55:30] - *** Detected ATLDistrib Object
[01/06/2006, 13:55:30] - *** Detected MSEvents Object
[01/06/2006, 13:55:30] - Trying to remove ATLDistrib Object...
[01/06/2006, 13:55:31] - Terminating Process: IEXPLORE.EXE
[01/06/2006, 13:55:32] - Terminating Process: RUNDLL32.EXE
[01/06/2006, 13:55:32] - Disabling Automatic Shell Restart
[01/06/2006, 13:55:32] - Terminating Process: EXPLORER.EXE
[01/06/2006, 13:55:32] - Suspending the NT Session Manager System Service
[01/06/2006, 13:55:32] - Terminating Windows NT Logon/Logoff Manager
[01/06/2006, 14:01:00] - Re-enabling Automatic Shell Restart
[01/06/2006, 14:01:00] - File to disable: C:\WINDOWS\system32\geeba.dll
[01/06/2006, 14:01:00] - Renaming C:\WINDOWS\system32\geeba.dll -> C:\WINDOWS\system32\geeba.dll.vir
[01/06/2006, 14:01:00] - File successfully renamed!
[01/06/2006, 14:01:00] - Removing HKLM\...\Browser Helper Objects\{93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/06/2006, 14:01:00] - Removing HKCR\CLSID\{93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/06/2006, 14:01:00] - Adding Kill Bit for ActiveX for GUID: {93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/06/2006, 14:01:00] - Deleting ATLEvents/MSEvents Registry entries
[01/06/2006, 14:01:00] - Removing HKLM\...\Winlogon\Notify\geeba
[01/06/2006, 14:01:00] - Trying to remove MSEvents Object...
[01/06/2006, 14:01:01] - Terminating Process: IEXPLORE.EXE
[01/06/2006, 14:01:02] - Terminating Process: RUNDLL32.EXE
[01/06/2006, 14:01:02] - Disabling Automatic Shell Restart
[01/06/2006, 14:01:02] - Terminating Process: EXPLORER.EXE
[01/06/2006, 14:01:02] - Suspending the NT Session Manager System Service
[01/06/2006, 14:01:02] - Terminating Windows NT Logon/Logoff Manager
[01/06/2006, 14:01:02] - Re-enabling Automatic Shell Restart
[01/06/2006, 14:01:02] - File to disable: C:\WINDOWS\system32\gebyy.dll
[01/06/2006, 14:01:02] - Renaming C:\WINDOWS\system32\gebyy.dll -> C:\WINDOWS\system32\gebyy.dll.vir
[01/06/2006, 14:01:02] - File successfully renamed!
[01/06/2006, 14:01:02] - Removing HKLM\...\Browser Helper Objects\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/06/2006, 14:01:02] - Removing HKCR\CLSID\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/06/2006, 14:01:02] - Adding Kill Bit for ActiveX for GUID: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/06/2006, 14:01:02] - Deleting ATLEvents/MSEvents Registry entries
[01/06/2006, 14:01:02] - Removing HKLM\...\Winlogon\Notify\gebyy
[01/06/2006, 14:01:02] - Searching for Browser Helper Objects:
[01/06/2006, 14:01:02] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 14:01:02] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2006, 14:01:02] - Finished Searching Browser Helper Objects
[01/06/2006, 14:01:02] - Finishing up...
[01/06/2006, 14:01:02] - A restart is needed.
[01/06/2006, 14:01:36] - Attempting to Restart via STOP error (Blue Screen!)

I ran AIMfix too already.

Everything is running well so far... I'm worried about the worm.
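The VirtumundoBeGone log above shows the heuristic that tool applies: a BHO with no default name, living in system32, whose DLL stem also appears under HKLM\...\Winlogon\Notify (gebyy, geeba) is treated as Virtumundo, because the Winlogon Notify registration is what reloads the DLL at every logon. The script below is an added example that applies the same correlation to HijackThis O2/O20 lines; it is not part of VirtumundoBeGone or HijackThis. The two legitimate BHOs and the WRNotifier line are copied from the log in this thread; the geeba/gebyy O2 and O20 lines are a constructed reconstruction of what HijackThis would have shown for the two DLLs the tool renamed, and the five-letter-name check is a heuristic assumption based on the names seen in this thread, not a rule the page states.

```python
import re
from typing import Dict, List, NamedTuple


class BHO(NamedTuple):
    name: str
    clsid: str
    path: str


class NotifyPkg(NamedTuple):
    name: str
    path: str


# HijackThis line shapes: O2 = Browser Helper Object, O20 = Winlogon Notify package.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Constructed sample. AcroIEHelper, ssv.dll and WRNotifier are from the log in this thread;
# the geeba/gebyy lines are a hypothetical reconstruction of the Virtumundo entries
# VirtumundoBeGone removed, not lines copied from the page.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyy.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll
"""


def parse_hjt(text: str):
    """Pull O2 and O20 entries out of a HijackThis log; everything else is ignored."""
    bhos: List[BHO] = []
    notifies: List[NotifyPkg] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(BHO(m["name"].strip(), m["clsid"].upper(), m["path"].strip()))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(NotifyPkg(m["name"], m["path"].strip()))
    return bhos, notifies


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _stem(path: str) -> str:
    return _basename(path).rsplit(".", 1)[0]


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def find_vundo_suspects(bhos: List[BHO], notifies: List[NotifyPkg]) -> List[Dict[str, object]]:
    """Flag BHOs that look like Virtumundo, mirroring VirtumundoBeGone's own checks:
    nameless BHO, and/or the same system32 DLL registered as a Winlogon Notify package."""
    notify_names = {n.name.lower() for n in notifies}      # key name, e.g. "gebyy"
    notify_dlls = {_basename(n.path) for n in notifies}    # DLL file, e.g. "gebyy.dll"
    findings: List[Dict[str, object]] = []
    for b in bhos:
        reasons: List[str] = []
        if b.name in ("", "(no name)"):
            reasons.append("BHO has no default name")
        if _in_system32(b.path):
            if _stem(b.path) in notify_names or _basename(b.path) in notify_dlls:
                reasons.append("same DLL is also a Winlogon Notify package (reloaded at logon)")
            # Heuristic assumption: Virtumundo DLLs seen in this thread all have random
            # five-letter names (gebyy, geeba, awtqr, ...). Legitimate system32 DLLs rarely do.
            if re.fullmatch(r"[a-z]{5}", _stem(b.path)):
                reasons.append("random-looking five-letter DLL name in system32")
        if reasons:
            findings.append({"clsid": b.clsid, "path": b.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_vundo_suspects(*parse_hjt(SAMPLE_LOG)):
        print(f["clsid"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against a real log, the output is the list of CLSIDs and DLL paths to hand to the removal tool; a BHO that only trips the five-letter check and none of the others deserves a look at the file's version information before anything is deleted.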

#9 miekiemoes (Malware Response Team)

Posted 06 January 2006 - 03:18 PM

Hello,

Well, I already have good news for you... we did make improvements here.
Winfixer is gone and the Tilebot is also gone, because I know AIMfix deals with this one as well, along with the related registry keys it created.

But! I want you to run an online scan with Kaspersky also, because I really want that system clean again and Kaspersky will show leftovers if they are still present. The online Kaspersky scan doesn't delete the files it finds, which is why I want you to post the log it creates so we can deal with them manually afterwards. I'll give instructions for the online scan below.

But first, before performing the scan, do the following:

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 cloudmd (Topic Starter)

Posted 06 January 2006 - 06:17 PM

Wow, more viruses found!

Here are the results of the scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 06, 2006 17:15:22
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/01/2006
Kaspersky Anti-Virus database records: 169495
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 53803
Number of viruses found: 19
Number of infected objects: 97
Number of suspicious objects: 0
Duration of the scan process: 5343 sec

Infected Object Name - Virus Name
C:\AGEU_SilentSudokuInstaller.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\AGEU_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\AGEU_SilentSudokuInstaller.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DEFWDUJ\banmanpro[1].exe Infected: Trojan-Clicker.Win32.VB.kc
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G9EFSTUF\drapu[1].exe/EXE-file Infected: Trojan-Downloader.Win32.ConHook.w
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G9EFSTUF\drapu[1].exe Infected: Trojan-Downloader.Win32.ConHook.w
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G9EFSTUF\MediaGateway[1].exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WP67CX2B\enewsletterpro[1].exe Infected: Trojan.Win32.StartPage.aha
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YNSNWQPW\AGEU_SilentSudokuInstaller[1].exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YNSNWQPW\AGEU_SilentSudokuInstaller[1].exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YNSNWQPW\AGEU_SilentSudokuInstaller[1].exe Infected: Trojan-Dropper.Win32.VB.kk
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YNSNWQPW\draq[1].exe Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\Mya\.housecall\Quarantine\01FB3C0F-12ED-4F6A-9707-582B04.bac_a03940 Infected: Trojan.Win32.StartPage.aw
C:\Documents and Settings\Mya\.housecall\Quarantine\08346378-5273-4D45-8471-B622E4.bac_a03940 Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\Documents and Settings\Mya\.housecall\Quarantine\28121849-F4FC-4535-9E7D-50DD4E.bac_a03940 Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\Documents and Settings\Mya\.housecall\Quarantine\83C30497-471B-4B00-AEF8-6B987B.bac_a03940 Infected: Trojan.Win32.StartPage.aw
C:\Documents and Settings\Mya\.housecall\Quarantine\C2D5E576-C516-4FB6-8109-46E38B.bac_a03940 Infected: Trojan.Win32.StartPage.aw
C:\Documents and Settings\Mya\.housecall\Quarantine\D2DE8B3A-020B-4456-8FA7-708F6D.bac_a03940 Infected: Trojan.Win32.StartPage.aw
C:\Documents and Settings\Mya\.housecall\Quarantine\timessquare.exe.bac_a03940 Infected: Trojan.Win32.StartPage.aw
C:\Documents and Settings\Mya\.housecall\Quarantine\timessquare[1].exe.bac_a03940 Infected: Trojan.Win32.StartPage.aw
C:\Documents and Settings\Mya\Desktop\aimfix_quarantine\20004_smncs.exe.bak Infected: Backdoor.Win32.SdBot.xd
C:\Documents and Settings\Mya\My Documents\backups\backup-20060106-135245-695.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\Documents and Settings\Mya\My Documents\backups\backup-20060106-135246-485.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak
C:\mg1.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\Yazzle Sudoku\Sudoku.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007228.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007243.exe Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007244.dll Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007245.exe Infected: Trojan.Win32.Runner.h
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007246.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007247.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007249.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP49\A0007407.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP50\A0007477.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP50\A0007479.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP50\A0007479.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP50\A0007479.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP50\A0007479.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP50\A0007482.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP54\A0007667.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP57\A0007875.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP58\A0008003.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP58\A0008003.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP58\A0008004.exe Infected: not-a-virus:AdWare.Win32.VB.n
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP58\A0008043.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP59\A0008070.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP59\A0009070.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP59\A0009071.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP60\A0009083.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP61\A0011126.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP61\A0011127.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP61\A0011127.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP61\A0011128.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP61\A0011132.dll Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP62\A0012161.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP62\A0013152.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013362.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013363.exe Infected: Trojan-Downloader.Win32.PurityScan.ax
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013364.exe/data0010 Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013364.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013365.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013367.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013367.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP69\A0013368.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP74\A0018482.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP74\A0018483.exe/data0010 Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP74\A0018483.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP74\A0018484.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP74\A0018484.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP74\A0019471.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP76\A0020564.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP76\A0020580.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP76\A0022582.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP76\A0022590.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP76\A0022590.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP76\A0022592.dll Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP78\A0024622.exe Infected: Trojan-Clicker.Win32.VB.kc
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP78\A0024632.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP78\A0024634.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP78\A0024643.exe Infected: Backdoor.Win32.SdBot.xd
C:\WINDOWS\enewsletterpro.exe Infected: Trojan.Win32.StartPage.aha
C:\WINDOWS\system32\awtqr.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\awtsr.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\gebyy.dll.vir Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\jkhfg.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\mljjj.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\mllmm.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\pmkhg.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\pmkhi.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\ssqpm.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\ssqrs.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\ssttr.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\vtsqo.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\vturp.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\vturr.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\vtutq.dll Infected: Trojan-Downloader.Win32.ConHook.w

Scan process completed.
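Most of the 97 hits in the report above are not active infections: they sit in System Restore snapshots, in the quarantine folders of HouseCall and AIMfix, in a backup folder, or are the .vir files VirtumundoBeGone already renamed. The real work list is the handful of live files, which is what the helper's next reply turns into a delete list. The script below is an added example, not part of the Kaspersky scanner or of this thread, that performs that triage on a report of this format: it collapses nested archive members onto the file that contains them, sorts each path into a bucket, and separates real malware verdicts from Kaspersky's "not-a-virus:" class (adware, the mIRC client). The embedded excerpt is a constructed sample of ten lines copied from the report above; the bucket names and the path patterns used to classify them are this example's own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# One report line: "<object> Infected: <detection>". Members inside an archive or packer are
# appended to the on-disk path with "/" (Windows paths themselves use backslashes).
LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<det>\S+)$")

# Constructed excerpt: ten lines copied from the Kaspersky report posted above, plus the
# header and footer lines the parser must skip. Counts below refer to this excerpt only.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\AGEU_SilentSudokuInstaller.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\AGEU_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\AGEU_SilentSudokuInstaller.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DEFWDUJ\banmanpro[1].exe Infected: Trojan-Clicker.Win32.VB.kc
C:\Documents and Settings\Mya\.housecall\Quarantine\timessquare.exe.bac_a03940 Infected: Trojan.Win32.StartPage.aw
C:\Documents and Settings\Mya\Desktop\aimfix_quarantine\20004_smncs.exe.bak Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{C6D6C3A7-AF06-433C-8567-0A102E8F9671}\RP48\A0007228.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\WINDOWS\system32\awtqr.dll Infected: Trojan-Downloader.Win32.ConHook.w
C:\WINDOWS\system32\gebyy.dll.vir Infected: Trojan-Downloader.Win32.ConHook.w

Scan process completed.
"""


def on_disk_path(obj: str) -> str:
    """Drop archive-member suffixes so nested hits collapse onto the file that holds them."""
    return obj.split("/", 1)[0]


def classify(path: str) -> str:
    """Bucket names and patterns are this example's assumptions, chosen for this report."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"   # System Restore snapshots; cleared by purging restore points
    if ("\\quarantine\\" in p or "_quarantine\\" in p
            or "\\backups\\" in p or p.endswith(".vir")):
        return "quarantine"      # copies already neutralised or renamed by another tool
    if "\\temporary internet files\\" in p:
        return "ie_cache"        # downloaded by the browser; inert until something runs it
    return "live"


def triage(report: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {bucket: {on-disk path: set of detection names}} for a Kaspersky text report."""
    buckets: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, footer, blank and statistics lines
        path = on_disk_path(m["obj"])
        buckets[classify(path)][path].add(m["det"])
    return {bucket: dict(paths) for bucket, paths in buckets.items()}


def live_malware(buckets: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Live files carrying a real malware verdict; Kaspersky's 'not-a-virus:' class is left out."""
    return sorted(
        path for path, dets in buckets.get("live", {}).items()
        if any(not d.startswith("not-a-virus:") for d in dets)
    )


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("live", "ie_cache", "quarantine", "restore_point"):
        print(f"{bucket}: {len(result.get(bucket, {}))} file(s)")
    print("delete first:", *live_malware(result), sep="\n  ")
```

On this excerpt the live bucket holds three files, of which two (the Sudoku installer and awtqr.dll) are malware verdicts and one (mirc.exe) is merely flagged as an IRC client. The restore-point hits cannot be deleted from Explorer; they go away when System Restore is turned off and on again to flush the old snapshots, which is best done only after the live files are gone so that a clean restore point is the first one created.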

#11 miekiemoes (Malware Response Team)

Posted 06 January 2006 - 06:47 PM

Hello,

OK, good that you performed that scan.

I'll let you delete the files manually now.

First of all, some can be hidden system files, so we need to reveal them.
To do this:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now delete the CONTENTS of the following folders:

C:\Documents and Settings\Mya\.housecall\Quarantine
C:\Documents and Settings\Mya\Desktop\aimfix_quarantine
C:\Documents and Settings\Mya\My Documents\backups

In Windows Explorer (not Internet Explorer), as you can see in this screenshot: http://www.epocnova.com/programs/PC_Mobile...ts/Explorer.gif
you'll see an address bar at the top.
Now copy and paste the following entry into that address bar:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5

This will open the Content.IE5 folder.
Delete everything present in there except for index.dat; you won't be able to delete that one anyway, but that's OK.

Then search for and delete the following files:

C:\AGEU_SilentSudokuInstaller.exe
C:\WINDOWS\enewsletterpro.exe
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vtutq.dll
C:\mg1.exe
C:\Program Files\Yazzle Sudoku <== folder

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legitimate files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Post a new HijackThis log afterwards in your next reply as a final checkup to see if everything stayed clean in there.

#12 cloudmd (Topic Starter)

Posted 06 January 2006 - 09:51 PM

That's strange. None of the files in the System32 folder you told me to delete exist. Also, C:/dra.exe is still there. I could not delete the files in C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5.

#13 miekiemoes (Malware Response Team)

Posted 07 January 2006 - 01:24 AM

Hi, did you show your hidden files and folders?

Especially this part is important:

Uncheck the Hide protected operating system files (recommended) option.

You mention C:/dra.exe; I didn't see that in any of your logs.
Can you upload that file here?

http://virusscan.jotti.org/

At the top you'll find: File to upload and scan.
Now browse to the following file:

C:/dra.exe

Click submit and let it scan.
Post the results in your next reply together with a new HijackThis log.

Inside the Content.IE5 folder there are a couple of subfolders. The most important thing is that the following get deleted from the Content.IE5 folder:

Subfolder: 0DEFWDUJ\banmanpro[1].exe
Subfolder: G9EFSTUF\drapu[1].exe
Subfolder: G9EFSTUF\MediaGateway[1].exe
Subfolder: WP67CX2B\enewsletterpro[1].exe
Subfolder: YNSNWQPW\AGEU_SilentSudokuInstaller[1].exe
Subfolder: YNSNWQPW\draq[1].exe

But in a Content.IE5 folder everything may be deleted, because it is a temp folder. So delete the entire subfolders 0DEFWDUJ, G9EFSTUF, WP67CX2B and YNSNWQPW in there.

Can you post a new HijackThis log as well?

#14 cloudmd (Topic Starter)

Posted 07 January 2006 - 02:10 AM

I was able to delete those files you told me to delete in the system32 folder. I tried uploading the dra.exe file, but I get an error: something about my firewall or malware preventing it from uploading. Also, I was able to delete most of the files in the Internet temporary folder, but the files called dra.exe[1], dra.exe[2], etc. could not be deleted.

Here's my new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 1:06:57 AM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mya\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134546244878
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 January 2006 - 08:50 AM

Hello, I already know what this C:\dra.exe is. It's a trojan downloader.
Can you delete it from your C:\?

Then, after deleting it, try to delete those ones from your Temporary Internet folder as well.
If that doesn't work, try it in Safe Mode.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.