
Operating Memory Trojan, a variant of Win32/kryptik ORT


17 replies to this topic

#1 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 07 June 2011 - 07:56 PM

I was doing some work the other day on my computer and clicked on an Encyclopedia Britannica article. Next thing I knew I had tons of viruses and trojans (typical antivirus stuff where they offer you protection for money, all that). I've dealt with these before a bit on my own, so I messed around and fixed a few things. Specifically I went to this link: http://www.bleepingcomputer.com/forums/topic346136.html
and followed everything from MBRCheck to Goored. Things were looking good as I got rid of a rootkit virus, but then SuperAntiSpyware told me I had a trojan variant of Win32/Kryptic in my operating memory, and GooredFix kept crashing before doing anything. So I'm stuck. Luckily Malware Bytes is up so it's blocking Google Redirect, which actually isn't attacking very often.

Some of the highlights of my various scans:
Malware Bytes keeps coming up clean (weird).
Hitman Pro keeps telling me that my internet is running on a proxy. It was saying I had a rootkit error and 6 unfixable trojans, but between eset and tdskiller these went away.
Eset fixed all that other stuff (got rid of two instances of win32/Antimalwaredoctor/ae/gen/application and got rid of two instances of Kryptic in other areas of my computer) but then told me that I had the one Kryptic trojan in my operating memory.

And I'll leave you with all that for now. Tell me what I should do from here if you can please!



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 June 2011 - 08:18 PM

Hello, I moved this from XP to Am I Infected.
Let's run RKILL and MBAM.


RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.

^^

If you get an alert that Rkill is "infected", ignore it. The alert is just a fake warning given by the rogue software which tries to terminate programs that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.


Try this with RKill.... download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Do not reboot your computer after running rkill as the malware programs will start again.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 07 June 2011 - 08:57 PM

Did em!

RKill:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 06/07/2011 at 21:55:19.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINNT\system32\wbem\wmiprvse.exe


--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is:

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.


Rkill completed on 06/07/2011 at 21:55:31.




and MBAM:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6804

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/7/2011 9:49:56 PM
mbam-log-2011-06-07 (21-49-48).txt

Scan type: Quick scan
Objects scanned: 178622
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\INPUT MANAGER (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LOCAL ACCOUNT AUTHORITY SERVICE (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PLUG MANAGER (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Input Manager\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Account Authority Service\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Plug Manager\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Tim\local settings\application data\Input.bat (Trojan.Agent) -> No action taken.
c:\documents and settings\Tim\local settings\application data\localaccountauthority.bat (Trojan.Agent) -> No action taken.
c:\documents and settings\Tim\local settings\application data\Plug.bat (Trojan.Agent) -> No action taken.


Computer is running okay.

#4 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 07 June 2011 - 09:03 PM

I should note that MBAM quarantined those items after reset (not sure why it says no action taken)

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 June 2011 - 09:21 PM

You probably copied the log before you clicked Remove Selected. Things should be a lot better now.
We should now run an online scan.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

#6 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 07 June 2011 - 11:29 PM

No malware found! That's promising since the last time I ran it it gave the operating memory issue.

#7 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 08 June 2011 - 10:15 AM

Things seem better this morning at Startup. I was getting a popup that told me the computer couldn't find C:\Documents at Startup, but it didn't appear this morning. And MBAM found nothing! So things seem much better.

Hitman still found some issues though. It keeps telling me my internet is running on a proxy, but once I fix that it's fine until I restart the computer.

The other issues are that two items read "upload failed" in Hitman. Specifically they are:

qzhh06eyb.exe from C:\Documents and Settings\User\Application Data

and

setup.exe from C:\WINNT\Temp\rnss

Are any of those a big deal? Hitman doesn't do anything with them and I wasn't sure if they were problems or something.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 June 2011 - 03:56 PM

For the Proxy issue.
Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Unfortunately, yes, that can be a Virut issue:
http://www.threatexpert.com/report.aspx?md5=057226c52e11df382831852b62ef330d

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#9 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 08 June 2011 - 07:59 PM

Did the proxy first. It was unchecked already.

Kaspersky found a lot:
Autoscan: malfunction (events: 1, objects: 0, time: Unknown)
6/8/2011 5:16:58 PM Task started
Autoscan: stopped 1 hour ago (events: 4, objects: 0, time: 00:00:58)
6/8/2011 6:59:12 PM Task stopped
6/8/2011 6:58:11 PM Task started
6/8/2011 6:34:13 PM Task stopped
6/8/2011 6:31:31 PM Task started
Autoscan: completed 1 minute ago (events: 81, objects: 163003, time: 00:39:53)
6/8/2011 6:59:49 PM Task started
6/8/2011 7:33:04 PM Task stopped
6/8/2011 7:53:31 PM Task started
6/8/2011 8:03:52 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0F901071.doc/CryptFF
6/8/2011 8:03:52 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1B4C44AE.doc/CryptFF
6/8/2011 8:03:52 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\07C37AC9.doc/CryptFF
6/8/2011 8:04:37 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0F901071.doc/CryptFF
6/8/2011 8:04:37 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0F901071.doc/CryptFF
6/8/2011 8:04:38 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\07C37AC9.doc/CryptFF
6/8/2011 8:04:38 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\07C37AC9.doc/CryptFF
6/8/2011 8:04:38 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C7E3A32.doc/CryptFF
6/8/2011 8:04:38 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C956018.doc/CryptFF
6/8/2011 8:04:38 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1B4C44AE.doc/CryptFF
6/8/2011 8:04:38 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1B4C44AE.doc/CryptFF
6/8/2011 8:04:38 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1CAD10E7.doc/CryptFF
6/8/2011 8:04:45 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C956018.doc/CryptFF
6/8/2011 8:04:46 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C7E3A32.doc/CryptFF
6/8/2011 8:04:46 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C956018.doc/CryptFF
6/8/2011 8:04:46 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C7E3A32.doc/CryptFF
6/8/2011 8:04:46 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1D6A02B2.doc/CryptFF
6/8/2011 8:04:46 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1F8D4960.doc/CryptFF
6/8/2011 8:04:52 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1D6A02B2.doc/CryptFF
6/8/2011 8:04:52 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1D6A02B2.doc/CryptFF
6/8/2011 8:04:52 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1F8D4960.doc/CryptFF
6/8/2011 8:04:52 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\20EF095D.doc/CryptFF
6/8/2011 8:04:52 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1F8D4960.doc/CryptFF
6/8/2011 8:04:52 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1CAD10E7.doc/CryptFF
6/8/2011 8:04:52 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1CAD10E7.doc/CryptFF
6/8/2011 8:04:53 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\282119C6.doc/CryptFF
6/8/2011 8:04:53 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\284F6594.doc/CryptFF
6/8/2011 8:04:59 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\20EF095D.doc/CryptFF
6/8/2011 8:05:00 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\284F6594.doc/CryptFF
6/8/2011 8:05:00 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\284F6594.doc/CryptFF
6/8/2011 8:05:00 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\20EF095D.doc/CryptFF
6/8/2011 8:05:00 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\282119C6.doc/CryptFF
6/8/2011 8:05:00 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\282119C6.doc/CryptFF
6/8/2011 8:05:00 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2F5539D7.doc/CryptFF
6/8/2011 8:05:00 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2AD73F09.doc/CryptFF
6/8/2011 8:05:00 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\461F2EC5.doc/CryptFF
6/8/2011 8:05:03 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2F5539D7.doc/CryptFF
6/8/2011 8:05:04 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2F5539D7.doc/CryptFF
6/8/2011 8:05:06 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2AD73F09.doc/CryptFF
6/8/2011 8:05:07 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2AD73F09.doc/CryptFF
6/8/2011 8:05:07 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A75655C.doc/CryptFF
6/8/2011 8:05:07 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\461F2EC5.doc/CryptFF
6/8/2011 8:05:07 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\461F2EC5.doc/CryptFF
6/8/2011 8:05:07 PM Detected: Trojan.Win32.Crypt.o C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\50DD4787.dll/CryptFF
6/8/2011 8:05:11 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A75655C.doc/CryptFF
6/8/2011 8:05:12 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A75655C.doc/CryptFF
6/8/2011 8:05:12 PM Detected: Trojan-Downloader.Win32.ConHook.l C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\58606118.dll/CryptFF
6/8/2011 8:05:12 PM Detected: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\65695185.class/CryptFF
6/8/2011 8:06:00 PM Deleted: Trojan-Downloader.Win32.ConHook.l C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\58606118.dll
6/8/2011 8:06:00 PM Deleted: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\65695185.class
6/8/2011 8:06:01 PM Detected: Trojan.Java.ClassLoader.ak C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\657F07B1.class/CryptFF
6/8/2011 8:06:03 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\661946CB.doc/CryptFF
6/8/2011 8:06:04 PM Deleted: Trojan.Win32.Crypt.o C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\50DD4787.dll
6/8/2011 8:06:04 PM Detected: Trojan.Java.ClassLoader.z C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\71FF7928.class/CryptFF
6/8/2011 8:06:11 PM Deleted: Trojan.Java.ClassLoader.ak C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\657F07B1.class
6/8/2011 8:06:13 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\661946CB.doc/CryptFF
6/8/2011 8:06:13 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\661946CB.doc/CryptFF
6/8/2011 8:06:13 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\721177E0.doc/CryptFF
6/8/2011 8:06:13 PM Deleted: Trojan.Java.ClassLoader.z C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\71FF7928.class
6/8/2011 8:06:13 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7AD74437.doc/CryptFF
6/8/2011 8:06:13 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7B847578.doc/CryptFF
6/8/2011 8:06:17 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\721177E0.doc/CryptFF
6/8/2011 8:06:18 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7AD74437.doc/CryptFF
6/8/2011 8:06:18 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\721177E0.doc/CryptFF
6/8/2011 8:06:18 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7AD74437.doc/CryptFF
6/8/2011 8:06:18 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DCE73E7.doc/CryptFF
6/8/2011 8:06:18 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7B847578.doc/CryptFF
6/8/2011 8:06:18 PM Detected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7F79585B.doc/CryptFF
6/8/2011 8:06:18 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7B847578.doc/CryptFF
6/8/2011 8:06:20 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DCE73E7.doc/CryptFF
6/8/2011 8:06:20 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DCE73E7.doc/CryptFF
6/8/2011 8:06:23 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7F79585B.doc/CryptFF
6/8/2011 8:06:23 PM Disinfected: Virus.MSWord.Thus.ew C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7F79585B.doc/CryptFF
6/8/2011 8:32:06 PM Detected: not-a-virus:AdWare.Win32.WhiteSmoke.heur C:\WINNT\Temp\rnss\setup.exe/UPX
6/8/2011 8:32:06 PM Detected: HEUR:Exploit.Script.Generic C:\WINNT\Temp\Acr8BDB.tmp/data0000
6/8/2011 8:32:06 PM Detected: HEUR:Exploit.Script.Generic C:\WINNT\Temp\Acr7D09.tmp/data0000
6/8/2011 8:33:17 PM Deleted: not-a-virus:AdWare.Win32.WhiteSmoke.heur C:\WINNT\Temp\rnss\setup.exe
6/8/2011 8:33:28 PM Task completed


And here's Hijack this:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:57:47 PM, on 6/8/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

EDIT: Removed HJT Log

Edited by boopme, 08 June 2011 - 08:14 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 June 2011 - 08:29 PM

OK, looks good. It just found all the Kryptic in your Norton's quarantine; they are not new.

Looks clean to me. Is it running normally now?

#11 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 08 June 2011 - 08:53 PM

Still seems fine. I re-did Hitman. The setup problem is now gone (yesss!), but the qzhh06eyb.exe in C:\documentsandsettings\user\application data is still failing to upload. And the proxy server thing is still there.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 June 2011 - 09:07 PM

Let's run GMER as that file is possible trouble...

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Edited by boopme, 08 June 2011 - 09:07 PM.


#13 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 09 June 2011 - 02:47 PM

Gmer results:
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-09 15:46:51
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-22FJA0 rev.13.03G13
Running: bd1p68lt.exe; Driver: C:\DOCUME~1\Tim\LOCALS~1\Temp\fwdoapog.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\MRESP50 \Device\MRESP50 F78A21E2

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1216665254-155995919-3145557496-1005@RefCount 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 June 2011 - 03:15 PM

I think it's a malware orphan.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. >> qzhh06eyb.exe
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
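The orphan check described in the post above, done in code rather than by eye in Autoruns, as an added example that is not part of this thread, of Autoruns or of any tool named here: it pulls the program path out of each autorun value, then flags entries whose target is gone (orphans), lives in a user-profile data or temp folder, is a script rather than a binary, or is a service running from outside Windows or Program Files. The sample entries and the set of "files present on disk" are constructed here, modelled on the service and file paths in the MBAM and Hitman results earlier in the thread, so the script runs offline; on a live system `exists` would be `os.path.exists` and the entries would come from the Run keys and service ImagePath values.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample autorun entries (registry location, raw ImagePath or Run
# value), modelled on the service and file paths in the MBAM and Hitman results
# earlier in the thread, plus two ordinary entries that should not be flagged.
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Input Manager",
     r'"c:\documents and settings\Tim\local settings\application data\Input.bat"'),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Plug Manager",
     r"c:\documents and settings\Tim\local settings\application data\Plug.bat"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qzhh06eyb",
     r'"C:\Documents and Settings\User\Application Data\qzhh06eyb.exe" /s'),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
     r"C:\WINNT\system32\spoolsv.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Program Files\Vendor\updater.exe -background"),
]

# Constructed stand-in for the disk so the example runs offline; Plug.bat has
# already been quarantined, so its service entry is now an orphan.
PRESENT_FILES = {
    r"c:\winnt\system32\spoolsv.exe",
    r"c:\program files\vendor\updater.exe",
    r"c:\documents and settings\tim\local settings\application data\input.bat",
    r"c:\documents and settings\user\application data\qzhh06eyb.exe",
}

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".dll", ".sys")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")
DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")
SYSTEM_DIRS = ("\\winnt\\", "\\windows\\", "\\program files\\")


def sample_exists(path: str) -> bool:
    """Offline replacement for os.path.exists, backed by PRESENT_FILES."""
    return path.lower() in PRESENT_FILES


def extract_target(command: str) -> str:
    """Pull the program path out of a raw autorun value: a quoted path with
    arguments, or an unquoted path containing spaces followed by arguments
    (tokens are joined until one ends in a known executable extension)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = []
    for tok in cmd.split():
        parts.append(tok)
        if tok.lower().endswith(EXEC_EXTS):
            break
    return " ".join(parts)


@dataclass
class Finding:
    location: str
    target: str
    reasons: List[str] = field(default_factory=list)


def classify(location: str, command: str, exists: Callable[[str], bool]) -> Finding:
    """Apply to one entry the checks a helper makes by eye in Autoruns."""
    target = extract_target(command)
    low = target.lower()
    f = Finding(location, target)
    if not exists(target):
        f.reasons.append("orphan: target file no longer exists")
    if any(p in low for p in PROFILE_DIRS) and any(d in low for d in DATA_DIRS):
        f.reasons.append("target lives in a user-profile data or temp folder")
    if low.endswith(SCRIPT_EXTS):
        f.reasons.append("target is a script rather than a binary")
    if "\\services\\" in location.lower() and not any(s in low for s in SYSTEM_DIRS):
        f.reasons.append("service binary outside Windows or Program Files")
    return f


def audit(entries, exists=sample_exists) -> List[Finding]:
    """Return only the entries that raised at least one reason."""
    return [f for f in (classify(loc, cmd, exists) for loc, cmd in entries) if f.reasons]


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(finding.location)
        for reason in finding.reasons:
            print("   -", reason)
```

With the constructed data, the two batch-file services and the qzhh06eyb Run entry are reported and the Spooler and updater entries are not; rundll32-style values are reported as rundll32 itself, so the DLL argument still has to be read by hand.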

#15 Guest_SpastikMooss_*

Guest_SpastikMooss_*

  • Guests

Posted 09 June 2011 - 10:00 PM

I meant it only shows up in Hitman. I ran autoruns anyway and didn't see anything. But my computer seems to be running fine - no popups, no errors, all looking good. The Hitman search results still say qzhh06eyb.exe in C:\documentsandsettings\user\application data is failing to upload and that my internet is running on a proxy server. But neither seems to be really affecting my computer, so if neither of those is a real bad thing then that works for me!



