
Trojan.Agent/Gen-Nullo [short] need help removing


20 replies to this topic

#1 alittlehelp


Posted 27 July 2011 - 06:43 PM

Hello, and thank you in advance for your assistance and consideration.

I started receiving strange popups and fake alerts on my Dell laptop, running XP SP3 (all up to date), today.
AVG (9) alerted and supposedly blocked the virus. I don't believe I clicked on any of the fake popups, but apparently "Nullo" (?) was rather persistent and still managed to take hold, preventing SAS or MBAM from running.
I ran Rkill, which managed to stop the popups long enough for SAS to run and quarantine (part of) the virus. MBAM initially isolated the virus in quarantine. Running AVG recently reports clean.
These tools have proven very effective in the past; unfortunately I fear some residual damage was done by this virus (?):

1. Firewall was disabled (but I managed to restore it through the command prompt (NETSH FIREWALL RESET)).
2. Automatic Updates has been disabled by these events and I can't get it to restore/turn on through Control Panel or Security Center.
3. The Windows Security shield looms red in the system tray warning of potential vulnerability.
4. Strange browser/Google search behavior.
5. Restore Points fail. I attempted to do a Restore Point; it took an exorbitant amount of time, but the PC eventually rebooted and returned an "unable to restore to 7.23.2011" message. I checked the AV quarantines and found this entry in SAS' recent quarantine log:

C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E664F1E-6B02-46D7-9E8D-2EA9593F0B5C}\RP287\A0024345.EXE

Does this mean my Restore Points have been infected as well?


I've attached the log from the first Malwarebytes scan:
-------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7298

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/27/2011 3:28:39 PM
mbam-log-2011-07-27 (15-28-39).txt

Scan type: Quick scan
Objects scanned: 142399
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4036860489 (Trojan.FakeAlert) -> Value: 4036860489 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\cfa.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\cfa.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\cfa.exe" -a "C:\Program Files\Intern) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\networkservice\local settings\application data\cfa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\us\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

------------------------------------------------------

A more recent MBAM log reports back clean, but the PC continues to behave otherwise, and in Firefox 3.6.+ Google links do not function on click or else redirect to "server not found".

I ran the TDSSKiller steps here (http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller) and it did indeed find and terminate: \Device\Harddisk0\DR0 (RootKit.win32.TDSS.tdl4)

I can post the full scan if needed.


I found a post from another BC member having the same issues:
http://www.bleepingcomputer.com/forums/topic411624.html

Unfortunately nothing has worked. I'm not sure of the severity or compromised security of the affected PC and have kept it disconnected from the router as I type this from a different computer.


If there are any BC techs that can help, I would appreciate it.

Thanks in advance!

Edited by alittlehelp, 27 July 2011 - 10:30 PM.
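
An added example (not from the post or from Malwarebytes) that parses the registry findings in the MBAM log quoted above and spells out what each change did: the StartMenuInternet entries wrapped every browser launch in cfa.exe, the Security Center values silenced the tray notifications, and the Run value was the autostart. The sample lines are the ones from the log above; the regex shapes are assumptions about the 1.5x log format.

```python
import re
from collections import Counter

# Constructed sample: the "Registry Values Infected" and "Registry Data Items
# Infected" sections copied verbatim from the MBAM log in the post above.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4036860489 (Trojan.FakeAlert) -> Value: 4036860489 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\cfa.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\cfa.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\cfa.exe" -a "C:\Program Files\Intern) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# Assumed line shapes for MBAM 1.5x "Registry Data Items" / "Registry Values".
DATA_RE = re.compile(
    r'^(?P<key>HKEY_.*?) \((?P<det>[\w.]+)\) -> Bad: \((?P<bad>.*)\) '
    r'Good: \((?P<good>.*)\) -> (?P<action>.+)$')
VALUE_RE = re.compile(
    r'^(?P<key>HKEY_.*?) \((?P<det>[\w.]+)\) -> Value: (?P<value>\S+) '
    r'-> (?P<action>.+)$')
# Shape of a StartMenuInternet hijack: "<wrapper>" -a "<real browser>"
WRAPPER_RE = re.compile(r'^"(?P<wrapper>[^"]+)"\s+-a\s+"(?P<target>[^"]*)')


def parse_mbam_log(text):
    """Return one dict per registry finding (value or data item) in the log."""
    findings = []
    for line in text.splitlines():
        m = DATA_RE.match(line.strip()) or VALUE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        findings.append({
            "key": d["key"], "detection": d["det"], "action": d["action"],
            "bad": d.get("bad"), "good": d.get("good"), "value": d.get("value"),
        })
    return findings


def explain(f):
    """Turn one finding into a sentence about what the change achieved."""
    det, key = f["detection"], f["key"]
    parent, leaf = key.rsplit("\\", 1)
    if det == "Hijack.StartMenuInternet":
        browser = key.split("\\StartMenuInternet\\")[1].split("\\")[0]
        m = WRAPPER_RE.match(f["bad"] or "")
        if m:
            return (f"{browser}: launch routed through {m['wrapper']}, "
                    f"which then starts the real browser ({m['target']})")
        return f"{browser}: launch command replaced with {f['bad']}"
    if det == "PUM.Disabled.SecurityCenter":
        # DisableNotify=1 tells Security Center not to warn about that component.
        return (f"Security Center {leaf}={f['bad']}: tray warning for this "
                f"component suppressed (MBAM restored {f['good']})")
    if "\\Run\\" in key:
        return f"autorun persistence: value {leaf} under {parent} ({det})"
    return f"{det} at {key}"


def hijack_wrappers(findings):
    """Basenames of the binaries interposed in front of browser launches."""
    names = set()
    for f in findings:
        if f["detection"] == "Hijack.StartMenuInternet" and f["bad"]:
            m = WRAPPER_RE.match(f["bad"])
            if m:
                names.add(m["wrapper"].rsplit("\\", 1)[-1].lower())
    return names


def summarize(text):
    """Counts per detection name plus one explanation line per finding."""
    findings = parse_mbam_log(text)
    counts = Counter(f["detection"] for f in findings)
    return counts, [explain(f) for f in findings]


if __name__ == "__main__":
    counts, lines = summarize(SAMPLE_LOG)
    for det, n in counts.items():
        print(f"{n} x {det}")
    for line in lines:
        print(" -", line)
    print("wrapper binaries:", sorted(hijack_wrappers(parse_mbam_log(SAMPLE_LOG))))
```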



#2 Broni


Posted 27 July 2011 - 10:03 PM

You should refrain from using restore point at this moment as some of them may be infected.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.



#3 alittlehelp


Posted 27 July 2011 - 10:47 PM

hello Broni, and thanks for the response!
I will have to pick up and post the scan results tomorrow. It's late here (11:45 pm) and I have an early meeting in the morning :(

thanks for your continued attention to this post. I'll update results in the afternoon.

#4 Broni


Posted 27 July 2011 - 10:52 PM

No problem :)



#5 alittlehelp


Posted 28 July 2011 - 12:53 PM

Hi Broni,

I've attached the scan logs as requested.
I did receive an odd virus threat alert from AVG while running MBAM. I wasn't able to create a screen capture to include in this post, but the AVG Threat Alert stated: AVG Resident Shield Alert - Multiple threat detection (2 counts were listed for the same file):
File: C:\Windows\oapclu.dll
Infection: Trojan horse Generic23 CCPA

Process name: C:\program files\MalwareBytes' Anti Malware\mbam.exe
Process ID: 1324
Detection on Open

This is the first time AVG has ever suspected MBAM of being a threat. It may be a false report. However, the "offending" .dll in question now resides in the AVG Resident Shield Vault. Upon restart, I get a Windows error stating: Error Loading C:\Windows\oapclu.dll - The Specified Module Could Not Be Found. Yet Malwarebytes still seems to function/open/scan normally.
I've included the AVG log in this post, as well. Please advise.


Security Check:

------------------------

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.3.181.14
Adobe Reader 8.2.6
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

----------------------------------------------

MiniToolBox:

----------------------
MiniToolBox by Farbar
Ran by us (administrator) on 28-07-2011 at 11:23:24
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default diroctory

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : ann-21aed451aa6
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/Wireless 2915ABG Network Connection
Physical Address. . . . . . . . . : 00-13-CE-29-D6-A3
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 172.16.0.49
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.0.1
DHCP Server . . . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 172.16.0.1
Lease Obtained. . . . . . . . . . : Thursday, July 28, 2011 11:18:57 AM
Lease Expires . . . . . . . . . . : Friday, July 29, 2011 11:18:57 AM

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.0.1

Name: google.com
Addresses: 74.125.91.105, 74.125.91.106, 74.125.91.104, 74.125.91.147
74.125.91.103, 74.125.91.99

Pinging google.com [74.125.91.99] with 32 bytes of data:

Reply from 74.125.91.99: bytes=32 time=38ms TTL=46
Reply from 74.125.91.99: bytes=32 time=38ms TTL=46

Ping statistics for 74.125.91.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 38ms, Maximum = 38ms, Average = 38ms

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.0.1

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76

Pinging yahoo.com [67.195.160.76] with 32 bytes of data:

Reply from 67.195.160.76: bytes=32 time=34ms TTL=51
Reply from 67.195.160.76: bytes=32 time=33ms TTL=51

Ping statistics for 67.195.160.76:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 33ms, Maximum = 34ms, Average = 33ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 ce 29 d6 a3 ...... Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.49 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.255.0 172.16.0.49 172.16.0.49 25
172.16.0.49 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.49 172.16.0.49 25
224.0.0.0 240.0.0.0 172.16.0.49 172.16.0.49 25
255.255.255.255 255.255.255.255 172.16.0.49 172.16.0.49 1
Default Gateway: 172.16.0.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/27/2011 08:30:43 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt> with error: This network connection does not exist.

Error: (07/27/2011 08:30:43 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt> with error: The connection with the server was terminated abnormally

Error: (07/27/2011 08:20:29 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (07/27/2011 08:20:29 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error: (07/27/2011 08:02:18 PM) (Source: ESENT) (User: )
Description: Catalog Database (1188) Database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb was partially detached. Error -1032 encountered updating database headers.

Error: (07/27/2011 08:02:18 PM) (Source: ESENT) (User: )
Description: Catalog Database (1188) Unable to write a shadowed header for file C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb. Error -1032.

Error: (07/27/2011 08:02:18 PM) (Source: ESENT) (User: )
Description: svchost (1188) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (07/27/2011 04:34:09 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/27/2011 02:00:17 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt> with error: This network connection does not exist.

Error: (07/27/2011 02:00:17 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt> with error: The connection with the server was terminated abnormally


System errors:
=============
Error: (07/28/2011 11:12:45 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:12:39 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:12:31 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:12:24 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:12:18 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:12:11 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:12:05 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:11:58 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:11:51 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2011 11:11:44 AM) (Source: 0) (User: )
Description: \Device\CdRom0


Microsoft Office Sessions:
=========================
Error: (07/27/2011 08:30:43 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crtThis network connection does not exist.

Error: (07/27/2011 08:30:43 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crtThe connection with the server was terminated abnormally

Error: (07/27/2011 08:20:29 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (07/27/2011 08:20:29 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe connection with the server was terminated abnormally

Error: (07/27/2011 08:02:18 PM) (Source: ESENT)(User: )
Description: Catalog Database1188C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032

Error: (07/27/2011 08:02:18 PM) (Source: ESENT)(User: )
Description: Catalog Database1188C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032

Error: (07/27/2011 08:02:18 PM) (Source: ESENT)(User: )
Description: svchost1188C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (07/27/2011 04:34:09 PM) (Source: Application Hang)(User: )
Description: iexplore.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (07/27/2011 02:00:17 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crtThis network connection does not exist.

Error: (07/27/2011 02:00:17 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crtThe connection with the server was terminated abnormally


========================= Memory info: ===================================

Percentage of memory in use: 35%
Total physical RAM: 2039.36 MB
Available physical RAM: 1321.84 MB
Total Pagefile: 3935.94 MB
Available Pagefile: 3252.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.3 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:37.22 GB) (Free:20.97 GB) NTFS
2 Drive d: (trojanfix7.28.11) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\ANN-21AED451AA6

Administrator Guest HelpAssistant
SUPPORT_388945a0 us


== End of log ==

----------------------------------------------


MBAM:
-----------------
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7298

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/28/2011 11:33:22 AM
mbam-log-2011-07-28 (11-33-22).txt

Scan type: Quick scan
Objects scanned: 155677
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------


GMER:
--------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-28 13:01:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK4026GAX rev.PA102D
Running: vdxb2mum.exe; Driver: C:\DOCUME~1\us\LOCALS~1\Temp\fwdcipod.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\DRIVERS\gtipci21.sys entry point in "init" section [0xB9975A80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A6C05D20
Device \FileSystem\Fastfat \Fat A6BFE60A

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

-----------------------------------------------------


AVG:
--------------

Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse Generic23.CCPA";"c:\WINDOWS\oapclu.dll";"Moved to Virus Vault";"7/28/2011, 11:32:28 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic23.CCPA";"c:\WINDOWS\oapclu.dll";"Moved to Virus Vault";"7/28/2011, 11:30:36 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic23.CBYG";"c:\Documents and Settings\us\Application Data\Adobe\plugs\KB733925062.exe";"Moved to Virus Vault";"7/27/2011, 9:33:57 AM";"file";"C:\DOCUME~1\us\LOCALS~1\Temp\snreacwomx.tmp"
"Trojan horse SHeur3.CLFX";"c:\Documents and Settings\us\Application Data\Adobe\plugs\KB733898562.exe";"Moved to Virus Vault";"7/27/2011, 9:33:55 AM";"file";"C:\DOCUME~1\us\LOCALS~1\Temp\snreacwomx.tmp"
"Trojan horse Generic23.CBYG";"c:\Documents and Settings\us\Application Data\Adobe\plugs\KB733922953.exe";"Moved to Virus Vault";"7/27/2011, 9:33:54 AM";"file";"C:\DOCUME~1\us\LOCALS~1\Temp\snreacwomx.tmp"
"Trojan horse Generic23.CBYG";"c:\Documents and Settings\us\Application Data\Adobe\plugs\KB733922953.exe";"Object is inaccessible.";"7/27/2011, 9:33:54 AM";"file";"C:\DOCUME~1\us\LOCALS~1\Temp\snreacwomx.tmp"
"Trojan horse SHeur3.CLFX";"c:\Documents and Settings\us\Application Data\Adobe\plugs\KB733897765.exe";"Moved to Virus Vault";"7/27/2011, 9:33:54 AM";"file";"C:\DOCUME~1\us\LOCALS~1\Temp\snreacwomx.tmp"
"Trojan horse SHeur3.CLFX";"c:\Documents and Settings\us\Application Data\Adobe\plugs\KB733897687.exe";"Moved to Virus Vault";"7/27/2011, 9:33:54 AM";"file";"C:\DOCUME~1\us\LOCALS~1\Temp\snreacwomx.tmp"

------------------------------------------


Thanks in advance for your help!

#6 Broni


Posted 28 July 2011 - 05:14 PM

oapclu.dll is definitely not a MBAM file, so I'm not sure why AVG associated it with MBAM.

Upon re-start, I get a windows error stating: Error Loading C:\Windows\oapclu.dll - The Specified Module Could Not Be Found.

Let's fix it...

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip the Autoruns.zip file, and double-click on the autoruns.exe file to run the program.
Go File>Save, and save it as an AutoRuns.txt file to a known location.
You must select Text from drop-down menu as a file type:


Upload the file(s) here: http://www.filedropper.com/
Post download link (copy URL: link):

======================================================================

Then, it looks like your "hosts" file is missing.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#  	102.54.94.97 	rhino.acme.com      	# source server
#   	38.25.63.10 	x.acme.com          	# x client host

127.0.0.1   	localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure "Save as type:" is set to "All Files (*.*)".
3. Make sure the file is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder


When done:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


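An added example (not Broni's tool or any code from the thread) that audits a hosts file the way the post above rebuilds it: it parses hosts-file content, reports any mapping other than localhost to loopback (a site sent to a non-loopback address, or a site blocked by pointing it at 127.0.0.1), and checks a SystemLook `:dir` listing for the exact filename `hosts`, since Notepad appends .txt unless "All Files" is selected. The tampered sample and the 10.0.0.5 address are constructed.

```python
import ipaddress
import re

# Constructed sample: the default hosts text from the post above (shortened).
DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
"""

# Constructed sample of a tampered file: vendor/update sites sent to a made-up
# address, one blocked via loopback, all hidden below a run of blank lines.
TAMPERED_HOSTS = """\
127.0.0.1       localhost



10.0.0.5        www.malwarebytes.org
10.0.0.5        update.microsoft.com  windowsupdate.microsoft.com   # pair
127.0.0.1       free.avg.com
::1             localhost
"""

# Constructed sample in the SystemLook ":dir" output format.
SYSTEMLOOK_DIR = """\
---Files---
hosts --a---- 711 bytes [00:34 29/07/2011] [00:28 29/07/2011]
lmhosts.sam --a---- 3683 bytes [12:00 04/08/2004] [12:00 04/08/2004]
networks --a---- 407 bytes [12:00 04/08/2004] [12:00 04/08/2004]
---Folders---
None found.
"""

# Assumed shape of a SystemLook file line: name, 7-char attributes, size.
FILE_LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<attr>[-a-z]{7})\s+(?P<size>\d+) bytes")


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) per entry; comments and blanks skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def audit_hosts(text):
    """List what differs from a clean default file; [] means nothing to report."""
    problems, has_localhost = [], False
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {n}: {ip!r} is not an IP address")
            continue
        if not names:
            problems.append(f"line {n}: {ip} has no hostname")
        elif not addr.is_loopback:
            # Any non-loopback mapping silently redirects those names.
            problems.append(f"line {n}: {', '.join(names)} redirected to {ip}")
        elif "localhost" in names:
            has_localhost = True
        else:
            # Loopback for anything but localhost makes that site unreachable,
            # which is how update and vendor sites get blocked.
            problems.append(f"line {n}: {', '.join(names)} blocked via {ip}")
    if not has_localhost:
        problems.append("no loopback entry for localhost")
    return problems


def files_in_listing(text):
    """File names from a SystemLook ':dir' ---Files--- block."""
    names = []
    for line in text.splitlines():
        m = FILE_LINE_RE.match(line.strip())
        if m:
            names.append(m["name"])
    return names


def check_hosts_filename(names):
    """Notepad adds .txt unless 'All Files' is chosen; report that case."""
    present = {n.lower() for n in names}
    if "hosts" in present:
        return "ok"
    misnamed = sorted(n for n in present if n.startswith("hosts"))
    return f"misnamed: {', '.join(misnamed)}" if misnamed else "missing"


if __name__ == "__main__":
    print("default:", audit_hosts(DEFAULT_HOSTS))
    print("tampered:", *audit_hosts(TAMPERED_HOSTS), sep="\n  ")
    print("filename:", check_hosts_filename(files_in_listing(SYSTEMLOOK_DIR)))
```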

#7 alittlehelp


Posted 28 July 2011 - 07:42 PM

My link


--------------------------------------------------------------------------------------------------------------


SystemLook:
-------------------

SystemLook 04.09.10 by jpshortstuff
Log created at 20:37 on 28/07/2011 by us
Administrator - Elevation successful

========== dir ==========


C:\windows\system32\drivers\etc - Parameters: "(none)"

---Files---
hosts --a---- 711 bytes [00:34 29/07/2011] [00:28 29/07/2011]
lmhosts.sam --a---- 3683 bytes [12:00 04/08/2004] [12:00 04/08/2004]
networks --a---- 407 bytes [12:00 04/08/2004] [12:00 04/08/2004]
protocol --a---- 799 bytes [12:00 04/08/2004] [12:00 04/08/2004]
services --a---- 7116 bytes [12:00 04/08/2004] [12:00 04/08/2004]

---Folders---
None found.

-= EOF =-


thanks!

Edited by alittlehelp, 28 July 2011 - 08:18 PM.


#8 Broni


Posted 28 July 2011 - 08:35 PM

Good :)

I can see more "baddies" in your Autoruns log.

Re-run Autoruns, click on "Logon" tab.
UN-check following items:

+ "Jroqotucejaqa"
+ "Ddoquqidefa"


Restart computer.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :file
    c:\windows\upotoqihojiseciy.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#9 alittlehelp (Topic Starter)

Posted 28 July 2011 - 08:58 PM

Unchecked jroqotucejaqa and ddoquqidefa in Autoruns and didn't get the Windows missing "oapclu.dll" warning on reboot :)

-------------------------------------------------------------

SystemLook 04.09.10 by jpshortstuff
Log created at 21:49 on 28/07/2011 by us
Administrator - Elevation successful

========== file ==========

c:\windows\upotoqihojiseciy.dll - File found and opened.
MD5: 66210C544A8DDC75A293E8F9A790CF7B
Created at 12:00 on 04/08/2004
Modified at 00:12 on 14/04/2008
Size: 354816 bytes
Attributes: --a----
No version information available.

-= EOF =-

BTW, I've been doing the repairs while the infected PC is offline, downloading the programs on a non-infected computer and copying them over to the infected one via CD-RW or floppy... just so you know :)

thanks

Edited by alittlehelp, 28 July 2011 - 09:03 PM.
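As an added example (not part of this thread and not SystemLook's own code), here is a small Python parser for the SystemLook "dir" and "file" sections seen in the two logs above, plus a check that lists directory entries whose timestamps fall within a day of the log's own creation time; on this log that picks out hosts, whose neighbours still carry their 2004 timestamps, which is a prompt to inspect that file rather than a verdict. The sample log is constructed from those two posts, and the two bracketed stamps are kept in log order because the log does not label them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the "dir" and "file" sections of the two SystemLook logs
# posted in this thread, trimmed and joined into one log for the demo.
SAMPLE_LOG = r"""Log created at 21:49 on 28/07/2011 by us
========== dir ==========
---Files---
hosts --a---- 711 bytes [00:34 29/07/2011] [00:28 29/07/2011]
lmhosts.sam --a---- 3683 bytes [12:00 04/08/2004] [12:00 04/08/2004]
========== file ==========
c:\windows\upotoqihojiseciy.dll - File found and opened.
MD5: 66210C544A8DDC75A293E8F9A790CF7B
Created at 12:00 on 04/08/2004
Modified at 00:12 on 14/04/2008
Size: 354816 bytes
Attributes: --a----
"""

TS = "%H:%M %d/%m/%Y"                  # timestamp style used inside [...]
LOG_TS = "%H:%M on %d/%m/%Y"           # style used by "Log created at" / "Created at"
DIR_RE = re.compile(r"^(.+?) ([-\w]{7}) (\d+) bytes \[(.+?)\] \[(.+?)\]$")
FILE_RE = re.compile(r"^(.+?) - File found and opened\.$")
KV_RE = re.compile(r"^(MD5|Size|Attributes): (\S+)|^(Created|Modified) at (.+)$")


def parse_systemlook(text):
    """Turn a SystemLook log into {'created': datetime, 'dir': [...], 'file': [...]}."""
    out, cur = {"created": None, "dir": [], "file": []}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Log created at "):
            out["created"] = datetime.strptime(line[15:].split(" by")[0], LOG_TS)
        elif m := DIR_RE.match(line):
            out["dir"].append({"name": m[1], "attrs": m[2], "size": int(m[3]),
                               "ts": [datetime.strptime(m[4], TS), datetime.strptime(m[5], TS)]})
        elif m := FILE_RE.match(line):
            cur = {"path": m[1]}            # following key/value lines belong to this file
            out["file"].append(cur)
        elif cur is not None and (m := KV_RE.match(line)):
            if m[1]:
                cur[m[1].lower()] = int(m[2]) if m[1] == "Size" else m[2]
            else:
                cur[m[3].lower()] = datetime.strptime(m[4], LOG_TS)
    return out


def recently_touched(report, window=timedelta(days=1)):
    """Dir entries with a stamp within `window` of the log's creation time: inspect, don't assume."""
    ref = report["created"]
    return [e["name"] for e in report["dir"] if any(abs(t - ref) <= window for t in e["ts"])]
```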


#10 Broni (BC Advisor)

Posted 28 July 2011 - 09:08 PM

Good :)

Go ahead and manually delete the above file:
c:\windows\upotoqihojiseciy.dll

Then....

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.



#11 alittlehelp (Topic Starter)

Posted 28 July 2011 - 09:21 PM

It seems that I cannot manually delete upotoqihojiseciy.dll (i.e. select/delete, right-click/delete, drag to Recycle Bin); I get a message prompt: "Access is denied - make sure the disk is not full or write protected and that the file is not in use".

I ran autoruns again and found that under the logon tab, jroqotucejaqa made a copy of itself with a checked box.
So now there are two jroqotucejaqa in autoruns.

Please advise.

thanks for your patience.

Edited by alittlehelp, 28 July 2011 - 09:43 PM.


#12 Broni (BC Advisor)

Posted 28 July 2011 - 09:30 PM

Download, and install Unlocker: http://cedrick.collomb.perso.sfr.fr/unlocker/
Restart computer.
It'll install under right click menu.

Open Windows Explorer.
Navigate to offending folder/file.

Right click on a folder/file. Click Unlocker
Select Delete from drop-down menu:


Click OK.
A folder/file will refuse to be deleted, but Unlocker will give you an option to delete on reboot:


Click Yes.
Restart computer.

==============================================================

If the above doesn't work, try...

LockHunter: http://lockhunter.com/

FileASSASSIN: http://www.snapfiles.com/get/fileassassin.html



#13 alittlehelp (Topic Starter)

Posted 28 July 2011 - 10:58 PM

Hey Broni,

Thanks for the tip on Unlocker! It reminded me of a great tool already found in Malwarebytes, File Assassin, which worked like a charm for deleting upotoqihojiseciy.dll.


ESET scan:
-----------------
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Program Files\Yontoo Layers Runtime\YontooIEClient_2.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined

#14 Broni (BC Advisor)

Posted 28 July 2011 - 11:05 PM

Update Internet Explorer to version 8. Version 6 is obsolete and thus dangerous.

==============================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

================================================================

Update Adobe Reader

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note: If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create a fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure Windows Updates are current.

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html



#15 alittlehelp (Topic Starter)

Posted 29 July 2011 - 12:06 AM

Thanks Broni,
I never use IE but just finished updating it (IE8).

I was hoping that updating IE might resolve this nagging issue with Security Center and the inability to reset Automatic Updates to the On position.

The Security Center still will not allow me to turn on Automatic Updates. It shows as turned on via Control Panel\Automatic Updates, but off in Security Center. I continue to receive error messages when I try to turn it on in SC: "Security Center could not change your Automatic Update Settings. Try changing these settings in control panel..." etc.

I've tried updating from Microsoft's updates web site but it crashes constantly stating that the website encountered a problem. Receiving updates directly from Microsoft site has been impossible.

Any thoughts on the Security Center/Automatic Updates issue?

I've updated Adobe Acrobat Reader. I'm currently running a scan and will continue with the rest of updates tomorrow.

thanks again!
