
My WINDOWS VISTA is infected


  • This topic is locked
6 replies to this topic

#1 PatriceJ

PatriceJ

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 01:08 AM

Posted 17 April 2012 - 12:39 PM

Hello,

I just recently joined here, because I am in need of assistance with my computer. Some days ago my Windows Vista became infected. Gradually, after two days, the virus had wiped out or hidden ALL of my programs and default items. Also, whenever I try to install or run a program to remove a virus, it redirects and then disappears, then this pops up (view downloads : windows internet explorer). It asks do you want to run, and I click run, but this message flashes "the publisher of this program couldn't be verified" or "access denied". Another thing I can mention is that when I first log on, multiple (view downloads) pop-ups ask if I want to run or save this program. These are some that have come up on my screen:

igfxpers.exe
jusched.exe
rundll32.exe
sidebar.exe
apsdaemon.exe
hpwuschd2.exe
& ccapp.exe

Last thing I should mention is that I only have access to the internet through Mozilla Firefox, and prior to getting this serious virus I did have Malwarebytes [but it is now hidden, so I can't see nor run it]. To anyone out there that can help me fix this, please help. I would GREATLY appreciate it. Thank you -


#2 Allen

Allen

  • Members
  • 337 posts
  • OFFLINE
  • Gender: Male
  • Location: Canada
  • Local time: 03:08 AM

Posted 17 April 2012 - 12:42 PM

First step is to boot into Safe Mode with Networking and install MBAM from a flash drive. Once that's done, update the database, run a full scan and post the log here.
Hey everyone, I'm Allen. I am a young web developer/designer/programmer. I also help people with computer issues, including hardware problems, malware/virus infections and software conflicts. I am a kind and easy-to-get-along-with person, so if you need help feel free to ask.

#3 PatriceJ

PatriceJ
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 01:08 AM

Posted 17 April 2012 - 10:37 PM

Thank you firemaster1337. After I get my flash drive, and run mbam I will post the log.

#4 PatriceJ

PatriceJ
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 01:08 AM

Posted 09 May 2012 - 07:56 PM

It's been forever since I've been on here, but all that time my computer has been infected. I don't have a flash drive, but I was able to finally run Malwarebytes. I got it to run through Chameleon. Here are some of the logs from yesterday and today.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.08.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
[administrator]

5/8/2012 6:15:30 PM
mbam-log-2012-05-08 (18-15-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231779
Time elapsed: 40 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\sis315.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 5
HKLM\SYSTEM\CurrentControlSet\Services\NetworkLog (Trojan.Downloader) -> Quarantined and deleted successfully.
HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 6
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|bcbfbbebbfdfacdct (Trojan.Agent) -> Data: "C:\ProgramData\bcbfbbebbfdfacdct.exe" -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: sp -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^^ -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\NetworkLog|ImagePath (Trojan.Downloader) -> Data: C:\Windows\svcs.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
C:\Windows\System32\sis315.dll (RootKit.0Access.H) -> Delete on reboot.
C:\ProgramData\bcbfbbebbfdfacdct.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\svcs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (TrojanProxy.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\gcpxemihceavbwaoweqqr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\hrvxtrodbchfjgkcvoy.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\lniawatsmxvvwlywgcbdgqfav.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\onwfmabmzyjajcemmbyexx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\urqatzfoptoe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\vuhplyqfyvtn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\agaxbwunuqtxsxeice.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\cwjxaodrckfq.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\dvzzxwaltecjwmsvyoxgtiffv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\\WiNlOgOn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

(end)

_________________________________________________________________________________________________________________________

www.malwarebytes.org

Database version: v2012.05.09.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
[administrator]

5/8/2012 10:44:43 PM
mbam-log-2012-05-08 (22-44-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231622
Time elapsed: 35 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\asapiw2k.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\System32\asapiw2k.dll (RootKit.0Access.H) -> Delete on reboot.

(end)

_____________________________________________________________________________________________________

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.09.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
[administrator]

Protection: Disabled

5/9/2012 12:06:31 PM
mbam-log-2012-05-09 (12-06-31).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 456039
Time elapsed: 5 hour(s), 25 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\asp.net.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\asp.net.dll (RootKit.0Access.H) -> Delete on reboot.
C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\19677d88-10f88b1b (Trojan.Agent.VZGen) -> Quarantined and deleted successfully.
C:\Windows\System32\hwpsgt.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

(end)

___________________________________________________________________________________________________________

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.09.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
[administrator]

Protection: Disabled

5/9/2012 7:20:32 PM
mbam-log-2012-05-09 (19-20-32).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 164673
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\PSI_SVC_2.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\System32\PSI_SVC_2.dll (RootKit.0Access.H) -> Delete on reboot.

(end)

______________________________________________________________________________________________

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.09.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
[administrator]

Protection: Disabled

5/9/2012 7:49:11 PM
mbam-log-2012-05-09 (19-49-11).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223514
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\OEM02Vfx.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\System32\OEM02Vfx.dll (RootKit.0Access.H) -> Delete on reboot.

(end)

...............................................................................................................................................

Even though Malwarebytes has removed several malicious objects, a serious virus is still on my computer. Any recommendations ? Thank you
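The five logs above all show the same pattern: every quarantine succeeds except one RootKit.0Access.H module in System32, which is only ever scheduled for "Delete on reboot" and reappears under a new file name in the next scan. As an added example, not code from this thread or from Malwarebytes, here is a small Python parser for this MBAM 1.x text log format that separates what was actually removed from what is still pending, and lists threat names that recur across scans. The two embedded logs are constructed and trimmed, reusing paths and threat names from the logs posted above; the function names are my own.

```python
"""Parse Malwarebytes Anti-Malware 1.x text logs and flag what was NOT removed.
Added example (not a Malwarebytes or BleepingComputer tool)."""
import re
from collections import Counter

# Two constructed logs in the format of the MBAM 1.61 logs posted in this thread,
# trimmed to a few sections; the paths and threat names are taken from those logs.
SCAN_1 = r"""Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.08.09

5/8/2012 6:15:30 PM
mbam-log-2012-05-08 (18-15-30).txt

Memory Modules Detected: 1
C:\Windows\System32\sis315.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\NetworkLog|ImagePath (Trojan.Downloader) -> Data: C:\Windows\svcs.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Files Detected: 2
C:\Windows\System32\sis315.dll (RootKit.0Access.H) -> Delete on reboot.
C:\Windows\svcs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

(end)
"""

SCAN_2 = r"""Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

5/8/2012 10:44:43 PM
mbam-log-2012-05-08 (22-44-43).txt

Memory Modules Detected: 1
C:\Windows\System32\asapiw2k.dll (RootKit.0Access.H) -> Delete on reboot.

Files Detected: 1
C:\Windows\System32\asapiw2k.dll (RootKit.0Access.H) -> Delete on reboot.

(end)
"""

# Section headers look like "Registry Values Detected: 6" or "Files Detected: 14"
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Entries look like "<item> (<Threat.Name>) -> [Data: ... -> ]<action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection: category, item, threat, data, action."""
    detections, category = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            category = sec.group("category")
            continue
        # Skip header lines (before any section), blanks, "(No malicious ...)" and "(end)"
        if category is None or not line or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")   # the last part is always the action
        detections.append({
            "category": category,
            "item": m.group("item"),
            "threat": m.group("threat"),
            "data": " | ".join(parts[:-1]),     # "Data: ..." or "Bad: (0) Good: (1)"
            "action": parts[-1].rstrip("."),
        })
    return detections


def unresolved(detections):
    """Detections MBAM could not remove in-session ("Delete on reboot").
    A kernel-mode rootkit normally protects exactly these, so they come back."""
    return [d for d in detections if "successfully" not in d["action"]]


def recurring_threats(logs):
    """Threat names present in two or more separate scans: removal is not sticking."""
    seen = Counter()
    for text in logs:
        seen.update({d["threat"] for d in parse_mbam_log(text)})
    return sorted(t for t, n in seen.items() if n >= 2)


if __name__ == "__main__":
    for name, log in (("scan 1", SCAN_1), ("scan 2", SCAN_2)):
        pending = unresolved(parse_mbam_log(log))
        print(f"{name}: {len(pending)} item(s) still pending")
        for d in pending:
            print(f"  [{d['category']}] {d['item']} ({d['threat']}) -> {d['action']}")
    print("recurring across scans:", recurring_threats([SCAN_1, SCAN_2]))
```

Run against the real logs from this thread, `recurring_threats` returns only RootKit.0Access.H, and `unresolved` returns nothing but the System32 DLL of the moment. That is the signal a helper looks for: a detection that is never actually quarantined, only deferred to reboot, is below the reach of a user-mode scanner and is why the moderator below points to the specialised malware-removal preparation guide rather than another MBAM pass.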

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,858 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Bloomington, IN
  • Local time: 02:08 AM

Posted 11 May 2012 - 01:11 PM

Hello,

One of the infections MBAM found requires specialized assistance to clear up.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 PatriceJ

PatriceJ
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 01:08 AM

Posted 12 May 2012 - 07:30 PM

THANKS SO MUCH, Orange Blossom !!!

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,858 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Bloomington, IN
  • Local time: 02:08 AM

Posted 12 May 2012 - 11:11 PM

Hello,

You're welcome. I see your new topic here: http://www.bleepingcomputer.com/forums/topic453432.html has been picked up. To avoid potential confusion, I'm closing this topic.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
