Malware Attack


Malware Attack

Post by NeedsHelp on Fri Dec 26, 2008 10:06 pm

I have recently been infected with Malware on my system. The computer that was infected is set up on a network in which another computer on the network was infected. I have been able to download Malwarebytes and Superspyware as well as Ccleaner and Spybot on my networked computer and ran the scans. The initial scans on the networked computer weren't able to clean the files fully. However, when I ran the scans in Safemode w/o networking they were able to clean the networked computer fully. Now when I go to the computer where the Malware originated from it won't allow me to download Superantispyware, Spybot, Adaware, or CCleaner. It does allow me to download Malwarebytes but when I click on it to open it nothing happens. I can find Malwarebytes running in my processes but nothing is happening. I have downloaded Spybot, Superantispyware and CCleaner to a pen drive and installed them onto the infected computer. It won't allow Spybot to connect to its server to install, and when I click on Superantispyware to open it, it says this program is not working. I tried to download Hijackthis and it keeps redirecting me to another website (as it did with Superantispyware and the other anti malware programs). The only way I could download hijackthis is if I copied and pasted the download site into the address bar. However, when I try to install Hijackthis it doesn't do anything.

My Norton Antivirus 2009 can not update its virus definitions either because it says it can not connect to the server, and when I run a scan with Norton it only scans 3190 objects then says it's complete. When I try to run check disk it says that Windows can not perform this task. I repeatedly get random internet pop-ups of random internet sites and when I try to type in antispyware websites I get referred to a search engine and if I click on the links I get redirected to random sites sometimes having nothing to do with what I am looking for. The only spyware program I am able to run is Adaware but halfway through the scan it says it has an unhandled exception and if I click on it then it locks up Adaware. I can also run CCleaner but that is the only thing I can run. I have cleared the Host file but still get redirected on the internet. When I reboot my system in normal mode the C:/Windows/System32 file opens and then I get an error message that Norton can not connect to the server. If I let it sit at the desktop for a little bit it will open up a web page randomly.

Right now while I am sending this message I am in Safe Mode with Networking. It seems that running the computer in safemode is the only way I can keep it somewhat stable but I can't even run the antispyware in safemode and even Adaware messes up halfway through. I still get redirected on the internet while in safemode and I was even lucky to get to this website while in safemode since in normal mode anything that may help gets redirected or doesn't work. This is my tasklist /svc in safemode.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>tasklist /svc

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 800 N/A
csrss.exe 856 N/A
winlogon.exe 880 N/A
services.exe 936 Eventlog
lsass.exe 948 N/A
svchost.exe 1140 DcomLaunch, TermService
svchost.exe 1316 RpcSs
svchost.exe 1468 Browser, CryptSvc, Dhcp, helpsvc,
lanmanserver, lanmanworkstation, Netman,
SharedAccess, srservice, winmgmt, WZCSVC
svchost.exe 1560 Dnscache
svchost.exe 1676 LmHosts
explorer.exe 2004 N/A
ctfmon.exe 832 N/A
iexplore.exe 1440 N/A
mbam-setup.exe 1964 N/A
HJTInstall.exe 272 N/A
HJTInstall.exe 1220 N/A
taskmgr.exe 552 N/A
cmd.exe 192 N/A
tasklist.exe 1432 N/A
wmiprvse.exe 1736 N/A

C:\Documents and Settings\Administrator>


And here is my Tasklist from Safemode:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>tasklist /svc

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 800 N/A
csrss.exe 856 N/A
winlogon.exe 880 N/A
services.exe 936 Eventlog
lsass.exe 948 N/A
svchost.exe 1140 DcomLaunch, TermService
svchost.exe 1316 RpcSs
svchost.exe 1468 Browser, CryptSvc, Dhcp, helpsvc,
lanmanserver, lanmanworkstation, Netman,
SharedAccess, srservice, winmgmt, WZCSVC
svchost.exe 1560 Dnscache
svchost.exe 1676 LmHosts
explorer.exe 2004 N/A
ctfmon.exe 832 N/A
iexplore.exe 1440 N/A
mbam-setup.exe 1964 N/A
HJTInstall.exe 272 N/A
HJTInstall.exe 1220 N/A
taskmgr.exe 552 N/A
cmd.exe 192 N/A
tasklist.exe 1432 N/A
wmiprvse.exe 1736 N/A

C:\Documents and Settings\Administrator>



I am not sure if the tasklists help or anything. I did notice, however, that while running in normal mode, in my processes, services is the one that is running the most usage the entire time (anywhere from 50% to 65%).


Re: Malware Attack

Post by Belahzur on Fri Dec 26, 2008 10:10 pm

Hello.
I see the HJT install on the tasklist, so please post a Hijack This log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Malware Attack

Post by NeedsHelp on Fri Dec 26, 2008 10:15 pm

Here is my Hijackthis log. I was only able to open it by clicking Run instead of Save when downloading it. Note: Keep in mind this is from Safe Mode.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:11 PM, on 12/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
C:\WINDOWS\system32\services.exe
C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\hijackgpthis[2].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Windows Media Player\ctfmon.exe,
O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
O2 - BHO: (no name) - {03624266-b818-4b9e-8273-70b1f10224a2} - C:\WINDOWS\system32\wifufulu.dll
O2 - BHO: Symantec Intrusion Prevention - {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mlJDtuuR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {280c01e0-c8c7-9dfb-1814-7c6bf17c089a} - {a980c71f-b6c7-4181-bfd9-7c8c0e10c082} - C:\WINDOWS\system32\exxxzh.dll
O2 - BHO: (no name) - {E03FC8C7-1621-4440-8F10-C71A634E6AE5} - C:\WINDOWS\system32\khfGvstR.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\INNATC~1\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [CTEMON.EXE] "" /h
O4 - HKLM\..\Run: [giwonezevo] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
O4 - HKLM\..\Run: [045f814a] rundll32.exe "C:\WINDOWS\system32\gadonesi.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [giwonezevo] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [giwonezevo] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\WINDOWS\system32\juyadewi.dll,exxxzh.dll
O20 - Winlogon Notify: mlJDtuuR - C:\WINDOWS\SYSTEM32\mlJDtuuR.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Norton AntiVirus (norton antivirus) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 7643 bytes


Re: Malware Attack

Post by Belahzur on Fri Dec 26, 2008 10:23 pm

Hello.
I don't mind safe mode; we have enough detail to remove what we can see, and doing this will remove the hidden cause of the problem.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Windows Media Player\ctfmon.exe,
    O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
    O2 - BHO: (no name) - {03624266-b818-4b9e-8273-70b1f10224a2} - C:\WINDOWS\system32\wifufulu.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mlJDtuuR.dll
    O2 - BHO: {280c01e0-c8c7-9dfb-1814-7c6bf17c089a} - {a980c71f-b6c7-4181-bfd9-7c8c0e10c082} - C:\WINDOWS\system32\exxxzh.dll
    O2 - BHO: (no name) - {E03FC8C7-1621-4440-8F10-C71A634E6AE5} - C:\WINDOWS\system32\khfGvstR.dll
    O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\INNATC~1\LOCALS~1\Temp\winlogin.exe
    O4 - HKLM\..\Run: [CTEMON.EXE] "" /h
    O4 - HKLM\..\Run: [giwonezevo] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
    O4 - HKLM\..\Run: [045f814a] rundll32.exe "C:\WINDOWS\system32\gadonesi.dll",b
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKUS\S-1-5-19\..\Run: [giwonezevo] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [giwonezevo] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: C:\WINDOWS\system32\juyadewi.dll,exxxzh.dll
    O20 - Winlogon Notify: mlJDtuuR - C:\WINDOWS\SYSTEM32\mlJDtuuR.dll
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.


1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\Program Files\Windows Media Player\ctfmon.exe
C:\WINDOWS\system32\wifufulu.dll
C:\WINDOWS\system32\mlJDtuuR.dll
C:\WINDOWS\system32\exxxzh.dll
C:\WINDOWS\system32\khfGvstR.dll
C:\WINDOWS\system32\mezutilo.dll
C:\WINDOWS\system32\gadonesi.dll
C:\WINDOWS\system32\juyadewi.dll
C:\WINDOWS\system32\exxxzh.dll
C:\WINDOWS\SYSTEM32\mlJDtuuR.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


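As an added example, not code from this thread or from HijackThis itself, the following Python script parses the entry types the helper acted on above (F2, O2, O4, O20, O23) and flags the patterns that made those lines stand out: a second UserInit program, nameless or orphaned BHOs, autostarts from a Temp folder or via rundll32, any AppInit_DLLs value, a non-default Winlogon Notify DLL, and a service with no publisher or a missing binary. The sample lines are copied from the posted log (plus two benign entries for contrast); the rules are this example's own heuristics.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied from the log posted in this thread, plus two
# benign entries (Symantec BHO, QuickTime autostart) that must NOT be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Windows Media Player\ctfmon.exe,
O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
O2 - BHO: (no name) - {03624266-b818-4b9e-8273-70b1f10224a2} - C:\WINDOWS\system32\wifufulu.dll
O2 - BHO: Symantec Intrusion Prevention - {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: {280c01e0-c8c7-9dfb-1814-7c6bf17c089a} - {a980c71f-b6c7-4181-bfd9-7c8c0e10c082} - C:\WINDOWS\system32\exxxzh.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\INNATC~1\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [CTEMON.EXE] "" /h
O4 - HKLM\..\Run: [giwonezevo] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\juyadewi.dll,exxxzh.dll
O20 - Winlogon Notify: mlJDtuuR - C:\WINDOWS\SYSTEM32\mlJDtuuR.dll
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R0|R1|F2|O\d+) - (.*)$")            # "<type> - <body>"
RUN_RE = re.compile(r"^(HK.*?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # "<hive>\..\Run: [name] command"
Finding = namedtuple("Finding", "kind reason line")  # entry type, why flagged, original line

def check_f2(body):
    """F2 UserInit: only userinit.exe belongs here; anything else runs at every logon."""
    if "UserInit=" not in body:
        return None
    programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
    extra = [p for p in programs if not p.lower().endswith(r"\system32\userinit.exe")]
    return "UserInit launches extra program(s): " + ", ".join(extra) if extra else None

def check_o2(body):
    """O2 BHO: '<name> - {CLSID} - <path>'; nameless or orphaned BHOs are suspect."""
    parts = body.split(" - ")
    if len(parts) < 3 or not parts[0].startswith("BHO: "):
        return None
    name, path = parts[0][len("BHO: "):].strip(), parts[-1].strip()
    if name == "(no name)" or name.startswith("{"):
        return "BHO has no readable name"
    if path == "(no file)":
        return "BHO registration points to a missing file"
    return None

def check_o4(body):
    """O4 Run key: flag empty targets, Temp-directory binaries and rundll32-loaded DLLs."""
    m = RUN_RE.match(body)
    if not m:
        return None
    command = m.group(3).strip()
    cmd_l = command.lower()
    if not command or command.split()[0] == '""':
        return "autostart entry with an empty target"
    if "\\temp\\" in cmd_l:
        return "autostart runs a binary from a Temp directory"
    if cmd_l.lstrip('"').startswith("rundll32"):
        return "autostart uses rundll32 to load a DLL: " + command
    return None

def check_o20(body):
    """O20: AppInit_DLLs load into every process using user32.dll; Notify DLLs run in winlogon."""
    if body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        return ("AppInit_DLLs is set: " + dlls) if dlls else None
    if body.startswith("Winlogon Notify:"):
        return "non-default Winlogon Notify DLL"
    return None

def check_o23(body):
    """O23 Service: no publisher and/or a missing binary."""
    reasons = []
    if "Unknown owner" in body:
        reasons.append("service with no publisher")
    if body.endswith("(file missing)"):
        reasons.append("service binary missing")
    return "; ".join(reasons) or None

CHECKS = {"F2": check_f2, "O2": check_o2, "O4": check_o4, "O20": check_o20, "O23": check_o23}

def triage(log_text):
    """Return a Finding for every log entry one of the heuristics flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        check = CHECKS.get(kind)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(kind, reason, line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the sample, the script flags ten of the twelve entries and leaves the Symantec BHO and the QuickTime autostart alone, which matches the lines the helper chose to fix.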

Re: Malware Attack

Post by NeedsHelp on Fri Dec 26, 2008 10:41 pm

Here is my Avenger.txt:
Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSqavb.sys
Driver disabled successfully.

Rootkit scan completed.


Error: file "C:\Program Files\Windows Media Player\ctfmon.exe" not found!
Deletion of file "C:\Program Files\Windows Media Player\ctfmon.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wifufulu.dll" not found!
Deletion of file "C:\WINDOWS\system32\wifufulu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\mlJDtuuR.dll" deleted successfully.
File "C:\WINDOWS\system32\exxxzh.dll" deleted successfully.
File "C:\WINDOWS\system32\khfGvstR.dll" deleted successfully.
File "C:\WINDOWS\system32\mezutilo.dll" deleted successfully.
File "C:\WINDOWS\system32\gadonesi.dll" deleted successfully.
File "C:\WINDOWS\system32\juyadewi.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\exxxzh.dll" not found!
Deletion of file "C:\WINDOWS\system32\exxxzh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\SYSTEM32\mlJDtuuR.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\mlJDtuuR.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

NeedsHelp
Beginner
Beginner

Status :
Online
Offline

Posts : 4
Joined : 2008-12-26
OS : WindowsXP

View user profile

Back to top Go down

Re: Malware Attack

Post by Belahzur on Fri Dec 26, 2008 10:44 pm

Okay.
MBAM setup will run now.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Malware Attack

Post by NeedsHelp on Fri Dec 26, 2008 11:11 pm

Here is my Malwarebytes Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1551
Windows 5.1.2600 Service Pack 2

12/26/2008 6:10:53 PM
mbam-log-2008-12-26 (18-10-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 75346
Time elapsed: 17 minute(s), 0 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 36

Memory Processes Infected:
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\winlogin.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljdtuur (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03624266-b818-4b9e-8273-70b1f10224a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{03624266-b818-4b9e-8273-70b1f10224a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\giwonezevo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\045f814a (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Inn at Canal Square\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\mlJDtuuR.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdpvvtfn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nftvvpdm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xaolthdb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdhtloax.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\winlogin.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\ekejy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\backups\backup-20081226-173045-365.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\backups\backup-20081226-173045-188.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\backups\backup-20081226-173045-343.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHC1.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHC6.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\1381594722.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\2359097710.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\mecnwsaxro.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\nrxoacsewm.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\saxwcormen.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\reomwnsacx.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP383\A0021329.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwrlbf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkse73hedfdgf.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\momjabuo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkwtw.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoeqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSosvn.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qnyrendu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnMgDu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSqavb.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\b7308796.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ssqqOfcy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inn at Canal Square\Local Settings\Temp\TDSS8370.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSsbhc.log (Trojan.TDSS) -> Quarantined and deleted successfully.


Re: Malware Attack

Post by Belahzur on Fri Dec 26, 2008 11:27 pm

Hello.
That should have cleared a lot of the junk.
Just one last look around.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Malware Attack

Post by Doctor Inferno on Sun Feb 08, 2009 9:29 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

