Working on a computer with a bad one...

  1. #1
    Join Date
    May 2009
    Posts
    33

    Working on a computer with a bad one...

    Hello there,

    Whoever wishes to assist, I have stumbled across the NVRSK.DLL / WOWFX.DLL trojan package. I thought a simple safe mode boot with AVG would have fixed the problem... Alas, I was wrong. What steps are needed to remove this virus, or should I look at doing an outright format?

    Trojan Horse Downloader.Generic8.AIQH
    Trojan Horse Agent.ALBH

    Thanks in advance!
    Last edited by artificer88; May 3rd, 2009 at 04:34 AM. Reason: Gotta add the thanks in advance :)

  2. #2
    photolady is offline Lifetime Friend of Site Staff
    Join Date
    Mar 2002
    Location
    At my computer, cruising VDR and watching your back
    Posts
    23,412
    Please follow the instructions below.

    Print these instructions out.

    NOTE: If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until a menu appears; select Safe Mode. You'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Under Configuration and Preferences, click the Preferences button.
    * Under the "General and Startup" tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Scan for tracking cookies.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * Back on the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
    NOTE: Tracking cookies can be omitted from the log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    4. Download, install, and run HijackThis:
    http://www.snapfiles.com/get/hijackthis.html
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    (Above layout courtesy of Broni)

  3. #3
    Join Date
    May 2009
    Posts
    33
    Thanks for the quick reply, am working on your steps now... but safe mode boots only sometimes and usually finds itself stuck on avgrkx86.sys... any way to disable it from starting?

    Also, I have a few system files booting that shouldn't be... tdrpm174.sys and snman380.sys...
    Last edited by artificer88; May 3rd, 2009 at 02:10 PM.

  4. #4
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    avgrkx86.sys is related to AVG antivirus. Try temporarily disabling it or, if absolutely necessary, uninstalling it until we're done with the scans/cleaning, if it's interfering with the process.

    VirtualDr email notices are not working.
    Check back regularly for responses.

    _____________________
    cat lovers click here

  5. #5
    Join Date
    May 2009
    Posts
    33
    I have disabled AVG, but still have no luck booting into safe mode.... it now lags on Mup.sys.

  6. #6
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    Then just continue on in regular mode for now.


  7. #7
    Join Date
    May 2009
    Posts
    33
    Okay, thanks.

    I'll post the logs as soon as everything is good and done. Should be a few hours at this rate.

    Thanks once again for your assistance.

  8. #8
    Join Date
    May 2009
    Posts
    33
    Okay, got the SAS log... but when I tried to remove all the threats, my computer BSOD'ed and informed me that Windows Logon Manager had terminated unexpectedly... is this problem larger than I originally anticipated?

    Log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/03/2009 at 05:42 PM

    Application Version : 4.26.1002

    Core Rules Database Version : 3875
    Trace Rules Database Version: 1823

    Scan type : Complete Scan
    Total Scan Time : 01:18:03

    Memory items scanned : 471
    Memory threats detected : 4
    Registry items scanned : 4624
    Registry threats detected : 76
    File items scanned : 344169
    File threats detected : 77

    Adware.Vundo/Variant-0201a
    C:\WINDOWS\SYSTEM32\AHUYFSRR.DLL
    C:\WINDOWS\SYSTEM32\AHUYFSRR.DLL

    Adware.Vundo/Variant-F13
    C:\WINDOWS\SYSTEM32\JFOKZM.DLL
    C:\WINDOWS\SYSTEM32\JFOKZM.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{ea1723e4-f56e-4c13-b55d-bd419b257e98}
    HKCR\CLSID\{EA1723E4-F56E-4C13-B55D-BD419B257E98}
    HKCR\CLSID\{ea1723e4-f56e-4c13-b55d-bd419b257e98}\inprocserver32
    HKCR\CLSID\{ea1723e4-f56e-4c13-b55d-bd419b257e98}\inprocserver32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PYYAUQQE.DLL

    Trojan.Dropper/Sys-NV
    C:\WINDOWS\SYSTEM32\NVRSK.DLL
    C:\WINDOWS\SYSTEM32\NVRSK.DLL

    Trojan.Vundo-Variant/Small-GEN
    C:\WINDOWS\SYSTEM32\WVULLCDT.DLL
    C:\WINDOWS\SYSTEM32\WVULLCDT.DLL

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\RQRJATUS.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    HKU\s-1-5-21-1659004503-1637723038-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
    HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

    Trojan.Vundo-Variant/NextGen
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce12cb62-5ad7-466b-b9be-13148ffdfc62}
    HKCR\CLSID\{CE12CB62-5AD7-466B-B9BE-13148FFDFC62}
    HKCR\CLSID\{CE12CB62-5AD7-466B-B9BE-13148FFDFC62}\inprocserver32
    HKCR\CLSID\{CE12CB62-5AD7-466B-B9BE-13148FFDFC62}\inprocserver32#ThreadingModel

    Trojan.Downloader/ZLob
    HKU\s-1-5-21-1659004503-1637723038-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\inprocserver32
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\inprocserver32#ThreadingModel
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\progid
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\programmable
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\typelib
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\versionindependentprogid
    HKCR\y537.y537mgr.1
    HKCR\y537.y537mgr.1\CLSID
    HKCR\y537.y537mgr
    HKCR\y537.y537mgr\CLSID
    HKCR\y537.y537mgr\CurVer
    HKCR\TypeLib\{E63648F7-3933-440E-AAAA-A8584DD7B7EB}
    C:\WINDOWS\SYSTEM32\796525\796525.DLL

    Trojan.Unknown Origin
    HKLM\Software\AGProtect
    HKLM\Software\AGProtect#Cfg
    C:\WINDOWS\SYSTEM32\AZTON.MT
    C:\WINDOWS\TEMP\C3775038.EXE
    C:\XIPR.EXE
    C:\XMRGYCJ.EXE

    Trojan.DNSChanger-Codec
    HKLM\Software\1
    HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
    HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
    HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
    HKLM\Software\6
    HKLM\Software\6#31AC70412E939D72A9234CDEBB1AF5867B
    HKLM\Software\6#31897356954C2CD3D41B221E3F24F99BBA
    HKLM\Software\6#31C2E1E4D78E6A11B88DFA803456A1FFA5
    HKLM\Software\7
    HKLM\Software\7#31AC70412E939D72A9234CDEBB1AF5867B
    HKLM\Software\7#31897356954C2CD3D41B221E3F24F99BBA
    HKLM\Software\7#31C2E1E4D78E6A11B88DFA803456A1FFA5
    HKLM\Software\8
    HKLM\Software\8#31AC70412E939D72A9234CDEBB1AF5867B
    HKLM\Software\8#31897356954C2CD3D41B221E3F24F99BBA
    HKLM\Software\8#31C2E1E4D78E6A11B88DFA803456A1FFA5
    HKLM\Software\9
    HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
    HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
    HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5

    Trojan.VideoCach/Gen
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version

    Adware.E404 Helper/Hij
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\FCOVM
    HKLM\SOFTWARE\Microsoft\RemoveRP

    Trojan.Unclassified/UserInit-Fake
    C:\USERINIT.EXE

    Unclassified.Unknown Origin/System
    C:\WINDOWS\SYSTEM32\DIGEST32.DLL

  9. #9
    Join Date
    May 2009
    Posts
    33
    MBAM Log:
    Malwarebytes' Anti-Malware 1.36
    Database version: 1945
    Windows 5.1.2600 Service Pack 3

    5/3/2009 7:52:04 PM
    mbam-log-2009-05-03 (19-52-04).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 107473
    Time elapsed: 8 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 19
    Registry Values Infected: 4
    Registry Data Items Infected: 8
    Folders Infected: 3
    Files Infected: 16

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\ahuyfsrr.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\wvUlLcDt.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjatus (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0d13b27-3e59-41bd-ac22-9fb56d1d5a9f} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{d0d13b27-3e59-41bd-ac22-9fb56d1d5a9f} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d0d13b27-3e59-41bd-ac22-9fb56d1d5a9f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a02db310 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvullcdt -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvullcdt -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\wowfx.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: wowfx.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digest32.dll -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\altcmd (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\rqRJAtuS.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wvUlLcDt.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\tDcLlUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tDcLlUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ahuyfsrr.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\rrsfyuha.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\796525\796525.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\xmrgycj.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VCTOMFKW\qw[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wowfx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\altcmd\altcmd.inf (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\altcmd\uninstall.bat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\t55ft2692f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\azton.mt (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\digest32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\userinit.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
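    The MBAM log above is laid out in sections ("Memory Modules Infected:", "Registry Data Items Infected:", ...), and each item line carries the path, the detection name in parentheses, optional Data: or Bad:/Good: details, and the action taken. Items marked "Delete on reboot" are still on disk until the restart the instructions call for, and the Bad:/Good: pairs show exactly which persistence values (Userinit, AppInit_DLLs, SecurityProviders, LSA packages) were hijacked and what they were restored to. As an added example, not part of the thread and not Malwarebytes' own tooling, here is a Python parser for that layout that pulls out the reboot-pending items and the hijacked registry values. The sample log is constructed from lines quoted in the thread; the format details are assumed from that log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the layout of the MBAM 1.x log quoted in the
# thread (section headers and "-> action" suffixes follow that log; this is
# not a complete log, just enough lines to exercise the parser).
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1945

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ahuyfsrr.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvullcdt -> Delete on reboot.

Files Infected:
C:\userinit.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# A section header is "<name> Infected:" with nothing after the colon; the
# summary block at the top has counts after the colon and is skipped.
SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+)$")


@dataclass
class Finding:
    section: str
    path: str
    detection: str
    action: str          # e.g. "Quarantined and deleted successfully"
    data: Optional[str] = None   # "Data:" detail for registry data items
    bad: Optional[str] = None    # value found (Bad:)
    good: Optional[str] = None   # value MBAM restored (Good:)


def parse_mbam_log(text: str) -> List[Finding]:
    """Parse the per-section item lines of an MBAM log into Finding records."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        item = ITEM_RE.match(line)
        if section is None or not item:
            continue  # header, summary counts, or "(No malicious items detected)"
        parts = item.group("rest").split(" -> ")   # details..., action
        f = Finding(section, item.group("path"), item.group("detection"),
                    parts[-1].rstrip("."))
        for detail in parts[:-1]:
            bg = BAD_GOOD_RE.match(detail)
            if bg:
                f.bad, f.good = bg.group("bad"), bg.group("good")
            d = DATA_RE.match(detail)
            if d:
                f.data = d.group("data")
        findings.append(f)
    return findings


def reboot_pending(findings: List[Finding]) -> List[Finding]:
    """Items MBAM could not remove while loaded; they are gone only after a restart."""
    return [f for f in findings if f.action.startswith("Delete on reboot")]


def hijacked_values(findings: List[Finding]) -> Dict[str, Tuple[str, str]]:
    """Registry values MBAM restored: path -> (bad value found, good value written)."""
    return {f.path: (f.bad, f.good) for f in findings if f.bad is not None}


def counts_by_section(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("items by section:", counts_by_section(found))
    for f in reboot_pending(found):
        print("restart needed to remove:", f.path)
    for path, (bad, good) in hijacked_values(found).items():
        print(f"{path}\n  was: {bad}\n  restored to: {good}")
```

    The reboot-pending list is the reason the instructions insist on "RESTART COMPUTER!" between tools: a second scanner run before the restart will still see those files. The hijacked-value map is what to re-check after the restart, since a Userinit value that points anywhere but the real userinit.exe will come straight back if a loaded component re-writes it.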

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Malwarebytes database version is seriously outdated.
    You need to update it, and re-run the scan.

  11. #11
    Join Date
    May 2009
    Posts
    33
    I tried to update MBAM; however, it will not allow me to update it. The servers are blocked, as is most internet activity.

    Also, how can I upload the GMER logfile, as it is over 20000 characters?


    HJT Log:
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:22:17 PM, on 5/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mnlcip4.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mnlcip4.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\SetPoint II\SetpointII.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
    D:\Games\Stardock\Impulse\Now\ImpulseNow.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mnlcip4.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    J:\2n78c3mf.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: C:\WINDOWS\system32\jkshfuiehi.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\jkshfuiehi.dll (file missing)
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ToolBoxFX] "c:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
    O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE
    O4 - HKLM\..\Run: [Language_Shortcut] C:\WINDOWS\TEMP\IEXPLORE.EXE
    O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
    O4 - HKLM\..\Run: [RUNDLL32] C:\WINDOWS\TEMP\rundll32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Steam] "D:\Games\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mnlcip4.exe
    O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mnlcip4.exe
    O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: ImpulseNow.lnk = D:\Games\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Global Startup: SetPointII.lnk = ?
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\jkshfuiehi.dll (file missing)
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
    
    --
    End of file - 9079 bytes
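    HijackThis only lists what is registered to start; deciding which entries are suspicious is left to the reader. As an added example, not from the thread and not part of Trend Micro's tool, the Python below applies the patterns visible in the log above as triage rules: Run entries launched from a Temp directory or directly from a user profile root, core Windows process names (csrss.exe, services.exe, ...) running outside %SystemRoot% or system32, entries whose file is "(file missing)", and an IE proxy set to localhost. The sample lines are constructed from the posted log; the rule set is my own heuristic, meant to prioritise what to look at, not to issue verdicts.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in HijackThis 2.0 report format, modelled on the
# log posted in the thread (paths and CLSIDs copied from it as sample data).
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171",
    r"O2 - BHO: C:\WINDOWS\system32\jkshfuiehi.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\jkshfuiehi.dll (file missing)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE",
    r"O4 - HKCU\..\Run: [] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mnlcip4.exe",
    r"O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe",
    r'O4 - HKCU\..\Run: [Steam] "D:\Games\Steam\Steam.exe" -silent',
    r"O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# Core Windows process names; the genuine copies live in %SystemRoot% or
# %SystemRoot%\system32, so the same name launched from anywhere else is a flag.
CORE_PROCESS_NAMES = {
    "csrss.exe", "services.exe", "winlogon.exe", "lsass.exe", "smss.exe",
    "svchost.exe", "userinit.exe", "explorer.exe", "rundll32.exe",
}
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.I)     # first .exe token, quoted or not
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+$", re.I)


def exe_path(command: str) -> Optional[str]:
    """Executable part of a Run command line ("C:\\x\\y.exe" args, or bare name)."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else None


def core_name_outside_system(exe: str) -> bool:
    path = exe.lower()
    if "\\" not in path:
        return False  # bare name, resolved through the system path
    directory, _, base = path.rpartition("\\")
    return base in CORE_PROCESS_NAMES and not directory.endswith(("\\windows", "\\system32"))


def triage_line(line: str) -> List[str]:
    """Reasons this HJT line deserves a closer look (empty list = nothing noted)."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0]          # R1, O2, O4, O23, ...
    exe: Optional[str] = None
    if "(file missing)" in line:
        reasons.append("points at a file that is no longer present (orphaned hook or half-removed malware)")
    if kind == "R1" and "ProxyServer" in line and re.search(r"localhost|127\.0\.0\.1", line, re.I):
        reasons.append("IE proxy routes browsing through a local listener")
    if kind == "O4":
        m = O4_RE.match(line)
        if m:
            if m.group("name") == "":
                reasons.append("Run value with an empty name")
            exe = exe_path(m.group("cmd"))
    elif kind == "O23":
        exe = line.rsplit(" - ", 1)[1].replace("(file missing)", "").strip()
    if exe:
        if TEMP_DIR_RE.search(exe):
            reasons.append("autostart from a Temp directory")
        if PROFILE_ROOT_RE.match(exe.rpartition("\\")[0]):
            reasons.append("executable sits directly in a user profile root")
        if core_name_outside_system(exe):
            reasons.append("core Windows process name running outside %SystemRoot%/system32")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return only the lines that tripped at least one rule, with their reasons."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LINES):
        print(line)
        for r in reasons:
            print("   ->", r)
```

    Lines that trip no rule (the NVIDIA entries, Steam) are not declared clean; they simply need the usual check against the vendor and path. The rules are ordered by how often they show up in logs like this one, and the proxy rule matters most for the poster's "servers are blocked" symptom: with IE forced through localhost:7171, every update download goes through whatever is listening there.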

  12. #12
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    Attach the log file to a new post.

    Also, please just copy and paste the other log files into the post without any special formatting, etc.

    Makes it easier to read. Thanks.

    EDIT: Never mind... I see now that you can't post it any other way because of too many image tags.


  13. #13
    Join Date
    May 2009
    Posts
    33
    Posting GMER. Tried another method of updating mbam and it failed... how else can I get it up to date?
    Attached Files

  14. #14
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    You could try a manual update... on another computer (if necessary) download the database file here:

    http://www.gt500.org/malwarebytes/database.jsp

    and put it on a thumb drive or CD, etc.


  15. #15
    Join Date
    May 2009
    Posts
    33
    Got a new MBAM logfile.
    Attached Files
