BID

Members
  • Posts

    10
Reputation

0 Neutral
  1. Hi I updated a V-share plugin and got infected. Scanned and got this:

     Malwarebytes' Anti-Malware 1.36
     Database version: 1994
     Windows 5.1.2600 Service Pack 3

     17/04/2009 21:07
     mbam-log-2009-04-17 (21-07-16).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 199216
     Time elapsed: 1 hour(s), 18 minute(s), 12 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 2
     Registry Values Infected: 0
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 87

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386si (Rootkit.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Agent) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digiwet.dll -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0272488.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0272489.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0272490.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0272491.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1324\A0272492.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Andrew\Local Settings\Temp\BNFE.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Andrew\list.txt (Malware.Trace) -> Quarantined and deleted successfully.
     C:\WINDOWS\SYSTEM32\digiwet.dll (Trojan.Agent) -> Quarantined and deleted successfully.

     On my other area I came across a gdown item. Grateful for suggestions as what to do next.

     Bid
  2. Hi, Full scans on C: on each of our logins and nothing showed. Still not too sure but the PC seems to be working okay. Not knocked out by the latest Firefox though... Many thanks for your time and help. Take care Andrew j
  3. Sorry, one more thing before I hit the sack. Should I run the ATF cleaner and aswMBR on each account? cheers BID
  4. That's good to know, thank you. I'll run full scans on all of the accounts over the weekend and see how it goes. Again, many thanks for your help and time. Good weekend to you.
  5. Sorry for not being clear. On my PC with XP, we each have our own user account. I scanned my son's first, it took over 3 hours, detected the trojan, removed it and then, having rebooted found it on my wife's user account... so I'm not really sure if the PC is clear. BID
  6. Hi I'm running XP and yesterday I ran Malwarebytes on my son's login and got this:

     Malwarebytes' Anti-Malware 1.50.1.1100
     www.malwarebytes.org
     Database version: 6302
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     07/04/2011 21:29
     mbam-log-2011-04-07 (21-29-46).txt

     Scan type: Full scan (C:\|)
     Objects scanned: 275681
     Time elapsed: 3 hour(s), 2 minute(s), 15 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{1032B52C-7D89-F9F5-EF0A-1635B28AD9BA} (Trojan.ZbotR.Gen) -> Value: {1032B52C-7D89-F9F5-EF0A-1635B28AD9BA} -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     which was successfully deleted. I shut down and restarted and ran a scan on my wife's login and got the same.. which made me wonder. Thanks for your time.

     Aj
  7. Malwarebytes' Anti-Malware 1.50.1.1100
     www.malwarebytes.org
     Database version: 6304
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     08/04/2011 18:50
     mbam-log-2011-04-08 (18-50-48).txt

     Scan type: Quick scan
     Objects scanned: 191825
     Time elapsed: 5 minute(s), 1 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  8. aswMBR version 0.9.4 Copyright© 2011 AVAST Software
     Run date: 2011-04-08 18:35:50
     -----------------------------
     18:35:50.109 OS Version: Windows 5.1.2600 Service Pack 3
     18:35:50.109 Number of processors: 2 586 0x604
     18:35:50.125 ComputerName: DBM0QN1J UserName: Andrew
     18:35:50.578 Initialize success
     18:35:52.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
     18:35:52.046 Disk 0 Vendor: ST3160023AS 8.12 Size: 152587MB BusType: 3
     18:35:54.062 Disk 0 MBR read successfully
     18:35:54.062 Disk 0 MBR scan
     18:35:56.062 Disk 0 scanning sectors +312496380
     18:35:56.078 Disk 0 scanning C:\WINDOWS\system32\drivers
     18:36:01.140 Service scanning
     18:36:02.281 Disk 0 trace - called modules:
     18:36:02.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
     18:36:02.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a85a250]
     18:36:02.312 3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> [0x8a85a7b8]
     18:36:02.312 5 iomdisk.sys[ba3a0bc3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a88bb00]
     18:36:02.312 Scan finished successfully
  9. Hello Pretty new here. Clearly something up with my PC, jusched.exe keeps on reporting an error, then IE and Firefox started to redirect. Earlier today MSE detected Alureon and deleted it... since then have been allowed to download AV software but nothing detected. Can't see any folders in my Program Files folders. Replaced IE with FF but IE icon was replaced in start up by FF... Not looking good. Open to any offers of help. BID.