dekadai Posted May 18, 2010

This is the second time this week that my anti-virus software (Sunbelt VIPRE) has told me that I'm infected. This morning, when I ran the scan, it said I was infected by both Trojan.Win32.Generic!BT and VirTool.Win32.Obfuscator.ah!a (v). I ran Malwarebytes the first time and was very certain that the threat was gone, but it came back.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4108

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/17/2010 2:42:32 PM
mbam-log-2010-05-17 (14-42-32).txt

Scan type: Quick scan
Objects scanned: 123303
Time elapsed: 14 minute(s), 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\Users\Mimi\AppData\Local\qunieyqih\twksblptssd.exe (Rogue.AntispywareSoft) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfougxkm (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mimi\AppData\Local\qunieyqih\twksblptssd.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\xwensormac.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\wgvyd.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\Temp\gmfrxpgv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mimi\AppData\Local\asam.exe (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:19 PM, on 5/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Zecter\ZumoDrive\zumodrive.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [updatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [sBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [ZumoDrive] "C:\Program Files\Zecter\ZumoDrive\ZumoLauncher.lnk"
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ZumoDrive] C:\Program Files\Zecter\ZumoDrive\ZumoLauncher.lnk
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_93C8148BBB233F43.dll/cmsidewiki.html
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8242 bytes
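The logs in the post above carry the indicators a responder would triage first: an Internet Explorer ProxyServer value pointing at 127.0.0.1 (the rogue AV interposing itself on browser traffic), Run values whose targets live under the user's AppData\Local and Temp directories, a BHO registered with no backing file, and a service whose binary is missing. The following Python script is an added example, not part of the thread and not Malwarebytes' or Trend Micro's code, that reads HijackThis-style lines and applies those four heuristics. It assumes the line layout shown in the log above; the sample lines are copied from that log except for the two O4 lines marked as constructed, which pair the Run value names (dfougxkm, asam) with the file paths that the MBAM log in the same post attributed to them.

```python
import re
from dataclasses import dataclass

# Sample HijackThis-style lines. All are taken from the log posted above except
# the two O4 lines marked CONSTRUCTED, which combine the Run value names and the
# AppData paths that the MBAM log in the same post reported for those entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [dfougxkm] C:\Users\Mimi\AppData\Local\qunieyqih\twksblptssd.exe
O4 - HKCU\..\Run: [asam] C:\Users\Mimi\AppData\Local\asam.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
"""

# "ProxyServer = http=127.0.0.1:5555": optional scheme prefix, loopback host, optional port.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost)(?::\d+)?", re.I
)
# Autorun targets under the user's profile/temp area are writable without admin rights,
# which is where the droppers in the MBAM log above were staged.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\|\\Temp\\", re.I)
# O4 layout: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the offending log line, verbatim


def triage(log_text: str) -> list:
    """Apply the four heuristics to each line and return the flagged lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "R1" and "ProxyServer" in line:
            m = LOOPBACK_PROXY.search(line)
            if m:
                findings.append(Finding(section,
                    f"IE proxy routed through loopback ({m.group(1)}); "
                    "typical of a rogue AV intercepting browser traffic", line))
        elif section == "O2" and line.endswith("(no file)"):
            findings.append(Finding(section,
                "orphaned BHO registration with no backing file", line))
        elif section == "O4":
            m = O4_LINE.match(line)
            if m and USER_WRITABLE.search(m.group("cmd")):
                findings.append(Finding(section,
                    f"autorun value [{m.group('name')}] launches a binary from a "
                    "user-writable profile/temp directory", line))
        elif section == "O23" and line.endswith("(file missing)"):
            findings.append(Finding(section,
                "service registered with a missing binary", line))
    return findings


def findings_by_section(findings: list) -> dict:
    """Count flagged lines per HijackThis section, for a quick summary."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(findings_by_section(triage(SAMPLE_LOG)))
```

The HKLM and HKUS Run entries and the Google, Defender and VIPRE lines pass through untouched, which is the point: the heuristics key on where a binary lives and whether a registration is orphaned, not on vendor names, so they still work when the dropper picks a fresh random name. A loopback proxy entry is worth checking even after the rogue process is gone, since the browser keeps sending traffic to a port nothing listens on until the value is cleared.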
screen317 (Staff) Posted May 18, 2010

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.
Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

-screen317
dekadai (Author) Posted May 18, 2010

Here are the results for the scans.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4113

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/18/2010 6:15:53 PM
mbam-log-2010-05-18 (18-15-53).txt

Scan type: Quick scan
Objects scanned: 123286
Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS scan results

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mimi at 18:20:02.99 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_15
Microsoft
screen317 (Staff) Posted May 19, 2010

Hi,

Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
dekadai (Author) Posted May 19, 2010

I did the two scans, but after ComboFix finished, it wouldn't allow me to access any programs via Windows Explorer. It kept saying something about the program I'm trying to access was selected for deletion. I am now running in safe mode.

Here's the new DDS log:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Mimi at 21:47:09.34 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_15
Microsoft
dekadai (Author) Posted May 19, 2010

Fixed the error. All I had to do was reboot.
screen317 (Staff) Posted May 20, 2010

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
- Click Start Scanning.
- You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.
- Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
- In case you are having problems with installing the ActiveX/starting the scan, please read here.
- Click the Full System Scan button.
- It will start to download scanner components and databases. This can take a while.
- The main scan will start.
- Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
- It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
- The cleaning can take a while, so please be patient.
- Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
dekadai (Author) Posted May 24, 2010

Wow, that F-Secure online scanner took a while. But here are the scan results, and here are the SecurityCheck results.

Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 7 Out of date!
Error creating install.txt after 3 tries!
Trying alternate method...
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
VIPRE Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java 6 Update 15
Java 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.0.45.2
````````````````````````````````
Process Check:
objlist.exe by Laurent

**** AppData Local Temp\OnlineScanner\Anti-Virus\fsgk32.exe
**** AppData Local Temp\OnlineScanner\Anti-Virus\fssm32.exe
**** AppData Local temp\fsonlinescanner.exe
````````````````````````````````
DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Attachment: f_secure.rtf
screen317 (Staff) Posted May 24, 2010

Hi,

Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java
dekadai (Author) Posted May 29, 2010

I'm sorry it's taken so long to reply back. I installed Java 6.20, but a virus java:djewers-c [trj] was found.
screen317 (Staff) Posted June 2, 2010

Found by what? And where?

Are you currently experiencing any symptoms of infection?
screen317 (Staff) Posted June 15, 2010

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance, please start your own topic in a new thread. Thanks!