alice Posted June 30, 2008 ID:21455 Share Posted June 30, 2008 Please help me. I hope this is what you need...I am able to delete the trojon, but then when I restart the comp. and do the scan again, it will be back.Malwarebytes' Anti-Malware 1.19Database version: 899Windows 5.1.2600 Service Pack 36:25:10 PM 6/29/2008mbam-log-6-29-2008 (18-25-10).txtScan type: Quick ScanObjects scanned: 43305Time elapsed: 17 minute(s), 24 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)*************************************************************************************;***********************************************************************************************************************************************************************************ANALYSIS: 2008-06-29 22:34:28PROTECTIONS: 1MALWARE: 22SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================AVG Anti-Virus 8.0 Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Trafficmp-Cookie_25_06_2008_23_40_33.asq15300139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.casalemedia.com_25_06_2008_23_40_30.asq1682700139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@doubleclick[1].txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.DoubleClick_25_06_2008_23_40_31.asq1194200139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@atdmt[2].txt00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.FastClick.com_25_06_2008_23_40_32.asq482700145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.TribalFusion.com_25_06_2008_23_40_33.asq29200145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Mediaplex.com_25_06_2008_23_40_32.asq3239100147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.ClickBank_25_06_2008_23_40_31.asq49100160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Cookies\alice carnes@findwhat[1].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Cookies\alice carnes@ad.yieldmanager[2].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@ad.yieldmanager[1].txt00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_25_06_2008_23_40_28.asq2650000168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.BS.Serving-Sys_25_06_2008_23_40_30.asq2328100168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@server.iad.liveperson[2].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@advertising[1].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Cookies\alice carnes@advertising[2].txt00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@adrevolver[3].txt00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.adrevolver_25_06_2008_23_40_29.asq2935800170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_25_06_2008_23_40_28.asq633400170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.RealMedia.com_25_06_2008_23_40_33.asq390200170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Cookies\alice carnes@realmedia[1].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.QuestionMarket.com_25_06_2008_23_40_33.asq1460400171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@questionmarket[1].txt00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.adrevolver_25_06_2008_23_40_29.asq2696200184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Local Settings\Temp\Cookies\alice carnes@adrevolver[1].txt00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_25_06_2008_23_40_28.asq1916900293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\alice carnes.ALICE-1AECCEB26\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.AdDynamix_25_06_2008_23_40_29.asq24464;===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;===================================================================================================================================================================================;===================================================================================================================================================================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:41:40 PM, on 6/29/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS2\System32\smss.exeC:\WINDOWS2\system32\winlogon.exeC:\WINDOWS2\system32\services.exeC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\svchost.exeC:\WINDOWS2\System32\svchost.exeC:\WINDOWS2\Explorer.EXEC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS2\system32\ctfmon.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\PROGRA~1\AVG\AVG8\avgam.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: (no name) - {108474A5-CEC4-40E1-98AB-E11B5A2A3F36} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {13788958-91B3-4F7B-8974-AD545F273548} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {18E5C3BB-5C14-4E46-9777-C3DA147042DC} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {3CB9A8AC-77C3-4F0E-A7A9-018733CEB512} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {57F3561D-9CCD-47FA-BB9B-DD939FB4FB4A} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {8941EE6E-A79B-4C51-92A2-BE08E1FB73E3} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {8C08F6AF-D3D6-4A1F-8D0D-9C11DD744D96} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {8F76AD5D-10A5-402F-8F1A-00402D807317} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: (no name) - {AE082777-1419-4E41-8A54-715C9A40BD0D} - (no file)O2 - BHO: (no name) - {E34B41FA-8CDB-4207-B085-234FE050A7B5} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: {c5daf727-f025-3c18-e744-70cd36ce7d0f} - {f0d7ec63-dc07-447e-81c3-520f727fad5c} - (no file)O2 - BHO: (no name) - {F3070ACD-9C0B-4C43-9557-FF2ED0BFF271} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {FBF7ADFC-F555-49FB-B257-54DEAB9CE485} - C:\WINDOWS2\system32\cmcfg3.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dllO9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS2\bdoscandel.exeO9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS2\bdoscandel.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exeO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209055317833O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - AppInit_DLLs: avgrsstx.dllO23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)--End of file - 5312 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted June 30, 2008 ID:21462 Share Posted June 30, 2008 Hi Alice, please upload this file C:\WINDOWS2\system32\cmcfg3.dll to here http://uploads.malwarebytes.org/ you'll need to zip it for this site.Also please send it here http://www.virustotal.com/ it shouldn't be zipped for this one. Please post the report from Virus Total. Link to post Share on other sites More sharing options...
alice Posted June 30, 2008 Author ID:21470 Share Posted June 30, 2008 File cmcfg3.dll received on 06.24.2008 23:57:00 (CET)Antivirus Version Last Update Result AhnLab-V3 - - - AntiVir - - TR/ATRAPS.Gen Authentium - - - Avast - - - AVG - - - BitDefender - - - CAT-QuickHeal - - - ClamAV - - - DrWeb - - - eSafe - - Suspicious File eTrust-Vet - - Win32/Kvol!generic Ewido - - - F-Prot - - - F-Secure - - - Fortinet - - - GData - - - Ikarus - - Virus.Trojan.Win32.Pakes.cdw Kaspersky - - - McAfee - - - Microsoft - - Trojan:Win32/Boaxxe.B NOD32v2 - - probably a variant of Win32/Agent.NSG Norman - - - Panda - - Suspicious file Prevx1 - - Fraudulent Security Program Rising - - Trojan.Clicker.Win32.Delf.mm Sophos - - - Sunbelt - - - Symantec - - - TheHacker - - - TrendMicro - - PAK_Generic.005 VBA32 - - - VirusBuster - - Rootkit.Podnuha.Gen.2 Webwasher-Gateway - - Trojan.ATRAPS.Gen Link to post Share on other sites More sharing options...
JeanInMontana Posted June 30, 2008 ID:21482 Share Posted June 30, 2008 Hi Alice. Please open HJT and run a scan only. Place a check next to the following items and then click fix.O2 - BHO: (no name) - {108474A5-CEC4-40E1-98AB-E11B5A2A3F36} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {13788958-91B3-4F7B-8974-AD545F273548} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {18E5C3BB-5C14-4E46-9777-C3DA147042DC} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {3CB9A8AC-77C3-4F0E-A7A9-018733CEB512} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {57F3561D-9CCD-47FA-BB9B-DD939FB4FB4A} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {8941EE6E-A79B-4C51-92A2-BE08E1FB73E3} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {8C08F6AF-D3D6-4A1F-8D0D-9C11DD744D96} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {8F76AD5D-10A5-402F-8F1A-00402D807317} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {AE082777-1419-4E41-8A54-715C9A40BD0D} - (no file)O2 - BHO: (no name) - {E34B41FA-8CDB-4207-B085-234FE050A7B5} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: {c5daf727-f025-3c18-e744-70cd36ce7d0f} - {f0d7ec63-dc07-447e-81c3-520f727fad5c} - (no file)O2 - BHO: (no name) - {F3070ACD-9C0B-4C43-9557-FF2ED0BFF271} - C:\WINDOWS2\system32\cmcfg3.dllO2 - BHO: (no name) - {FBF7ADFC-F555-49FB-B257-54DEAB9CE485} - C:\WINDOWS2\system32\cmcfg3.dllO23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Reboot into Safe Mode by tapping the F8 key as soon as you reboot and choosing the Safe Mode option from the menu. You will have to use your up/down keys to do this as the mouse will not work at this point. Once booted the desktop will be very different and most of your programs will not be running. This is normal, stay calm.Create a folder on your desktop, name it AliceTestFiles.Now open C:\ Windows and find the following files:C:\WINDOWS2\system32\services.exeC:\WINDOWS2\Explorer.EXEC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\svchost.exeC:\WINDOWS2\system32\winlogon.exeC:\WINDOWS2\System32\smss.exe Copy and paste each one into the AliceTestFiles folder and once you have done this to all, zip the folder by right clicking and choosing from the context menu "send to zipped folder". Upload this folder again to the Malwarebytes upload please. Reboot to normal.Your system is badly infected. You need to notify banks, credit card companies and any other institutions dealing with sensitive information on your machine. Change all passwords. I can continue to try and help you but at this point with what I'm seeing we can only be positive of a clean up with a system reformat. I'm willing to continue, but it's your decision. If you wish to continue please do this.Review this article here how to use ComboFix Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall.Post the Combofix and a new HJT log please.You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 6, 2008 ID:21980 Share Posted July 6, 2008 Since this topic has had no reply for over 5 days it will be closed to prevent other from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts