Multi Virus Issues


#1
Dymond69
Sorry for the long post, but I wanted to give you as many details as I can.

On 12/8/07 my son went on myspace and to a friend's profile. On this friend's profile, my son said it required him to download a script to view the video. He accepted the alert from Symantec, and the video played. 5 hours later that same morning I had 103 alerts for a download.trojan, 53 web page popups, and a redirect to an anti-virus software to download because my system is infected. It had a red circle icon by my clock, with a white x in it. I went into safe mode, with system restore turned off, and ran scans.

Smitfraud-C., Smitfraud-C.MSVPS and Zlob.Downloader.vcd

Symantec Security 10 Log
Trojan.Zlob,Quarantined,3,hpdf34f3f,File,C:\WINDOWS\Temp\
Trojan.Zlob,Quarantined,3,hpdf34f3b,File,C:\WINDOWS\Temp\
Trojan Horse,Quarantined,2,e404d.dll,File,C:\WINDOWS\system32\
Trojan Horse,Quarantined,1,blank.htm,File,C:\WINDOWS\system32\
SecurityRisk.Cmdow
(all files quarantined, and removed)

Spybot Search & Destroy Log
Win32.Tiny.abk: System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Inet Service

MalwareAlarm: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-448539723-299502267-725345543-1003\Software\MalwareAlarm

Smitfraud-C.: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\MSVPS.MSVPSApp

Zlob.Downloader.vcd: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin
(all files quarantined, and removed)

I ran both programs again, including
http://www.kaspersky...anforvirus.html
http://housecall.trendmicro.com/
http://www.bitdefend...can/licence.php

System is cleaned.

That evening, it occurred again. This time, I went into my c:\windows directory, and c:\windows\system32.
I selected details and last modified, and I saw files that were not there before.

blopenvtok.dll
leorop.dll
nopzet.dll
retnsrp.dll

I ran scans again, and nothing detected them. I did an online search for them, and found several sites listing them as viruses.

I booted in safe mode, and manually removed them. I downloaded AVG and ran a scan, and it detected nothing.
When I booted normally, Spybot TeaTimer detected a security alert for my registry. I denied changes; a few minutes later
I had alerts that covered my entire desktop. I manually shut off my computer, and booted in safe mode.
nopzet.dll and leorop.dll were duplicated over 100+ times each in my registry. I manually removed them.
I ran Symantec's, Spybot, AVG, SpyHunter and nothing was found.
I rebooted back to normal, and ran the following scans online.

http://www.kaspersky...anforvirus.html
http://housecall.trendmicro.com/
http://www.bitdefend...can/licence.php

Nothing was found.
But when I did a whole disk cleanup and rebooted, my pc was lagging again.
I downloaded 3 programs:

SUPERAntiSpyware
Counterspy
TrojanHunter

Counterspy detected:

Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Quarantined

Registry entries detected
HKEY_USERS\S-1-5-21-448539723-299502267-725345543-1003\SOFTWARE\WGET
GUID="{197DF30A-8245-4C9D-9D9C-05995E546EC8}"
dateTimeStampUTC 2007-12-15T14:13:05
name="Bifrost"
quarantineId="{D14BAB69-F811-4CC1-9390-33661D950EF9}"
author="EvilEyeSoftware.com"

Trojan.FakeAlert
{3F905790-A8A0-4D9F-BEC8-F6C81E0DD38C}
C:\WINDOWS\Downloaded Program Files\webinst.dll

Trojan.HideWindow
{80C50742-1AC1-4D74-AFA8-2FFF06D6E121}
C:\WINDOWS\system32\cmdow.exe
(all files quarantined, and removed)


Rebooting, ran all the scans again.

SUPERAntiSpyware Detected:

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}
HKCR\CLSID\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}
HKCR\CLSID\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}\InProcServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}
HKCR\CLSID\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}

Trojan.Media-Codec/V4
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#E404Helper [ {ce12db14-95c4-4874-bd07-7fb58658d011} ]
(all files quarantined, and removed)

I then ran

f-secure, bitdefender, ca.com, UnHackMe, Kaspersky, symantec, spybot, superantispyware, counterspy
FixVundo, silent runners, ad-aware, ccleaner.

BitDefender Online Scanner - Real Time Virus Report

C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe
Infected with: Trojan.Generic.59793

F:\mirc\mirc32.exe
Infected with: Backdoor.Mirc.BV

F:\Software\River_Past.zip=>River_Past/CoreAAC-1.2.0.575-3.exe
Infected with: Trojan.Downloader.Zlob.NI


Symantec Trojan.Vundo Removal Tool 1.5.0
The process "IEXPLORE.EXE" might be affected by the threat. It has been suspended.
The process "IEXPLORE.EXE" might be affected by the threat. It has been terminated.

C:\System Volume Information: (not scanned)
F:\System Volume Information: (not scanned)

Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 54920
The number of deleted files: 0
The number of viral processes terminated: 1
The number of viral processes suspended: 1
The number of viral threads terminated: 0
The number of registry entries fixed: 0

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2007 at 10:35 AM

Application Version : 3.9.1008

Core Rules Database Version : 3362
Trace Rules Database Version: 1361

Scan type : Custom Scan
Total Scan Time : 00:32:59

Memory items scanned : 414
Memory threats detected : 0
Registry items scanned : 5213
Registry threats detected : 2
File items scanned : 24598
File threats detected : 0

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}

Trojan.Media-Codec/V4
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#E404Helper [ {ce12db14-95c4-4874-bd07-7fb58658d011} ]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}
is empty. Did a search for {F08487B1-AFEC-45CF-B2E9-D05DEE137D22} items found: 6 including what Super found.
Manually deleted all keys found.

Trojan.Media-Codec/V4
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#E404Helper [ {ce12db14-95c4-4874-bd07-7fb58658d011} ]
is empty. Did a search for {F08487B1-AFEC-45CF-B2E9-D05DEE137D22} items found: 1 including what Super found.
Manually deleted all keys found.


Ran scans again, and all was clean. Rebooted, and continued using Internet Explorer.
However this time, CounterSpy does not detect iexplore.exe and ask if I want to allow it to use or
quarantine. I used it, and this morning CounterSpy did its normal scanning and found AGAIN

Scan History Details
Start Date: 12/19/2007 2:00:07 AM
End Date: 12/19/2007 2:31:46 AM
Total Time: 31 Min 39 Sec
Detected security risks

Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Quarantined

Registry entries detected
HKEY_USERS\S-1-5-21-448539723-299502267-725345543-1003\SOFTWARE\WGET

I have been working on this since 12/8/07. I ran all the virus scans before posting. And it seems "Bifrost Backdoor" keeps coming back. I went this time to registry, looked for that entry. It's empty, nothing is in the values or data.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:19 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
F:\mirc\mirc32.exe
C:\Program Files\Opera 9\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Flash Decompiler\iebt.dll (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.c...pport/acpir.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194377847671
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_02) -
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-sec...3beta/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://members.drive...de=toolkit_lite
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7843 bytes



3ivx D4 4.5.1 (remove only)
AC3Filter (remove only)
Ad-Aware SE Professional
Adobe Photoshop 5.5
Adobe Reader 6.0.1
Adobe Shockwave Player
Alien Skin Eye Candy 5 Impact
Alien Skin Eye Candy 5 Nature
Alien Skin Eye Candy 5 Textures
Allok Video Joiner 3.2.0807
Allok Video to FLV Converter 4.2.0709
Artistic Effects by Lokas Software
Auto Gordian Knot 2.45
AviSynth 2 (remove only)
AviSynth 2.5
Axialis IconWorkshop 5.0
BuibuiPhoto 1.32
CamStudio
CamStudio Lossless Codec
CCleaner (remove only)
CoreFLAC Audio Decoder+Source Filter (remove only)
CuteFTP 5.0 XP
DivX Author
DivX Codec
DivX Content Uploader
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DLA
DriverGuide Toolkit
Drivers Install For Linksys Easylink Advisor
DVD Decrypter (Remove Only)
DVD Shrink 3.2
dvdSanta 3.42
Easy Video Joiner 5.21
Flash Decompiler
GoldWave v4.24
GPL MPEG-1/2 DirectShow Decoder Filter
HijackThis 2.0.2
Intel® Extreme Graphics Driver
Intel® PRO Network Connections 12.3.31.0
iTunes
Jasc Paint Shop Pro 8
Java™ 6 Update 2
Kaspersky Online Scanner
Kate's Video Joiner 3.0.3
Linksys EasyLink Advisor 1.6 (0032)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash 5
Macromedia Flash MX
Macromedia Flash Player 8
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft FrontPage 98
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
mIRC
Moyea FLV Downloader version 1.11.0.9
Moyea FLV Player version 1.0.0.36
Moyea FLV to Video Converter version 1.15.1.11
MSXML 4.0 SP2 (KB936181)
Nero 7 Ultra Edition
neroxml
OpenOffice.org 2.3
Opera 9
Paint Shop Pro 7
QuickTime
River Past MPEG-2 Booster Pack
River Past MPEG-4 Booster Pack
River Past Video Cleaner Pro
SkinStudio
SoundMAX
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
SWiSHmax
Symantec Client Security
System Spyware Interrogator
Ultra QuickTime Converter 1.0.6
UltraISO 8.0 Premium Edition
Uniblue Registry Booster
VeohTV BETA
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
WinRAR archiver
Xvid 1.1.2 final uninstall
XviD MPEG4 Video Codec (remove only)
ZoneAlarm
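A small triage pass over a HijackThis log of the kind pasted in the post, added here as an example (not the poster's code and not part of HijackThis itself). It flags the entry types a responder would look at first: an O4 Run command with no directory, an O16 DPF control with no source URL, an O10 broken LSP chain, and an O23 service with no publisher. The sample lines are copied from the log above, including its truncated URL; the rules are review heuristics, not verdicts.

```python
import re
from typing import List, Tuple

# Constructed sample built from entries in the HijackThis log above
# (the truncated URL is kept exactly as the post shows it).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\\..\\Run: [dla] C:\\WINDOWS\\system32\\dla\\tfswctrl.exe
O10 - Broken Internet access because of LSP provider 'c:\\program files\\bonjour\\mdnsnsp.dll' missing
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: SysEnforce - Unknown owner - C:\\PROGRA~1\\TRISNA~1\\SSI\\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # "O23 - Service: ..." style entries
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

Finding = Tuple[str, str, str]  # (section, reason, original line)


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return HijackThis entries that deserve a closer look, in log order.
    Every hit still needs a human to check the file or key in context."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines carry no prefix
        section, body = m.groups()
        if section == "O4":
            # A Run command given as a bare filename is resolved via the search
            # path at logon, so the log alone cannot say which binary runs.
            cmd = body.split("] ", 1)[-1].strip().strip('"')
            if "\\" not in cmd:
                findings.append((section, "unqualified Run command (no path)", line))
        elif section == "O16" and body.rstrip().endswith("-"):
            # Downloaded Program Files control with no source URL: origin unknown.
            findings.append((section, "DPF control with no source URL", line))
        elif section == "O10" and "Broken" in body:
            findings.append((section, "broken Winsock LSP chain", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no publisher", line))
        elif section in ("O2", "O20"):
            # BHO / Winlogon Notify DLLs load into explorer.exe or winlogon.exe;
            # a nameless one outside the standard directories earns a closer look.
            path = body.rsplit(" - ", 1)[-1].strip().lower()
            if "(no name)" in body and not path.startswith(SYSTEM_DIRS):
                findings.append((section, "nameless in-process DLL outside standard dirs", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

On the sample the nameless Spybot BHO is not flagged because it sits under C:\PROGRA~1, while CTHELPER.EXE, the URL-less DPF entry, the broken LSP and the SysEnforce service are.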