Vundo, Backdoor, and Adclicker trojan [RESOLVED]


This topic is locked.

#16 Cooper199 (Topic Starter, Member, 49 posts)
OK I was just about to reboot and reinstall Java. Should I do this first?

#17 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Don't proceed until it is gone, please.
Just do the Kaspersky bit, then we will go from there.

#18 Cooper199 (Topic Starter, Member, 49 posts)
As it is downloading the new tool, this popped up (this is what I was talking about before):

SysGuard: Tracking process found.

Malicious code found at "0x17DA839A" address. Data interception cannot be stopped.

I'll keep running the Kaspersky. Just wanted to update you on what popup I was talking about.

#19 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
That is ok; we deleted that file but it has come back.
No worries, it will be over soon.
Go ahead with Kaspersky.

#20 Cooper199 (Topic Starter, Member, 49 posts)
OK. Looks like it is going to be a while. It is estimating a finish time of 11:45 PM (EST) and it keeps climbing.

#21 Cooper199 (Topic Starter, Member, 49 posts)
Uh, is it normal for it to take this long? It has been scanning for almost 30 minutes, has only 1% scanned, and now it is saying it won't be done until Tuesday morning (and counting)??? Is that time going to reduce as the scan goes on?

#22 Cooper199 (Topic Starter, Member, 49 posts)
Crisis averted. It is going faster now. Guess I de-jinxed it. :)

#23 Cooper199 (Topic Starter, Member, 49 posts)
Ugh. So, it has been nearly 3 hours and the scan is not yet halfway done. Is it normal to take this long? It's fine if it is, I'm just paranoid. Thanks. :)

#24 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Yes, depending on how many files you have.
Just let it finish and post only the infected part of the log.

#25 Cooper199 (Topic Starter, Member, 49 posts)
Sigh. It has been scanning for 21 hours and it is still not done. It seems that every time one of the fake warnings I was talking about earlier pops up, it slows the scan down to almost a crawl. I am sitting by it now so I can X out every time they pop up.

Also, you only want me to post the "detected" part, right? I'm getting a lot of updates from the Kaspersky window about certain things being password protected, whatever that's about.

Almost done, I hope. :)

#26 Cooper199 (Topic Starter, Member, 49 posts)
Hooray! It is done. Also, in addition to the "malicious code" fake warnings, I got probably a dozen "Services.exe has stopped working" and a few about "Explorer.exe" all throughout the scan. The last "services.exe" one came just as the scan finished.

Here is the detected part of the log:

Scan
----
Scanned: 391109
Detected: 8
Untreated: 0
Start time: 8/17/2008 9:43:42 PM
Duration: 21:36:29
Finish time: 8/18/2008 7:20:11 PM


Detected
--------
Status Object
------ ------
will be deleted when the computer is restarted: riskware not-a-virus:FraudTool.Win32.XPShield.h File: C:\Program Files\Windows Media Player\Network Sharing\sishdd.dll
deleted: Trojan program Trojan-Downloader.Win32.BHO.pe File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80007.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.BHO.pe File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80002\4CEE7D94.VBN//CryptZ
deleted: riskware not-a-virus:FraudTool.Win32.XPShield.d File: C:\Documents and Settings\Owner.Beth\Local Settings\temp\SysNotifier.exe
deleted: riskware not-a-virus:FraudTool.Win32.XPShield.d File: C:\WINDOWS\SysNotifier.exe
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: D:\i386\Apps\App00577\comps\toolbar\toolbr.exe//WiseSFXDropper//WISE0015.BIN
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: D:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP8\A0000773.exe//WiseSFXDropper//WISE0015.BIN
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: D:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP8\A0000773.exe//WiseSFXDropper
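kahdah asked for only the "infected part" of the Kaspersky log. As an added example (not code from this thread, from Kaspersky, or from Geeks to Go), here is a Python parser for those Detected lines that separates objects found on the live filesystem from copies sitting in another product's quarantine store or in a System Restore snapshot, which is the distinction a helper makes before deciding what still needs attention; the sample input is four lines taken from the report above.

```python
import re
from dataclasses import dataclass

# Sample input: four of the "Detected" lines from the Kaspersky report in post #26.
SAMPLE = r"""
will be deleted when the computer is restarted: riskware not-a-virus:FraudTool.Win32.XPShield.h File: C:\Program Files\Windows Media Player\Network Sharing\sishdd.dll
deleted: Trojan program Trojan-Downloader.Win32.BHO.pe File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80007.VBN//CryptZ
deleted: riskware not-a-virus:FraudTool.Win32.XPShield.d File: C:\WINDOWS\SysNotifier.exe
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: D:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP8\A0000773.exe//WiseSFXDropper//WISE0015.BIN
"""

# status: "deleted" or "will be deleted when the computer is restarted";
# kind: the report's category words; name: the detection name; path: the object.
LINE_RE = re.compile(
    r"^(?P<status>.+?): (?P<kind>riskware|adware|Trojan program) "
    r"(?P<name>\S+) File: (?P<path>.+)$"
)

@dataclass
class Detection:
    status: str
    kind: str
    name: str
    container: str        # the file actually present on disk
    inner: tuple          # objects nested inside it ("//" separators), if any
    location: str         # "live", "quarantine" or "restore-point"

def classify_location(path):
    """AV quarantine stores and System Restore snapshots hold inert copies, not running code."""
    low = path.lower()
    if "\\quarantine\\" in low:
        return "quarantine"
    if "\\system volume information\\" in low:
        return "restore-point"
    return "live"

def parse_detections(text):
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # headers and blank lines
        parts = m.group("path").split("//")
        found.append(Detection(m.group("status"), m.group("kind"), m.group("name"),
                               parts[0], tuple(parts[1:]), classify_location(parts[0])))
    return found

def needs_followup(dets):
    """Objects that were on the live filesystem, or that are still pending removal."""
    return [d for d in dets if d.location == "live" or d.status != "deleted"]
```

Run on the sample, the two live files (sishdd.dll, still pending a reboot, and SysNotifier.exe) come back for follow-up, while the quarantine and restore-point hits do not.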

#27 Cooper199 (Topic Starter, Member, 49 posts)
Just got another popup that says "Civsc.exe" This program has performed an illegal operation and will be shut down.

#28 Cooper199 (Topic Starter, Member, 49 posts)
And another fake warning balloon "Your computer might be at risk: Antivirus software might not be installed. Click this balloon to fix this problem."

#29 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You do not have to post so much; once will be enough.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Directory"
    • Enter the drive, e.g. C:\
  • In the box labeled "File"
    • Enter this file name: Civsc.exe
  • Now click on the "Search" button
  • Once the utility has found the files click on "Export"
  • A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
  • NOTE: The notepad is saved on your C:\ drive as "Export.txt"
============
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

#30 Cooper199 (Topic Starter, Member, 49 posts)
Filesearch froze both times I tried to run it - got stuck on an hourglass and then went to "Not Responding."

Here is the smitfraud log:

(PS Sorry about the over posting. I was just trying to post them as they happened before I forgot what the messages said. :) )

SmitFraudFix v2.338

Scan done at 20:07:34.97, Mon 08/18/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.Beth


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.Beth\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OWNER~1.BET\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11g Network Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162

Description: Broadcom 802.11g Network Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162
DNS Server Search Order: 68.87.64.196

HKLM\SYSTEM\CCS\Services\Tcpip\..\{504BCE80-FB77-495A-A721-9B3859A89194}: DhcpNameServer=68.87.68.162 68.87.74.162 68.87.64.196
HKLM\SYSTEM\CCS\Services\Tcpip\..\{50DAE8E6-BDF4-45C4-98F1-B422B30BF794}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{504BCE80-FB77-495A-A721-9B3859A89194}: DhcpNameServer=68.87.68.162 68.87.74.162 68.87.64.196
HKLM\SYSTEM\CS1\Services\Tcpip\..\{50DAE8E6-BDF4-45C4-98F1-B422B30BF794}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{504BCE80-FB77-495A-A721-9B3859A89194}: DhcpNameServer=68.87.68.162 68.87.74.162 68.87.64.196
HKLM\SYSTEM\CS3\Services\Tcpip\..\{50DAE8E6-BDF4-45C4-98F1-B422B30BF794}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162 68.87.64.196
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162 68.87.64.196
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162 68.87.64.196


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
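The Winlogon and AppInit_DLLs sections of the report above are the load points SmitfraudFix dumps so that a helper can compare them with stock values. As an added example (not part of this thread and not SmitfraudFix's own code), here is a Python checker that splits a report on its »»» headers and flags a Userinit value with anything besides the single userinit.exe entry, a non-empty System value, or any populated AppInit_DLLs; the clean sample is trimmed from the report above, and the tampered variant is constructed with placeholder names.

```python
import re

# Sample input: the AppInit_DLLs and Winlogon sections of the SmitfraudFix report above, trimmed to the key lines.
CLEAN = r"""
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» End
"""
# Constructed variant (placeholder names): an extra Userinit entry and a populated AppInit_DLLs.
TAMPERED = CLEAN.replace(
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"',
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\PLACEHOLDER.exe"',
).replace("CurrentVersion\\Windows]\n",
          "CurrentVersion\\Windows]\n" + r'"AppInit_DLLs"="placeholder.dll"' + "\n")

SECTION_RE = re.compile(r"^»+ (.+)$", re.M)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def split_sections(report):
    """Map each »»» section title to the text up to the next header."""
    heads = list(SECTION_RE.finditer(report))
    ends = [h.start() for h in heads[1:]] + [len(report)]
    return {h.group(1).strip(): report[h.end():e] for h, e in zip(heads, ends)}

def reg_values(body):
    """Parse "Name"="value" lines of a dumped key, undoing the doubled backslashes."""
    vals = {}
    for line in body.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            vals[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return vals

def audit(report):
    """Findings for the load points SmitfraudFix dumps; an empty list means they look stock."""
    findings, secs = [], split_sections(report)
    wl = reg_values(secs.get("Winlogon", ""))
    entries = [e.strip() for e in wl.get("Userinit", "").split(",") if e.strip()]
    if len(entries) != 1 or not entries[0].lower().endswith("\\userinit.exe"):
        findings.append("Winlogon Userinit is not the single stock entry: %r" % entries)
    if wl.get("System"):
        findings.append("Winlogon System value is set: %r" % wl["System"])
    if reg_values(secs.get("AppInit_DLLs", "")).get("AppInit_DLLs"):
        findings.append("AppInit_DLLs is populated (loaded into every process that uses user32)")
    return findings
```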