Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Very unusual problem [Solved]

Started by jhn-e-bee , Mar 21 2010 05:10 PM

Page 6 of 9
4
5
6
7
8

This topic is locked

#76
jhn-e-bee

Posted 24 March 2010 - 06:43 PM

Member

Topic Starter
Member
89 posts

Still won't update. Just started quick scan, get back in a couple of mins.

#77
jhn-e-bee

Posted 24 March 2010 - 06:45 PM

Member

Topic Starter
Member
89 posts

How about another drwebcureit or kaspersky, it seemed to get a bit better after doing them?

#78
jhn-e-bee

Posted 24 March 2010 - 06:51 PM

Member

Topic Starter
Member
89 posts

21 infections!

Heres the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/25/2010 12:47:02 AM
mbam-log-2010-03-25 (00-47-01).txt

Scan type: Quick Scan
Objects scanned: 104581
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ulwobcy (Worm.Conficker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows hosts controller (Worm.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Windows_HOSTS_CONTROLLER (Worm.Kolab) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms virtual cls (Net.Worm) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\waittokillservicet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\fonts\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\asr_46864.exe (Worm.IRCBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\heqxdc.dll (Worm.Conficker) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0BMH8JUZ\mdfiyw[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\unwise_.exe (Worm.IRCBot) -> Delete on reboot.
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Quarantined and deleted successfully.

#79
jhn-e-bee

Posted 24 March 2010 - 07:10 PM

Member

Topic Starter
Member
89 posts

just managed to get avg to download the files it needed, started to install and it failed after a few minutes. It gave me a report log on why it failed. let me know if that is any use to you.

Going to download avast instead as I am getting AV sites again.

I will check back in a bit, I guess you probably gone to bed. See you tommorow, Thanks.

#80
jhn-e-bee

Posted 24 March 2010 - 07:20 PM

Member

Topic Starter
Member
89 posts

have successfully DL Avast and set it up. have started full scan. infection was flagged up after about 2 seconds, lets see how this goes!

#81
Rorschach112

Posted 25 March 2010 - 06:45 AM

Ralphie

Retired Staff
47,710 posts

honestly I think we may be getting near a format

do the avast, dr. web cureit, and kaspersky scans and post those logs

#82
jhn-e-bee

Posted 25 March 2010 - 07:20 AM

Member

Topic Starter
Member
89 posts

Good morning(or afternoon), I sat up all night doing updates and scans. did kaspersky and avast, MBAM and left it doing dr webcureit scan. For some reason The system had gone on standby while I was asleep. when I started it was still doing the drwebcureit scan, it is very slow, I will let it finish. give me a minute and i will post the other scan results.

#83
Rorschach112

Posted 25 March 2010 - 07:29 AM

Ralphie

Retired Staff
47,710 posts

ok cool

#84
jhn-e-bee

Posted 25 March 2010 - 08:27 AM

Member

Topic Starter
Member
89 posts

this has gone really slow, drwebcureit is still going and is taking ages.

here are the logs from MBAM, avast and kaspersky. I cannot get avast as a txt file so I have taken an image, thats the only way I seem to be able to get it to you.

MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/25/2010 2:27:04 AM
mbam-log-2010-03-25 (02-27-04).txt

Scan type: Quick Scan
Objects scanned: 104785
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Windows_HOSTS_CONTROLLER (Worm.Kolab) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\waittokillservicet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\fonts\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Avast:

Posted Image

Kaspersky:

I think kaspersky deleted the log when I closed it down. I will have to do it again(it took about 2 hours too)

#85
jhn-e-bee

Posted 25 March 2010 - 11:10 AM

Member

Topic Starter
Member
89 posts

Drwebcureit is still going(about 5 hours now). Should I carry on?

It has found a couple of infections though.

Edited by jhn-e-bee, 25 March 2010 - 11:10 AM.

#86
Rorschach112

Posted 25 March 2010 - 11:24 AM

Ralphie

Retired Staff
47,710 posts

yep carry on, sadly these scans take a while, but they the best chance of cleaning it

#87
jhn-e-bee

Posted 25 March 2010 - 12:21 PM

Member

Topic Starter
Member
89 posts

Finally:

Drwebcureit:

ComboFix.exe\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\jhn barrett\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;C:\Documents and Settings\jhn barrett\Desktop;Archive contains infected objects;Moved.;
A0003866.exe;C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP4;BackDoor.IRC.Bot.166;Deleted.;
A0003881.exe\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP4\A0003881.exe;Probably BATCH.Virus;;
A0003881.exe;C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP4;Archive contains infected objects;Moved.;

And thats it!

#88
Rorschach112

Posted 25 March 2010 - 12:26 PM

Ralphie

Retired Staff
47,710 posts

hi

Download Flash_Disinfector.exe from here and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Please download OTM

Save it to your desktop.
Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services
Windows Hosts Controller
:Reg

:Files
c:\windows\fonts\*.exe
c:\windows\system32\asr_*.exe
c:\windows\system32\man*.exe
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Open OTL paste this in the custom scan box

c:\windows\fonts\*.exe
c:\windows\system32\*.exe
netsvcs

click run scan post that log