asking for help



TwistedMike
2009-05-28, 01:38
I am sorry if this is the wrong place for this, but I would like somebody to take a look at this:
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

5/27/2009 6:30:59 PM
mbam-log-2009-05-27 (18-30-59).txt

Scan type: Quick Scan
Objects scanned: 76620
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 2
Registry Data Items Infected: 14
Folders Infected: 4
Files Infected: 25

Memory Processes Infected:
C:\WINDOWS\system32\508.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Default\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ipfw (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ipfw (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipfw (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1fd79a59-37b1-459b-9097-09f9fab8a523} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b97f9125-71a1-48d0-b920-f140ef8de809} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b6ae55bf-4617-93ef-6ea4-4e52199ca591} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ip_fw (Trojan.Backdoor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ip_fw (Trojan.Backdoor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip_fw (Trojan.Backdoor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1fb524b4-0e60-429e-a9d6-7adaf84b1993}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aa4c4521-3ca8-4fef-bae3-df8ab94bc0e2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aa4c4521-3ca8-4fef-bae3-df8ab94bc0e2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c47c525a-6736-4d12-a1f4-9981118d0e3f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1fb524b4-0e60-429e-a9d6-7adaf84b1993}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{aa4c4521-3ca8-4fef-bae3-df8ab94bc0e2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{aa4c4521-3ca8-4fef-bae3-df8ab94bc0e2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c47c525a-6736-4d12-a1f4-9981118d0e3f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{1fb524b4-0e60-429e-a9d6-7adaf84b1993}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{aa4c4521-3ca8-4fef-bae3-df8ab94bc0e2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{aa4c4521-3ca8-4fef-bae3-df8ab94bc0e2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c47c525a-6736-4d12-a1f4-9981118d0e3f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.136,85.255.112.145 -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Default\Application Data\Privacy components (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\dbases (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\keys (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\temp (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\508.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\avicodecpl.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7664.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\ip_fw.sys (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\dbases\cg.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\dbases\mw.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\dbases\rd.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\dbases\sc.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\dbases\sm.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\dbases\sp.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\keys\cg.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\keys\rd.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\keys\sc.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\keys\sp.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\temp\settings.ini (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
c:\documents and settings\Default\application data\privacy components\temp\spfilter (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default\Application Data\Microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nod64.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxcvuisvqrvuvjyyhipmmcxrnbdixmakeec.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxcvybxilglmqsnmyspfwrphjkolwgwjyam.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\gxvxccoxejwpjppejupdxoihayijauhwroswl.sys (Trojan.Agent) -> Quarantined and deleted successfully.

tashi
2009-05-28, 05:12
Hello TwistedMike,

Same as before: http://forums.spybot.info/showthread.php?p=295699#post295699 ;)

Please follow the instructions to produce an HJT log and post it into a new topic with a link back to this one. :)

Cheers.