PDA

View Full Version : Several Infections present that Spybot will not Remove


Shinsetsu777
2008-09-15, 15:44
Problem:-
I have several infections present on my computer that Spybot is unable to remove and are causing the following problems.

> When Windows is run in normal mode shortly after I log on the systems crashes and reboots.
> A couple of links are produced on my desktop (Namely 'CASINO' and 'QUALITY PORN')
> Because I cannot log into Windows normally I am unable to get access to the internet

Spybot Report:-
MyWay.MySearch: [SBI $CF55900D] Program directory (Directory, fixing failed)
C:\Program Files\MySearch\

MyWay.MyWebSearch: [SBI $B49B53A0] Program directory (Directory, fixing failed)
C:\Program Files\MySearch\bar\

WildTangent: [SBI $3A3BDC07] Program directory (Directory, fixing failed)
C:\WINDOWS\wt\

WildTangent: [SBI $76830867] Program directory (Directory, fixing failed)
C:\WINDOWS\wt\wtupdates\

WildTangent: [SBI $AEA200D6] Program directory (Directory, fixing failed)
C:\WINDOWS\wt\wtupdates\WireControl\

Altnet: [SBI $3C8FED45] Program directory (Directory, fixing failed)
c:\Program Files\Altnet\

Sumom.A: [SBI $95DB4DB6] Program directory (Directory, fixing failed)
C:\WINDOWS\system32\P2P Networking\

Virtumonde.dll: [SBI $8E1ED839] Library (File, fixed)
C:\WINDOWS\system32\ddcBQjGv.dll

Virtumonde.dll: [SBI $0EAADE49] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74633F37-CF9D-4EFD-B548-D847566866FC}

Virtumonde.dll: [SBI $0EAADE49] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74633F37-CF9D-4EFD-B548-D847566866FC}

HiJack This Log:-Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:32, on 15/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Gareth\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPGServiceTool] C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE /Minimize
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Sound] svdhost.exe
O4 - HKLM\..\Run: [\YUR735.exe] C:\Windows\system32\YUR735.exe
O4 - HKLM\..\Run: [\YUR736.exe] C:\Windows\system32\YUR736.exe
O4 - HKLM\..\Run: [\YUR737.exe] C:\Windows\system32\YUR737.exe
O4 - HKLM\..\Run: [\YUR738.exe] C:\Windows\system32\YUR738.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [\YUR73E.exe] C:\Windows\system32\YUR73E.exe
O4 - HKLM\..\Run: [8014eb89] rundll32.exe "C:\WINDOWS\system32\wnyfkfye.dll",b
O4 - HKLM\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
O4 - HKLM\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\RunServices: [Windows Sound] svdhost.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5992] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3882] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9338] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5566] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7185] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5254] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0_EN\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [MoneyInsights] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe"
O4 - HKCU\..\Run: [EVEMon] "C:\Program Files\EVEMon\EVEMon.exe" -startMinimized
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [\YUR735.exe] C:\Windows\system32\YUR735.exe
O4 - HKCU\..\Run: [\YUR736.exe] C:\Windows\system32\YUR736.exe
O4 - HKCU\..\Run: [\YUR737.exe] C:\Windows\system32\YUR737.exe
O4 - HKCU\..\Run: [\YUR738.exe] C:\Windows\system32\YUR738.exe
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKCU\..\Run: [\YUR73E.exe] C:\Windows\system32\YUR73E.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9861] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2884] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4090] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6829] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4686] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1010] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1408] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3046] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB697] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4843] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4986] command /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1909] cmd /c del "C:\WINDOWS\system32\ddcBQjGv.dll"
O4 - Startup: CCC - Advanced.lnk = C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.exe
O4 - Startup: IMVU.lnk = C:\Documents and Settings\Gareth\Application Data\IMVUClient\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Gareth\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - AppInit_DLLs: adhbge.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 9021 bytes
Shaba
2008-09-17, 12:33
Hi Shinsetsu777

Your HijackThis is temp folder so that is the first thing to correct:

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
2008-09-22, 11:49
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.