Help - Unable to launch IE or FF - unable to run DDS

Update - ESET Running

I rebooted in safe mode and reran combofix

That allowed me to regain functionality of IE

I am running the ESet now...

Will let you know the results


Thank You

Lee
 
ESET Update

ESET is still running and at 37% complete

So far it has found 5 infected files

(1) Win32/Adware.Yontoo.A.application
(4) Win32/Bagle.gen.zip.worm


Lee
 
ESET Finished - Log file

KEN545

ESET Finished running, the log file is below...

***************
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMuollo1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudInternetSecurity5.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PBHotbarShoppingReport16.zip Win32/Bagle.gen.zip worm
C:\Program Files\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application
****************

How is it that, with all the programs we have run, we are still finding viruses?

Thanks Again

Lee
 
There is no one silver bullet; this stuff hides.

Most of it was removed by Spybot and is sitting in the Recovery folder. You need to open Spybot, go to that folder and remove it all.


You need to enable Windows to show all files and folders; instructions Here.

Go to VirusTotal and submit these files for analysis. Just use the BROWSE feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

C:\Program Files\Yontoo Layers\YontooIEClient.dll<--This file
C:\AOL Instant Messenger\AIM.exe<--This file


If the site is busy you can try this one
http://virusscan.jotti.org/en
 
Update - virustotal scan etc.

I removed all items in the Spybot recovery

I checked my computer and my settings already match those described

Following are the results of the virustotal scan:

YontooIEClient.dll
********************

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: YontooIEClient.dll
Submission date: 2011-05-11 19:01:16 (UTC)
Current status: queued queued (#33) analysing finished


Result: 5/ 42 (11.9%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.05.12.00 2011.05.11 -
AntiVir 7.11.7.240 2011.05.11 -
Antiy-AVL 2.0.3.7 2011.05.11 -
Avast 4.8.1351.0 2011.05.11 -
Avast5 5.0.677.0 2011.05.11 -
AVG 10.0.0.1190 2011.05.11 Generic4.BJMH
BitDefender 7.2 2011.05.11 -
CAT-QuickHeal 11.00 2011.05.11 -
ClamAV 0.97.0.0 2011.05.11 -
Commtouch 5.3.2.6 2011.05.11 -
Comodo 8664 2011.05.11 -
DrWeb 5.0.2.03300 2011.05.11 -
Emsisoft 5.1.0.5 2011.05.11 Adware.Win32.Yontoo.A!A2
eSafe 7.0.17.0 2011.05.11 -
eTrust-Vet 36.1.8320 2011.05.11 -
F-Prot 4.6.2.117 2011.05.11 -
F-Secure 9.0.16440.0 2011.05.11 -
Fortinet 4.2.257.0 2011.05.11 -
GData 22 2011.05.11 -
Ikarus T3.1.1.103.0 2011.05.11 -
Jiangmin 13.0.900 2011.05.11 -
K7AntiVirus 9.103.4624 2011.05.11 -
Kaspersky 9.0.0.837 2011.05.11 -
McAfee 5.400.0.1158 2011.05.11 -
McAfee-GW-Edition 2010.1D 2011.05.11 -
Microsoft 1.6802 2011.05.11 -
NOD32 6114 2011.05.11 Win32/Adware.Yontoo.A
Norman 6.07.07 2011.05.11 -
Panda 10.0.3.5 2011.05.11 -
PCTools 7.0.3.5 2011.05.11 -
Prevx 3.0 2011.05.11 Medium Risk Malware
Rising 23.57.02.05 2011.05.11 -
Sophos 4.65.0 2011.05.11 -
SUPERAntiSpyware 4.40.0.1006 2011.05.11 -
Symantec 20101.3.2.89 2011.05.11 -
TheHacker 6.7.0.1.195 2011.05.11 -
TrendMicro 9.200.0.1012 2011.05.11 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.11 -
VBA32 3.12.16.0 2011.05.11 Adware.Yontoo.a
VIPRE 9255 2011.05.11 -
ViRobot 2011.5.11.4453 2011.05.11 -
VirusBuster 13.6.349.0 2011.05.11 -
Additional information
MD5 : 5f64ba4352c817acbacfe5eae0f90907
SHA1 : cba30233a62cda1fd82a515891aa91acd9bd8986
SHA256: 17a997737de14e41ea89b89e926d293a2030b612e44eeb7b7c87d8047afa4fc4


AIM.exe
***************************

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: AIM.exe
Submission date: 2011-05-11 19:05:42 (UTC)
Current status: queued (#35) queued (#36) analysing finished


Result: 5/ 42 (11.9%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.05.12.00 2011.05.11 -
AntiVir 7.11.7.240 2011.05.11 -
Antiy-AVL 2.0.3.7 2011.05.11 -
Avast 4.8.1351.0 2011.05.11 -
Avast5 5.0.677.0 2011.05.11 -
AVG 10.0.0.1190 2011.05.11 -
BitDefender 7.2 2011.05.11 -
CAT-QuickHeal 11.00 2011.05.11 -
ClamAV 0.97.0.0 2011.05.11 -
Commtouch 5.3.2.6 2011.05.11 -
Comodo 8664 2011.05.11 -
DrWeb 5.0.2.03300 2011.05.11 Adware.Aws
eSafe 7.0.17.0 2011.05.11 Win32.Looked.P
eTrust-Vet 36.1.8320 2011.05.11 -
F-Prot 4.6.2.117 2011.05.11 -
F-Secure 9.0.16440.0 2011.05.11 -
Fortinet 4.2.257.0 2011.05.11 -
GData 22 2011.05.11 -
Ikarus T3.1.1.103.0 2011.05.11 -
Jiangmin 13.0.900 2011.05.11 -
K7AntiVirus 9.103.4624 2011.05.11 -
Kaspersky 9.0.0.837 2011.05.11 -
McAfee 5.400.0.1158 2011.05.11 -
McAfee-GW-Edition 2010.1D 2011.05.11 -
Microsoft 1.6802 2011.05.11 -
NOD32 6114 2011.05.11 Win32/Adware.WBug.A
Norman 6.07.07 2011.05.11 -
nProtect 2011-05-11.02 2011.05.11 -
Panda 10.0.3.5 2011.05.11 -
PCTools 7.0.3.5 2011.05.11 -
Prevx 3.0 2011.05.11 -
Rising 23.57.02.05 2011.05.11 -
Sophos 4.65.0 2011.05.11 DataApp
SUPERAntiSpyware 4.40.0.1006 2011.05.11 -
Symantec 20101.3.2.89 2011.05.11 -
TheHacker 6.7.0.1.195 2011.05.11 -
TrendMicro 9.200.0.1012 2011.05.11 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.11 -
VBA32 3.12.16.0 2011.05.11 Win32.Adware.WBug.A
VIPRE 9255 2011.05.11 -
ViRobot 2011.5.11.4453 2011.05.11 -
VirusBuster 13.6.349.0 2011.05.11 -
Additional information
MD5 : 2816c9d1c6fb95c534540222aff48f20
SHA1 : 953615d05c69fb328820291d52a55be8c5615943
SHA256: 4b13d273eb8f04580926a2048b7234e8eb172debe2e2b717a9bdcdd2a28b1a09
ssdeep: 98304:LD1pAHP10sA4UUaBWO2lliuIrLdD6vPFphtr3S:9oPqsA4UZBpvPLMvPFztbS
File size : 4466776 bytes
First seen: 2006-08-30 04:15:17
Last seen : 2011-05-11 19:05:42
TrID:
Wise Installer executable (97.5%)
Win32 Executable Generic (1.0%)
Win32 Dynamic Link Library (generic) (0.9%)
Generic Win/DOS Executable (0.2%)
DOS Executable Generic (0.2%)
sigcheck:
publisher....: America Online
copyright....: America Online
product......: n/a
description..: Setup
original name: n/a
internal name: n/a
file version.: 5.9.3702
comments.....: n/a
signers......: America Online, Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 0:49 09/12/2004
verified.....: -

PEiD: Wise Installer Stub
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1000
timedatestamp....: 0x370D108F (Thu Apr 08 20:24:47 1999)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1FE, 0x200, 5.55, f155a70bb31aab4a8c58b0f9d57db03c
.rdata, 0x2000, 0x215, 0x400, 2.84, 6f58ca49378072d460147a07b96a95fd
.data, 0x3000, 0x14, 0x200, 0.27, e146e7c47bdf7b7c953201f0721505e1
.rsrc, 0x4000, 0x441000, 0x440600, 8.00, 58999a71d90d70e610523cfef901ca0a

[[ 2 import(s) ]]
KERNEL32.dll: CreateFileMappingA, WaitForSingleObject, CreateProcessA, GetCommandLineA, CloseHandle, UnmapViewOfFile, WriteFile, MapViewOfFile, DeleteFileA, GetTempFileNameA, GetTempPathA, CreateFileA, GetShortPathNameA, GetModuleFileNameA
USER32.dll: wsprintfA

ExifTool:
file metadata
CharacterSet: Windows, Latin1
CodeSize: 512
CompanyName: America Online
EntryPoint: 0x1000
FileFlagsMask: 0x003f
FileOS: Windows 16-bit
FileSize: 4.3 MB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.9.3702
FileVersionNumber: 5.9.3702.0
ImageVersion: 0.0
InitializedDataSize: 4460032
LanguageCode: English (U.S.)
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
PEType: PE32
ProductVersionNumber: 5.9.3702.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1999:04:08 22:24:47+02:00
UninitializedDataSize: 0
XX: |,LegalCopyright
XXXXXXXXXXXXXXXXXXXXXXXX: ,FileDescription
ricaOnline: XXXXXXXXXXXXXXXXXXXXXXXXXXX
up: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



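The two VirusTotal reports above list whole-file hashes (MD5, SHA1, SHA256) and, for AIM.exe, a PEInfo section table with name, virtual address, sizes, entropy and a per-section MD5. The script below is an added example, not part of this thread and not VirusTotal's own tooling: it recomputes those same values for a local file using only the Python standard library, so a submitter can confirm the file on disk is the sample the report describes before resubmitting it, and it parses the PE section table and flags high-entropy sections, which is what the report's `.rsrc` entry at entropy 8.00 looks like. The tiny PE it builds in memory is constructed for the example; the hashes it compares against are copied from the YontooIEClient.dll report above, and the 7.0 entropy threshold is an assumed triage value, not something from the report.

```python
import hashlib
import math
import struct

# Hashes copied from the YontooIEClient.dll VirusTotal report quoted in this
# thread; used here only as the "expected" values a submitter compares against.
REPORT_HASHES = {
    "md5": "5f64ba4352c817acbacfe5eae0f90907",
    "sha1": "cba30233a62cda1fd82a515891aa91acd9bd8986",
    "sha256": "17a997737de14e41ea89b89e926d293a2030b612e44eeb7b7c87d8047afa4fc4",
}

# Assumed triage threshold: sections at or above this look packed/compressed.
HIGH_ENTROPY = 7.0

COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """Whole-file MD5/SHA1/SHA256, the three digests VirusTotal prints."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, report: dict) -> dict:
    """Per-algorithm check that the local file is the sample a report describes."""
    local = file_hashes(data)
    return {name: local[name] == report[name].lower() for name in report}


def pe_sections(data: bytes) -> dict:
    """Parse the PE headers and section table, mirroring the PEInfo columns."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    (entry,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    table = opt + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
            "truncated": len(raw) != rawsize,   # header promises more bytes than the file holds
        })
    return {"machine": machine, "timestamp": timestamp, "entrypoint": entry, "sections": sections}


def high_entropy_sections(info: dict) -> list:
    """Names of sections whose entropy suggests packed or compressed content."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= HIGH_ENTROPY]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 for the example (not a real program)."""
    text = bytes(range(256))   # every byte value once -> entropy exactly 8.0
    data = bytes(512)          # all zeros -> entropy 0.0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack(COFF_HDR, 0x14C, 2, 0x370D108F, 0, 0, 224, 0x0102)  # I386, 2 sections, timestamp from the report
    opt = bytearray(224)                                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                                   # magic
    struct.pack_into("<I", opt, 16, 0x1000)                                 # entry point, as in the report
    sec_text = struct.pack(SECTION_HDR, b".text", len(text), 0x1000, len(text), 512, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack(SECTION_HDR, b".data", len(data), 0x2000, len(data), 768, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_text + sec_data).ljust(512, b"\0")
    return headers + text + data


if __name__ == "__main__":
    sample = build_sample_pe()
    print("hashes match report:", matches_report(sample, REPORT_HASHES))
    info = pe_sections(sample)
    print("name, viradd, virsiz, rawdsiz, ntropy, md5")
    for s in info["sections"]:
        print(f'{s["name"]}, {s["virtual_address"]:#x}, {s["virtual_size"]:#x}, '
              f'{s["raw_size"]:#x}, {s["entropy"]:.2f}, {s["md5"]}')
    print("high-entropy sections:", high_entropy_sections(info))
```

Run it against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`. A report hash mismatch means the file on disk is not the one that was scanned; a section flagged as truncated means the header claims bytes past the end of the file, which is worth noting before trusting any per-section figures.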
 
C:\Program Files\Yontoo Layers
C:\AOL Instant Messenger

I would uninstall both these programs, give me a break, who uses AOL anymore :)


What I would like you to do is use your computer for a day or two and then post back and let me know how it's running.
 
Update

KEN545

AOL Instant Messenger and Yontoo both deleted. I actually "shredded" them with McAfee Data Protection set to its most secure level... so they should be gone.

I have rebooted and all came up OK this time, everything running.

I agree I probably at this point just need to run with it a couple of days to see what happens.

I need to take it on the road anyway as I have an out of town interview tomorrow and won't be back until Saturday. Should be a good test.

So probably sometime Saturday or Sunday I will give you an update if that will work.

Can you keep the thread open until then since it is past the 3 days?

I really appreciate all the effort you have put into this for me. Do the donations go to you or the site?

Thank You Very Much :-)

Lee
 
No problem Lee, my pleasure. Sure, I will keep the thread open until you return. The donations go to Safer and that's fine with me.
 
Update - some good, some not so good

KEN545

Well... everything ran fine until this afternoon.

I let the computer go into hibernation for the first time this afternoon and when I woke it up I was locked out of IE...

I ran the following:

TDSKiller
rkill
useRiNiT
WinlOgOn
OTE
Combofix

Rebooted and ran FixMBR during boot

Rebooted again

Now it works again fine.

Maybe I got ahead of myself, but figured running the same processes through that did the job the first time might get things up and running again.

So... Is there any way to "flush" out the hibernation file? Or am I jumping to a conclusion that the virus is "embedded" in the hibernation file?

Anyway.

I'm interested in your take on this.

Thank You

Lee
 
I have never been a fan of Hibernation; I have seen it cause all sorts of problems. Take it out of Hibernation and just have it go to sleep.
 
Yes, you can go to the Control Panel under Power Options and reset it. Have it just go to standby or sleep. You can change it to shut off your monitor after a certain time period also if you wish, but stay away from Hibernation.
 