Infected

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6000)
Tue Nov 03 18:42:50 2009

18:42:50: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Windows\System32\logevent.dll|C:\Windows\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
 
As an added note, after the reboot, I am now getting constant popups from SecurityTool, an apparent bogus virus scanner that has infected my PC.
 
As another update, I tried running Malwarebytes again to see if it would work now that I was able to boot in normal mode, and I was able to get it to run.
 
Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 6.0.6000

11/3/2009 9:28:22 PM
mbam-log-2009-11-03 (21-28-22).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 316936
Time elapsed: 1 hour(s), 17 minute(s), 4 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 4
Registry Keys Infected: 18
Registry Values Infected: 14
Registry Data Items Infected: 4
Folders Infected: 6
Files Infected: 80

Memory Processes Infected:
C:\Windows\system32\sdra64.exe (Spyware.Zbot) -> Unloaded process successfully.
C:\Windows\msa.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Users\Frank\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\Windows\System32\tepusiga.dll (Trojan.Vundo) -> Delete on reboot.
c:\Windows\System32\hulowadu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\hisekeke.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\borababu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{04163e5a-bd34-4186-b017-367e3be500fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3eca3ef6-6aa3-4872-acb2-6519243a7f06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesiwomeh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06180217 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06180217 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86247532 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17173726 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81995840 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38488233 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{04163e5a-bd34-4186-b017-367e3be500fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bifevepin (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3eca3ef6-6aa3-4872-acb2-6519243a7f06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kefohevov (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wologenipi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\06180217 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\86247532 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\17173726 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\81995840 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\38488233 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Windows\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\Windows\System32\hulowadu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\ProgramData\06180217\06180217.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\06180217\06180217.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\86247532\86247532.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\86247532\86247532.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\17173726\17173726.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\17173726\17173726.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\81995840\81995840.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\38488233\38488233.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Windows\System32\tepusiga.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\hisekeke.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\borababu.dll (Trojan.Vundo) -> Delete on reboot.
C:\ProgramData\gelarijo\gelarijo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\jukohani\jukohani.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\kapekabo\kapekabo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\mimegepa\mimegepa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\mosujiki\mosujiki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\parifoma\parifoma.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\rivoyera\rivoyera.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\sijoluja\sijoluja.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\ProgramData\tidifara\tidifara.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\timinebe\timinebe.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\ProgramData\wakozawa\wakozawa.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\yiyasafo\yiyasafo.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Windows\System32\lipemeye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\denufudu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\domijifu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\doyanavo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jepayala.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mazimiru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mazimiru.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\pevapiye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pofegohu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\vimoveta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wifufulu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wigenupa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wonupago.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pidokobo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\Temp\B7CC.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\B885.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\D5C5.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\D90F.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\DB8F.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\F407.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1515.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1BD0.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1DEE.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1E97.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2098.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2253.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\244B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\24DE.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2705.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\272B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2A2C.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2ABF.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2DA7.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2EF8.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3193.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\31D8.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3594.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\359B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\38F0.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3CB3.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3D30.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3F60.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\423D.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\6FEC.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\742A.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\771B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\7DAE.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\Windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Users\Frank\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Windows\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\Windows\msa.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Frank\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
 
Doesn't look too good. Backdoor/keylogger/password stealer there.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
 
I would like to reformat and reinstall but I am nervous. I want to preserve pictures, music, media but do so without preserving the virus. Having never reformatted before, is it possible to safely preserve this stuff?

Is there a forum resource such as this for the reformatting and reinstallation process that can help someone new to it such as me?

Do you have any other advice for me?

Shabba, I really do appreciate your time and energy here, helping me with this problem. I can't thank you enough.
 
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 