2 replies to this topic

[tommy454]

Hello, I am a nOOb at this level of a Virus. I have in the past used Malwarebytes and it worked... Now, I started getting this AV 2009 software saying I need to scan my computer and so on. I tried to delete it but I could not find it. So I tried to do a system restore. It would not let me. I tried to google av 2009 and spyware, it sent me to other sites. I tried to run my Malwarebytes and it would not run, I tried Spybot and adaware no luck. I tried Macafee, it locked up. I downloaded malware on a thumb drive from my sons computer an tried to download it and it would not load it said to many secrets?;? I got a SATA to USB enclosure and was able to use my sons computer to scan my HDD thur an enclosure with Malware. It came back with 5 viruses.

1. Rootkit.agent
2.Trojan.TDSS\UACdjvwdapo.dll
3.Trojan.TDSS\UACtfnlkydo.dll
4.Trojan.TDSS\UACCynkrdoea.dll
5.Trojan.TDSS\UACCyxcnttmp.dll

also, Everytime I reboot save mode or regular I always get:

Googleupdate.exe - Application error
The exception Break Point
A breakpoint has been reached
(0x80000003) occurred in the application at location 0x00406eef.


I finally was able to run DDS this is the result:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 22:48:13.09 on Fri 04/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.627 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ergodex\bin\ergomon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} -
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [system tool] c:\windows\sysguard.exe
mRun: [ErgoMon] "c:\program files\ergodex\bin\ergomon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\devicedetector\DirectrecConfig.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5402/mcfscan.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5x36ymwb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mysjrcc.sjrcc.edu/cp/home/loginf|about:blank
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R2 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2006-8-12 24576]
R3 ErgoDvr;Ergodex DX1;c:\windows\system32\drivers\ergodvr.sys [2005-4-19 25771]
S2 gupdate1c90952fb2422ec;Google Update Service (gupdate1c90952fb2422ec);c:\program files\google\update\GoogleUpdate.exe [2008-8-28 133104]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [2005-7-2 48128]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]

=============== Created Last 30 ================

2009-04-03 22:27 3,067,000 a------- C:\ComboFix.exe
2009-04-03 17:36 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-02 13:35 10,752 a------- c:\windows\DCEBoot.exe
2009-04-02 10:22 2,577 a------- c:\windows\system32\config.bak
2009-04-02 10:22 2,577 a------- c:\windows\config.nt
2009-04-02 10:22 1,688 a------- c:\windows\system32\autoexec.bak
2009-04-02 10:22 1,688 a------- c:\windows\autoexec.nt
2009-04-02 10:20 <DIR> --d----- C:\AV-CLS
2009-04-01 21:22 <DIR> --d----- c:\program files\CCleaner
2009-04-01 19:23 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 19:23 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 19:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 20:35 <DIR> --d----- c:\program files\Audacity

==================== Find3M ====================

2009-01-31 21:12 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-22 20:37 22,328 ac------ c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2005-01-28 16:02 63,576 ac------ c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2005-01-08 23:23 723 ac------ c:\program files\INSTALL.LOG
2003-07-31 05:53 147,456 ac------ c:\windows\inf\EL2K_XP.sys
2003-07-31 05:50 448,768 ac------ c:\windows\inf\EL2K_N64.sys
2003-07-31 05:43 147,456 ac------ c:\windows\inf\EL2K_2K.sys
2001-05-03 00:49 201,216 ac------ c:\documents and settings\administrator\Love Meter.Exe
2001-05-03 00:48 518,656 ac------ c:\documents and settings\administrator\MahJong.exe
2001-05-03 00:40 273,920 ac------ c:\documents and settings\administrator\Darts.exe
2001-05-03 00:36 164,352 ac------ c:\documents and settings\administrator\Checkers.exe
2001-05-03 00:32 269,824 ac------ c:\documents and settings\administrator\Brick Breakers.exe

============= FINISH: 22:49:19.98 ===============



Please Help...

Attached Files

•  Attach.txt   12.79K   22 downloads

[tommy454]

Quote

MPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

I just seen this in another post. I Just removed my P2P...

[tommy454]

This helped alot:

CLB Rootkit infection AKA: TDSS,UAC Rootkit

Here is my mbam log:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

4/4/2009 12:20:33 AM
mbam-log-2009-04-04 (00-20-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 185229
Time elapsed: 26 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACedvjapao.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACjpspjdvg.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACtoituooy.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACwomimdwj.log (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\UACbejwqjkl.sys (Trojan.Agent) -> No action taken.