Tech Support Forum - View Single Post - Virus trouble

**TheBruce1** · 07-13-2009, 03:19 AM

Hello again

Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear.

=======

You have several variants of Bot virus showing in your log. Even though the Virus has been identified and can be killed, because of it's backdoor functionality, there is no way to be sure what information has been stolen from your system. If you do any banking or have recently paid for goods or services online you will need to change all passwords where applicable and it would be wise to contact your bank or credit card company to inform them of your situation. This also applies to passwords for any confidential sites you use such as Paypal, Ebay, Email etc... The infection you have has the ability to download and execute files, log keystrokes, Redirect connections, Sniff sent packets for information & Steal personal information so it is a very serious threat.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Sometimes it's for the best to backup valued documents, format the machine, and start over. That is what I would advise. See this topic by our colleague, miekiemoes, entitled:

Where to draw the line

Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

========

P2P

P2P - I see you have P2P software (µTorrent, Vuze, Vuze Launcher and Vuze Toolbar) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are Here,
Here and Here.

=========

Click > Start > Control Panel > Add or Remove Programs and uninstall the following programs (:

Full Tilt Poker<---See Here for more information.
Viewpoint Media Player<---Viewpoint is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

Additional Information Here

=========

Open notepad and copy/paste the text in the quotebox below into it:

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/393454-small-spyware-problem-worsening.html

Collect::
C:\WINDOWSBOOTs.exe
C:\fomg.exe
C:\b4ooo4ot.exe
c:\windows\test2.exe
c:\windows\boooot.exe
C:\346yturtkkh.exe
C:\yerhjpeddf.exe
C:\yerhjdf.exe
C:\yerhjhjdf.exe
C:\73485ygjuer.exe
C:\yuegyuer.exe
c:\windows\Cursors\supdate.exe
c:\windows\system32\rvjxxmyc.exe

Folder::
c:\windows\Jva
c:\program files\LimeWire
c:\documents and settings\eightY-D\Application Data\LimeWire
c:\program files\AskBarDis

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]

Driver::
ASKService
ASKUpgrade
ServicesZ
Windows Services Agent

DDS::
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s

Save this as CFscript

Refering to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).

========
Log Required
C:\Combofix.txt

07-13-2009, 03:19 AM	#4 (permalink)
TheBruce1 Moderator, Analyst, Security Team Join Date: Oct 2006 Location: Dùn Èideann,Scotland. Posts: 5,158 OS: XP	Re: Virus trouble - deleting files? Hello again Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear. ======= You have several variants of Bot virus showing in your log. Even though the Virus has been identified and can be killed, because of it's backdoor functionality, there is no way to be sure what information has been stolen from your system. If you do any banking or have recently paid for goods or services online you will need to change all passwords where applicable and it would be wise to contact your bank or credit card company to inform them of your situation. This also applies to passwords for any confidential sites you use such as Paypal, Ebay, Email etc... The infection you have has the ability to download and execute files, log keystrokes, Redirect connections, Sniff sent packets for information & Steal personal information so it is a very serious threat. You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? Sometimes it's for the best to backup valued documents, format the machine, and start over. That is what I would advise. See this topic by our colleague, miekiemoes, entitled: Where to draw the line Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution. So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused. ======== P2P P2P - I see you have P2P software (µTorrent, Vuze, Vuze Launcher and Vuze Toolbar) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections. References for the risk of these programs are Here, Here and Here. ========= Click > Start > Control Panel > Add or Remove Programs and uninstall the following programs (: Full Tilt Poker<---See Here for more information. Viewpoint Media Player<---Viewpoint is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546 Additional Information Here ========= Open notepad and copy/paste the text in the quotebox below into it: Code: http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/393454-small-spyware-problem-worsening.html Collect:: C:\WINDOWSBOOTs.exe C:\fomg.exe C:\b4ooo4ot.exe c:\windows\test2.exe c:\windows\boooot.exe C:\346yturtkkh.exe C:\yerhjpeddf.exe C:\yerhjdf.exe C:\yerhjhjdf.exe C:\73485ygjuer.exe C:\yuegyuer.exe c:\windows\Cursors\supdate.exe c:\windows\system32\rvjxxmyc.exe Folder:: c:\windows\Jva c:\program files\LimeWire c:\documents and settings\eightY-D\Application Data\LimeWire c:\program files\AskBarDis Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=- [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=- [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine] Driver:: ASKService ASKUpgrade ServicesZ Windows Services Agent DDS:: uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s Save this as CFscript* Refering to the picture above, drag CFscript into ComboFix.exe Follow the prompts, and post the resulting log, C:\ComboFix.txt Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s). ======== Log Required C:\Combofix.txt __________________ Member of ASAP since 2007 Member of UNITE since 2008 Notice to BT customers BT to dump Phorm, see Here for more information. No DPI If we have helped you in anyway, please consider Donating