I reread the section Respital linked to, so here are the logs. There are 2 different logs from today. I haven't been able to find logs from my antispyware programs.
-log 1, from this morning (cleared up most of my problems)
*********
Malwarebytes' Anti-Malware 1.28
Database version: 1234
Windows 5.1.2600 Service Pack 3
10/17/2008 10:50:35 AM
mbam-log-2008-10-17 (10-50-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 129104
Time elapsed: 48 minute(s), 48 second(s)
Memory Processes Infected: 3
Memory Modules Infected: 5
Registry Keys Infected: 22
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 34
Memory Processes Infected:
C:\Documents and Settings\*********\lsass.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\Program Files\webHancer\Programs\whagent.exe (Adware.Webhancer) -> Unloaded process successfully.
C:\WINDOWS\system32\tcntktdm.exe (Adware.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\fxwwnofp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvTjghi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\webHancer\Programs\webhdll.dll (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs\whiehlpr.dll (Adware.Webhancer) -> Delete on reboot.
C:\WINDOWS\system32\wvUkHWQH.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e0da6733-5c9a-46bc-ba1f-7f4998a173d5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvukhwqh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e0da6733-5c9a-46bc-ba1f-7f4998a173d5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eaefd89a-ed49-4779-9f64-91209d3c74a4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{eaefd89a-ed49-4779-9f64-91209d3c74a4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\TypeLib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.Webhancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.Webhancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.Webhancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.Webhancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj.1 (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074a48e3-b8d6-e6bf-c613-5c7e2486ef87} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{074a48e3-b8d6-e6bf-c613-5c7e2486ef87} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\547389a1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsa shellu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webhancer agent (Adware.Webhancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e0da6733-5c9a-46bc-ba1f-7f4998a173d5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{008d4bda-7a3b-d8d3-4c8d-474405265cb8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exploreupdsched (Adware.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuvtjghi -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuvtjghi -> Delete on reboot.
Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\wvUkHWQH.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvTjghi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ihgjTvut.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ihgjTvut.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fxwwnofp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pfonwwxf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\webhdll.dll (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs\whiehlpr.dll (Adware.Webhancer) -> Delete on reboot.
C:\Documents and Settings\*********\lsass.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whagent.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\*********\Local Settings\Temporary Internet Files\Content.IE5\STMRG9EF\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whinstaller.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BE09218-8252-43DC-BF82-B4FA2F91E2F9}\RP164\A0019301.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BE09218-8252-43DC-BF82-B4FA2F91E2F9}\RP164\A0019336.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7BE09218-8252-43DC-BF82-B4FA2F91E2F9}\RP164\A0020369.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvTmkhE.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nys3\iPU560I.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\license.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\readme.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\sporder.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whagent.ini (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\luhotgwvwlyjvb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tcntktdm.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gside.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dwwnw64r.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\*********\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\Documents and Settings\*********\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aiehpjlpnk.dll (Adware.BHO) -> Delete on reboot.
***********
Log 2, from this afternoon
***********
Malwarebytes' Anti-Malware 1.28
Database version: 1234
Windows 5.1.2600 Service Pack 3
10/17/2008 4:33:54 PM
mbam-log-2008-10-17 (16-33-54).txt
Scan type: Full Scan (C:\|)
Objects scanned: 129488
Time elapsed: 48 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{008d4bda-7a3b-d8d3-4c8d-474405265cb8} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
Last edited by T3hk1w1; 10-20-2008 at 04:32 AM.
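Added example, not code from the original post or from Malwarebytes: a small Python parser for the MBAM 1.x text log layout shown above. It checks the "<Section> Infected: <n>" summary counts against the entries actually listed (a mismatch usually means the paste was truncated), lists what was left as "Delete on reboot", and compares two scans by item path to show which detections came back. The embedded excerpts are taken from the two logs above (with the forum's line-wrap spaces in registry paths removed); the function names are my own.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and compare two scans.

Assumed layout (as in the logs above): "<Section> Infected: <n>" summary
lines near the top, "<Section> Infected:" section headers, and one
"<item> (<family>) -> <action>." line per detection, optionally carrying
"-> Data: <value>" before the action.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Excerpts of the two logs posted above (not the full logs); the spaces the
# forum inserted into "CurrentVersion" / "Control" have been removed.
LOG_MORNING = r"""
Memory Modules Infected:
C:\WINDOWS\system32\fxwwnofp.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvukhwqh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{008d4bda-7a3b-d8d3-4c8d-474405265cb8} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuvtjghi -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\luhotgwvwlyjvb.dll (Trojan.Agent) -> Delete on reboot.
"""

LOG_AFTERNOON = r"""
Malwarebytes' Anti-Malware 1.28
Registry Keys Infected: 4
Registry Values Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5297e6be-b783-45c7-fed4-e018ca096cfc} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{008d4bda-7a3b-d8d3-4c8d-474405265cb8} (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Greedy item so a path containing " (" (e.g. "Program Files (x86)") still
# leaves the last parenthesised token as the family name.
ENTRY_RE = re.compile(
    r"^(?P<item>.+) \((?P<family>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>[^>]+?)\.?$"
)


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str
    data: Optional[str] = None

    @property
    def key(self) -> str:
        # Windows paths and registry keys are case-insensitive; MBAM itself
        # mixes case (tuvTjghi.dll vs. tuvtjghi), so compare lower-cased.
        return self.item.lower()


def parse_mbam_log(text: str):
    """Return (summary_counts, detections) for one log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and (m := ENTRY_RE.match(line)):
            detections.append(Detection(section, m["item"], m["family"], m["action"], m["data"]))
    return summary, detections


def count_mismatches(summary, detections):
    """Sections whose header count differs from the entries listed under it."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}


def pending_reboot(detections):
    """Items MBAM could not remove while running; they only go after a reboot."""
    return [d for d in detections if d.action == "Delete on reboot"]


def by_family(detections):
    return Counter(d.family for d in detections)


def recurring(first, second):
    """Pairs (earlier, later) for items detected in both scans."""
    earlier = {d.key: d for d in first}
    return [(earlier[d.key], d) for d in second if d.key in earlier]


if __name__ == "__main__":
    s1, d1 = parse_mbam_log(LOG_MORNING)
    s2, d2 = parse_mbam_log(LOG_AFTERNOON)
    print("count mismatches (afternoon):", count_mismatches(s2, d2))
    print("left for reboot after morning scan:", [d.item for d in pending_reboot(d1)])
    for old, new in recurring(d1, d2):
        print(f"REDETECTED {new.family}: {new.item} (morning: {old.action})")
```

Run as a script it prints that all six afternoon detections were already reported as "Quarantined and deleted successfully" in the morning; a detection that comes back after a successful removal points at something re-creating it rather than a leftover, which is the first thing to ask about when reading a pair of logs like these.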