Virus help

noir07
Hi everybody, I'm new here. I have recently been having problems with viruses and was wondering if anybody could help. I downloaded Malwarebytes, performed a scan and found 16 viruses, which I quarantined. Here is the log below:

Malwarebytes

Database version: 6079

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

16/03/2011 21:21:30
mbam-log-2011-03-16 (21-21-25).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 321113
Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> 4020 -> No action taken.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> 3948 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KCSCPW1HKH (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A9YA3MI1CF (Trojan.Downloader) -> Value: A9YA3MI1CF -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU (Backdoor.Bot) -> Value: HKCU -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> No action taken.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> No action taken.
c:\programdata\apzsefw75smoe87y1b\apzsefw75smoe87y1b\1.0.0.0\service.exe (Trojan.Autorun) -> No action taken.
c:\Users\Stephen\AppData\Roaming\microsoft\Run.exe (Trojan.Autorun) -> No action taken.
c:\Users\Stephen\AppData\Roaming\Winlogon.exe (Trojan.Agent) -> No action taken.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> No action taken.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> No action taken.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> No action taken.
c:\Users\Stephen\AppData\Roaming\install\iexplorer.exe (Backdoor.Bot) -> No action taken.
I'm quite worried about passwords and account information being accessed; any help would be greatly appreciated. Thanks all.
 

My Computer

OS
windows 7
Hi,

I notice from your scan log that no action was taken on these files. You need to re-run a FULL SCAN and then let Malwarebytes either quarantine/delete these infected items. Once you do that, re-post the scan log.

Also, tell us which anti-malware you have installed on your system, apart from Malwarebytes.

Regards,
Golden
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
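An added example (not from the thread and not Malwarebytes' own code) that does the check Golden did by eye: it parses a log in the layout quoted above and flags every entry whose result is not a quarantine or process unload, and cross-checks the per-section summary counts against the lines actually listed. The excerpt it runs on is constructed; only the layout comes from the thread.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes logs quoted in this thread;
# the paths, key name and PID below are made up for the example.
SAMPLE_LOG = """\
Memory Processes Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
c:\\Windows\\Example.exe (Trojan.Downloader) -> 1234 -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\EXAMPLE (Trojan.Downloader) -> Value: EXAMPLE -> No action taken.

Files Infected:
c:\\Windows\\Example.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\\Windows\\Tasks\\{00000000-0000-0000-0000-000000000000}.job (Trojan.Downloader) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Files Infected: 9"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(.*) \(([^()]+)\)$")                  # "<path> (<family>)"
# Result strings that mean Malwarebytes actually neutralised the item.
RESOLVED = ("Quarantined and deleted", "Unloaded process", "Delete on reboot")


def parse_mbam_log(text):
    """Return (summary counts, entries); an entry has section, item, family, detail, action."""
    summary, entries, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif section and " -> " in line:
            parts = line.split(" -> ")  # item (family) [-> PID or value name] -> result
            if m := ITEM_RE.match(parts[0]):
                entries.append({"section": section, "item": m[1], "family": m[2],
                                "detail": " -> ".join(parts[1:-1]) or None,
                                "action": parts[-1].rstrip(".")})
    return summary, entries


def triage(text):
    """Flag entries still live, tally results, and cross-check summary counts per section."""
    summary, entries = parse_mbam_log(text)
    listed = Counter(e["section"] for e in entries)
    unresolved = [e for e in entries if not e["action"].startswith(RESOLVED)]
    return {"actions": dict(Counter(e["action"] for e in entries)),
            "unresolved": unresolved,
            "families": sorted({e["family"] for e in unresolved}),
            "count_mismatch": {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]}}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)["unresolved"]:
        print(f"STILL LIVE [{e['section']}] {e['item']} ({e['family']})")
```

Anything reported under "unresolved" is still on the machine and the scan has to be re-run with quarantine enabled, exactly as Golden asks for above.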
c:\Users\Stephen\AppData\Roaming\install\iexplorer.exe (Backdoor.Bot) -> No action taken.
What is a Backdoor.Bot?
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability ... It is also a password stealer, and can harvest confidential data from the computer.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

More info can be found below:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security | DSLReports.com, ISP Information
When should I re-format? How should I reinstall?
When should I re-format? How should I reinstall? Security | DSLReports.com, ISP Information
If you choose to format and reinstall see this link for instructions:
Windows: reformat and reinstall - Cyberwalker.com
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Sandboxie is your friend;)
 

My Computer

OS
Win 7 64 premium
Other Info
7 fw, LUA, UAC on high, IE-9 w/ smartscreen on, SANDBOXIE

Hi, thank you all for the replies. Here is the log with the quarantine actions taken:

Database version: 6079

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

16/03/2011 21:21:36
mbam-log-2011-03-16 (21-21-36).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 321113
Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> 4020 -> Unloaded process successfully.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> 3948 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KCSCPW1HKH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A9YA3MI1CF (Trojan.Downloader) -> Value: A9YA3MI1CF -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU (Backdoor.Bot) -> Value: HKCU -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\programdata\apzsefw75smoe87y1b\apzsefw75smoe87y1b\1.0.0.0\service.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Roaming\microsoft\Run.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Roaming\Winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Roaming\install\iexplorer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I also performed an ESET scan and here are the results:

C:\ProgramData\apZsefW75Smoe87y1B\apZsefW75Smoe87y1B\1.0.0.0\servace.exe probably a variant of Win32/Agent.LGHJRFD trojan cleaned by deleting - quarantined
C:\Users\Stephen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\3dc414c1-18ee68a9 Java/TrojanDownloader.OpenConnection.AA trojan deleted - quarantined
C:\Users\Stephen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\26cf81da-737c1a0a Java/TrojanDownloader.OpenConnection.AA trojan deleted - quarantined
C:\Users\Stephen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\7061701b-47cdf919 probably a variant of Java/Agent.AF trojan deleted - quarantined

I currently use Webroot. One problem I have been facing is that Security Centre keeps disabling itself every time I start it.
 

My Computer

OS
windows 7
Did you change all your passwords using a different computer, that you know is clean?

Let's flush the bad DNS cache and restore MS's Hosts file:
Copy and paste these lines into Notepad.

@echo on
rem Make the hosts file writable, then rewrite it with only the default localhost entry
rem (%SystemRoot% is used so the path resolves whatever the current drive is)
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Drop the current lease and the resolver cache so poisoned answers are not reused
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the TCP/IP stack, reboot, and delete this script
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click to run as Administrator. Your computer will reboot itself.
 

My Computer

OS
Windows 7 Ultimate 32bit SP1
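Added example, not part of the thread: a read-only audit of a hosts file of the kind the batch above overwrites. It flags entries that send a hostname anywhere other than loopback or 0.0.0.0, which is what a hijacked hosts file contains, plus a localhost entry pointed away from loopback and malformed lines. The sample content is constructed and uses documentation hostnames and the 192.0.2.0/24 test range.

```python
import ipaddress
import re

# Constructed hosts-file content for this example: the first two entries mimic the
# stock Windows ones, the rest are made-up additions of the kind an audit should see.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       localhost.localdomain   # harmless alias
192.0.2.10      www.example.com example.com
0.0.0.0         ads.example.net
127.0.0.1       -bad.example
"""

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no edge hyphen.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def audit_hosts(text):
    """Parse hosts-file text; return (mappings, findings) where mappings is a list of
    (hostname, address) and findings a list of (line number, reason)."""
    mappings, findings = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace padding
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((no, f"unparseable address {addr!r}"))
            continue
        if not names:
            findings.append((no, "address with no hostname"))
        for name in (n.lower() for n in names):
            mappings.append((name, str(ip)))
            if not HOSTNAME_RE.match(name):
                findings.append((no, f"malformed hostname {name!r}"))
            elif name == "localhost" and not ip.is_loopback:
                findings.append((no, f"localhost mapped to {ip}, not loopback"))
            elif not (ip.is_loopback or ip.is_unspecified):
                # Loopback and 0.0.0.0 entries only block a name; anything else
                # silently sends it to another host, which is how a hosts hijack works.
                findings.append((no, f"{name} pinned to {ip}: possible redirect"))
    return mappings, findings


def redirected_hosts(text):
    """Hostnames the file sends somewhere other than loopback or 0.0.0.0."""
    return sorted({name for name, addr in audit_hosts(text)[0]
                   if not (ipaddress.ip_address(addr).is_loopback
                           or ipaddress.ip_address(addr).is_unspecified)})


if __name__ == "__main__":
    for no, reason in audit_hosts(SAMPLE_HOSTS)[1]:
        print(f"hosts line {no}: {reason}")
```

On a live machine the file sits at %SystemRoot%\System32\drivers\etc\hosts and, as the batch shows, is normally hidden and read-only, so read it with an elevated prompt and pass its text to audit_hosts.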
Hi, thanks for the reply. I have changed all the passwords.
Is flushing the bad DNS done through Command Prompt? Also, could you please direct me how to restore the MS hosts file?
Again, thank you for all the help.
 

My Computer

OS
windows 7
Follow my above instructions to copy and paste the batch file on notepad.
It will do the work for you.
 

My Computer

OS
Windows 7 Ultimate 32bit SP1
I did that and my computer has rebooted; however, the problems are still continuing, and Firefox keeps directing me to other websites than I was intending to go to. I would do a System Restore but Security Centre won't open, so I can't. Any advice on what to do next?
 

My Computer

OS
windows 7
Boot into Safe Mode by pressing F8 on bootup and run Malwarebytes. Also, I suggest uninstalling Webroot and installing MSE, then running a scan.

Make sure at the end of each scan anything found is deleted and/or quarantined.

Boot back into Windows and disable all your addons in Firefox, and let us know if you still get the redirects.

Also, does this happen in Internet Explorer?

Let us know what symptoms you're experiencing now.
 

My Computer

Computer Manufacturer/Model Number
built my own
OS
win7 ultimate / virtual box
CPU
Intel Core i7 3770K,1155, Ivy Bridge
Motherboard
MSI Z77A-G43
Memory
GSkill Ripjaws Z Series 1600 CL 9.0 16GB
Graphics Card(s)
KFA2 GeForce GTX 670 EX OC 2048MB GDDR5 PCI-E gfx card
Sound Card
onboard Nvidia HDMI audio
Monitor(s) Displays
ASUS VK222H 22" widescreen LCD monitor
Screen Resolution
1680x1050
Hard Drives
Kingston 128gb SSD
OCZ Vertex 90gb SSD
500GB WDCaviar 16mb 5000KS
320GB WDCaviar 16mb 3200AAKS sata 2
1TB Samsung 16mb HD103SJ sata 2
PSU
Corsair HX 750W ATX2.2 Modular
Cooling
Antec 25 Kuhler H2O 620
Keyboard
logitech
Mouse
logitech MX518
Internet Speed
7mb adsl
Download JavaRa and run it to get rid of all old Java applications. |MG| JavaRA 1.16 Beta Download
Now, update Java.
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u24 allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.
After you've done the above, download ComboFix from any of the links below and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
***A guide and tutorial on "How to use Combofix" can be found here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 

My Computer

OS
Windows 7 Ultimate 32bit SP1
Thanks for all the replies. So far I rebooted my PC in Safe Mode; Malwarebytes didn't find anything but Webroot found the following:
Troj/JavaDL-BK
Mal/Autoinf-C

I disabled FF addons. FF and IE seem to be affected and get redirected to sites like gimmeanswers; Chrome seems to be OK.
Also, Security Centre in Services keeps disabling itself.

I tried to run ComboFix but keep getting an error telling me that it's corrupted. Also, with HijackThis I get an error saying:
"For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this."
 

My Computer

OS
windows 7
Right-click on the .exe file, then choose "Run As Administrator".
 

My Computer

OS
Windows 7 Ultimate 32bit SP1
OK, so I finally managed to run ComboFix. I have attached the log to this post. Thanks.
 

Attachments

My Computer

OS
windows 7

My Computer

OS
Windows 7 Ultimate 32bit SP1
Hi, thanks for the reply. Sorry about that, here is the complete log.
 

Attachments

My Computer

OS
windows 7
I couldn't find the file c_286036.dll in C:\Windows\SysWow64.

Edit:
I found it by using the search, but it says I am not allowed to open it without admin permission.
 

My Computer

OS
windows 7