Virus Attack! Task Manager Has Been Disabled.. C And D Drives Not Visible

6 replies to this topic

#1 vin2988

Posted 11 July 2008 - 05:50 AM

When I click Ctrl+Alt+Del, it says "Task Manager has been disabled by your administrator".

My Start menu has become empty; the Programs link itself has disappeared. When I open 'My Computer' I cannot see the 'C' or 'D' drives; the 'E' and 'F' drives are visible.

I also get annoying pop-ups all the time. One pop-up says "Windows security alert... Windows has detected spyware and malware... etc. etc.",
another comes near the task bar: "System has detected virus activities etc... please use the recommended antispyware program",
and another pop-up says "Spyware alert... worm.win32netbooster detected on your machine etc. etc."

I have 3 new internet shortcuts on my desktop: Error Cleaner, Privacy Protector, and Spyware and Malware Protector.

And one more thing: there is a message "VIRUS ALERT" right next to my system time.

My internet is slow as well and keeps disconnecting.

Please help.

Edited by vin2988, 11 July 2008 - 06:03 AM.

#2 DaChew

Posted 11 July 2008 - 06:25 AM

When a computer is this infected, it's best if we know what operating system you have and what anti-malware programs are already installed, so we can try to help you get control back.

See if you can install MBAM and start the process

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Chewy

No. Try not. Do... or do not. There is no try.

#3 vin2988

Posted 11 July 2008 - 07:20 AM

THANKS A LOT!!

I HAVE WINDOWS XP SERVICE PACK 2

I DID A SCAN USING MBAM .. IT SHOWED AROUND 113 INFECTIONS.. I REMOVED ALL THE INFECTIONS.. AND NOW THE SYSTEM APPEARS ALRIGHT! I AGAIN DID A RESCAN AFTER REBOOTING MY SYSTEM.. THERE ARE 3 INFECTIONS WHICH ARE NOT GETTING CLEARED! I AM NOT HAVING ANY APPARENT PROBLEMS THOUGH... MY START MENU IS BACK TO NORMAL AND 'C' AND 'D' DRIVES HAVE BECOME VISIBLE AND THERE ARE NO MORE POP-UPS..

I ALSO DOWNLOADED XP_CodecRepair.inf AND INSTALLED IT FROM THIS LINK http://downloads.andymanchesta.com/Removal...CodecRepair.inf

MY LOG AFTER THE FIRST SCAN :

Malwarebytes' Anti-Malware 1.20
Database version: 938
Windows 5.1.2600 Service Pack 2

4:41:09 PM 7/11/2008
mbam-log-7-11-2008 (16-41-09).txt

Scan type: Quick Scan
Objects scanned: 42084
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 33
Registry Values Infected: 19
Registry Data Items Infected: 15
Folders Infected: 24
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\fdxbameg.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\fsrpknov.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a75e5df-d009-40d8-8663-fb8e97cd179e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6def6aa1-5511-4f1e-ac3b-caeb61c47fef} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4a662651-4d1a-4fbb-8a9e-f63d45790c5e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{874ea085-3b7b-412b-91ae-7291a94978d0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{874ea085-3b7b-412b-91ae-7291a94978d0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c5ebee4a-e9ab-4efd-8672-f0166f8ac2c3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{abbafc19-c497-4ec0-9a4d-e19c6c5cf8a3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db62cc01-ecd2-492e-bce6-57b0ad8a8d59} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpmsky (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinIFixer.com (Rogue.WinIFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6aef09c5-5b03-4c32-967b-c8b602e1cf2a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ed3cfbda-41a7-43d7-b2f0-fc404f47bac2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{143abc77-8833-4be5-b487-caa9f58339d9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e9b9e868-94f8-48a6-a327-e150ae7c9be3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.baql (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{db62cc01-ecd2-492e-bce6-57b0ad8a8d59} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRam prosessor (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\DRam prosessor (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys1f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm13ff9aa8 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\DRam prosessor (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fdxbameg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fsrpknov (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-640-8365391-23668) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\XP\Application Data\WinIFixer.com (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\BrowserObjects (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP\Application Data\WinIFixer.com\WinIFixer\Quarantine\Packages (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\BrowserObjects (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\WinIFixer.com\WinIFixer\Quarantine\Packages (Rogue.WinIFixer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\wbxdpgfedxa.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sqvgnrpx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\enxw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbOCR.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\AD7SYYQH\1[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HX4WZC2C\loader[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\qandr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM13ff9aa8.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM13ff9aa8.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\index.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fdxbameg.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\fsrpknov.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\gpefaowr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
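Added example, not code from the thread or from Malwarebytes: a parser for detection lines in the MBAM 1.20 log format posted above, with a decoder for the "Registry Data Items" that account for the symptoms in the first post (the NoDrives bitmask that hid C: and D:, the Start_Show* flags that emptied the Start menu, and the sTimeFormat string that put "VIRUS ALERT" next to the clock). The sample log is constructed from a few of the thread's own lines; the NoDrives bit layout (bit 0 = A:, bit 25 = Z:) is the documented Explorer policy format.

```python
"""Parse Malwarebytes' Anti-Malware 1.20 log entries and decode the Explorer
policy tampering recorded under "Registry Data Items Infected"."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the first MBAM log in the thread.
SAMPLE_LOG = r"""
Registry Data Items Infected: 3
Files Infected: 1

Registry Data Items Infected:
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\fdxbameg.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# A detail section header has no count after the colon ("Files Infected:");
# the summary block at the top ("Files Infected: 1") deliberately does not match.
SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


@dataclass
class Entry:
    section: str
    path: str
    threat: str
    action: str
    bad: Optional[str] = None   # only present for "Registry Data Items"
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Entry]:
    """Return one Entry per detection line, tagged with the section it sits in."""
    entries: List[Entry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None:          # still in the header / summary block
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path, threat, rest = m.group("path", "threat", "rest")
        d = DATA_RE.match(rest)      # "Bad: (...) Good: (...) -> action" form
        if d:
            entries.append(Entry(section, path, threat, d.group("action"),
                                 d.group("bad"), d.group("good")))
        else:
            entries.append(Entry(section, path, threat, rest))
    return entries


def nodrives_letters(mask: int) -> str:
    """NoDrives is a 26-bit mask, bit 0 = A: ... bit 25 = Z:; a set bit hides that drive."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask >> i & 1)


def explain(entry: Entry) -> str:
    """One-line description of what a tampered registry data item did to the user."""
    name = entry.path.rsplit("\\", 1)[-1]
    if name == "NoDrives" and entry.bad is not None:
        return f"Explorer hid drives {nodrives_letters(int(entry.bad))} (NoDrives={entry.bad})"
    if name.startswith("Start_Show") and entry.bad == "0":
        return f"Start menu item {name[len('Start_Show'):]} hidden"
    if name.startswith("No") and entry.bad == "1":
        return f"policy {name} enabled"
    if entry.bad is not None:
        return f"{name} changed to {entry.bad!r} (was {entry.good!r})"
    return f"{entry.threat}: {entry.path} -> {entry.action}"


if __name__ == "__main__":
    for e in parse_mbam_log(SAMPLE_LOG):
        print(f"[{e.section}] {explain(e)}")
```

Running it over a full log rather than the sample reports every hidden drive letter and disabled Start menu item in one pass, which is a quicker cross-check against a user's reported symptoms than reading the raw entries.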

#4 vin2988

Posted 11 July 2008 - 07:24 AM

MY LOG AFTER SECOND SCAN USING MBAM IS :

Malwarebytes' Anti-Malware 1.20
Database version: 938
Windows 5.1.2600 Service Pack 2

5:25:43 PM 7/11/2008
mbam-log-7-11-2008 (17-25-43).txt

Scan type: Quick Scan
Objects scanned: 42991
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbOCR.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbOCR.dll (Trojan.Agent) -> Delete on reboot.


AND ONE MORE THING! INTERNET EXPLORER IS NOT WORKING.. THE SITES ARE NOT OPENING.. BUT MOZILLA APPEARS FINE EXCEPT THAT SOME SITES FAIL TO OPEN UNLESS I KEEP REFRESHING IT..

#5 DaChew

Posted 11 July 2008 - 08:35 AM

http://www.bleepingcomputer.com/forums/ind...st&p=876350

See if you can download and install ATF Cleaner and SAS, update it, and run a clean from safe mode; rescan with MBAM after rebooting into normal mode.

http://www.bleepingcomputer.com/forums/ind...st&p=877671

If that doesn't get the rootkit and trojan agent, I would use SDFix.

I like to stay disconnected from the internet during a cleanup so I know the malware isn't reinstalling itself.

Edited by DaChew, 11 July 2008 - 08:36 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#6 vin2988

Posted 11 July 2008 - 03:30 PM

Thanks a lot!!

I did a scan using SUPERAntiSpyware, then I rebooted into normal mode and did a rescan using MBAM. My MBAM scan showed there are no more infections.

My SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2008 at 01:39 AM

Application Version : 4.15.1000

Core Rules Database Version : 3502
Trace Rules Database Version: 1493

Scan type : Complete Scan
Total Scan Time : 00:25:41

Memory items scanned : 274
Memory threats detected : 0
Registry items scanned : 6857
Registry threats detected : 22
File items scanned : 62246
File threats detected : 74

Rootkit.Protect/WinNT32
HKLM\System\ControlSet001\Services\Gil52
C:\WINDOWS\SYSTEM32\DRIVERS\GIL52.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_Gil52
HKLM\System\ControlSet002\Services\Gil52
HKLM\System\ControlSet002\Enum\Root\LEGACY_Gil52
HKLM\System\ControlSet003\Services\Gil52
HKLM\System\ControlSet003\Enum\Root\LEGACY_Gil52
HKLM\System\ControlSet004\Services\Gil52
HKLM\System\ControlSet004\Enum\Root\LEGACY_Gil52
HKLM\System\CurrentControlSet\Services\Gil52
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Gil52
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP30\A0024571.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP30\A0024594.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP30\A0024636.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031516.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031517.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0039984.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0039991.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0040005.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0040049.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0040063.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0040093.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP47\A0040285.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP48\A0040325.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP49\A0040379.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP49\A0040396.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP49\A0041412.SYS

Rogue.WinIFixer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinIFixer [ C:\Program Files\WinIFixer\WinIFixer.exe ]

Rootkit.MailGrab
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#Type
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#Start
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Security
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum#NextInstance
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031327.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031482.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0033645.SYS

Trojan.Downloader-Gen/FotoMoto-B
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP29\A0023447.DLL

Bugs! Screensaver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP3\A0000054.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0035689.SCR

Adware.AdRotate/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP31\A0024743.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031509.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP32\A0025160.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP34\A0025271.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP34\A0025272.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP34\A0025278.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP34\A0025279.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP35\A0025400.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP35\A0025401.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP35\A0025407.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP35\A0025408.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP36\A0025528.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP36\A0025529.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP36\A0025535.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP36\A0025536.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP42\A0025982.DLL
C:\WINDOWS\SYSTEM32\OXBDXW.DLL
C:\WINDOWS\SYSTEM32\RHHLGV.DLL
C:\WINDOWS\SYSTEM32\RKETRKAB.DLL
C:\WINDOWS\SYSTEM32\SDXTAKWH.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP34\A0025338.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP34\A0025339.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP35\A0025467.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP35\A0025468.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP36\A0025596.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP36\A0025597.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0040028.ICO
C:\WINDOWS\SYSTEM32\DQKJWCJH.DLL
C:\WINDOWS\SYSTEM32\URAXNR.DLL

Trojan.Downloader-CREW
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0028221.DLL

Rogue.Dropper/Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031448.EXE

Rogue.Vista AntiVirus 2008
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031503.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031631.CPL

Trojan.Unclassified/Multi-Dropper (Packed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0031511.EXE

Trojan.Unclassified/CBOcr
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0035716.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0036757.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0038897.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0038953.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0038979.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP43\A0040006.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP47\A0040286.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17CD050A-2C74-4236-B7CF-EB466982B758}\RP48\A0040326.DLL

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@partner2profit[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@virusremover2008[2].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

and my MBAM log:

Malwarebytes' Anti-Malware 1.20
Database version: 938
Windows 5.1.2600 Service Pack 2

1:47:21 AM 7/12/2008
mbam-log-7-12-2008 (01-47-21).txt

Scan type: Quick Scan
Objects scanned: 41930
Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Now my internet has become fast and websites are opening too. Thanks!

#7 DaChew

Posted 11 July 2008 - 04:21 PM

http://www.bleepingcomputer.com/forums/ind...st&p=878149

This will get rid of those infections saved in System Restore, but keep a close eye out; these nasties have a way of coming back.

Chewy

No. Try not. Do... or do not. There is no try.
