
Virus/malware Or What? Plz Help


19 replies to this topic

#1 slashkai (Members, 10 posts)

Posted 10 March 2008 - 11:53 AM

Hi everyone new here and needed help badly.
My laptop suddenly keeps showing this big red wallpaper with a red warning logo saying "your privacy is at risk", and every time I log in to Windows it appears. It can be closed, but it comes back after some time. Also, now when I open Internet Explorer, below the address bar there is something saying "warning: possible spyware or adware infection. click here to scan your computer for spyware and adware." Is this also related to the red wallpaper thingy or not?
Is this some kind of virus, spyware or what? Can someone please help me.


#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 10 March 2008 - 12:10 PM

This is definitely adware. Seems like Vundo, though I can't be sure yet.

First of all, could I ask for what anti malware programs you are running currently, either scanners or realtime shields?

#3 Orange Blossom (OBleepin Investigator, Moderator, 36,854 posts)

Posted 10 March 2008 - 09:51 PM

Hello slashkai and welcome to BC :flowers:

In order to provide you with the correct disinfection advice, we need more information from you.

What is your operating system: Windows XP, Vista, etc.

What security programs do you have installed? Please name them.

> Is this also related to the red wallpaper thingy or not?


It probably is. Please provide the requested information so we can begin disinfection procedures.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 slashkai (Topic Starter, Members, 10 posts)

Posted 11 March 2008 - 01:20 AM

I am using Windows XP.
I am using a program called Advanced WindowsCare V2 Personal, AVG Anti-Spyware, Spybot Search & Destroy, and the Symantec AntiVirus that came along with Windows.

Symantec AntiVirus doesn't show anything when I perform a full scan. With the other 3 programs (Advanced WindowsCare V2 Personal, AVG Anti-Spyware, Spybot Search & Destroy) I did the usual thing I always do, which is scan and then auto-fix problems, but it doesn't seem to help. The red wallpaper keeps coming back some time after I close it.

#5 slashkai (Topic Starter, Members, 10 posts)

Posted 11 March 2008 - 01:22 AM

Oh, and thanks for the welcome. :thumbsup:

#6 Orange Blossom (OBleepin Investigator, Moderator, 36,854 posts)

Posted 11 March 2008 - 09:58 AM

Hello slashkai,

At this point I would like you to run a scan with SUPERAntiSpyware in Safe Mode. You will, of course, run it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
Reboot into Safe Mode
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the log in your next reply. Also indicate whether you are using the Home or Pro version of XP and if you have Service Pack 1 or Service Pack 2 installed.


#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,138 posts)

Posted 11 March 2008 - 01:23 PM

Please continue as follows when done with the above scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#8 slashkai (Topic Starter, Members, 10 posts)

Posted 11 March 2008 - 01:41 PM

I have done the SUPERAntiSpyware scan as instructed by Orange Blossom. However, when I restart in Normal Mode back to Windows, the red wallpaper thingy still appears.

Quietman7, I tried both download links for Malwarebytes Anti-Malware and saved it to my desktop, but I can't run it. I double-click but nothing happens. Tried a few times. Is it a problem with the file or with my laptop?

Anyway, here is the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/12/2008 at 02:20 AM

Application Version : 4.0.1154

Core Rules Database Version : 3417
Trace Rules Database Version: 1409

Scan type : Complete Scan
Total Scan Time : 00:42:03

Memory items scanned : 204
Memory threats detected : 0
Registry items scanned : 6369
Registry threats detected : 13
File items scanned : 86171
File threats detected : 52

Adware.SXGAdvisor-A
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}\InprocServer32
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}\InprocServer32#ThreadingModel
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}\ProgID
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}\Programmable
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}\TypeLib
HKCR\CLSID\{3437F77C-C103-47BF-BF1D-7EAFC400BE8F}\VersionIndependentProgID
C:\WINDOWS\DRNPFDXRFW.DLL

Adware.Tracking Cookie
C:\Documents and Settings\fdsg\Cookies\fdsg@webstats[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@www.xtracounter[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@revsci[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@zango[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@1055832236[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@overture[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@r[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@mediaonenetwork[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@lstat.youku[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@gomyhit[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@a[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@208.122.40[3].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@paypal.112.2o7[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@clicktank[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@xiti[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@tacoda[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@cgi-bin[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@neocounter2[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@1069686509[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@ads.veoh[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@cgi-bin[6].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@www.countertracker[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@interclick[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@toplist[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@ads.clicktank[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@ads2.myp2p[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@adultfriendfinder[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@clicksor[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@mediacorp[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@cgi-bin[3].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@ads.adgoto[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@1059857286[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@cgi-bin[4].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@rotator.adjuggler[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@208.122.40[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@cgi-bin[5].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@eas.apm.emediate[2].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@atwola[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@ads.livesport[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@ads.heias[1].txt
C:\Documents and Settings\fdsg\Cookies\fdsg@ads.bleepingcomputer[1].txt
C:\Documents and Settings\fdsg\Local Settings\Temp\Cookies\fdsg@ads.ookla[2].txt

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {370343bc-d49f-4ab2-aa9e-a8bc06b3de96} ]

Trojan.Net-MSV/VPS
HKCR\MSVPS.MSVPSApp
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer

Desktop Hijacker.AboutYourPrivacy
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\images
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger

Adware.Lop-Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MEMO FAST SURF SITE\ELSEDEBUG.EXE
C:\DOCUMENTS AND SETTINGS\FDSG\APPLICATION DATA\DRIVE STUPID\QVIJJNLK.EXE

#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,138 posts)

Posted 11 March 2008 - 01:44 PM

Please print out and follow the generic instructions for using "SmitfraudFix". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
-- If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!
-- If using Windows Vista be sure to Run As Administrator
-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

#10 slashkai (Topic Starter, Members, 10 posts)

Posted 11 March 2008 - 01:46 PM

Oh sorry, it's running now. OK, I will get to it now.

#11 slashkai (Topic Starter, Members, 10 posts)

Posted 11 March 2008 - 02:02 PM

This is the log file for Malwarebytes. (By the way, I run and scan this in Normal Mode, right?)
Malwarebytes' Anti-Malware 1.08
Database version: 477

Scan type: Quick Scan
Objects scanned: 40498
Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 28
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Installer\{1683c573-79ee-4bc0-87d9-79919603c1da}\PrxPrx.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1683c573-79ee-4bc0-87d9-79919603c1da} (Trojan.Alphabet) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3437f77c-c103-47bf-bf1d-7eafc400be8f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\etlrlws.bfdp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\etlrlws.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5cfad498-79f2-4a82-91a3-4badde0281b1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8eaa0c99-0c3b-4786-a260-98a2c7f9b7b3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{730c4211-2f09-410a-9614-701ec92c48c4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{094b0adc-2173-4efb-964b-2f57a5b4693c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c05a4c0-d6c9-4c82-b0ad-23c7d940c603} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9cd2b6e7-8500-42cf-a02f-937b9553af34} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31bb9c63-4702-4ff8-8813-156e46620cd1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3114e623-ccd2-48d4-bccd-8cfaf5587131} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4bedab24-790a-4125-a5b8-7d903cbb440f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54fe4ac2-fe27-4f8c-9ad3-db782d7fe5b7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5bd4ecdd-c4d7-4c66-b76c-e537aecbb4e2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6b4ce5e9-2ffa-4aaf-9902-baebf8b7d7de} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8adc5e8e-ff23-4e2f-89ac-65469a3b742b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9955c664-0e62-4849-a0bf-91cf041abde1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d1bab1a-7380-4ea4-a36a-5a25ec21aef3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a2b4528c-c0e8-4289-8818-e2434245c378} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a8c63b53-25f4-4e86-95c9-65e2373cc488} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cd1463a9-7961-43f7-b1ff-532c7c0189d2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d1a452fb-ad52-45f9-81a1-e667e91a65e7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f91cc930-87a1-47c3-828f-7c83e6241da2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fb168a85-d250-45c5-8c66-2b38a73802c9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.bfdp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PrxPrx (Trojan.Alphabet) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\altvxvm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{1683c573-79ee-4bc0-87d9-79919603c1da} (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Installer\{1683c573-79ee-4bc0-87d9-79919603c1da}\PrxPrx.dll (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\antiviirus.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\instaler.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fmsxwqs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\bokpkov.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\fdsg\Local Settings\Temp\mso11.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
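The two scan logs above show where this infection anchored itself: a ShellServiceObjectDelayLoad (SSODL) value (`zip` in the SUPERAntiSpyware log, `PrxPrx` and `altvxvm` in the MBAM log) whose CLSID pointed at a DLL loaded by Explorer at logon, and Browser Helper Object CLSIDs under `Explorer\Browser Helper Objects` that Internet Explorer loads. The following PowerShell script is an added example for this thread, not code from the forum or from any of the tools mentioned; it audits those two locations read-only on a Windows machine, resolves each CLSID to its `InprocServer32` DLL, and flags DLLs that are missing, unsigned, or outside the Windows and Program Files directories (the log's `altvxvm.dll` sat directly in `C:\WINDOWS`, which this check treats as untrusted). The function names, the "trusted directory" list and the signature heuristic are my own assumptions; it targets Windows PowerShell 5.1, not the 2008 toolset in the thread.

```powershell
# Added example (not from the thread or any tool it mentions): read-only audit of the
# two autostart locations the scan logs show being abused.
#   SSODL: HKLM\...\ShellServiceObjectDelayLoad         value name -> CLSID, loaded by explorer.exe
#   BHO:   HKLM\...\Explorer\Browser Helper Objects     subkey name = CLSID, loaded by iexplore.exe
# Each CLSID maps to a DLL via HKCR\CLSID\{guid}\InprocServer32 (default value).

function Resolve-ClsidServer {
    # Return the DLL path registered for a CLSID, or $null if no server is registered.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-AutostartClsidEntry {
    # Emit one object per SSODL value and per BHO subkey: Location, Name, Clsid.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

    if (Test-Path -LiteralPath $ssodl) {
        $props = Get-ItemProperty -LiteralPath $ssodl
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip them.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = 'SSODL'; Name = $p.Name; Clsid = [string]$p.Value }
        }
    }
    if (Test-Path -LiteralPath $bho) {
        foreach ($k in Get-ChildItem -LiteralPath $bho) {
            [pscustomobject]@{ Location = 'BHO'; Name = $k.PSChildName; Clsid = $k.PSChildName }
        }
    }
}

function Get-ServerPathFinding {
    # Heuristic verdict for a resolved DLL path. Assumption (mine): legitimate shell and IE
    # extension DLLs live under system32 or Program Files and carry a valid Authenticode signature.
    param([AllowNull()][string]$Path)
    if (-not $Path) { return 'orphaned CLSID: no InprocServer32 registered' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'DLL missing on disk' }

    $trusted = @("$env:SystemRoot\system32\", "$env:ProgramFiles\")
    if (${env:ProgramFiles(x86)}) { $trusted += "${env:ProgramFiles(x86)}\" }
    $inTrusted = $false
    foreach ($dir in $trusted) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $inTrusted -and $sig.Status -ne 'Valid') {
        return "SUSPICIOUS: unsigned DLL outside trusted dirs (signature status: $($sig.Status))"
    }
    if (-not $inTrusted) {
        return "review: signed but outside trusted dirs ($($sig.SignerCertificate.Subject))"
    }
    if ($sig.Status -ne 'Valid') { return "review: in trusted dir but signature $($sig.Status)" }
    return 'ok'
}

# Run the audit and show one row per autostart entry.
Get-AutostartClsidEntry | ForEach-Object {
    $dll = Resolve-ClsidServer -Clsid $_.Clsid
    [pscustomobject]@{
        Location = $_.Location
        Name     = $_.Name
        Clsid    = $_.Clsid
        Dll      = $dll
        Finding  = Get-ServerPathFinding -Path $dll
    }
} | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so both HKLM hives are readable; it changes nothing. An SSODL value whose CLSID resolves to an unsigned DLL in an odd directory is exactly the pattern in the MBAM log, but a third-party BHO can legitimately be unsigned, so treat a "review" or "SUSPICIOUS" row as a lead to check the file's publisher and creation time, not as a verdict.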

#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,138 posts)

Posted 11 March 2008 - 02:26 PM

Since you were able to get MBAM to work, you can skip my instructions for using SmitfraudFix but continue with the instructions for running SDFix and post that log back here.

Also let me know how your computer is running afterwards.

#13 slashkai (Topic Starter, Members, 10 posts)

Posted 11 March 2008 - 04:46 PM

I did the SmitfraudFix instructions too, and just finished the SDFix instructions as well.
The desktop turns black when I log in. Yeah, and it's working fine so far, no red wallpaper thingy appearing so far. Will post again if the problem persists. Thanks a lot, genius! :thumbsup:
Here's the log.

SDFix: Version 1.155

Run by fdsg on Wed 03/12/2008 at 05:01 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 05:07:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:0e,85,44,c3,0b,87,f5,57,74,d8,3b,33,d7,b4,59,3c,85,6c,c8,10,ab,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:0e,85,44,c3,0b,87,f5,57,74,d8,3b,33,d7,b4,59,3c,85,6c,c8,10,ab,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000009e
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\hQ\x00fcb]
"\xcd\x2039\xed\x2039T\x20ac\xf3`"=dword:00000001
"\xcd\x2039\xed\x2039\x201c\x008feQ"=dword:00000001
"\20\x90\20n\x00d0c:y"=dword:00000001
"\26Y\1x\x00d0c:y"=dword:00000001
"\x00d2czz<h"=dword:00000000
"IQ\ah\xdf\x8d\x8f\x2013"=dword:00000001
"<SPACE>"=dword:00000001
"<ENTER>"=dword:00000000
"FC Input"=dword:00000000
"FC aid"=dword:00000000
"GB/GBK"=dword:00000000

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 310


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DacEasy\\pvsw\\W3DBSMGR.EXE"="C:\\DacEasy\\pvsw\\W3DBSMGR.EXE:*:Enabled:Database Service Manager"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Documents and Settings\\fdsg\\Desktop\\Lancraft_1[1].01b.exe"="C:\\Documents and Settings\\fdsg\\Desktop\\Lancraft_1[1].01b.exe:*:Enabled:Lancraft_1[1].01b"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\fdsg\\Desktop\\wowclient-downloader.exe"="C:\\Documents and Settings\\fdsg\\Desktop\\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\\unreal\\System\\UT2004.exe"="D:\\unreal\\System\\UT2004.exe:*:Enabled:UT2004"
"C:\\Documents and Settings\\fdsg\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\fdsg\\Desktop\\utorrent.exe:*:Enabled:ęTorrent"
"D:\\avp2\\AVP2\\lithtech.exe"="D:\\avp2\\AVP2\\lithtech.exe:*:Enabled:Client"
"D:\\avp2\\AVP2\\AVP2Serv.exe"="D:\\avp2\\AVP2\\AVP2Serv.exe:*:Enabled:AVP2 Stand-Alone Server"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"D:\\Diablo\\Diablo.exe"="D:\\Diablo\\Diablo.exe:*:Enabled:Diablo"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Documents and Settings\\fdsg\\Desktop\\Unused Desktop Shortcuts\\utorrent.exe"="C:\\Documents and Settings\\fdsg\\Desktop\\Unused Desktop Shortcuts\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"D:\\BitComet\\BitComet.exe"="D:\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"D:\\BitTorrent\\bittorrent.exe"="D:\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\fdsg\\Local Settings\\Temp\\Rar$EX05.203\\WLM Lite 8.5.exe"="C:\\Documents and Settings\\fdsg\\Local Settings\\Temp\\Rar$EX05.203\\WLM Lite 8.5.exe:*:Enabled:Windows Live Messenger Lite"
"C:\\Program Files\\LF2CHARACTER.tk\\NTSD\\NTSD_beta 0.1\\Setting_Dawn_beta.exe"="C:\\Program Files\\LF2CHARACTER.tk\\NTSD\\NTSD_beta 0.1\\Setting_Dawn_beta.exe:*:Enabled:Setting_Dawn_beta"
"D:\\Avp\\lithtech.exe"="D:\\Avp\\lithtech.exe:*:Enabled:Client"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 21 Jun 2007 88 ..SHR --- "C:\WINDOWS\system32\92025EAD24.sys"
Thu 21 Jun 2007 2,828 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 9 Mar 2008 23,130 ..SHR --- "C:\WINDOWS\Installer\{370343bc-d49f-4ab2-aa9e-a8bc06b3de96}\zip.dll"
Thu 29 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 9 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1D.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\fdsg\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

#14 quietman7 (Bleepin' Janitor, Global Moderator, 51,138 posts)

Posted 11 March 2008 - 05:13 PM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
    • Go to Start > Run and type: Cleanmgr
    • Click "Ok".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#15 slashkai (Topic Starter, Members, 10 posts)

Posted 12 March 2008 - 04:38 AM

Hmm, I see, so that's it? Done?



