
My Privacy Is In Danger!


27 replies to this topic

#1 mlawman


Posted 22 April 2008 - 09:17 PM

Hello, My wife or I must have downloaded a virus or spyware. My screen saver has turned red and says: "Your privacy is in danger! Download privacy protection software now" We also keep receiving numerous pop ups to buy bogus spyware protection. I have read about this problem in other forums but it seems that the fixes depend on your individual computer. I have ran scans with my norton antivirus but it detects no problems. I have also tried to remove the software but cannot find it. I would appreciate any help. I have windows XP and very basic computer knowledge.
Thanks, mlawman


#2 boopme


Posted 22 April 2008 - 09:36 PM

Hello and welcome to BC.
Please use our self help tutorial and tell us how the PC is after that.
How to remove Privacy Protector or PrivacyProtector (Removal Instructions)

Next run
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now Scan and post back this report
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 mlawman


Posted 28 April 2008 - 07:53 AM

Thanks very much for the help. The tutorial did not go exactly as described but I think I got it all done. The red danger screen and the pop-ups are gone but my desktop has turned white. When I try to change the desktop background in Properties I get the message file://C:\WINDOWS\privacy_danger\index.htm. Any more suggestions would be appreciated. My log is below.
Mlawman

Malwarebytes' Anti-Malware 1.11
Database version: 672

Scan type: Quick Scan
Objects scanned: 43561
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\vadokmxt.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b1728b8e-a79e-44f4-b718-666f3c8f38c2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VirusIsolator.exe (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vadokmxt (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\Infected (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\Suspicious (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\olgdqarf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\vscan.tsi (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\zlib.dll (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wxvgsdbq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vadokmxt.dll (Trojan.FakeAlert) -> Delete on reboot.

Malwarebytes' Anti-Malware 1.11
Database version: 672

Scan type: Quick Scan
Objects scanned: 44317
Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
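The MBAM logs in this thread share one fixed layout: a header, a block of declared counts per section, then each section's findings as "<path or key> (<detection>) -> <action>." As an added example that is not part of this thread or of Malwarebytes' own tooling, the Python below parses that layout, cross-checks the declared counts against the items actually listed, and pulls out findings the run did not finish, such as a file left at "Delete on reboot" (the reason the reboot prompt must not be skipped). The sample log is a constructed, trimmed copy of the first log posted above.

```python
# Parser/auditor for Malwarebytes' Anti-Malware 1.x text logs.
# Added example for this thread; not part of MBAM or of any post above.
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.11 log layout: a trimmed copy of the first
# log posted in this thread, with the summary counts adjusted to match.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.11
Database version: 672

Scan type: Quick Scan
Objects scanned: 43561
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\vadokmxt.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VirusIsolator.exe (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vadokmxt (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\olgdqarf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vadokmxt.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# One finding line: <path or registry key> (<detection name>) -> <action>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary block line "<section> Infected: <n>" versus section header "<section> Infected:"
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")


def parse_mbam_log(text):
    """Return (meta, summary, items): header fields, declared count per
    section, and section -> list of {"path", "detection", "action"} dicts."""
    meta, summary, items = {}, {}, defaultdict(list)
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("(No malicious items detected)"):
            continue
        if m := SUMMARY_RE.match(line):
            summary[m.group("section")] = int(m.group("count"))
        elif m := HEADER_RE.match(line):
            section = m.group("section")
            items.setdefault(section, [])  # keep sections with no findings
        elif section is None:  # still in the header block
            key, sep, value = line.partition(":")
            meta[key.strip() if sep else "product"] = value.strip() if sep else line
        elif m := ITEM_RE.match(line):
            items[section].append(m.groupdict())
    return meta, summary, dict(items)


def audit(parsed):
    """Cross-check declared counts against listed findings and pull out what
    the run did not finish (anything not quarantined/unloaded, such as a file
    marked 'Delete on reboot'), which is why skipping the reboot prompt matters."""
    _meta, summary, items = parsed
    counted = {sec: len(findings) for sec, findings in items.items()}
    mismatches = {sec: (n, counted.get(sec, 0)) for sec, n in summary.items()
                  if n != counted.get(sec, 0)}
    all_findings = [f for findings in items.values() for f in findings]
    pending = [f for f in all_findings
               if not f["action"].startswith(("Quarantined", "Unloaded"))]
    return {
        "mismatches": mismatches,
        "pending": pending,
        "families": sorted({f["detection"] for f in all_findings}),
        "reboot_required": any("reboot" in f["action"].lower() for f in pending),
    }
```

Feed `audit(parse_mbam_log(open(path).read()))` the log MBAM saves under its Logs tab; a non-empty `pending` list or `reboot_required` means the cleanup is not finished yet.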

#4 boopme


Posted 28 April 2008 - 04:06 PM

Hello, I'm unclear on this item, can you provide a few specifics, thanks.

The tutorial did not go exactly as described but I think I got it all done.

Did the tool run? run /stop...
It appears from "the message file://C:\WINDOWS\privacy_danger\index.htm" that the malware and more may still exist.

Please run this SDFix application and post that log.
How to use SDFix

Also let me know if the desktop is still incorrect.

#5 mlawman


Posted 05 May 2008 - 10:43 PM

Hi, thank you for the help. I ran the SDFix and had no changes. The log is below. After this I got really frustrated and ran the SmitFraudFix again (report below), and rebooted the computer. Guess what? It worked! Everything worked great on my computer: no more pop-ups, or red or white screen savers. This lasted for about a week. I came home today to a blue screensaver that reads "Warning:Spyware threat has been detected on your PC" and "Your computer has several fatal errors due to spyware activity." There is a link to do a scan and multiple pop-ups to buy spyware protection. I am pretty sure this is not a new infection but some remnant of the old infection. Please help!

Mlawman


SDFix: Version 1.176
Run by Matt Lawler on Mon 04/28/2008 at 04:27 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\MATTLA~1\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 16:36:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FE2DACC32FFC736428AAAAFB7320283D\Usage]
"Complete"=dword:389c0ef9

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Southwest Airlines\\Ding\\Ding.exe"="C:\\Program Files\\Southwest Airlines\\Ding\\Ding.exe:*:Enabled:DING!"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files :


File Backups: - C:\DOCUME~1\MATTLA~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 9 Mar 2006 2,516 A.SH. --- "C:\i386\KGyGaAvL.sys"
Thu 27 Dec 2007 104 ..SHR --- "C:\WINDOWS\system32\F1803B6432.sys"
Thu 27 Dec 2007 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 16 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 5 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\Matt Lawler\Application Data\Microsoft\Word\~WRL4074.tmp"
Thu 6 Mar 2008 0 A..H. --- "C:\Documents and Settings\Matt Lawler\Desktop\MATT\Anniversary Party\~WRL1138.tmp"
Tue 25 Sep 2007 34,304 A..H. --- "C:\Documents and Settings\Matt Lawler\Desktop\MATT\CFPD\2007 Captain Test\~WRL3767.tmp"

Finished!



SmitFraudFix v2.319

Scan done at 21:41:43.17, Mon 04/28/2008
Run from C:\Documents and Settings\Matt Lawler\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Matt Lawler


C:\Documents and Settings\Matt Lawler\Application Data


Start Menu


C:\DOCUME~1\MATTLA~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://cw11tv.trb.com/news/kplr-news-010608-2,0,1707971.story"
"SubscribedURL"="http://cw11tv.trb.com/news/kplr-news-010608-2,0,1707971.story"
"FriendlyName"="Monarch Firefighters Battery Blitz | St. Louis News | CW11 St. Louis | KPLR-TV"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{669BFB9E-BDD9-421D-AFD5-0DB5A24E6522}: DhcpNameServer=24.217.0.5 24.217.201.67
HKLM\SYSTEM\CS1\Services\Tcpip\..\{669BFB9E-BDD9-421D-AFD5-0DB5A24E6522}: DhcpNameServer=24.217.0.5 24.217.201.67
HKLM\SYSTEM\CS3\Services\Tcpip\..\{669BFB9E-BDD9-421D-AFD5-0DB5A24E6522}: DhcpNameServer=24.217.0.5 24.217.201.67
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.217.0.5 24.217.201.67
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.217.0.5 24.217.201.67
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.217.0.5 24.217.201.67


Scanning for wininet.dll infection


End

#6 DaChew


Posted 06 May 2008 - 12:59 AM

KGyGaAvL.sys



Dr Divx???????


Chewy

No. Try not. Do... or do not. There is no try.

#7 mlawman


Posted 06 May 2008 - 07:52 AM

I'm confused - is Dr. Divx something I'm supposed to run?

mlawman

#8 DaChew


Posted 06 May 2008 - 08:01 AM

That file was flagged as a possible rootkit? It's also associated with a set of DivX filters, usually installed with Dr DivX.

C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

Many of these infections are seeded on LimeWire and integrated into other install programs.

I have no idea what you all have installed, just looking for clues?

#9 mlawman


Posted 06 May 2008 - 10:04 AM

Is there a good way to show you all the programs I have installed?

mlawman

#10 DaChew


Posted 06 May 2008 - 10:28 AM

C:\WINDOWS\system32\KGyGaAvL.sys


Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.
http://virusscan.jotti.org/

Why not let Jotti scan it for you?

#11 mlawman


Posted 06 May 2008 - 11:14 AM

The log is below. Do you think I should run the SmitFraudFix, the SDFix and the Malwarebytes' Anti-Malware again?

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File: LimeWire.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 365418b2fefca481c6ce388da076eac2
Packers detected: -
Bit9 reports:

Scanner results
Scan taken on 06 May 2008 16:08:23 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


#12 DaChew


Posted 06 May 2008 - 11:22 AM

KGyGaAvL.sys

What about this file? LimeWire is usually always clean.

#13 mlawman


Posted 06 May 2008 - 01:19 PM

I did a search for the file but nothing was found. I am still getting all the pop-ups for virus protection, messages from Windows saying my computer is infected, and now I'm getting pop-ups for "Adult Friend Finder" - not good! Mlawman

#14 DaChew


Posted 06 May 2008 - 01:40 PM

You are being reinfected about as fast as you are cleaning it up.

Try to follow this guide exactly:

http://www.bleepingcomputer.com/forums/ind...st&p=810060

That's post 4.

MBAM will need to be updated and rerun in normal mode.



#15 mlawman


Posted 06 May 2008 - 03:54 PM

Hi, thanks again for your help. I followed the guide and SUPERAntiSpyware found a bunch of spyware. I deleted them but on the reboot my screensaver was still the same. I ran the Malwarebytes, which also detected problems, and several items could not be deleted. I rebooted and received the message "RunDLL error loading c:\windows\system32\mtrllolm.dll the specialized module could not be found." My screensaver is still the same. I haven't noticed any pop-ups in the few minutes I've been writing this. Mlawman

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/06/2008 at 03:00 PM

Application Version : 4.0.1154

Core Rules Database Version : 3453
Trace Rules Database Version: 1445

Scan type : Complete Scan
Total Scan Time : 00:45:30

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 6084
Registry threats detected : 27
File items scanned : 17249
File threats detected : 58

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{B3102264-D09D-4322-B625-503FBF18DD7E}
HKCR\CLSID\{B3102264-D09D-4322-B625-503FBF18DD7E}
HKCR\CLSID\{B3102264-D09D-4322-B625-503FBF18DD7E}\InprocServer32
HKCR\CLSID\{B3102264-D09D-4322-B625-503FBF18DD7E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\TUVULKHB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{B3102264-D09D-4322-B625-503FBF18DD7E}
HKCR\CLSID\{B3102264-D09D-4322-B625-503FBF18DD7E}

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.Vundo-Variant/M
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52e06e88-49be-4fe1-80f4-3fa98cef5f15}
HKCR\CLSID\{52E06E88-49BE-4FE1-80F4-3FA98CEF5F15}
HKCR\CLSID\{52E06E88-49BE-4FE1-80F4-3FA98CEF5F15}\InprocServer32
HKCR\CLSID\{52E06E88-49BE-4FE1-80F4-3FA98CEF5F15}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JQTLXIUH.DLL

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

Rogue.VirusIsolator
C:\DOCUMENTS AND SETTINGS\MATT LAWLER\LOCAL SETTINGS\TEMPMJIWEP0.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP801\A0115405.EXE

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Adware.SXGAdvisor-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP799\A0114987.DLL

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP799\A0114988.DLL

Adware.Vundo-Variant/J
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP799\A0114989.DLL

Adware.webHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP814\A0116812.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP814\A0116813.EXE

Adware.Vundo-Variant/H
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0118847.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP816\A0118855.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP816\A0119828.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0118848.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP816\A0118853.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP816\A0119824.DLL

Rogue.Multi-Dropper/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0118849.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP816\A0118854.EXE
C:\WINDOWS\LFN.EXE

Trojan.Fake-Drop/Gen
C:\WINDOWS\AUDIOSRV32.DLL
C:\WINDOWS\2020SEARCH.DLL
C:\WINDOWS\2020SEARCH2.DLL
C:\WINDOWS\APPHELP32.DLL
C:\WINDOWS\ASFERROR32.DLL
C:\WINDOWS\ASYCFILT32.DLL
C:\WINDOWS\ATHPRXY32.DLL
C:\WINDOWS\ATI2DVAA32.DLL
C:\WINDOWS\ATI2DVAG32.DLL
C:\WINDOWS\AUTODISC32.DLL
C:\WINDOWS\AVIFILE32.DLL
C:\WINDOWS\AVISYNTHEX32.DLL
C:\WINDOWS\AVIWRAP32.DLL
C:\WINDOWS\BJAM.DLL
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\BROWSERAD.DLL
C:\WINDOWS\CDSM32.DLL
C:\WINDOWS\CHANGEURL_30.DLL
C:\WINDOWS\MSA64CHK.DLL
C:\WINDOWS\MSAPASRC.DLL
C:\WINDOWS\MSPPHE.DLL
C:\WINDOWS\MSSVR.EXE
C:\WINDOWS\NTNUT.EXE
C:\WINDOWS\SAIEMOD.DLL
C:\WINDOWS\SHDOCPE.DLL
C:\WINDOWS\SHDOCPL.DLL
C:\WINDOWS\STCLOADER.EXE
C:\WINDOWS\WINSB.DLL

Trojan.FakeDrop-SWin32
C:\WINDOWS\SWIN32.DLL

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\NJBKEOIR.DLL

Trojan.FakeDrop-VoiceIP
C:\WINDOWS\VOICEIP.DLL


Malwarebytes' Anti-Malware 1.12
Database version: 726

Scan type: Quick Scan
Objects scanned: 37008
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM8fd56b76 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\000080.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtrllolm.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
