Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malwarrior 2008 Has Got My Computer Crippled


  • This topic is locked This topic is locked
13 replies to this topic

#1 milz45

milz45

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Local time:04:57 AM

Posted 19 May 2008 - 07:35 AM

Hello. I have MalWarrior 2008 on my computer. Everytime I open it, Norton Antivirus gives me 100+ messages saying it can't send an email to some unknown address. I have to click through all of them, meanwhile MalWarrior 2008 throws security warning and other junk at me. I don't have a HJT log because I can't get that far ... everything is bogged down. I'm entering this topic from my work computer. Is there an application I can download that will get rid of MalWarrior 2008? Or a way to get a HJT log on my infected computer? Everytime I try to go to task manager it's greyed out and it says it's been disabled. Any suggestions?
Thank you!
Steve

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:57 AM

Posted 19 May 2008 - 09:21 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 milz45

milz45
  • Topic Starter

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Local time:04:57 AM

Posted 20 May 2008 - 07:45 PM

Thanks, Quietman7.
I did everything you said. Ran Anti-Malware in safe mode because that's about the only way I could do it. It seemed to find some trojan files and it found MalWarrior files. I removed everything; it prompted me to restart, which I did. I let it boot in normal mode. Unfortunately I was greeted by a bunch of Symantic progress windows scanning files, about a hundred Symantic pop-ups saying it couldn't send an email, etc. However, there weren't any pop-ups for MalWarrior, so that's probably a good thing. Safe Mode is still about the only way I can do anything right now. See the Anti-Malware log below. What should my next steps be?
Thanks again!
Steve

Malwarebytes' Anti-Malware 1.12
Database version: 771

Scan type: Quick Scan
Objects scanned: 45166
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yayxxXNG.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\urqOGARJ.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2e529f87-2b52-438c-9e7c-7d0a0dd910ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e529f87-2b52-438c-9e7c-7d0a0dd910ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxxxng (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e0509848 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2e529f87-2b52-438c-9e7c-7d0a0dd910ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008 (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iyiyunni.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\innuyiyi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khptefol.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lofetphk.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxxXNG.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\urqOGARJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\vbksrofa.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\setup_526_1_.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\stdcons.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R2MPAI9I\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.HOMEOFFICE\Local Settings\Temporary Internet Files\Content.IE5\4707A9YZ\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.HOMEOFFICE\Local Settings\Temporary Internet Files\Content.IE5\O3092XI5\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080516140224698.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080517101912561.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080517200434761.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080518152136470.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080520181659402.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\dortijom.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\pvnsmfor.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\oadkxrts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fvowketqgbv.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:57 AM

Posted 21 May 2008 - 06:59 AM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to renable you anti-virus and and other security programs before connecting to the Internet.

When done, rescan again with MBAM and post the new log report. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact it loses some effectiveness for detection & removal when used in safe mode. So, even if its difficult, try doing the second scan in normal mode.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 milz45

milz45
  • Topic Starter

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Local time:04:57 AM

Posted 21 May 2008 - 07:11 AM

I removed everything; it prompted me to restart, which I did. I let it boot in normal mode.


I'll follow your latest instructions here and get back to you tonight.
Thanks,
Steve

Edited by milz45, 21 May 2008 - 07:26 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:57 AM

Posted 21 May 2008 - 07:20 AM

Scan with MBAM again after following the directions for SDFix.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 milz45

milz45
  • Topic Starter

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Local time:04:57 AM

Posted 21 May 2008 - 07:35 AM

Any suggestions on how to make it easier to run MBAM in normal mode? Is there a way I can reactivate the task manager so I can kill some of the processes for the time being?
Thanks,
Steve

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:57 AM

Posted 21 May 2008 - 07:38 AM

sdfix, if run exactly according to directions should enable you to run MBAM from normal mode
Chewy

No. Try not. Do... or do not. There is no try.

#9 milz45

milz45
  • Topic Starter

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Local time:04:57 AM

Posted 22 May 2008 - 06:50 AM

Ok, here's the scoop. I downloaded and ran SDFix according to the instructions. I'm including the log file at the bottom of this reply. I then allowed my computer to boot in normal mode. Things appeared to progress as described. Then I rebooted again and started to run MBAM in normal mode. I let it scan overnight and when I got up this morning I was again greeted with hundreds of Symantec email proxy pop-ups saying it couldn't send an email with the title 'Luxury' to someone. I clicked through all of these. The MBAM scan had ran for over 8hrs, scanned approx 13,000 files and found about 17 items, but it was not finished. It looked like it was kinda stuck on a dll file. So that's the way I left it when I came to work. Things look mighty screwed up. Suggestions?
Thank you,
Steve


SDFix: Version 1.184
Run by Administrator on Wed 05/21/2008 at 09:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 22:21:38
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"="C:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe:*:Enabled:Notmad Xtreamer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 11 Mar 2006 9,699,328 A..H. --- "C:\cachefile0.sys"
Thu 29 Aug 2002 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Wed 4 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Fri 12 Aug 2005 4,348 A..H. --- "C:\MUSIC\License Backup\drmv1key.bak"
Fri 12 Aug 2005 20 A..H. --- "C:\MUSIC\License Backup\drmv1lic.bak"
Fri 12 Aug 2005 400 A..H. --- "C:\MUSIC\License Backup\drmv2key.bak"
Fri 22 Mar 2002 36,864 A.SHR --- "C:\Program Files\Detto\DettoWeb.exe"
Thu 21 Mar 2002 2,513,981 A.SHR --- "C:\Program Files\Detto\IntelliMover Demo.exe"
Thu 20 May 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
Fri 16 May 2008 1,410,732 ..SH. --- "C:\WINDOWS\system32\cauacgck.tmp"
Tue 20 May 2008 177 ..SH. --- "C:\WINDOWS\system32\lofetphk.tmp"
Wed 4 Aug 2004 1,028,096 A.SH. --- "C:\WINDOWS\system32\mfc42.dll"
Wed 4 Aug 2004 54,784 A.SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Wed 4 Aug 2004 343,040 A.SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Wed 4 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Wed 4 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Sat 16 Jul 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIDBD32.dll"
Wed 4 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIDIB4.dll"
Wed 4 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Wed 4 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Wed 4 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Sat 17 May 2008 74 ..SH. --- "C:\WINDOWS\system32\roxrsvtu.tmp"
Fri 5 Nov 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 16 Aug 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Fri 5 Nov 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Fri 5 Nov 2004 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Fri 5 Nov 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Wed 28 Sep 2005 96 A..H. --- "C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys"
Fri 5 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 29 Mar 2003 4,348 A..H. --- "C:\Documents and Settings\Owner\My Music\License Backup\drmv1key.bak"
Sat 24 Apr 2004 401 A..H. --- "C:\Documents and Settings\Owner\My Music\License Backup\drmv1lic.bak"
Sat 24 Apr 2004 488 A..H. --- "C:\Documents and Settings\Owner\My Music\License Backup\drmv2key.bak"
Sat 24 Apr 2004 7,680 A..H. --- "C:\Documents and Settings\Owner\My Music\License Backup\drmv2lic.bak"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT6.tmp"
Thu 15 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e13424b5ca403dd00c8550d4b5fddd\BIT8.tmp"
Fri 5 Nov 2004 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sun 14 Aug 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 19 Dec 2004 488 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:57 AM

Posted 22 May 2008 - 07:15 AM

http://www.bleepingcomputer.com/forums/ind...st&p=831136

you might want to try atf cleaner and SAS from safe mode

until Quietman gets a chance to look at your sdfix log
Chewy

No. Try not. Do... or do not. There is no try.

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:57 AM

Posted 22 May 2008 - 07:23 AM

I don't think SAS will be of much help. This issue will require further investigation and probably the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 milz45

milz45
  • Topic Starter

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Local time:04:57 AM

Posted 23 May 2008 - 06:36 AM

I downloaded DSS and tried to run it last night. Unfortunately, it just locks up midway when I run it in normal mode. I let it run overnight and it was still stuck this morning on 'Checking Temporary Files'. Can I run it in safe mode? That seems to be about the only way I can get anything to run successfully. Either that, or if you know a way to enable task manager again (it's currently greyed out), maybe I can clear some of the other processes. I'm open to suggestions.
Thanks for all the help thus far,
Steve

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:57 AM

Posted 23 May 2008 - 07:03 AM

Please download HijackThis Installer. This is HijackThis 2.0.2 but it is an automatic setup version which will install HJT in the proper location.
  • Save HJTInstall.exe to your desktop and double-click on it to start the installation.
  • Click "Install" and HijackThis will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and create a desktop shortcut.
  • HJT will automatically open after installation. If it does not, then double-click on the HiJackThis.exe shortcut on your desktop or in the program's folder.
  • Important! If using Windows Vista, be sure to Run As Administrator.
  • Choose "Scan" and HijackThis will analyze your system.
  • When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and when the Save logfile window opens, use the drop down box to save the log in the same folder as Hijackthis. At the bottom make sure the File name is hijackthis.log and Save as type: Log files (*.log).
  • In the Hijackthis log, go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Then click "Edit" > Select All > "Edit" again and "Copy" to copy the entire contents of the log and paste it into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Post the log along with a brief description of your problem, a summary of any anti-malware tools you have used and the Kaspersky online scan log. Please include the top portion of the HijackThis log that lists version information and explain that your were unable to complete a successful run of DSS.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,912 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:57 AM

Posted 23 May 2008 - 10:04 PM

Hello milz45,

Now that you have successfully posted your HJT log here: http://www.bleepingcomputer.com/forums/t/148430/have-malwarrior-2008-and-tons-of-symantec-pop-ups/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users