
Still Infected After Running Super Antispyware


9 replies to this topic

#1 mice
  • Members
  • 5 posts

Posted 02 June 2008 - 08:59 AM

Hi - On Friday I was infected with a virus: there was a Virus Alert! message next to the time on the bottom right, my desktop wallpaper was a giant radioactive sign that said I had a virus, I would get numerous Virus Warning pop-ups (including Antivirus Pro 2008), my start menu lost a lot of its options and the computer was running super slow.

I installed and ran Super Antispyware and it found and removed many files. I no longer get the pop ups, I was able to remove the Virus Alert! from the clock and get my start menu back to normal.

Originally I thought that had taken care of it, but I am still having speed problems, my wallpaper is just a white screen and I can't find any options to change it. When I logged on this morning I received a pop-up that said "Error Loading. C:\Windows\System 32\TSFKXT:F.DLL"

I think the Antivirus Pro is still installed but I can't find it anywhere.

Am I still infected? What should I do next?

I am using Windows XP Professional

Thanks so much!


#2 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 June 2008 - 11:16 AM

Don't worry about the error loading a missing malware file.

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Run a scan with MBAM; let's try to finish cleaning the infection.

Welcome to BleepingComputer.

Edited by DaChew, 02 June 2008 - 11:19 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 mice
  • Topic Starter
  • Members
  • 5 posts

Posted 02 June 2008 - 03:27 PM

I ran Malwarebytes Anti-Malware and the desktop background is still blank. If I right-click and select "Properties" I get a window that says "Your system administrator disabled the Display control panel".

The log from the Anti-Malware is:

Malwarebytes' Anti-Malware 1.14
Database version: 815

4:17:30 PM 6/2/2008
mbam-log-6-2-2008 (16-17-30).txt

Scan type: Quick Scan
Objects scanned: 82242
Time elapsed: 26 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 5
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bakq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{23649e36-60c6-4433-880a-9df59fc27342} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9fe5b166-bc73-48f4-8696-a66adb1485ae} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1d0b9f7-f3c6-443a-af61-ad47771ace27} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{aaa0a546-2b51-4aed-b1e2-c14f38c73165} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1ae22bce-b554-4803-bae3-2eff740aff44} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{56e90faa-6f19-44fd-8197-0c08388c2632} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{182fcc02-5b76-4fe2-90a5-ba88906cad3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0f8b0aa8-9d77-4231-91c8-368195e82551} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{28f85800-2969-4966-8894-eda174875e71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e80400b-dcba-4564-bc54-8c2004030da9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae6aeecd-04fa-4d6f-8ee2-006a1a5bdf49} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cf7db8b4-3332-4307-a252-01ae5ffdc5f4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bxpr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\Source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b46bc138 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (StartMenu.Hijack) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (StartMenu.Hijack) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (StartMenu.Hijack) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\atfxqogp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jtgftmul.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wvUkLbAq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\embd.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\esva.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\mone\Local Settings\Temporary Internet Files\Content.IE5\80WHQGHX\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mone\Local Settings\Temporary Internet Files\Content.IE5\CDAHK56D\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\Weather.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\WeSkin.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAau.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\WINDOWS\xmpstean.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\mone\Local Settings\Tempboome20.exe (Trojan.Agent) -> Quarantined and deleted successfully.

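The symptoms in posts #1 to #3 (an "Error Loading" message for a DLL that is no longer there, a Start menu with options missing, and the Display control panel reported as disabled by the administrator) are registry entries that outlive the files they pointed at. The following PowerShell script is an added example, not code from this thread or from Malwarebytes. It lists UI-locking policy values that are set and Run/RunOnce entries whose target file no longer exists. The set of policy value names is an assumption about what is worth checking: the Start-menu policy is the one named in the MBAM log, NoDispCPL and NoDispBackgroundPage are the standard policies behind the Display control panel message, and the rest are common companions. It assumes PowerShell 2.0 (a separate install on XP SP3) and an administrator account.

```powershell
# Added example (not from the thread). Audits the registry residue behind the
# symptoms in posts #1-#3: policy values that lock the UI, and autorun entries
# whose file was removed by the scanner but whose launcher line was left behind
# (that is what produces the "Error Loading <dll>" message at logon).
# Assumes PowerShell 2.0 on XP and an administrator account.

$hives = 'HKCU:', 'HKLM:'

# Value names are an assumption about what to look for (see lead-in); the
# Policies\Explorer one is the value the MBAM log reverted from 1 to 0.
$policyChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoStartMenuMorePrograms' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktopChanges' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'NoDispCPL' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'NoDispBackgroundPage' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)

function Get-UiLockPolicy {
    foreach ($hive in $hives) {
        foreach ($c in $policyChecks) {
            $path = Join-Path $hive $c.Key
            if (-not (Test-Path $path)) { continue }
            $v = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).($c.Name)
            # A missing value is $null; only a non-zero DWORD actually enforces the policy
            if ($v -ne $null -and $v -ne 0) {
                New-Object PSObject -Property @{ Path = $path; Name = $c.Name; Value = $v }
            }
        }
    }
}

$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
# Properties the registry provider adds to every Get-ItemProperty result
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-OrphanedAutorun {
    foreach ($hive in $hives) {
        foreach ($k in $runKeys) {
            $path = Join-Path $hive $k
            if (-not (Test-Path $path)) { continue }
            foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
                if ($providerProps -contains $p.Name) { continue }
                $cmd = [string]$p.Value
                # First drive-letter path ending in an executable extension; covers both
                # "C:\x\y.exe /arg" and rundll32 "C:\x\y.dll",Entry. REG_SZ entries that
                # use %SystemRoot% or a bare file name are not resolved here.
                $m = [regex]::Match($cmd, '[A-Za-z]:\\[^",]+?\.(exe|dll|scr|com|bat)\b', 'IgnoreCase')
                if (-not $m.Success) { continue }
                if (-not (Test-Path -LiteralPath $m.Value -ErrorAction SilentlyContinue)) {
                    New-Object PSObject -Property @{ Key = $path; Name = $p.Name; Command = $cmd; MissingFile = $m.Value }
                }
            }
        }
    }
}

'== UI lock policies still set =='
Get-UiLockPolicy | Format-Table Path, Name, Value -AutoSize
'== Autorun entries whose target file no longer exists =='
Get-OrphanedAutorun | Format-Table Key, Name, MissingFile -AutoSize
```

Once a flagged policy value is confirmed not to come from a real domain policy, `Remove-ItemProperty -Path <Path> -Name <Name>` clears it, and an orphaned Run value is removed the same way; the DLL error then stops because the launcher line is gone, not because anything was repaired. Run and RunOnce are only two of the launch points on XP (Winlogon, services, browser helper objects and the Active Desktop item that the log shows under `Internet Explorer\Desktop\Components` are others), which is why the thread goes on to further scans rather than hand-editing.
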
#4 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 June 2008 - 03:36 PM

As you can see, you are still heavily infected.

Using this guide, skip the MBAM scan, install ATF Cleaner and configure SAS properly.

Go into safe mode and follow the directions.

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

These infections tend to update themselves the longer you wait between scans; it's best to stay disconnected from the internet.

Chewy

No. Try not. Do... or do not. There is no try.

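Reading a log like the one in post #3, the useful questions are which families are present and which registry values were reverted rather than deleted (the Bad:/Good: lines, which are what restored the Start menu and the product ID). The following PowerShell is an added example, not Malwarebytes' own tooling or anything from the thread; it parses that log layout into objects and summarises them. The embedded sample is a short excerpt of lines from the log above, and the regular expression for the line layout is inferred from that log, so other MBAM versions may need adjusting.

```powershell
# Added example (not from the thread). Parses Malwarebytes' Anti-Malware 1.x log
# lines of the form "<item> (<family>) -> [Bad: (x) Good: (y) ->] <action>" into
# objects, then summarises by family and lists the values that were reverted.
# The line format is inferred from the log in post #3 (an assumption).

function Get-MbamDetection {
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Section headers look like "Registry Keys Infected:" (no count after the colon)
        if ($t -match '^(.+) Infected:$') { $section = $matches[1]; continue }
        if ($t -match '^(?<item>.+?) \((?<family>[^()]+)\) -> (?:Bad: \((?<bad>[^)]*)\) Good: \((?<good>[^)]*)\) -> )?(?<action>.+)$') {
            New-Object PSObject -Property @{
                Section = $section; Item = $matches['item']; Family = $matches['family']
                Bad = $matches['bad']; Good = $matches['good']; Action = $matches['action']
            }
        }
    }
}

function Get-MbamFamilySummary {
    param([object[]]$Detections)
    $Detections | Group-Object Family | Sort-Object Count -Descending |
        Select-Object @{ Name = 'Family'; Expression = { $_.Name } }, Count
}

function Get-MbamRevertedValue {
    param([object[]]$Detections)
    # Only "Registry Data Items" lines carry a Bad:/Good: pair
    $Detections | Where-Object { $_.Bad -ne $null } | Select-Object Item, Bad, Good
}

# Sample input: an excerpt of lines from the log in post #3 (same format, shortened).
$sampleText = @'
Registry Keys Infected:
HKEY_CLASSES_ROOT\atfxqogp.bakq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b46bc138 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (StartMenu.Hijack) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\jtgftmul.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\esva.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
'@
$sample = $sampleText -split "`r?`n"

$detections = Get-MbamDetection -Lines $sample
# For a real log: $detections = Get-MbamDetection -Lines (Get-Content 'mbam-log-6-2-2008 (16-17-30).txt')
'== Detections by family =='
Get-MbamFamilySummary $detections | Format-Table -AutoSize
'== Values reverted (Bad -> Good) =='
Get-MbamRevertedValue $detections | Format-Table -AutoSize
```

On the excerpt this reports FakeAlert 4, Vundo 2, Malware.Trace 1 and StartMenu.Hijack 1. A "Quarantined and deleted" line for a Run value (the Trojan.Vundo entry) says the launcher is gone, not what the DLL it started had already dropped; Vundo and FakeAlert together in one scan are why the reply above treats the machine as still heavily infected. If a symptom persists after the scan, the reverted values are the ones to re-check by hand, and anything the database did not know about will not appear at all: the log has no entry for the policy behind the Display control panel message in post #3.
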
#5 mice
  • Topic Starter
  • Members
  • 5 posts

Posted 03 June 2008 - 01:35 PM

I have tried logging into safe mode a few times. I get as far as the prompt to use Ctrl-Alt-Delete to log in, but then the computer freezes. Is there any other way to get it to stop freezing at that point? Can I run the cleaners in regular mode? Thanks for all your help!

#6 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 June 2008 - 01:39 PM

Run them in regular mode. Is this W2K?

Edited by DaChew, 03 June 2008 - 01:39 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 mice
  • Topic Starter
  • Members
  • 5 posts

Posted 03 June 2008 - 01:44 PM

Microsoft Windows XP Professional Version 2000 Service Pack 1

#8 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 June 2008 - 03:09 PM

It's definitely time for a clean install then; apply SP4 and all rollups, and IE 5.5, before connecting to the internet.

You can't fix what was broken from the beginning.

Chewy

No. Try not. Do... or do not. There is no try.

#9 mice
  • Topic Starter
  • Members
  • 5 posts

Posted 03 June 2008 - 03:41 PM

Is this something I do through microsoft.com? Pardon my ignorance.

#10 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 June 2008 - 03:58 PM

http://www.microsoft.com/downloads/details...;displaylang=en

Save this one; use fast broadband.

http://www.microsoft.com/downloads/details...;displaylang=en

http://www.microsoft.com/downloads/details...;displaylang=en

These are not patches that will fix a broken, corrupt W2K installation.

These are the patches that W2K needs for even being on the internet, and then you have to deal with the firewall issue.

Chewy

No. Try not. Do... or do not. There is no try.
