

Sdfix Issues


12 replies to this topic

#1 d1ngaa

Posted 02 June 2008 - 11:58 AM

Hi Guys

recently pc infected with trojans , malware and virus. been clean for years but something got through avg and now pc virtually unusable.

have tried running SDFix in safe mode but when watching on screen it starts to repair but hangs after giving following message


FINDSTR: Line 9564912 is too long


it repeats this message lots of time before just halting

lots of other 'FINDSTR line ++++++ is too long' messages are displayed prior to the one it hangs at

any help from you gurus would be great

xp sp2 btw

tia

#2 DaChew

Posted 02 June 2008 - 12:22 PM

welcome to bleepingcomputer

would you run a scan and fix with MBAM?

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062
Chewy

No. Try not. Do... or do not. There is no try.

#3 d1ngaa

Posted 02 June 2008 - 12:58 PM

Thanks

chewy

running scan now but will not be able to post log until thursday - work away from pc - doh

will post when back at pc

once again thanks for your help

d

#4 d1ngaa

Posted 04 June 2008 - 01:41 PM

ok Chewy I have run the mbam tool and here is the log :-

Malwarebytes' Anti-Malware 1.14
Database version: 824

19:19:18 04/06/2008
mbam-log-6-4-2008 (19-19-18).txt

Scan type: Quick Scan
Objects scanned: 53996
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 9
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 42

Memory Processes Infected:
C:\WINDOWS\system32\ctfmona.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\CLSID\{166bcb27-fcfd-4588-9bdb-44fc6a02ef35} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{166bcb27-fcfd-4588-9bdb-44fc6a02ef35} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{166bcb27-fcfd-4588-9bdb-44fc6a02ef35} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d7b5dfe3-dfb6-40e8-b648-7d1a225a3361} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7b5dfe3-dfb6-40e8-b648-7d1a225a3361} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\XPRepairPro2007 (Rogue.XPRepairPro2007) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{166bcb27-fcfd-4588-9bdb-44fc6a02ef35} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\InstallProgram (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d89128c0 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMdba21b5c (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmona (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Windows AdStatus (Adware.AdStatus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmonb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gyejtpwn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt10.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt17.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt1C.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt1E.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt32.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt33.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt34.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt36.tmp (Rogue.Installer) -> Delete on reboot.
C:\Documents and Settings\grant\Local Settings\Temp\.tt50.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt7.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602111425265.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602115422765.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602120221312.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602123102296.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602132849718.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602133417500.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602135257296.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602150940875.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602152008953.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080602162042140.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\qmnvcudr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ctfmona.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\grant\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\grant\Local Settings\Temp\msprint.exe (Trojan.Agent) -> Quarantined and deleted successfully.






ps there were some items that required to be removed on reboot; this I have done and the pc appears to be ok. do I need to do anything else at this stage?

tia

d
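
The MBAM log above has a fixed line shape, "<path or registry key> (<detection family>) -> <action>", so it can be summarised mechanically. As an added example (not from this thread and not Malwarebytes' own code), the Python below parses such a log and pulls out what a responder wants after a run like this: which items were only scheduled for "Delete on reboot" and so are not gone until the machine restarts, and which registry hits sit under autostart locations (persistence). The sample log is a constructed excerpt of the one posted above, and the list of autostart locations is my own.

```python
import re
from collections import Counter

# Constructed sample: a shortened excerpt of the MBAM 1.14 quick-scan log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.14
Memory Processes Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\ctfmona.exe (Trojan.Downloader) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ctfmona.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# A section header is a category ending in "Infected:" with no count after it
# (the summary block at the top has "Infected: <n>" and must not open a section).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# An entry is "<path or key> (<detection family>) -> <action taken>".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Registry locations that run code at boot/logon (my own list, matched lower-case).
AUTOSTART_HINTS = (
    "\\currentversion\\run",
    "\\winlogon\\notify",
    "\\browser helper objects",
    "\\shellexecutehooks",
    "\\services\\",
)


def parse_mbam_log(text):
    """Return {section name: [{"item", "family", "action"}, ...]} for one MBAM log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            current = head.group("name")
            sections.setdefault(current, [])
            continue
        hit = ENTRY_RE.match(line)
        if hit and current is not None:
            sections[current].append(hit.groupdict())
    return sections

def all_entries(sections):
    return [e for entries in sections.values() for e in entries]

def pending_reboot(sections):
    """Items MBAM could not remove while running; they are only gone after a restart."""
    return [e["item"] for e in all_entries(sections) if "Delete on reboot" in e["action"]]

def family_counts(sections):
    """Hits per detection family (Trojan.Vundo, Rootkit.Agent, ...)."""
    return Counter(e["family"] for e in all_entries(sections))

def autostart_entries(sections):
    """Registry hits under autostart locations: the persistence that re-infects on logon."""
    keys = sections.get("Registry Keys Infected", []) + sections.get("Registry Values Infected", [])
    return [e["item"] for e in keys if any(h in e["item"].lower() for h in AUTOSTART_HINTS)]
```

Run `parse_mbam_log` over a saved mbam-log-*.txt and, if `pending_reboot` is non-empty, the clean scan should only be trusted after the restart it names.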

#5 DaChew

Posted 04 June 2008 - 01:50 PM

try to stay off the internet, that's a very bad infection

see if SDFix will run now from safe mode
Chewy


#6 d1ngaa

Posted 04 June 2008 - 02:19 PM

Hi Chewy

SDfix

starts ok in safe mode and says 'starting repairs'

'checking running processes and services'

been like that for 15 minutes now showing

unable to open the file c:\windows\system32\ctfmonb.bmp

it shows this message 5 times in succession and then eventually ends up as before with

line 9564912 is too long message



any ideas???


tia

d

Edited by d1ngaa, 04 June 2008 - 02:52 PM.


#7 DaChew

Posted 04 June 2008 - 03:10 PM

Quietman,

gave this recommendation to someone, each infection is individual tho

I would run ATF and SAS from safe mode, logged onto your normal profile

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

good luck
Chewy


#8 d1ngaa

Posted 05 June 2008 - 09:02 AM

Hi guys

finally managed to run sdfix after running atf and superantispy two or three times in safe and 'ordinary' mode

the log from sdfix :-


SDFix: Version 1.187
Run by grant on 05/06/2008 at 14:04

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
msupdate
msupdate
msupdate
msupdate

Path :

msupdate - Deleted
msupdate - Deleted
msupdate - Deleted
msupdate - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\system32\TFTP1128 - Deleted
C:\WINDOWS\system32\TFTP1948 - Deleted
C:\WINDOWS\system32\TFTP616 - Deleted
C:\WINDOWS\system32\drivers\DICA88~1.sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(6).sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(7).sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(8).sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(9).sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(~1.sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(~2.sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(~3.sys - Deleted
C:\WINDOWS\system32\drivers\DIM48(~4.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 14:53:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,5d,de,16,d3,c9,d8,a0,2e,15,d0,93,c0,c6,df,1f,a5,8d,..
"ljej40"=hex:ae,e5,95,92,ba,8d,85,b4,f0,92,08,d1,19,82,b3,5e,8f,7e,98,6e,15,..
"ljej41"=hex:03,e5,95,92,c2,8d,85,b4,f1,92,09,d1,18,82,b3,5e,8f,7e,98,6e,5e,..
"ljej42"=hex:03,e5,95,92,c2,8d,85,b4,f1,92,09,d1,18,82,b3,5e,8f,7e,98,6e,5e,..
"ljej43"=hex:03,e5,95,92,c2,8d,85,b4,f1,92,09,d1,18,82,b3,5e,8f,7e,98,6e,5e,..
"ljej44"=hex:03,e5,95,92,c2,8d,85,b4,f1,92,09,d1,18,82,b3,5e,8f,7e,98,6e,5e,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8D8903B4-2FA4-4E56-500D-142516B87F20}]
"abedaolpflheejfhklnffejckelboajddb"=hex:66,61,61,62,68,70,62,66,6c,62,64,65,00,00
"bbedaolpflheejfhklcgmfflojgeabadbnpo"=hex:66,61,61,62,68,70,62,66,6c,62,64,65,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"
"C:\\Program Files\\FlashFXP\\flashfxp.exe"="C:\\Program Files\\FlashFXP\\flashfxp.exe:*:Enabled:FlashFXP v3"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 11 May 1998 93,880 ..SH. --- "C:\COMMAND.COM"
Thu 3 Jan 2002 1,676 A.SHR --- "C:\MSDOS.BAK"
Mon 11 May 1998 53,248 A..H. --- "C:\Program Files\Accessories\mspcx32.dll"
Mon 7 Mar 2005 56 ..SHR --- "C:\WINDOWS\system32\EE9F987252.sys"
Mon 7 Mar 2005 1,890 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 27 May 2008 1,454,030 A.SH. --- "C:\WINDOWS\system32\tkggxaju.tmp"
Mon 11 Apr 2005 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Mon 11 Apr 2005 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Mon 3 May 2004 67,944 ...H. --- "C:\Program Files\Ahead\Ahead\data\Nero PhotoShow Express.exe"
Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe"

Finished!



Do I need to do anything else or do you reckon I'm clean now???

thanks for your help

#9 DaChew

Posted 05 June 2008 - 10:47 AM

can you get a quick clean scan from MBAM?

Is the computer running OK?
Chewy


#10 d1ngaa

Posted 05 June 2008 - 01:53 PM

yes done a full scan in 'ordinary' mode ie not safe mode and result ok:-



Malwarebytes' Anti-Malware 1.14
Database version: 824

19:50:27 05/06/2008
mbam-log-6-5-2008 (19-50-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 100696
Time elapsed: 20 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 DaChew

Posted 05 June 2008 - 02:09 PM

You might try this

if there are no more signs of infection

http://www.bleepingcomputer.com/forums/ind...st&p=844460
Chewy


#12 d1ngaa

Posted 06 June 2008 - 02:32 PM

Chewy

I can confirm everything now sorted and working well

thanks for your assistance

d

#13 DaChew

Posted 06 June 2008 - 04:13 PM

On behalf of the BC community you are welcome

way to go

:thumbsup:
Chewy




