
Antivirus Xp 08, Etc.


  • This topic is locked
7 replies to this topic

#1 jeffmellinger

jeffmellinger

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 27 June 2008 - 10:50 PM

I think one of my nieces heard that the Sysinternals Bluescreen screensaver would be funny to download on my computer and did so without my knowledge. Now, my desktop background is replaced with a blue background and a "VIRUS ALERT". My screensaver is now defaulted to the stupid Bluescreen one. I also have Antivirus XP 2008 which I can't get rid of as well as IE ads randomly popping up. Right clicking on the desktop shows that I do not have the option tabs to change my display nor my screensaver anymore and my font is different now. I tried Ad-aware as well as a post from Quietman7 that gave directions to first use Anti-Malware, then use ATFcleaner in safe mode and wind up using SuperAntiSpyware. These seemed to have found the bad stuff and gotten rid of it but on reboot, it all comes back again.
Here is the Anti-Malware log (I rebooted afterwards, like the post had said to):
Malwarebytes' Anti-Malware 1.18
Database version: 894

3:36:28 PM 6/26/2008
mbam-log-6-26-2008 (15-36-28).txt

Scan type: Quick Scan
Objects scanned: 40712
Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 86

Memory Processes Infected:
C:\WINDOWS\??sembly\nslookup.exe (Adware.PurityScan) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\ljJDWOfc.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\whruihpe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wsae.dll (Adware.ClickSpring) -> Unloaded module successfully.
C:\WINDOWS\system32\opnomnon.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRHywtr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da03b4ac-d43e-4da4-a61d-94ac66284db7} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{da03b4ac-d43e-4da4-a61d-94ac66284db7} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8f62e96b-23d8-0420-ff3a-7ca2ec994cb6} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f62e96b-23d8-0420-ff3a-7ca2ec994cb6} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9c28eafb-ff50-4f42-8d39-a006129cc907} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c28eafb-ff50-4f42-8d39-a006129cc907} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnomnon (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\104b76ef (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9c28eafb-ff50-4f42-8d39-a006129cc907} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjdwofc -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjdwofc -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jsppsefu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufesppsj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJDWOfc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cfOWDJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cfOWDJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\whruihpe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ephiurhw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\??sembly\nslookup.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsae.dll (Adware.ClickSpring) -> Delete on reboot.
C:\WINDOWS\system32\drivers\srvv.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc35sj0en59.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu572.exe.tmp (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\!update.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\NDRE70.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\temp.fr6F4C (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\explore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.hta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\loader.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\internet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\accesss.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\astctl32.ocx (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avpcc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\clrssn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctrlpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\directx32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dnsrelay.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\editpad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funniest.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funny.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\gfmnaaa.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\helpcvs.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iedll.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\inetinf.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msconfd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msspi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc10.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc20.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mtwirl32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\notepad32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\olehelp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\qttasks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\quicken.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.vbe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\searchword.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\sistem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\svcinit.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systeem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systemcritical.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\time.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\users32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\waol.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win32e.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win64.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winajbm.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\window.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winmgnt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xplugin.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnomnon.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRHywtr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnnlkljj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlifDT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.



#2 Richard Fu

Richard Fu

  • Members
  • 135 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:51 PM

Posted 27 June 2008 - 11:04 PM

Try a Full Scan.

#3 jeffmellinger

jeffmellinger
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 28 June 2008 - 01:04 AM

Here are the full scan results... I am about to reboot.
Malwarebytes' Anti-Malware 1.18
Database version: 894

11:03:25 PM 6/27/2008
mbam-log-6-27-2008 (23-03-25).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 120135
Time elapsed: 41 minute(s), 16 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 14
Files Infected: 44

Memory Processes Infected:
C:\WINDOWS\??sembly\nslookup.exe (Adware.PurityScan) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\yayyVmKE.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\cbXPjIcy.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92d37f2d-bbcf-46a6-8ccc-afa8d6093a52} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{92d37f2d-bbcf-46a6-8ccc-afa8d6093a52} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3ee86d91-2f18-4027-9157-a16110ac59be} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ee86d91-2f18-4027-9157-a16110ac59be} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxpjicy (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3ee86d91-2f18-4027-9157-a16110ac59be} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ljJDWOfc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cfOWDJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cfOWDJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayyVmKE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\EKmVyyay.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EKmVyyay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\??sembly\nslookup.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\AXPFixer.exe (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\!update.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\.ttC0B.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\NDR1F.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\I129AKL4\!update-4495[1].0000 (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\rhc75sj0en59\rhc75sj0en59Skin.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1229272821-746137067-1708537768-500\Dc1\rhc75sj0en59Skin.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C232945B-5F22-47E7-9116-B88F46952712}\RP2\A0000012.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc35sj0en59.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\AXPFixer.exe.local (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\AXPFixerSkin.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\database.dat (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\license.txt (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\MFC71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\MFC71ENU.DLL (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\msvcp71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\msvcr71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\Uninstall.exe (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\How to Register Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\License Agreement.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\Register Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\Uninstall.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXPjIcy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opnomnon.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 Richard Fu

Richard Fu

  • Members
  • 135 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:51 PM

Posted 28 June 2008 - 09:36 AM

From your quick scan:
Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 86
From your last scan:
Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 14
Files Infected: 44
It's spreading in your hard disk, but the memory and registry look cleaner.
So how is the computer doing after the reboot?
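The count comparison in the reply above, automated, together with the check a helper would do on the registry entries in the two logs: an added example, not code from this thread, from Malwarebytes or from BleepingComputer. It assumes the MBAM 1.x text log layout shown in the posts; the two logs embedded in it are constructed excerpts of the quick and full scan logs posted here, carrying the posted totals. Beyond the by-hand comparison, it flags registry items that sit in autostart locations (Winlogon Notify, Userinit, LSA Authentication Packages, Run keys, services, Browser Helper Objects), which is what brings an infection like this back after each reboot, and the NoDisp* policy values, which are why the Display Properties tabs went missing.

```python
# Added example for this thread, not Malwarebytes' or BleepingComputer's code.
# Parses MBAM 1.x text logs, compares two scans, and flags autostart entries.
import re

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Item line: "<path> (<Family>) -> <data or action> [-> <action>]"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Autostart and hook locations, matched case-insensitively inside the path.
PERSISTENCE_MARKERS = {
    "\\winlogon\\notify\\": "Winlogon notify package, DLL loaded at every logon",
    "\\winlogon\\userinit": "Userinit hijack, extra program started at logon",
    "\\lsa\\authentication packages": "LSA package, DLL loaded into lsass at boot",
    "\\currentversion\\run\\": "Run key, program started at logon",
    "\\services\\": "Service or driver, started by the kernel or SCM",
    "\\browser helper objects\\": "BHO, DLL loaded into Internet Explorer",
    "\\policies\\system\\nodisp": "Policy that hides Display Properties tabs",
}

def parse_log(text):
    """Return (summary counts, list of item dicts) for one MBAM log."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
        elif line.endswith(" Infected:"):        # section header
            section = line[:-1]
        elif section and (m := ITEM_RE.match(line)):
            items.append({
                "section": section, "path": m.group("path"),
                "family": m.group("family"),
                # MBAM could not remove these while running; needs the reboot
                "deferred": "Delete on reboot" in m.group("rest"),
            })
    return summary, items

def compare_scans(before, after):
    """Change in each count (positive: more found in the later scan)."""
    names = sorted(set(before) | set(after))
    return {n: after.get(n, 0) - before.get(n, 0) for n in names}

def persistence_findings(items):
    """Registry items in autostart locations as (path, family, why, deferred)."""
    found = []
    for it in items:
        if not it["section"].startswith("Registry"):
            continue
        low = it["path"].lower()
        for marker, why in PERSISTENCE_MARKERS.items():
            if marker in low:
                found.append((it["path"], it["family"], why, it["deferred"]))
                break
    return found

# Constructed excerpts of the two logs posted in this thread (posted totals).
QUICK_LOG = r"""
Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 86
Memory Modules Infected:
C:\WINDOWS\system32\ljJDWOfc.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da03b4ac-d43e-4da4-a61d-94ac66284db7} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnomnon (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\104b76ef (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjdwofc -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\srvv.sys (Rootkit.Agent) -> Delete on reboot.
"""
FULL_LOG = r"""
Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 14
Files Infected: 44
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxpjicy (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    (q_sum, q_items), (f_sum, f_items) = parse_log(QUICK_LOG), parse_log(FULL_LOG)
    for name, d in compare_scans(q_sum, f_sum).items():
        print(f"{name:29} {q_sum[name]:3} -> {f_sum[name]:3} ({d:+})")
    for path, fam, why, deferred in persistence_findings(q_items + f_items):
        print("REBOOT PENDING" if deferred else "removed       ", fam, "-", why, "\n   ", path)
```

Items still marked "Delete on reboot" are the ones MBAM could not remove while it was running, so the reboot is part of the cleanup rather than an afterthought; when that reboot hangs, as reported later in this thread, the deferred entries in the Winlogon Notify and LSA Authentication Packages locations are the first things a helper would want to see in the next log.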

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:51 PM

Posted 28 June 2008 - 10:16 AM

Multiple infections like these usually require several passes with several programs

http://www.bleepingcomputer.com/forums/ind...st&p=864546

You have already run MBAM; please install ATF Cleaner and SAS following the directions given in that link.

Make sure you run them from safe mode after installing and updating.

After rebooting into normal mode, use the computer for a while, then update and rerun MBAM and post that log also.
Chewy

No. Try not. Do... or do not. There is no try.

#6 jeffmellinger

jeffmellinger
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 28 June 2008 - 08:35 PM

On reboot, the computer hung when trying to load Windows. I had to restart... thus, the viruses etc. are still there.
I have done the MBAM, ATF, SAS method also a couple of days ago. If I remember right, the computer hung during one of the reboots that time too...
I will try ATF/SAS in safemode and then MBAM again and post the log.

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:51 PM

Posted 28 June 2008 - 08:55 PM

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

You might want to download SDFix and print out the directions; this is a hard infection to fight.

I usually get all my tools updated and disconnect from the internet until I have the computer clean.
Chewy

No. Try not. Do... or do not. There is no try.

#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,046 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:51 PM

Posted 28 June 2008 - 09:44 PM

Hello jeffmellinger,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/154529/help-to-remove-antivirus-xp-2008-etc/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.





