Fake Anti-virus -- No Start Menu/task Bar/clock -- Or Has "virus Alert" At Clock


3 replies to this topic

#1 no_more_virus


Posted 03 July 2008 - 09:50 AM

Hi,

This is my first post here, and my computer appears to be infected.

The Symptoms:
-- The desktop has "disappeared" and is replaced by a blank blue screen. The icons on the desktop are all gone.
-- There is no "bar" at the bottom: no start button, no task bar, no clock, no indications of open programs. i.e., the entire screen is blue.

-- However, the situation is different right after I start-up.
-- At first, I see all my programs. Sometimes I see the task bar and start button, clock, etc., sometimes not.
-- But something is wrong even then. The computer is slow. And I know desktop will not last long. Sometimes if I am quick I can double click on a desktop icon before the desktop disappears.
-- Sometimes there is a "transition" period. For a few seconds I'll see the desktop, then for a few it will go "all blue".
-- When it is "all blue", I can still get into programs. If I open up the task manager, I can click on the "New Task ..." button under the "Applications" tab.
-- I can still work with documents, but things are slow.
-- When I start in safe mode, I still have the problem of the missing desktop.

Other Signs:
-- When I can see the clock, it says "VIRUS ALERT!" followed by the time. My google searches inform me that this is a common symptom.

What I have done so far:
-- I've done the Norton "Quick Scan" -- found something the first time, and fixed it, but problem persisted.
-- In safe mode, I've done: SmitFraudFix, CCleaner, RogueRemover, Ad-Aware. The first three have fixed some things, but the problem persists.
-- I've run HijackThis. My basic method is to google entries I don't recognize, and if the consensus is it's a virus, I delete.
-- I've deleted a couple of values via HijackThis, but the problem persists.

Antivirus Pro 2008
-- At some point I got messages that I had an infected computer and I had notices about the Antivirus Pro 2008 program. I am aware that this is malware.
-- I found one HijackThis entry related to AntiVirus Pro 2008--I deleted it.
-- I don't see signs about Antivirus Pro 2008 anymore, but clearly something remains.

Thank you so much for your help. I wanted to start here, but I can switch to the Hijack This forum if that's where I should go. I really do appreciate your advice on how to rid myself of this virus. I am posting today from a different computer.


#2 quietman7


Posted 03 July 2008 - 01:35 PM

Welcome to BC no_more_virus

If you're using Windows 2000/XP, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

To fix the policy restrictions created by this infection, please open the SDFix folder or download XP_CodecRepair.inf and save it to your desktop (for Windows XP ONLY).
  • Right-click on XP_CodecRepair.inf and select Install from the Context menu.
  • Note: To download the .inf file, go to File, choose "Save page as" All Files and save XP_CodecRepair.inf to your desktop.
  • Then log off or reboot to apply the changes.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Instructions with screenshots if needed.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Edited by quietman7, 03 July 2008 - 01:35 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 no_more_virus


Posted 12 July 2008 - 12:17 PM

Thank you so much quietman7. It looks like (fingers crossed) all is cleared up. I've been crazy busy recently, so I just turned again to this problem today. I did the SDFix, and that fixed some things, though it appeared the problem persisted after that. I ran XP_CodecRepair.inf. Next I did Malwarebytes, which also fixed some things, and after restarting to delete one thing it couldn't otherwise delete, my computer appears virus free. The logs are at the bottom of this post. Thanks again.

Question: I noticed Malwarebytes offers a pay-software that offers realtime protection. Is this effective and recommended? The computer is actually my father's computer, and his machine (or he?) tends to attract these types of viruses now and then, and the more protections he has the better I think.

The logs, first SDFix then Malwarebytes

__________________________________________________________
SDFix: Version 1.204
Run by HP_Administrator on Sat 07/12/2008 at 12:25

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Windows ProductId To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\HP_Administrator\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\HP_Administrator\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\HP_Administrator\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\gfetqaxsrnm.dll - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\gxvpsafm.dll - Deleted
C:\WINDOWS\pntqkflv.dll - Deleted
C:\WINDOWS\qegbdmwf.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\tovafrnm.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 12:36:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Updating"="WmiApRpl"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"="C:\\Documents and Settings\\HP_Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe:*:Enabled:Juniper Terminal Services Client"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

__________________________________________________________________________________
Malwarebytes' Anti-Malware 1.20
Database version: 942
Windows 5.1.2600 Service Pack 2

12:55:37 PM 7/12/2008
mbam-log-7-12-2008 (12-55-37).txt

Scan type: Quick Scan
Objects scanned: 43546
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBtTKET.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a9b33d3f-8e81-43a9-b905-3ca87cfccace} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9b33d3f-8e81-43a9-b905-3ca87cfccace} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.blbw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ea815359-2ad7-4bcd-9a11-9ad7dade2f12} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{82d93f87-f52b-4417-bf0e-658f00645254} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{eda8fc39-2b22-4df5-b697-3eb1c3ec07ed} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0dfdadc3-06be-43e9-84fc-2cb22575fa6b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{62a08201-9c6c-4b33-a72f-9f343a263cdb} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebttket -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebttket -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBtTKET.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TEKTtBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TEKTtBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
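A small triage script for the MBAM log format posted above, added here as an example (it is not part of the thread and not Malwarebytes' own tooling). It parses the detections by log section, flags the "Delete on reboot" entry that is the reason a rescan gets requested, and calls out the LSA package and SHOWALL registry entries as items to verify after cleanup. The sample log is constructed from the entries in this reply.

```python
"""Triage parser for Malwarebytes' Anti-Malware 1.x scan logs (added example,
not from the thread or from Malwarebytes). Groups detections by log section
and flags what a helper checks before declaring the machine clean."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the MBAM log posted in reply #3.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.20
Database version: 942

Scan type: Quick Scan
Memory Processes Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBtTKET.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebttket -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\geBtTKET.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TEKTtBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Section headers are "<Name> Infected:" with nothing after the colon; the
# summary block uses the same names followed by a count and is skipped.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One detection: "<item> (<family>) -> [<detail> -> ...] <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# LSA values listing DLLs that LSASS loads at boot (run as SYSTEM, survive reboots).
LSA_PACKAGE_VALUES = ("notification packages", "authentication packages")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    detail: str   # middle "->" segments, e.g. the Data: value of a registry data item
    action: str   # final segment, e.g. "Quarantined and deleted successfully."

    @property
    def pending_reboot(self) -> bool:
        # The file was in use; it is not actually gone until the restart happens.
        return self.action.lower().startswith("delete on reboot")


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection line in the log, tagged with its section."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        entry = ENTRY_RE.match(line) if section else None
        if entry is None:
            continue  # blank line, "(No malicious items detected)", summary, etc.
        parts = [p.strip() for p in entry.group("rest").split("->")]
        detections.append(Detection(section, entry.group("item"), entry.group("family"),
                                    " ".join(parts[:-1]), parts[-1]))
    return detections


def count_by_section(detections: list[Detection]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for d in detections:
        counts[d.section] = counts.get(d.section, 0) + 1
    return counts


def triage(detections: list[Detection]) -> list[str]:
    """Findings a helper raises before calling the box clean."""
    findings = []
    for d in detections:
        key = d.item.lower()
        if d.pending_reboot:
            findings.append(f"reboot required: {d.item} ({d.family}) is not removed yet")
        if "\\control\\lsa\\" in key and key.rsplit("\\", 1)[-1] in LSA_PACKAGE_VALUES:
            findings.append(f"LSA package tampering: {d.item} -> {d.detail}")
        if key.endswith("\\hidden\\showall\\checkedvalue"):
            # Set to 0 by the infection so "Show hidden files" stays switched off.
            findings.append(f"hidden-files setting hijacked: {d.detail}")
    return findings
```

Run `triage(parse_mbam_log(SAMPLE_LOG))` to see the three findings for this log; point `parse_mbam_log` at a full mbam-log-*.txt to use it on a real report.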

#4 quietman7


Posted 12 July 2008 - 02:05 PM

Rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply.

MBAM is a very effective program and I recommend it especially if you don't have any other security program providing real-time protection to supplement your anti-virus.



