
Big Virus/spyware Problem


15 replies to this topic

#1 laurel312


Posted 12 July 2008 - 08:35 PM

Hi there!

Help!!! I am not exactly computer illiterate, but I need your help. We have an older Dell Dimension desktop that is running Windows XP with Service Pack 2. My husband was online with it and got a popup message (I know, didn't keep up with the antivirus and security with it) that said your antivirus software is out of date. He clicked it (I know, but I wasn't home to stop him) and it installed a spyware/antivirus scanner. It will not allow me to uninstall it. It will not allow me access to DOS, and I tried to reformat the hard drive and I get an error message that says the volume is in use, access denied. I am signed on as the administrator, but I still cannot get around it. I tried to uninstall Windows then reinstall it, but the virus was still there. I tried to restore it; it is set for August 2008 (we are in the future now) and the computer has no other restore points on it. I know I made a restore point when I installed a program a couple of weeks ago (iTunes). Any suggestions?


#2 quietman7


Posted 13 July 2008 - 07:22 AM

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Instructions with screenshots if needed.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 laurel312


Posted 13 July 2008 - 09:01 PM

Okay, tried to do this, but the computer would not allow me to download the file, so I used my laptop and saved the file to a flash drive, then installed it on the computer. But when I tried to run the program in safe mode, it won't allow me to type anything in the run line...

#4 quietman7


Posted 14 July 2008 - 11:20 AM

when I tried to run the program in safe mode, it won't allow me to type anything in the run line...

After booting in safe mode, you have to open the SDFix folder and double click RunThis.bat to start the script.

If you continue to have problems, then skip SDFix for now and continue with the instructions for scanning with MBAM.

#5 laurel312


Posted 14 July 2008 - 05:58 PM

Okay, tried to run SDFix; it started, then the screen went blue, ran a bunch of DOS stuff and said a fatal error had occurred and to protect the computer it had shut down. Any ideas?? Same with MBAM.

Edited by laurel312, 14 July 2008 - 05:59 PM.


#6 quietman7


Posted 15 July 2008 - 08:38 AM

Some types of malware will disable MBAM and other security tools. Let's skip SDFix for now and try to get MBAM working. If MBAM will not run, try renaming it. Right-click on the mbam.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click to run.

#7 laurel312


Posted 18 July 2008 - 07:18 PM

Okay, I got MBAM to work. Do you want the log that it made? Also, my antivirus came on once the computer restarted. It said it is out of date. Do I want to go online to update it, or should I wait for your instructions? It also still says August 12, 2008.

Edited by laurel312, 18 July 2008 - 07:28 PM.


#8 quietman7


Posted 19 July 2008 - 05:52 AM

Yes, please post the log that you have and update your anti-virus, then run a full system scan.

#9 laurel312


Posted 19 July 2008 - 07:06 PM

Okay, here's the log. Also, I ran the anti-virus; it didn't find anything, except 4 items that just said "changed" next to them, and they were dll items. Also, the anti-virus is updated, but keeps telling me it isn't.

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

8:06:59 PM 8/17/2008
mbam-log-8-17-2008 (20-06-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 69533
Time elapsed: 14 minute(s), 2 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 39
Files Infected: 72


Edited by laurel312, 19 July 2008 - 07:47 PM.


#10 quietman7


Posted 20 July 2008 - 07:15 AM

Your MBAM log indicates you are using an older version of MBAM with an outdated database. Please download the most current version of MBAM from here, remove the old and then install the new one. If you encounter any problems while downloading the updates, manually download the updates and just double-click on mbam-rules.exe to install.

After performing a new scan, don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#11 laurel312


Posted 20 July 2008 - 05:18 PM

OK, got the updated version; here's the log. Also, AVG says it is up to date now :thumbsup:



Malwarebytes' Anti-Malware 1.21
Database version: 971
Windows 5.1.2600 Service Pack 2

6:11:03 PM 7/20/2008
mbam-log-7-20-2008 (18-10-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 68545
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62bf492d-75c4-4d5d-a6c6-d66379f545ca} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{62bf492d-75c4-4d5d-a6c6-d66379f545ca} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc76tj0en8l (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shc56tj0en8l (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc76tj0en8l (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\shc56tj0en8l (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\sprof (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\depvak.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0000040.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0000059.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0000060.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0002131.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\qcliicwt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\zsjndu.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\software.php (Trojan.FakeAlert) -> No action taken.

#12 quietman7


Posted 20 July 2008 - 06:10 PM

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead just click "Save Logfile". Please review these instructions (scroll down) and rescan. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing a new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.
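To check a posted MBAM log for the problem described in the reply above (detections saved to the report before "Remove Selected" was clicked), here is an added Python example that is not part of the thread and not MBAM's own code; the sample log is constructed from lines of the logs in this thread, and the helper names are my own.

```python
"""Flag MBAM log detections that were only reported, not removed.

Added example for this thread, not MBAM's own code and not from the
original posts. Helper names and the constructed sample log are mine;
the sample lines copy the layout of the logs posted in the thread."""
import re
from collections import Counter

# Constructed sample in the MBAM 1.2x log layout (items taken from the
# thread's own log, results mixed deliberately to show both cases).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.21
Database version: 971

Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhc76tj0en8l (Rogue.Multiple) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\depvak.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\software.php (Trojan.FakeAlert) -> No action taken.
"""

# One detection line: <item> (<threat name>) -> <result>.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<result>.+?)\.?$")

def parse_detections(log_text):
    """Return one dict per detection line: section, item, threat, result."""
    section, found = None, []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.endswith(" Infected:"):       # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if section and m:
            found.append(dict(m.groupdict(), section=section))
    return found

def unremediated(log_text):
    """Detections left as "No action taken": the log proves nothing was cleaned."""
    return [d for d in parse_detections(log_text) if d["result"] == "No action taken"]

def summarize(log_text):
    """Per-section counts of each result, to see at a glance whether the
    report was saved before or after "Remove Selected" was clicked."""
    counts = {}
    for d in parse_detections(log_text):
        counts.setdefault(d["section"], Counter())[d["result"]] += 1
    return counts
```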

#13 laurel312

laurel312
  • Topic Starter

  • Members
  • 29 posts

Posted 21 July 2008 - 02:18 PM

alright- here's the log :thumbsup:

Malwarebytes' Anti-Malware 1.21
Database version: 971
Windows 5.1.2600 Service Pack 2

3:12:50 PM 7/21/2008
mbam-log-7-21-2008 (15-12-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 68600
Time elapsed: 12 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62bf492d-75c4-4d5d-a6c6-d66379f545ca} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{62bf492d-75c4-4d5d-a6c6-d66379f545ca} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc76tj0en8l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shc56tj0en8l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc76tj0en8l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\shc56tj0en8l (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\sprof (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\depvak.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0000040.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0000059.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0000060.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP3\A0002131.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qcliicwt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zsjndu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\software.php (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 July 2008 - 02:27 PM

They released a new version (1.22) of MBAM. I recommend you download the most current version from here, remove the old and then install the new one. Then perform another scan and post the results. The developer keeps improving the threats MBAM is detecting and removing. So we might pick up a few more nasties the previous scans missed.

When done, also let me know how your computer is running and if there are any more reports/signs of infection.

#15 laurel312

laurel312
  • Topic Starter

  • Members
  • 29 posts

Posted 21 July 2008 - 08:17 PM

Okay...I uninstalled the old one, installed the new one, restarted the computer, and here's the log. It seems to be running fine- as a matter of fact, better than before the virus. The anti-virus is updating fine and seems to have no problems thus far. If all is well, let me say thank you so much AGAIN! You guys are AWESOME!!! I also gave my husband a class in things to look for that may be harmful.....

Malwarebytes' Anti-Malware 1.22
Database version: 977
Windows 5.1.2600 Service Pack 2

9:12:32 PM 7/21/2008
mbam-log-7-21-2008 (21-12-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 69286
Time elapsed: 15 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP9\A0002492.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5BACD79-0650-482F-A54A-60EEB67E9F21}\RP9\A0002493.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
