'Warning, Spyware Detected On Your Computer' Removed But Missing All Of My Programs


This topic is locked
13 replies to this topic

#1 bugger

  • Members
  • 19 posts

Posted 21 July 2008 - 03:47 AM

Hi, I have managed to remove the spyware using Malwarebytes and SpyFix or whatever it was, but all of my programs are still missing. I am using Windows XP Professional. How do I get all of my programs back? I need them ASAP :thumbsup: Thanks

#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 July 2008 - 04:46 PM

Hi and welcome. What programs are missing? Do they not turn up in a search? Also, are there any error messages?

Would you post the MalwareBytes log please.

Edited by boopme, 21 July 2008 - 04:47 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 bugger
  • Topic Starter
  • Members
  • 19 posts

Posted 22 July 2008 - 09:21 PM

When Windows opens it comes up with "one of the files containing your sys registry data had to be recovered by a log or alternate copy. The recovery was successful".
I'm missing Word, Excel, Pub, items in the Accessories tab such as System Restore, all of the games, the Startup folder is empty and I can't remember the rest.
I also can't connect to the internet via my wireless USB connection; I have to use my boyfriend's internet. How do I fix this? When I try to connect it says that it couldn't establish a connection.


Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

1:54:30 PM 21/07/2008
mbam-log-7-21-2008 (13-54-30).txt

Scan type: Quick Scan
Objects scanned: 56518
Time elapsed: 21 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 17
Files Infected: 47

Memory Processes Infected:
C:\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\cwwmkodh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcjwpj0et67 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 pro (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c5e7155 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e55e1c86-434d-46f9-a253-2de4ab3f9734} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\rhcjwpj0et67\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cwwmkodh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hdokmwwc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcqgjrys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\syrjgqcm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcCSJcC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJYspMG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcnwpj0et67.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcnwpj0et67.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\dssec.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4HG71KIK\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\C5KNQR0B\Antivirus2008PRO[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\C5KNQR0B\scan[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TKCA06ZF\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\rhcjwpj0et67.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\rhcjwpj0et67.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\rhcjwpj0et67Skin.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcjwpj0et67\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcnwpj0et67.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcnwpj0et67.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\atmadm2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\media.php (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
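As an added example that is not part of this thread (and not Malwarebytes' or BleepingComputer's code), here is a small Python triage helper for the Malwarebytes' Anti-Malware 1.x log format pasted above: it reconciles the summary counts with the itemized entries, flags items that were only scheduled for "Delete on reboot" (they remain on disk until the restart, which is why a helper asks for a reboot and a rescan), and lists hits in autostart registry locations. The embedded sample is a constructed excerpt in the same format; its Registry Values count is deliberately one higher than the lines listed, simulating a log truncated when pasting.

```python
# Triage helper for Malwarebytes' Anti-Malware 1.x logs (the format pasted in this thread).
import re
from collections import defaultdict

# Constructed excerpt in the format of the thread's logs (not a real scan).
# 'Registry Values Infected: 3' against two listed lines simulates a truncated paste.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.22

Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\system32\cwwmkodh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcjwpj0et67 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c5e7155 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e55e1c86-434d-46f9-a253-2de4ab3f9734} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cwwmkodh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hdokmwwc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Registry locations that give malware a foothold on every logon/boot.
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\",
                     "\\ShellExecuteHooks\\")

def parse_mbam_log(text):
    """Return (summary, entries): summary maps section -> claimed count,
    entries maps section -> list of {'item', 'family', 'action'} dicts."""
    summary, entries, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                  # summary block: 'X Infected: N'
            summary[m["section"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):        # start of an itemized section
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line) if section else None
        if m:                                  # '(No malicious items detected)' never matches
            entries[section].append(m.groupdict())
    return summary, dict(entries)

def reconcile(summary, entries):
    """Sections whose claimed count differs from the lines actually present
    (a truncated paste or an edited log), as {section: (claimed, listed)}."""
    return {sec: (n, len(entries.get(sec, [])))
            for sec, n in summary.items() if n != len(entries.get(sec, []))}

def pending_reboot(entries):
    """Items MBAM could only schedule for removal; they stay on disk until restart."""
    return [e["item"] for sec in entries for e in entries[sec]
            if e["action"].startswith("Delete on reboot")]

def autostart_hits(entries):
    """Registry values under autostart locations (persistence that reinstalls the rest)."""
    return [e["item"] for sec in entries for e in entries[sec]
            if any(marker in e["item"] for marker in AUTOSTART_MARKERS)]

if __name__ == "__main__":
    summary, entries = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", reconcile(summary, entries))
    print("pending reboot  :", pending_reboot(entries))
    print("autostart hits  :", autostart_hits(entries))
```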

#4 bugger
  • Topic Starter
  • Members
  • 19 posts

Posted 24 July 2008 - 05:50 AM

Hello, can someone please help me?

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 July 2008 - 09:24 AM

Hello, sorry for the delay. You'll need to reboot, update the scanner and run another scan. Post a new log. Some of these are stubborn and require a few scans and perhaps even another tool.

#6 bugger
  • Topic Starter
  • Members
  • 19 posts

Posted 25 July 2008 - 10:48 PM

I scanned the comp again using Malwarebytes; it picked up nothing, and then I used AVG and it picked up a few. Here are the logs.


Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

10:50:12 AM 26/07/2008
mbam-log-7-26-2008 (10-50-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 31430
Time elapsed: 17 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 July 2008 - 11:09 PM

How is the PC now? Are the symptoms gone?

#8 bugger
  • Topic Starter
  • Members
  • 19 posts

Posted 26 July 2008 - 12:01 AM

These are the reports from AVG scans that I did today... the problem still isn't fixed, missing all the programs I mentioned before etc.



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:46:04 26/07/2008

+ Scan result:



C:\WINDOWS\system\14x.exe -> Downloader.Agent.nem : Cleaned with backup (quarantined).
C:\WINDOWS\system32\3x-un-14x.exe -> Downloader.Dadobra.adk : Cleaned with backup (quarantined).
C:\WINDOWS\system\lprhelp32.dll -> Dropper.Agent.qik : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\User\Cookies\user@cms.trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\WINDOWS\system32\IEDFix.exe -> Trojan.Renos.vaoz : Cleaned with backup (quarantined).


::Report end



AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:56:29 26/07/2008

+ Scan result:



C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052340.exe -> Downloader.Agent.nem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052342.exe -> Downloader.Dadobra.adk : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Desktop\downlaods\PRECRAcked-WinRAR.3.80\MediaTubeCodec_ver1.1348.0.exe -> Downloader.Zlob.ppp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052341.dll -> Dropper.Agent.qik : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temp\removalfile.bat -> Not-A-Virus.Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0050041.exe -> Not-A-Virus.PUP.MalwareProtector.d : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0051040.exe -> Not-A-Virus.PUP.MalwareProtector.d : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\IOSM4PBA\file[1].exe -> Rootkit.Clbd.cv : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1275210071-1580436667-1060284298-1003\Dc5\IEDFix.exe -> Trojan.Renos.vaoz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{76178016-FCC2-48D6-B9C7-F9E4E4D6995A}\RP112\A0052343.exe -> Trojan.Renos.vaoz : Cleaned with backup (quarantined).


::Report end

#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 July 2008 - 08:36 PM

Ok let's run SDFix and see what comes back.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#10 bugger
  • Topic Starter
  • Members
  • 19 posts

Posted 26 July 2008 - 09:18 PM

SDFix: Version 1.208
Run by User on Sun 27/07/2008 at 10:05

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Antivirus 2008 PRO\vscan.tsi - Deleted
C:\Antivirus 2008 PRO\zlib.dll - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttA0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttA9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttBA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.ttA0.tmp.vbs - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\atmadm2.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\dssec.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\vista_sp1.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\media.php.bat - Deleted



Folder \Antivirus 2008 PRO - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 10:13:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Disabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Disabled:avgnsx.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Disabled:avgupd.exe"
"C:\\Program Files\\Unwired\\UwWiz.exe"="C:\\Program Files\\Unwired\\UwWiz.exe:*:Disabled:Connection Assistant"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 2 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 23 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 23 Jul 2008 15,452,536 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d7694bef8bd7032a201cda9934644640\BIT2.tmp"
Tue 10 Jun 2008 95,315,977 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8e4c50bd1c41feac24607e18c5505bd\BIT2.tmp"
Sat 26 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT2.tmp"

Finished!

#11 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 July 2008 - 12:37 PM

So any improvement after all that removal??

#12 bugger
  • Topic Starter
  • Members
  • 19 posts

Posted 28 July 2008 - 02:32 AM

No, I'm still missing the programs and I still cannot connect to my internet; it says 'Error 797: A connection to the remote computer could not be established because the modem was not found or busy'.

It is still coming up with 'one of the files containing your sys registry data had to be recovered by a log or alternate copy. The recovery was successful' once Windows opens.

#13 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 July 2008 - 02:13 PM

Something is protecting this thing. I think the HJT will have to find it. Try downloading Step 6 from another PC to a CD, USB or flash drive and running it on the infected PC.
Preparation Guide for use before posting about your potential Malware problem

Post that log here: HijackThis Logs and Malware Removal

#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 July 2008 - 03:23 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.