Rogue Anti-virus Malware & Something Else Crippling My Xp


4 replies to this topic

#1 thallstd

thallstd

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:41 PM

Posted 24 July 2008 - 01:29 AM

Hello.

I'm running XP SP2 and I have a problem very similar to the July 18 post by Dit but have been able to make even less progress than he.

It started when Firefox issued a message that it needed to download a new codec and I was foolish enough to do so.

Immediately, I received a slew of pop-ups warning me of infection and providing access to a fix along with a red desktop warning of privacy being compromised with a button promising protection.

Adware Away seems to have cleaned up these symptoms, at least superficially.

Remaining symptoms:

A) VIRUS ALERT! displays next to my system time in the status bar and in the properties windows next to created/modified dates there.

B) My C drive doesn't display in folder view unless I specifically key it into the address bar. My control panel doesn't display in folder view either.

C) My Start menu doesn't have a Run entry or anything on the right half of the split screen except Set Program Access & Defaults and Printers and Faxes.

D) Limited Internet: Can't launch Firefox or IE but can connect with Yahoo Messenger. Bought McAfee thinking it would fix this but can't install it since it needs the internet. Using a flash drive to move downloads to my infected computer from another.

E) Windows-E key combo is being intercepted and instead of opening a directory window displays a msg saying "This operation has been cancelled due to restrictions in effect on this computer."

F) After a couple minutes of running from a normal boot, the system becomes unusably slow so have been relying on Safe mode.

G) Can't run Malwarebytes' Anti-Malware because mbam-setup.exe won't launch.

I figured I'd end up getting referred to the HijackThis Log forum so started preparing for that, only to find...

I can't enable my windows firewall via your tutorial 'cause have no Run menu.

I can't run the Kaspersky Online Scanner 'cause can't launch a browser.

I can't run HijackThis because the installer won't launch.

Was able to run DSS. Or at least to start it. After 60+ minutes of it sitting about 85% through the Examining Add/Remove Programs stage I suspect my problem (F) above is interfering. I'll let it run overnight to see if it eventually finishes. But if not, can I run it in Safe mode? I started to initially but it brings up a msg saying it prefers to be run in normal mode.

And, assuming I can get the thing to finish at all, should I post the log here or elsewhere?

What would you like me to do next?

Thanks,

Ty


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 AM

Posted 24 July 2008 - 01:35 AM

Try renaming mbam-setup.exe to something else, such as abcde.bat.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 thallstd

thallstd
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:41 PM

Posted 24 July 2008 - 11:18 AM

DSS never finished so I rebooted and renamed mbam as suggested. That enabled me to run it. But I didn't have access to the forum and instructions given to Dit so I ran a full scan. That log is below. (FULL SCAN LOG).

After rebooting everything looked to be back to normal. But I had access to the forum again so downloaded mbam-rules.exe, installed that then ran a quick scan. It found additional infected files so its log is also pasted below (QUICK SCAN LOG).

I did need to reboot after this and after doing so decided to run the quick scan again. It still found infected objects. That log is QUICK SCAN LOG2 below.

My system seems to be functioning normally now. I have to run out now but will start another quick scan after rebooting and let you know those results when I return.

Thanks for all your help. You provide a great service.


******
****** FULL SCAN LOG *****
******

Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

11:31:45 AM 7/24/2008
mbam-log-7-24-2008 (11-31-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130829
Time elapsed: 2 hour(s), 1 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 32
Registry Values Infected: 2
Registry Data Items Infected: 15
Folders Infected: 3
Files Infected: 99

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{431f4607-4c5d-4606-b8a6-5140399815b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{431f4607-4c5d-4606-b8a6-5140399815b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff677dc0-282b-41cf-a3a3-2f6cfef82e6b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ff677dc0-282b-41cf-a3a3-2f6cfef82e6b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6230596f-3a44-4cdf-815b-372fa03c75d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6230596f-3a44-4cdf-815b-372fa03c75d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e718097-66c2-440c-bf81-1754990424f4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\diagnosticscan (Rogue.AdwareAway) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\diagnosticscan (Rogue.AdwareAway) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagnosticscan (Rogue.AdwareAway) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{88a6bf68-b9b6-429b-a8b0-3cc5c6db948c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8adabfcc-2174-46c8-8dc8-161780adeac5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3fcaeb7d-f8ae-4a67-ae6c-57ee1416bb6d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{09ad5259-202a-4244-98cd-b5cdaf4fa723} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{683b8719-51e0-4797-bf45-53530045fd2b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{643cec71-bb7d-4241-aedd-083f50fe92f1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8c6aacdd-4862-496c-ba20-d712ad679760} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6a4a71b0-36d2-4674-87af-288f60e3ec71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a74cd9a1-9348-4b3f-87a4-4852c2ce802e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{812ae34e-162c-4c94-baa1-a2c0431aec84} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{812ae34e-162c-4c94-baa1-a2c0431aec84} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.bvqe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SecuriSoft SARL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adware away v3.1.4.7_is1 (Rogue.AdwareAway) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e09967e0 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{3fcaeb7d-f8ae-4a67-ae6c-57ee1416bb6d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvvstl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvvstl -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lTsvvGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lTsvvGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kqhire.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kgstbref.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ferbtsgk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rxnhbjpb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bpjbhnxr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmMdbx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Local Settings\Temporary Internet Files\Content.IE5\6BQXA5M5\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Local Settings\Temporary Internet Files\Content.IE5\6BQXA5M5\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Local Settings\Temporary Internet Files\Content.IE5\XD2UPN6P\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Local Settings\Temporary Internet Files\Content.IE5\XD2UPN6P\kb767887[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP928\A0077541.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP928\A0077544.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP928\A0077545.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP928\A0077574.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP928\A0077576.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP928\A0077577.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP928\A0077578.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP929\A0078556.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP929\A0078557.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP929\A0078559.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4F22DFC-C0F4-43BB-BC0B-BF60DD53728F}\RP929\A0078561.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\erms.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bolaykdb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eppevvsc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sccbtm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Uninstall.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Update.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\User Manual.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\activex.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdAway.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdAway.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdwareAway.chm (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\autorun.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\DiagnosticScan.SYS (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumAutoRun.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumDlls.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EProcess.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\explorerbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\fa.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\FixDesktopBackground.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\folderdll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\global.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iebhotoolbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iepage.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ietoolbarbutton.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlprefix.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlsearchhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\lsp.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\nameserver.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\notifydll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\overall.log (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\process.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\protocolfilter.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ScanAtStartup.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\screenshot.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\securitysite.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\service.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\shellextension.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\shellextensionhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\SPAP.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\svchostdll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\sysrestriction.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\uninstall.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\Update2.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cdosys.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\vmdesched.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXRIyyx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJAqnNF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmJAtR.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\qndsfmao.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\kvxqmtre.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\evgratsm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\agpqlrfm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\kgxmotapktx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Application Data\TmpRecentIcons\Vista Antivirus 2008.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Desktop\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ty Hallsted\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.




******
****** QUICK SCAN LOG *****
******

Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

11:47:13 AM 7/24/2008
mbam-log-7-24-2008 (11-47-13).txt

Scan type: Quick Scan
Objects scanned: 40230
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42340e90-7d63-4b77-bc19-840ad9ff160f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{42340e90-7d63-4b77-bc19-840ad9ff160f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvvstl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvvstl -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lTsvvGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lTsvvGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbinit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



******
****** QUICK SCAN LOG2 *****
******

Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 2

12:11:29 PM 7/24/2008
mbam-log-7-24-2008 (12-11-29).txt

Scan type: Quick Scan
Objects scanned: 40412
Time elapsed: 10 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lTsvvGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lTsvvGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
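The three logs above share one line format, so they can be compared mechanically rather than by eye. The script below is an added example, not part of the thread or of Malwarebytes' own tooling; it embeds constructed excerpts in that format, reports which items recur across scans (the hgGvvsTl.dll module that only cleared in the third scan), lists what was deferred to "Delete on reboot", extracts the Explorer policy values MBAM reset, and decodes the NoDrives mask that hid the C: drive.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and compare several scans."""
import re
from collections import defaultdict

# Constructed excerpts in the same line format as the logs posted above
# (not the full logs); the scan names are the poster's own labels.
SCAN_LOGS = {
    "FULL SCAN": r"""
Files Infected: 2

Memory Modules Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvvstl -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kqhire.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
""",
    "QUICK SCAN": r"""
Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clbinit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
""",
    "QUICK SCAN LOG2": r"""
Files Infected:
C:\WINDOWS\system32\hgGvvsTl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
""",
}

# Detail section headers end with a bare colon; summary lines carry a count.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, action, detail."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not (m and section):
            continue  # blank lines, summary counts, "(No malicious items detected)"
        parts = m.group("rest").split(" -> ")  # last segment is the action taken
        found.append({"section": section, "item": m.group("item"),
                      "family": m.group("family"), "action": parts[-1].rstrip("."),
                      "detail": " -> ".join(parts[:-1])})
    return found


def recurring_items(logs_by_scan):
    """Items reported in more than one scan, i.e. ones that survived a cleaning pass."""
    seen = defaultdict(list)
    for scan, text in logs_by_scan.items():
        for d in parse_mbam_log(text):
            key = d["item"].lower()  # paths are case-insensitive on Windows
            if scan not in seen[key]:
                seen[key].append(scan)
    return {item: scans for item, scans in seen.items() if len(scans) > 1}


def pending_reboot(text):
    """Items MBAM could not remove immediately (typically locked by a loaded module)."""
    return sorted({d["item"] for d in parse_mbam_log(text) if d["action"] == "Delete on reboot"})


def policy_hijacks(text):
    """Registry values MBAM reset, as {value name: (bad, good)}."""
    out = {}
    for d in parse_mbam_log(text):
        m = BAD_GOOD_RE.search(d["detail"])
        if m:
            out[d["item"].rsplit("\\", 1)[-1]] = (m.group("bad"), m.group("good"))
    return out


def decode_nodrives(mask):
    """NoDrives is a bitmask: bit 0 hides A:, bit 1 B:, bit 2 C: ...; 12 hides C: and D:."""
    return [chr(ord("A") + bit) for bit in range(26) if mask >> bit & 1]


if __name__ == "__main__":
    print("recurring:", recurring_items(SCAN_LOGS))
    print("deferred to reboot:", pending_reboot(SCAN_LOGS["FULL SCAN"]))
    for name, (bad, good) in policy_hijacks(SCAN_LOGS["FULL SCAN"]).items():
        print(f"{name}: {bad} -> {good}")
    print("drives hidden by NoDrives=12:", decode_nodrives(12))
```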

#4 thallstd

thallstd
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:41 PM

Posted 24 July 2008 - 11:47 AM

After rerunning Malware it found nothing infected and everything seems to be working fine so I think this issue can be closed. Thanks again for your help. Much appreciated.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:41 PM

Posted 24 July 2008 - 01:41 PM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
