
Worm/autorun.ahe


13 replies to this topic

#1 azhdeha

azhdeha

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:54 PM

Posted 29 July 2008 - 04:07 AM

Please help me... my antivirus keeps popping up this window. Even if I click Delete or any of the other choices, it still comes back.


Posted Image



#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:54 AM

Posted 30 July 2008 - 01:26 PM

http://www.bleepingcomputer.com/forums/t/159026/hello-im-new-here-and-i-really-need-some-help/

Please follow the directions in this thread for that infection and post the MBAM log.

All infections react differently on different computers.
Chewy

No. Try not. Do... or do not. There is no try.

#3 azhdeha

azhdeha
  • Topic Starter


Posted 31 July 2008 - 08:24 PM

Do I also have to do the dr.cure???

#4 DaChew


Posted 31 July 2008 - 08:34 PM

Let's start with the MBAM log

#5 azhdeha


Posted 02 August 2008 - 07:35 PM

Malwarebytes' Anti-Malware 1.24
Database version: 1013
Windows 5.1.2600 Service Pack 2

8:30:10 AM 8/3/2008
mbam-log-8-3-2008 (08-30-10).txt

Scan type: Quick Scan
Objects scanned: 48160
Time elapsed: 34 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 DaChew


Posted 02 August 2008 - 08:24 PM

http://www.malwareremoval.com/tutorials/safemodeboot.php

Rescan with MBAM from safe mode. If it finds anything, immediately save the log manually, as MBAM will lose it in safe mode. Let it remove anything it finds.

Edited by DaChew, 02 August 2008 - 08:25 PM.


#7 azhdeha


Posted 05 August 2008 - 03:56 AM

The window does not appear anymore after I booted the computer into safe mode and scanned it with Avira... but I still can't open drives D and C...

#8 DaChew


Posted 05 August 2008 - 05:19 AM

Your computer is probably still infected. There may be a rootkit that hides from all scanners in normal mode; we need to find it and kill it from safe mode. Not all scanners will find it in safe mode.

I asked you to use MBAM (Malwarebytes) in safe mode. Did it find anything?

There are several other programs we can use also.

#9 azhdeha


Posted 07 August 2008 - 10:10 PM

Malwarebytes' Anti-Malware 1.24
Database version: 1013
Windows 5.1.2600 Service Pack 2

5:08:13 PM 8/4/2008
mbam-log-8-4-2008 (17-08-12).txt

Scan type: Quick Scan
Objects scanned: 51090
Time elapsed: 26 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


That's the report... I have another problem... my computer says that there is a virus attack... a Windows security alert window always pops up saying "Windows has detected an internet attack attempt... somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection..." I always click Cancel... and there are many pop-ups leading to safecomputer... to download antivirus...

Edited by azhdeha, 07 August 2008 - 10:30 PM.


#10 DaChew


Posted 07 August 2008 - 10:40 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

Please install SAS and ATF Cleaner and run them from safe mode as specified in the second part of this guide.

The longer you stay connected to the internet and put off fighting this infection, the less of a chance we have of cleaning your computer.

#11 azhdeha


Posted 08 August 2008 - 05:00 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/08/2008 at 10:03 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:47:21

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 3782
Registry threats detected : 29
File items scanned : 14670
File threats detected : 3

Trojan.Net-MSV/VPS-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19FFC13D-2055-4714-86F4-336EFEEDB887}
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}\InprocServer32
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}\InprocServer32#ThreadingModel
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}\ProgID
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}\Programmable
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}\TypeLib
HKCR\CLSID\{19FFC13D-2055-4714-86F4-336EFEEDB887}\VersionIndependentProgID
C:\WINDOWS\WNLMDAKQONF.DLL

Trojan.Unclassified/GTS
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}\InprocServer32
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}\InprocServer32#ThreadingModel
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}\ProgID
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}\Programmable
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}\TypeLib
HKCR\CLSID\{0C5686D9-8BBB-433B-96CA-ECCFE1B77417}\VersionIndependentProgID
HKCR\bgrqfetx.1
HKCR\bgrqfetx
HKCR\TypeLib\{0AEF0780-196C-4D2D-AC55-D5BC4F6B0E3A}
HKCR\TypeLib\{0AEF0780-196C-4D2D-AC55-D5BC4F6B0E3A}\1.0
HKCR\TypeLib\{0AEF0780-196C-4D2D-AC55-D5BC4F6B0E3A}\1.0\0
HKCR\TypeLib\{0AEF0780-196C-4D2D-AC55-D5BC4F6B0E3A}\1.0\0\win32
HKCR\TypeLib\{0AEF0780-196C-4D2D-AC55-D5BC4F6B0E3A}\1.0\FLAGS
HKCR\TypeLib\{0AEF0780-196C-4D2D-AC55-D5BC4F6B0E3A}\1.0\HELPDIR
C:\WINDOWS\BGRQFETX.DLL

Trojan.Net-MU/Gen
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#uninstallString

Adware.Vundo-Variant/J
C:\WINDOWS\TFNSLOPK.DLL

#12 DaChew


Posted 08 August 2008 - 06:01 PM

Let's try Dr.Web CureIt from safe mode.

http://www.bleepingcomputer.com/forums/ind...st&p=894794

#13 azhdeha


Posted 10 August 2008 - 09:15 PM

Dr.Web
Dc45.exe;C:\RECYCLER\S-1-5-21-606747145-2025429265-1801674531-1003;Trojan.KillFiles.808;Deleted.;
A0036001.dll;C:\System Volume Information\_restore{67A6F74D-7481-4990-826C-F35EFDE67827}\RP24;Trojan.Popuper.7294;Deleted.;
A0037152.exe;C:\System Volume Information\_restore{67A6F74D-7481-4990-826C-F35EFDE67827}\RP24;Trojan.KillFiles.808;Deleted.;


I also ran the SAS...
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/11/2008 at 10:06 AM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 01:45:54

Memory items scanned : 193
Memory threats detected : 0
Registry items scanned : 3778
Registry threats detected : 0
File items scanned : 15003
File threats detected : 26

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@adtech[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user\Cookies\user@serving-sys[2].txt
C:\Documents and Settings\user\Cookies\user@wmvmedialease[1].txt
C:\Documents and Settings\user\Cookies\user@atdmt[1].txt
C:\Documents and Settings\user\Cookies\user@apmebf[1].txt
C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt
C:\Documents and Settings\user\Cookies\user@adinterax[1].txt
C:\Documents and Settings\user\Cookies\user@ads.pointroll[1].txt
C:\Documents and Settings\user\Cookies\user@ads.revsci[1].txt
C:\Documents and Settings\user\Cookies\user@drivecleaner[1].txt
C:\Documents and Settings\user\Cookies\user@bluestreak[1].txt
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\user\Cookies\user@kontera[2].txt
C:\Documents and Settings\user\Cookies\user@imrworldwide[2].txt
C:\Documents and Settings\user\Cookies\user@insightexpressai[2].txt
C:\Documents and Settings\user\Cookies\user@revsci[1].txt
C:\Documents and Settings\user\Cookies\user@mediaplex[2].txt
C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt
C:\Documents and Settings\user\Cookies\user@richmedia.yahoo[1].txt
C:\Documents and Settings\user\Cookies\user@stats.drivecleaner[2].txt
C:\Documents and Settings\user\Cookies\user@tacoda[2].txt
C:\Documents and Settings\user\Cookies\user@zedo[1].txt

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67A6F74D-7481-4990-826C-F35EFDE67827}\RP24\A0036000.DLL

Adware.Vundo-Variant/J
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67A6F74D-7481-4990-826C-F35EFDE67827}\RP24\A0036002.DLL

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\XXYWWNKE.DLL

#14 DaChew


Posted 10 August 2008 - 09:44 PM

Would you update MBAM and run another quick scan?

How is your computer running? Any obvious signs of infection?

There is one last program I recommend as a last resort before referring anyone to the HijackThis forum and their more advanced tools.


http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

The guide for SDFix, if needed.



