Virus Alert Log

3 replies to this topic

#1 Jinsoo93

Posted 06 August 2008 - 06:02 PM

SKIP THIS FOR MALWAREBYTES ANTI-MALWARE LOG

I have read one of the topics about a similar virus problem where next to my time it says "VIRUS ALERT!" and the time has changed to military time. This virus has also disabled my task manager, registry editing and display control panel, and somehow erased my "All programs" menu from my start menu; it has changed my wallpaper into a huge advertisement. It has hidden my 2 main hard disks and erased most of my shortcuts, and also brings up popups of advertising programs to kill adware, etc.

Results of my hard work:
After enabling my task manager, display control panel and registry edit, and unhiding my 2 hard disks, I found out it was from a virus named "lanmanwrk.exe". I found it is lying somewhere in my windows\system32 folder, and I looked for it but it wasn't there. I went to registry edit and deleted it, but it comes back. The military time is still there and the VIRUS ALERT! is still there, my "all programs" menu is gone and

MALWAREBYTES ANTI-MALWARE LOG
Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 2

7:00:26 PM 8/6/2008
mbam-log-8-6-2008 (19-00-26).txt

Scan type: Quick Scan
Objects scanned: 41923
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 39
Registry Values Infected: 4
Registry Data Items Infected: 9
Folders Infected: 2
Files Infected: 43

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtqoMff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvUnLBQH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yrqpep.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\tfnslopk.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6b032699-0f07-450e-8884-0e0493b667eb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6b032699-0f07-450e-8884-0e0493b667eb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7822e1b-fdf5-410c-84e1-527243364af4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e7822e1b-fdf5-410c-84e1-527243364af4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2308eded-d153-4a9c-bbf4-1585c74003fb} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2308eded-d153-4a9c-bbf4-1585c74003fb} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvunlbqh (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{02c04a33-b52d-45e9-80de-f7b5d7ef0ad7} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1cd648b2-0c83-4e8d-98d4-08d399b96692} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5cf5622d-bef6-4452-8145-2db7502d0ef8} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f61bffd-ed83-40ce-8da1-5876ec4445bf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3c53d470-faca-44b6-860c-26486a2610ed} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7a3b7641-fd5d-4b48-a9a9-9733036c9fe8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dfb45802-9dc6-4612-8e67-4ac9ffb65302} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{907cb06f-4154-4f6f-b35f-31f10281d836} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69dd094d-5737-46c9-9830-5b26dfff353f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c70bcb6b-51d7-40fe-8a88-cd5fa0088646} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4c449c84-c554-48bb-855d-739803c70ab4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c2eed09f-e43d-4b8f-b31c-40ecd7178560} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d60e17d2-85fb-43da-b87f-3d5ea44d8b2f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8faa3717-9266-4d22-a6db-f347f56dde7d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8faa3717-9266-4d22-a6db-f347f56dde7d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bgrqfetx.bbdf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bgrqfetx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmandrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmandrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmandrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2308eded-d153-4a9c-bbf4-1585c74003fb} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lanmanwrk.exe clean (Backdoor.Qmop) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tfnslopk (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqomff -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqomff -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-640-9452834-23859) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\yrqpep.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtqoMff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ffMoqtwa.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ffMoqtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helwpkhw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\whkpwleh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wytynvxq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qxvnytyw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUnLBQH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lanmanwrk.exe (Backdoor.Qmop) -> Delete on reboot.
C:\WINDOWS\ektv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\xokvrpwg.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iglwpgsr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kclbpd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJYonLD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\guvqklrm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\14lsf.exe (Backdoor.Qmop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\337lsf.exe (Backdoor.Qmop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\479lsf.exe (Backdoor.Qmop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\637lsf.exe (Backdoor.Qmop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\710lsf.exe (Backdoor.Qmop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\735lsf.exe (Backdoor.Qmop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\766lsf.exe (Backdoor.Qmop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winns72.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\Winpu04.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\installer.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\thomas\installer.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tfnslopk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\lnvegaow.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\bgrqfetx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wnlmdakqosx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmopt.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lanmandrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\thomas\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\thomas\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\thomas\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


It would be great if you could help me.

#2 Budapest (Moderator)

Posted 06 August 2008 - 06:08 PM

Reboot your computer, update and run the Malwarebytes scan again to ensure everything was removed.

Your log showed a Rootkit and Backdoor infection, which are especially nasty. You should change any online passwords you have, particularly any banking or financial passwords.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Jinsoo93 (Topic Starter)

Posted 06 August 2008 - 06:21 PM

Thanks for the tip about changing passwords. Luckily I'm not old enough to have financial passwords, heh. Do you mind telling me how you determined what kind of virus I had? I restarted and I'm doing a full scan now.
Thank you very much.

#4 Budapest (Moderator)

Posted 06 August 2008 - 06:37 PM

Do you mind telling me how you determined what kind of virus I had?

They were listed in the Log you posted.
