
Xp Antivirus 2008

8 replies to this topic

#1 LeapingPanda (Members, 7 posts)

Posted 02 September 2008 - 09:48 AM

An "anti virus" program titled XP Antivirus 2008 downloaded onto my desktop when I was trying to download something else. I knew it was fake, but as soon as I tried to delete it my computer froze. I restarted in safe mode to remove it; however, the uninstall option in the fake antivirus' folder and the uninstall option in Add/Remove Programs did not work, so I went into Program Files and deleted it myself. However, when I restarted, the wallpaper changed and left this message:
Warning! Spyware detected on your computer!
Warning! Win32/Adware.Virtumonde detected on your computer
Warning! Win32/PrivacyRemover.M64 detected on your computer

Whenever I change the wallpaper, if I restart it then the wallpaper just comes back. All restore points were deleted, and my desktop options are gone. Sometimes while I'm using the laptop, the mouse starts acting funny, then there is a sound followed by the laptop freezing. Other times, the laptop will run without freezing. Also, although it sounds dumb, I'm positive that the virus is doing its best to keep me from fixing this problem by blocking out forums such as this one. When I searched the problem using my laptop, I saw many links with solutions; however, if I clicked on any of them then it loaded a random site. So then I used my friend's laptop to search for solutions and I found many programs to download, such as the one in topic164439 I just posted. So I typed the link for the program into my computer, but it says unable to connect, for all three of them. I've tried typing the links to other programs I saw in other threads but I got the same result. I don't know how it's keeping me from visiting certain pages. So far I was unable to visit Online Virus Scanner, HijackThis.exe, Malwarebytes' Anti-Malware, SS&D, Ad-Aware 2008, ComboFix and the other programs that were recommended. I am currently using my friend's laptop to type this because I cannot visit this site on my laptop.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,606 posts, Virginia, USA)

Posted 02 September 2008 - 10:40 AM

Please note the message text in blue at the top of this forum.

You should not attempt to use Combofix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Since you cannot use the Internet or download any programs, you are going to need access to another computer (family member, friend, etc) with an Internet connection. Download Malwarebytes Anti-Malware, save it to a flash (usb, pen, thumb, jump) drive or CD, transfer it to the infected machine, then install and run the program. If you cannot transfer or install from the infected machine, try running the setup (installation) file directly from the flash drive or CD so it will install on the hard drive.

You will also need to manually download the updates, then save and transfer them as well. After installing MBAM, just double-click on mbam-rules.exe to install and update.

Please print out and follow these instructions to perform a Quick Scan in normal mode. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 LeapingPanda (Topic Starter, Members, 7 posts)

Posted 02 September 2008 - 07:31 PM

Sorry, before you replied I saw a topic similar to mine and used SUPERAntiSpyware in safe mode to remove whatever it found. Then I tried doing what you said, but when I ran Malwarebytes it would freeze while scanning in normal mode. Then I scanned in safe mode and removed everything it found. I will post the logs from SUPERAntiSpyware and Malwarebytes. Although the wallpaper is gone and it doesn't seem to freeze anymore, some websites are still blocked.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/02/2008 at 06:32 PM

Application Version : 4.20.1046

Core Rules Database Version : 3554
Trace Rules Database Version: 1542

Scan type : Complete Scan
Total Scan Time : 06:15:17

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 8204
Registry threats detected : 50
File items scanned : 139710
File threats detected : 36

Rogue.Dropper/Gen
[lphc3wdj0ep1e] C:\WINDOWS\SYSTEM32\LPHC3WDJ0EP1E.EXE
C:\WINDOWS\SYSTEM32\LPHC3WDJ0EP1E.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{4B646AFB-9341-4330-8FD1-C32485AEE619}
HKCR\CLSID\{4B646AFB-9341-4330-8FD1-C32485AEE619}
HKCR\CLSID\{4B646AFB-9341-4330-8FD1-C32485AEE619}\InprocServer32
HKCR\CLSID\{4B646AFB-9341-4330-8FD1-C32485AEE619}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VVBGLHVT.DLL
HKCR\CLSID\{4B646AFB-9341-4330-8FD1-C32485AEE619}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{4BC00E4E-3FD2-403D-B9CC-6A5F59C2DE16}
HKCR\CLSID\{4BC00E4E-3FD2-403D-B9CC-6A5F59C2DE16}
HKCR\CLSID\{4BC00E4E-3FD2-403D-B9CC-6A5F59C2DE16}\InprocServer32
HKCR\CLSID\{4BC00E4E-3FD2-403D-B9CC-6A5F59C2DE16}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTSP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BC00E4E-3FD2-403D-B9CC-6A5F59C2DE16}

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\KLIQNNER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}

Rootkit.RESSdt
HKLM\System\ControlSet001\Services\RESSDT
C:\WINDOWS\SYSTEM32\SSDT.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_RESSDT
HKLM\System\ControlSet002\Services\RESSDT
HKLM\System\ControlSet002\Enum\Root\LEGACY_RESSDT
HKLM\System\ControlSet003\Services\RESSDT
HKLM\System\ControlSet003\Enum\Root\LEGACY_RESSDT
HKLM\System\CurrentControlSet\Services\RESSDT
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RESSDT

Adware.Tracking Cookie
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@insightexpressai[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@ads.bridgetrack[2].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@advertising[2].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@adlegend[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@revsci[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@ad.yieldmanager[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@bluestreak[2].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@ads.pointroll[2].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@nextag[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@html[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@cdn.at.atwola[2].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@server.cpmstar[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@atwola[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@questionmarket[2].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@2o7[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@microsoftwlmessengermkt.112.2o7[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@msnportal.112.2o7[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@richmedia.yahoo[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@at.atwola[1].txt
C:\Documents and Settings\Vu Nguyen\Cookies\vu nguyen@kontera[2].txt
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\Cookies\vu nguyen@server.cpmstar[1].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\WINDOWS\TEMP\SDEXE.EXE
C:\WINDOWS\YSTEM~1\REGEDIT.EXE~

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#LID
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#OCCUR

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 ]

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKU\S-1-5-21-473996262-2993634816-2005034892-1005\Software\Microsoft\aldd
HKU\S-1-5-21-473996262-2993634816-2005034892-1005\Software\Microsoft\rdfa
C:\WINDOWS\SYSTEM32\MCRH.TMP
C:\WINDOWS\SYSTEM32\RSTWA.BAK1
C:\WINDOWS\SYSTEM32\RSTWA.INI
C:\WINDOWS\SYSTEM32\RSTWA.INI2

Trojan.FakeAlert/Desktop
HKU\S-1-5-21-473996262-2993634816-2005034892-1005\CONTROL PANEL\DESKTOP#WALLPAPER
HKU\S-1-5-21-473996262-2993634816-2005034892-1005\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
HKU\S-1-5-21-473996262-2993634816-2005034892-1005\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

Rogue.AntiVirus 2008
C:\Documents and Settings\Vu Nguyen\Application Data\RHC7WDJ0EP1E
C:\WINDOWS\SYSTEM32\PHC3WDJ0EP1E.BMP

Adware.180solutions/Seekmo/Zango
C:\DOCUMENTS AND SETTINGS\VU NGUYEN\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\45TUKPWW.DEFAULT\CACHE(3)\3DBFBE0AD01

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\BLPHC3WDJ0EP1E.SCR


Malwarebytes log:

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

9/2/2008 7:42:37 PM
mbam-log-2008-09-02 (19-42-37).txt

Scan type: Quick Scan
Objects scanned: 59150
Time elapsed: 26 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 22
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f2abb0f-44df-49d6-b227-4cf2baea7d42} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljgdbb (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f2abb0f-44df-49d6-b227-4cf2baea7d42} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc7wdj0ep1e (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbwd32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_newversion (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc7wdj0ep1e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc7wdj0ep1e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_shell (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mljgdbb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlljg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gjllm.bak1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winbwd32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\awtqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtsqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkhhi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkklk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mljiiig.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddccy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\xrt_gste.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vu Nguyen\Local Settings\Temp\wnd45EB.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 LeapingPanda (Topic Starter, Members, 7 posts)

Posted 02 September 2008 - 07:45 PM

The websites I could not visit before, I am now able to visit. However, I still feel unsure as to whether or not everything was removed.

#5 quietman7 (Bleepin' Janitor, Global Moderator, 50,606 posts, Virginia, USA)

Posted 03 September 2008 - 06:35 AM

Your MBAM log indicates some files will be deleted on reboot. If MBAM encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and check all items found for removal. Then click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, then rescan again anyway and post a new log.

Scanning in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a driver which does not work in safe mode. For optimal removal, normal mode is recommended. If you cannot use normal mode, then perform your scan in safe mode.

IMPORTANT NOTE: One or more of the identified infections (tdssserv.sys) was related to a nasty rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"
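The advice above turns on two things a helper reads out of an MBAM log: which items are still marked "Delete on reboot" (hence the insistence on a normal reboot) and whether any detection is a kernel driver such as tdssserv.sys, the rootkit footprint. The following is an added example, not code from this thread or from Malwarebytes, that triages a log in the MBAM 1.x text layout shown in this thread; the sample log is constructed from a few lines of the posted log, and the layout assumptions are noted in the comments.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log: per-section detection
counts, items still pending a reboot, and driver-level (rootkit-type) hits.
Assumes the "<object> (<family>) -> <action>." line layout seen in this thread."""
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.x log layout; the entries are a few lines
# taken from the log posted earlier in this thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 59150

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\system32\\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\awtqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# One detection line: "<object> (<family>) -> <action>". Registry data items
# put "Bad: (1) Good: (0) ->" before the action, so the family is taken as the
# first parenthesised token (no nested parens) followed by " -> ".
DETECTION_RE = re.compile(r"^(?P<object>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Section headers end in "Infected:"; the summary lines ("Files Infected: 32")
# carry a count after the colon and so do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text):
    """Return a list of dicts with keys section, object, family, action."""
    section = None
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Skip header lines before any section, blanks, and the
        # "(No malicious items detected)" placeholder.
        if section is None or not line or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["action"] = entry["action"].rstrip(".")
            entries.append({"section": section, **entry})
    return entries


def pending_reboot(entries):
    """Items MBAM could not remove while running; they are only gone after a
    normal (not safe mode) reboot, which is why the helper insists on it."""
    return [e for e in entries if e["action"].startswith("Delete on reboot")]


def driver_detections(entries):
    """File detections that are kernel drivers (*.sys) or live under
    system32\\drivers: the classic footprint of a rootkit component."""
    out = []
    for e in entries:
        obj = e["object"].lower()
        if e["section"] == "Files Infected" and (obj.endswith(".sys") or "\\drivers\\" in obj):
            out.append(e)
    return out


def counts_by_section(entries):
    counts = defaultdict(int)
    for e in entries:
        counts[e["section"]] += 1
    return dict(counts)


def summarize(text):
    entries = parse_mbam_log(text)
    return {
        "counts": counts_by_section(entries),
        "pending_reboot": [e["object"] for e in pending_reboot(entries)],
        "drivers": [e["object"] for e in driver_detections(entries)],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("Detections per section:", summary["counts"])
    print("Still pending a reboot:", *summary["pending_reboot"], sep="\n  ")
    print("Driver-level (rootkit-type) detections:", *summary["drivers"], sep="\n  ")
```

A non-empty "pending_reboot" list is the cue to reboot normally and rescan; a non-empty "drivers" list is the cue for the password-change and format-or-clean discussion that follows in this post.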

#6 LeapingPanda (Topic Starter, Members, 7 posts)

Posted 03 September 2008 - 10:43 AM

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

9/3/2008 11:43:34 AM
mbam-log-2008-09-03 (11-43-34).txt

Scan type: Quick Scan
Objects scanned: 63018
Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 quietman7 (Bleepin' Janitor, Global Moderator, 50,606 posts, Virginia, USA)

Posted 03 September 2008 - 11:58 AM

That log looks good.

How is your computer running now? Any more reports/signs of infection?

#8 LeapingPanda (Topic Starter, Members, 7 posts)

Posted 03 September 2008 - 03:55 PM

My computer seems to be working perfectly fine now. But after reading what you've posted, I'm a little worried. I don't have any passwords or credit card information stored on this computer. Would it still be dangerous just signing into webmail and such?

#9 quietman7 (Bleepin' Janitor, Global Moderator, 50,606 posts, Virginia, USA)

Posted 03 September 2008 - 04:08 PM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and "What Do I Do?" links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action, but I cannot make that decision for you.

If that is something you prefer not to do, then if there are no more signs of infection you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.