
Anti Virus Xp 2008

18 replies to this topic

#1 livinlifes2short


Posted 07 September 2008 - 09:23 PM

Ok, I have a PC with Windows XP SP2. I downloaded a .cab file for my PPC and was infected with this Anti Virus xp 2008. I ran Spybot Search and Destroy, I have Spyware Doctor, and I also ran Malwarebytes' Anti-Malware. The computer seems better, but at random my desktop will go blue and I no longer have options in Control Panel to change the desktop. Also I will get the fake blue screens on start up that just keep cycling till I restart. My internet was not working but I seem to have gotten that back up, with the exception of windows popping up with random ads, and the computer running really slow. So please help, I have many hours invested in this already. Also I have deleted some items out of system32 in regards to this program, but one keeps coming back; the properties say that it is a screen saver blue screen and it will not let me delete it. From searching I have really gathered nothing but the above, but I do know you will want the MBAM log. I installed the program from a link in a post off of this site, did the update and a quick scan of all hard drives, then cleaned all and rebooted immediately. So here is my log. Thanks in advance for the time and work that you may put into helping me!

Malwarebytes' Anti-Malware 1.26
Database version: 1126
Windows 5.1.2600 Service Pack 2

9/7/2008 10:07:23 PM
mbam-log-2008-09-07 (22-07-23).txt

Scan type: Quick Scan
Objects scanned: 52968
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjvjj0e91n (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\wpi11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\caq21.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sca8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tcl9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmnE.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\cumA.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\lvt16.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcjvjj0e91n.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\phcjvjj0e91n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

#2 boopme


Posted 07 September 2008 - 09:53 PM

OK, Hello and welcome. If you haven't done so, please reboot to complete the removal of some of the malware found. You have a few stubborn Vundo trojans here. So please check again for an update on MBAM and rescan and repost the new log.

Follow with these two tools. Tell us how the PC is running after this.

Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post 2 logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 livinlifes2short


Posted 08 September 2008 - 08:02 AM

Ok, so I downloaded the programs you asked me to. First I re-ran the malware program; here is that log:

Malwarebytes' Anti-Malware 1.26
Database version: 1126
Windows 5.1.2600 Service Pack 2

9/8/2008 12:55:48 AM
mbam-log-2008-09-08 (00-55-48).txt

Scan type: Quick Scan
Objects scanned: 53282
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjvjj0e91n (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcnvjj0e91n (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\lphcjvjj0e91n.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\phcjvjj0e91n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt17.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

I then updated SUPER and did as you told me in the instructions to the T, restarted and ran them in safe mode, so here is the SUPER log:

ok, well actually there is nothing there. It ran for a little over an hour and found a crap load of stuff, but no log. So please let me know what you want me to do next. Thanks in advance.

So as far as the PC running, it seems good with no pop ups yet, and it was a little slow at first, but I am assuming that's from all the programs we just installed running; after loading everything it seems up to speed. The only other concern I have is the re icon in the task bar did pop up at startup, but I think that's because I do not have a firewall up. If all else is well can you recommend a good firewall that's free??? Thanks in advance!

#4 quietman7


Posted 08 September 2008 - 09:19 AM

MBAM has been updated. Please download and install the most current version (1.27) from here.

Perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 livinlifes2short


Posted 08 September 2008 - 11:58 PM

ok, so I got home to run the programs and it took forever for the PC to boot up; when it finally did there was no desktop or start menu, but eventually I got it back. So I re-downloaded the program from the link you provided and re-scanned with that. Then I did what was requested of me the first time and actually came out with a log from SUPER. So here is the MBAM log:

Malwarebytes' Anti-Malware 1.26
Database version: 1126
Windows 5.1.2600 Service Pack 2

9/8/2008 12:55:48 AM
mbam-log-2008-09-08 (00-55-48).txt

Scan type: Quick Scan
Objects scanned: 53282
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjvjj0e91n (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcnvjj0e91n (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\lphcjvjj0e91n.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\phcjvjj0e91n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt17.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.



and here is the super log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/09/2008 at 00:48 AM

Application Version : 4.21.1004

Core Rules Database Version : 3558
Trace Rules Database Version: 1546

Scan type : Complete Scan
Total Scan Time : 02:38:40

Memory items scanned : 177
Memory threats detected : 0
Registry items scanned : 6593
Registry threats detected : 0
File items scanned : 113312
File threats detected : 4

Adware.Casino Games (Golden Palace Casino)
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\U3\TEMP\489049650\SYSTEM\APPS\6DA918A6-D5E6-11DA-95BE-00E08161165F\DATA\LANGUAGES\DEFAULT\CASINO.EXE

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\BLPHCJVJJ0E91N.SCR

Rogue.Dropper/Gen
C:\WINDOWS\SYSTEM32\LPHCJVJJ0E91N.EXE

Adware.Vundo Variant/Rel
F:\WINDOWS\SYSTEM32\GFHKJ.TMP




hopefully we are getting somewhere, I am ready to get rid of this thing! Thanks in advance for all the help!!

#6 livinlifes2short


Posted 08 September 2008 - 11:59 PM

oops, I noticed after my reply that I actually posted my log for MBAM from yesterday; here is the updated one with the updated software, sorry:

Malwarebytes' Anti-Malware 1.27
Database version: 1130
Windows 5.1.2600 Service Pack 2

9/8/2008 9:55:14 PM
mbam-log-2008-09-08 (21-55-14).txt

Scan type: Quick Scan
Objects scanned: 52870
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjvjj0e91n (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcnvjj0e91n (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\lphcjvjj0e91n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcjvjj0e91n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt39.tmp.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt7.tmp (Trojan.Downloader) -> Delete on reboot.

#7 livinlifes2short


Posted 09 September 2008 - 12:09 AM

browsing the internet I am still getting pop ups, but they are not connecting to whatever site they are trying to reach. Just want to keep you informed, thanks

#8 livinlifes2short


Posted 09 September 2008 - 12:31 AM

I rebooted my PC, and right before my desktop popped up, but right after the Windows boot screen, I had a warning message pop up and then it disappeared as soon as the desktop came up. Also on the desktop is "Antivirus xp 2008 License Agreement". I just left it open; the only option is to agree to install.

#9 quietman7


Posted 09 September 2008 - 08:49 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different or the same tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#10 livinlifes2short


Posted 09 September 2008 - 10:44 AM

ok, here ya go. On boot up both times I got no errors or messages, etc. etc., so far so good; please let me know what ya find. I ran MBAM twice, rebooted after each one, so here is the SDFix log:


SDFix: Version 1.222
Run by Owner on Tue 09/09/2008 at 10:27 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\UCQATZ.dll - Deleted
C:\WINDOWS\system32\UCQATZ32.dll - Deleted
C:\WINDOWS\system32\phcjvjj0e91n.bmp - Deleted
C:\-33522~1 - Deleted
C:\WINDOWS\Temp\.ttF.tmp.exe - Deleted
C:\WINDOWS\Temp\.ttF.tmp.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 10:35:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001b4100991e]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001b4100991e]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\age of empires\\MYTH-Age2_x1.exe"="C:\\age of empires\\MYTH-Age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\age of empires\\Age2_x1\\age2_x1.exe"="C:\\age of empires\\Age2_x1\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\age of empires\\age2_x1.exe"="C:\\age of empires\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Delta Force 2\\Df2.exe"="C:\\Program Files\\Delta Force 2\\Df2.exe:*:Enabled:Df2"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\iCall\\iCall.exe"="C:\\Program Files\\iCall\\iCall.exe:*:Enabled:iCall"
"F:\\Documents and Settings\\strickland\\My Documents\\My Music\\fs9.exe"="F:\\Documents and Settings\\strickland\\My Documents\\My Music\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\jointops.exe"="C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\jointops.exe:*:Enabled:jointops"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 31 Oct 2007 15,618,076 ..SHR --- "C:\WINDOWS\himem.exe"
Sun 30 Dec 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Tue 6 Mar 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 6 Mar 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Tue 18 Dec 2007 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Mon 18 Feb 2008 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
Mon 21 Jan 2008 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Tue 1 Jan 2008 1,544 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Tue 18 Mar 2008 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Tue 4 Mar 2008 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Mon 4 Feb 2008 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Tue 4 Dec 2007 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Mon 19 Nov 2007 14,192 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\MSDVRMM_3959743976_983040_14668.tmp"
Wed 28 Nov 2007 14,192 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\MSDVRMM_3959743976_720896_67794.tmp"
Fri 2 Aug 2002 51,285,903 A..H. --- "C:\Documents and Settings\All Users\Documents\My Videos\Sample Videos\mcintro.wmv.bak"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Owner\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

Here is the first MBAM log:

Malwarebytes' Anti-Malware 1.27
Database version: 1130
Windows 5.1.2600 Service Pack 2

9/9/2008 11:14:35 AM
mbam-log-2008-09-09 (11-14-35).txt

Scan type: Quick Scan
Objects scanned: 51827
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And the second MBAM log:

Malwarebytes' Anti-Malware 1.27
Database version: 1130
Windows 5.1.2600 Service Pack 2

9/9/2008 11:26:54 AM
mbam-log-2008-09-09 (11-26-54).txt

Scan type: Quick Scan
Objects scanned: 52227
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks in advance

#11 quietman7


Posted 09 September 2008 - 11:00 AM

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

[kill explorer]
C:\WINDOWS\himem.exe
EmptyTemp
[start explorer]

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders.



#12 livinlifes2short


Posted 09 September 2008 - 11:21 AM

here is the log:

Explorer killed successfully
C:\WINDOWS\himem.exe moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_6f8.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09092008_121603

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_6f8.dat not found!
C:\DOCUME~1\Owner\LOCALS~1\Temp\WCESLog.log moved successfully.

#13 quietman7


Posted 09 September 2008 - 11:27 AM

How is your computer running now? Any more reports/signs of infection?

#14 livinlifes2short


Posted 09 September 2008 - 11:30 AM

Not as of right now. Would you like me to run MBAM again so you can see the log? But as of right now it seems great.

#15 quietman7


Posted 09 September 2008 - 11:38 AM

That's good.

However, some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is a hidden piece of malware which has not been detected that protects files (which have been detected) so they cannot be permanently deleted. There are two bad registry keys MBAM has not been able to delete so I recommend more thorough investigation if they return after the next scan. If they do, let me know I will direct you accordingly.
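Added example, not part of the thread and not Malwarebytes' own code: a small Python triage helper for the MBAM 1.2x log format posted above. It lists the entries still marked "Delete on reboot" (the reason quietman7 insists on a normal reboot before the next scan) and flags entries that recur across consecutive scans, which is the pattern behind the two registry keys he singles out in the last post. The two sample logs are constructed, abbreviated from entries in this thread.

```python
import re
from collections import Counter

# Section headers as MBAM 1.2x prints them. The summary block at the top of a log
# repeats these names with a count after the colon, so anchoring on ":$" keeps the
# summary lines from being mistaken for section headers.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# Detection line: "<path> (<detection name>) -> <action>."
# Registry data items carry an extra "Bad: (...) Good: (...) ->" segment before
# the final action, so the trailing part is split on " -> " and the last piece kept.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection line: section, path, detection name, final action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({
                "section": section,
                "path": m.group("path"),
                "name": m.group("name"),
                "action": m.group("rest").split(" -> ")[-1],
            })
    return items


def pending_reboot(items):
    """Paths MBAM could only schedule for deletion; a normal (not Safe Mode)
    reboot has to happen before they are actually gone."""
    return sorted({i["path"] for i in items if i["action"].startswith("Delete on reboot")})


def recurring(logs):
    """(section, path) pairs present in more than one of the given logs, i.e.
    detections that come back after every cleanup and merit a closer look."""
    seen = Counter()
    for text in logs:
        seen.update({(i["section"], i["path"]) for i in parse_mbam_log(text)})
    return sorted(key for key, n in seen.items() if n > 1)


# Constructed sample logs, abbreviated from the entries posted in this thread.
LOG_BEFORE_REBOOT = r"""
Malwarebytes' Anti-Malware 1.26
Database version: 1126

Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphcjvjj0e91n.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\wpi11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LOG_AFTER_SDFIX = r"""
Malwarebytes' Anti-Malware 1.27
Database version: 1130

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    first = parse_mbam_log(LOG_BEFORE_REBOOT)
    print("pending reboot:", pending_reboot(first))
    for section, path in recurring([LOG_BEFORE_REBOOT, LOG_AFTER_SDFIX]):
        print("recurs in every scan:", section, path)
```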
