Infected With Virus/virtumonde


31 replies to this topic

#1 tofte

Posted 23 September 2008 - 06:41 AM

Think I've caught virtumonde or some other trojan/virus off the net. Hijacked my wallpaper and replaced it with one of those 'you have spyware' pictures. Machine got a lot slower after that, and was hard to start. Cleaned out what I could find through ad-aware and spybot, but now I can't really get the machine to start at all anymore. It goes through the usual windows and welcome-screens, but then just freezes when the wallpaper appears. The wallpaper has gone back to being my regular one, no spyware warning anymore, but it won't load the desktop or any of the other stuff.

If anyone could help with this, it'd be greatly appreciated.

Thank you

Edit: also, I'm running windows XP

Edited by tofte, 23 September 2008 - 07:18 AM.



#2 tofte (Topic Starter)

Posted 23 September 2008 - 07:44 AM

Hi again, got it up and running now, it's just really slow and the spyware wallpaper is back. I've run ad-aware, spybot, mcafee stinger and panda on it, should I just post a HijackThis log in the other forum, or is there something else I can do first?

#3 DaChew (BC Advisor)

Posted 23 September 2008 - 08:20 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

Would you give MBAM a try

adaware and spybot aren't very good at these newer infections

Stinger was good with older ones

Panda might be better if run in safe mode

http://www.malwareremoval.com/tutorials/safemodeboot.php

The HJT forum has a huge backlog of posters seeking help right now, the wait can be quite long
Chewy

No. Try not. Do... or do not. There is no try.

#4 tofte (Topic Starter)

Posted 23 September 2008 - 09:25 AM

Thank you. I'll try MBAM and see if it helps. Should I post back here with a log, or won't that be necessary?

#5 DaChew (BC Advisor)

Posted 23 September 2008 - 09:37 AM

Please post the log, most infections take a series of scans with different programs and can need analysis depending upon what shows up or won't clean up.

#6 tofte (Topic Starter)

Posted 24 September 2008 - 04:48 AM

Hello again, here's the log from the scan. Noticed it's in Norwegian, so if there's anything you don't understand, although I doubt it, feel free to ask.

Malwarebytes' Anti-Malware 1.28
Database versjon: 1134
Windows 5.1.2600 Service Pack 3

24.09.2008 11:42:22
mbam-log-2008-09-24 (11-42-22).txt

Skanntype: Rask Skann
Objekter skannet: 42381
Tid tilbakelagt: 3 minute(s), 43 second(s)

Minneprosesser infisert: 1
Minnemoduler infisert: 1
Registernøkler infisert: 13
Registerverdier infisert: 6
Registerfiler infisert: 2
Mapper infisert: 11
Filer infisert: 13

Minneprosesser infisert:
C:\WINDOWS\system32\lphcp2bj0et9e.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Minnemoduler infisert:
C:\WINDOWS\system32\blphcp2bj0et9e.scr (Trojan.FakeAlert) -> Delete on reboot.

Registernøkler infisert:
HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{48e92754-2daf-4de4-8385-34f631580e9b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1c23ba2-8f20-4c01-b663-7ff2b3421194} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d37d6c1a-7ba4-47f4-9bf2-75031e257df6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f4406238-983a-4845-9053-f1d0007fd135} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcp2bj0et9e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhct2bj0et9e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registerfiler infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Programdata\rhct2bj0et9e\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Filer infisert:
C:\WINDOWS\system32\blphcp2bj0et9e.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Dag Torgerstuen\Lokale innstillinger\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dag Torgerstuen\Lokale innstillinger\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcp2bj0et9e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcp2bj0et9e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
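A small parser for the MBAM 1.x log format shown in the post above, added here as an example; it is not code from the thread or from Malwarebytes. The excerpt it parses is constructed from a few of the findings in that log, and the section names and the "path (Family) -> action" line shape are taken from the posted output.

```python
"""Parser for a Malwarebytes' Anti-Malware 1.x scan log (added example)."""
import re
from collections import Counter

# Constructed excerpt modelled on the log in post #6 (Norwegian MBAM 1.28
# headings); not the full log, just enough lines to exercise each case.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.28
Database versjon: 1134

Minneprosesser infisert: 1
Registerverdier infisert: 2
Filer infisert: 3

Minneprosesser infisert:
C:\\WINDOWS\\system32\\lphcp2bj0et9e.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lphcp2bj0et9e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\Control Panel\\Desktop\\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Filer infisert:
C:\\WINDOWS\\system32\\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\lphcp2bj0et9e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "<section> infisert: <n>" is a summary count, "<section> infisert:" opens
# a section, and items read "<path> (<Family>) -> [details ->] <action>."
SUMMARY_RE = re.compile(r"^(?P<section>.+ infisert): (?P<count>\d+)$")
HEADING_RE = re.compile(r"^(?P<section>.+ infisert):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()\s]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (summary_counts, findings); each finding records its section,
    path, detection family and the final action MBAM reports for it."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADING_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # Some lines carry "Bad: (1) Good: (0) -> ..." before the action,
            # so keep only the last "->" segment and drop the trailing period.
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            findings.append({"section": section, "path": m["path"],
                             "family": m["family"], "action": action})
    return summary, findings


def families(findings):
    """Count findings per detection family (Trojan.FakeAlert, Trojan.Agent, ...)."""
    return Counter(f["family"] for f in findings)


def pending_reboot(findings):
    """Items MBAM could not remove while in use; they are only gone after a
    reboot, which is why a rescan afterwards is needed to confirm cleanup."""
    return [f["path"] for f in findings if f["action"] == "Delete on reboot"]


def autostart_entries(findings):
    """Run-key values and driver files: the persistence that brings the
    fake-alert wallpaper back after a partial cleanup."""
    return [f["path"] for f in findings
            if "\\CurrentVersion\\Run\\" in f["path"]
            or f["path"].lower().endswith(".sys")]


def summary_mismatches(summary, findings):
    """Compare header counts with the items actually listed, so a truncated
    paste is noticed before anyone relies on the log. Returns {section: (claimed, listed)}."""
    listed = Counter(f["section"] for f in findings)
    return {s: (n, listed.get(s, 0)) for s, n in summary.items()
            if listed.get(s, 0) != n}
```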

#7 DaChew (BC Advisor)

Posted 24 September 2008 - 04:57 AM

http://www.bleepingcomputer.com/forums/ind...st&p=945875

After the reboot into normal mode to finish cleanup, would you run ATFCleaner and SAS exactly as specified in these directions

#8 tofte (Topic Starter)

Posted 24 September 2008 - 09:07 AM

All right, it took some time to scan, but here's the log from SAS.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/24/2008 at 03:58 PM

Application Version : 4.21.1004

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type : Complete Scan
Total Scan Time : 03:37:50

Memory items scanned : 169
Memory threats detected : 0
Registry items scanned : 4878
Registry threats detected : 10
File items scanned : 46184
File threats detected : 1

Adware.180solutions/Search Assistant
C:\Programfiler\MediaGateway
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaGateway
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaGateway#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaGateway#DisplayName
HKCR\MediaGateway.LicenseInstaller
HKCR\MediaGateway.LicenseInstaller\CLSID
HKCR\MediaGateway.LicenseInstaller\CurVer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll [  ]

#9 DaChew (BC Advisor)

Posted 24 September 2008 - 10:06 AM

This infection is a particularly nasty one involving rootkit and backdoor trojan, it might not have infected your computer as bad as some, maybe your protection worked better.


http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Let's run SDFix just to be sure, the directions are fairly complicated, you might want to print them up

http://www.bleepingcomputer.com/forums/ind...mp;#entry948242

There's also the possibility that all your confidential information was compromised

The good news is this has been around for a while and our selfhelp tools are getting better at handling it.

After running SDFix would you update MBAM and run another quick scan and post that log also.

#10 tofte (Topic Starter)

Posted 24 September 2008 - 11:26 AM

I've run SDFix successfully, but it won't let me update MBAM. Says to check if I'm connected to the internet and that my firewall allows MBAM to connect to it, and as far as I know it is. I've had some trouble opening some pages before while infected, so I don't know if that could have anything to do with it?

Anyways, here's the SDFix log

SDFix: Version 1.228
Run by Dag Torgerstuen on 24.09.2008 at 18:09

Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\tdssserv.sys - Rootkit.Win32.Agent.cku
C:\WINDOWS\system32\drivers\TDSSserv.sys - Rootkit.Win32.Agent.cku

Name :
tdssserv

Path :
\systemroot\system32\drivers\TDSSserv.sys

tdssserv - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSserv.sys - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 18:14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programfiler\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:28,bf,e6,ba,1c,dd,15,0f,49,47,51,ba,57,ff,89,6e,31,1c,de,a3,a3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6b,3d,8a,86,01,66,d9,02,6f,60,cb,b2,6d,2c,d4,34,bd,..
"khjeh"=hex:0c,8f,c9,82,a2,5a,d4,e7,ca,97,47,ae,cb,53,83,34,70,8b,8e,46,37,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,d8,62,38,fa,17,5d,cc,71,b3,eb,9a,a7,47,0c,26,5d,04,bf,d2,72,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programfiler\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:28,bf,e6,ba,1c,dd,15,0f,49,47,51,ba,57,ff,89,6e,31,1c,de,a3,a3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6b,3d,8a,86,01,66,d9,02,6f,60,cb,b2,6d,2c,d4,34,bd,..
"khjeh"=hex:0c,8f,c9,82,a2,5a,d4,e7,ca,97,47,ae,cb,53,83,34,70,8b,8e,46,37,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,d8,62,38,fa,17,5d,cc,71,b3,eb,9a,a7,47,0c,26,5d,04,bf,d2,72,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programfiler\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:28,bf,e6,ba,1c,dd,15,0f,49,47,51,ba,57,ff,89,6e,31,1c,de,a3,a3,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6b,3d,8a,86,01,66,d9,02,6f,60,cb,b2,6d,2c,d4,34,bd,..
"khjeh"=hex:0c,8f,c9,82,a2,5a,d4,e7,ca,97,47,ae,cb,53,83,34,70,8b,8e,46,37,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,d8,62,38,fa,17,5d,cc,71,b3,eb,9a,a7,47,0c,26,5d,04,bf,d2,72,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programfiler\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:28,bf,e6,ba,1c,dd,15,0f,49,47,51,ba,57,ff,89,6e,31,1c,de,a3,a3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6b,3d,8a,86,01,66,d9,02,6f,60,cb,b2,6d,2c,d4,34,bd,..
"khjeh"=hex:0c,8f,c9,82,a2,5a,d4,e7,ca,97,47,ae,cb,53,83,34,70,8b,8e,46,37,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,d8,62,38,fa,17,5d,cc,71,b3,eb,9a,a7,47,0c,26,5d,04,bf,d2,72,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\Kazaa\\kazaa.exe"="C:\\Programfiler\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Programfiler\\iTunes\\iTunes.exe"="C:\\Programfiler\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programfiler\\Soulseek\\slsk.exe"="C:\\Programfiler\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 30 Jan 2006 56 A.SHR --- "C:\i386\9535182C82.sys"
Mon 30 Jan 2006 3,766 A.SH. --- "C:\i386\KGyGaAvL.sys"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Programfiler\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Programfiler\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Tue 30 Jan 2007 104 ..SHR --- "C:\WINDOWS\system32\9535182C82.sys"
Tue 30 Jan 2007 6,580 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 9 Feb 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 9 Feb 2006 4,348 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Min musikk\Sikkerhetskopi av lisens\drmv1key.bak"
Fri 31 Mar 2006 20 A..H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Min musikk\Sikkerhetskopi av lisens\drmv1lic.bak"
Thu 9 Feb 2006 400 A.SH. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Min musikk\Sikkerhetskopi av lisens\drmv2key.bak"
Thu 26 Oct 2006 41,472 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL0152.tmp"
Thu 26 Oct 2006 20,992 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL0170.tmp"
Thu 26 Oct 2006 20,992 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL0486.tmp"
Thu 26 Oct 2006 20,480 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL0843.tmp"
Thu 26 Oct 2006 41,472 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL0990.tmp"
Thu 26 Oct 2006 41,984 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL1153.tmp"
Thu 26 Oct 2006 40,960 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL1217.tmp"
Thu 26 Oct 2006 41,472 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL1252.tmp"
Thu 26 Oct 2006 40,960 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL1679.tmp"
Thu 26 Oct 2006 41,472 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL1925.tmp"
Thu 26 Oct 2006 19,968 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL2134.tmp"
Thu 26 Oct 2006 37,888 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL2151.tmp"
Thu 26 Oct 2006 41,472 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL2226.tmp"
Thu 26 Oct 2006 41,472 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL2809.tmp"
Thu 26 Oct 2006 41,472 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL2952.tmp"
Thu 26 Oct 2006 19,968 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL3025.tmp"
Thu 26 Oct 2006 41,984 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL3766.tmp"
Thu 26 Oct 2006 40,960 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL3978.tmp"
Thu 26 Oct 2006 39,936 ...H. --- "C:\Documents and Settings\Dag Torgerstuen\Mine dokumenter\Ting som er skrevet\Kunst\~WRL4003.tmp"

Finished!

#11 DaChew (BC Advisor)

Posted 24 September 2008 - 12:00 PM

I just had a failure to update also, their server is very busy, I did get it to update (MBAM) by choosing a different update mirror

You might also try the manual update in the link I posted earlier

#12 tofte (Topic Starter)

Posted 24 September 2008 - 12:06 PM

All right, downloaded the update from your previous post and ran a quick scan. Came up with no threats, here's the log

Malwarebytes' Anti-Malware 1.28
Database versjon: 1139
Windows 5.1.2600 Service Pack 3

24.09.2008 19:01:39
mbam-log-2008-09-24 (19-01-39).txt

Skanntype: Rask Skann
Objekter skannet: 42231
Tid tilbakelagt: 3 minute(s), 30 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

#13 DaChew (BC Advisor)

Posted 24 September 2008 - 12:11 PM

Malwarebytes' Anti-Malware 1.28
Database version: 1202
Windows 5.1.2600 Service Pack 3

9/24/2008 1:07:58 PM
mbam-log-2008-09-24 (13-07-58).txt

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 1 second(s)


Database versjon: 1139


We really need you to get the latest definition update

#14 tofte (Topic Starter)

Posted 24 September 2008 - 12:18 PM

Hmm, any idea on how to get it besides from the link you provided earlier? Tried their homepage as well, but it's basically just the same version that I have running now. Trying to upgrade it while running MBAM just results in the error message I mentioned earlier. Could it have anything to do with any firewall I might have up or any other anti-spy/malware program running?

#15 DaChew (BC Advisor)

Posted 24 September 2008 - 12:20 PM

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

try this link