
I Have Been Taken Over Help Please,thanks


15 replies to this topic

#1 kdt333
  • Members
  • 21 posts

Posted 29 September 2008 - 08:56 AM

Hello, hope all is well with you guys...
Late last night I downloaded a file and after I installed it my AVG went off, but alas it was too late...
I then noticed in big print after my time it looks like this: 09:47:VIRUS ALERT! so I tried to run AVG to no avail on fixing the problem. I then noticed my c: drive and cd drive have disappeared. I then tried to hit ctrl alt del and it says task manager has been disabled by your administrator... I was also bombarded with buy-this-and-that fake popups and alerts.
I have some skills but I have only been able to remove some pop ups; also there were 3 shortcuts placed on my desktop, one says spyware and malware protection, the other says privacy protector and the third says error cleaner. I have run McAfee, Win OneCare, and avast and all I have done is killed the 3 shortcuts and some popups; all the rest is still fried..


Please help, I can follow directions well

Thank you all so much...

kdt333 :thumbsup:


#2 DaChew (Visiting Alien)
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 29 September 2008 - 09:08 AM

welcome to bleeping

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

see if you can get MBAM to install and run a scan

Edited by DaChew, 29 September 2008 - 09:08 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 DaChew

Posted 29 September 2008 - 09:12 AM

Also as you have found out

Late last night I downloaded a file


Using any peer-to-peer (P2P) or file sharing program is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help! In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications. Read P2P Software User Advisories, Risks of File-Sharing Technology and P2P file sharing: Anticipate the risks.

#4 kdt333 (Topic Starter)

Posted 29 September 2008 - 09:30 AM

will do


Thanks a lot...

KDT333

Edited by kdt333, 29 September 2008 - 09:33 AM.


#5 kdt333 (Topic Starter)

Posted 29 September 2008 - 09:59 AM

here ya go my friend...

It said all but a few were fixed and the others were to be deleted after reboot; all seems better.

Everything I described above is back: c:, d:, task manager


Here's what ya asked for and thank you very much for the help...

Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 3

9/29/2008 10:47:28 AM
mbam-log-2008-09-29 (10-47-28).txt

Scan type: Quick Scan
Objects scanned: 45309
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 18
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qoMdCtUM.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ba26bbf-4529-41e9-a277-c99675dc354c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1ba26bbf-4529-41e9-a277-c99675dc354c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b091d1b-af42-4ea3-8ff5-3adb46fe8dae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxngdax (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7b091d1b-af42-4ea3-8ff5-3adb46fe8dae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.bxfa (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomdctum -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdctum -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0047003-47834) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\qoMdCtUM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\MUtCdMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MUtCdMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXNgdaX.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fhiblxai.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iaxlbihf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\ewte.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnOebb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kenny\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kenny\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kenny\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kenny\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kenny\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kenny\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


Also if it is fixed, what do u recommend I run? My choices are McAfee (really don't like), I have Spybot, but it wasn't running, and I have avast and AVG, which if I would have scanned it with that it would have caught it; I get in the habit of not scanning d/ls...

I tend to like AVG and Spybot, just didn't have Spybot running. I cannot afford to pay for a program as I am disabled (kidney cancer) removed.. I know there are good programs out there that are free...

Thanks again for all your help

Kenny

P.S. on my avast choices when I click on access scanner I get this error... AVAST THE AAVM SUBSYSTEM DETECTED A RPC ERROR, THE OPERATION COULD NOT BE COMPLETED...

huh???

Edited by kdt333, 29 September 2008 - 10:03 AM.
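The "Registry Data Items Infected" block of the log above is what ties the scanner's findings back to the symptoms kdt333 described: NoDrives=12 is the Explorer bitmask that hides C: and D:, DisableTaskMgr=1 is the "Task Manager has been disabled by your administrator" message, and sTimeFormat is the "VIRUS ALERT!" text in the clock. As an added example (editor's code, not from the thread or from Malwarebytes), here is a small parser for those log lines that decodes each reverted policy value into the symptom it caused; the three sample lines are constructed to match the format of the posted log.

```python
import re

# Constructed sample in the shape of the "Registry Data Items Infected" lines
# of the MBAM 1.28 log posted above (three of the eighteen entries).
SAMPLE_LOG = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
"""

# One log line: <registry path> (<detection>) -> Bad: (<x>) Good: (<y>) -> <action>.
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)

def parse_data_items(log_text):
    """Return a list of dicts, one per 'Registry Data Items' log line."""
    items = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines and non-data entries are skipped
        key_path, _, value_name = m.group("path").rpartition("\\")
        items.append({"key": key_path, "name": value_name,
                      "detection": m.group("detection"), "bad": m.group("bad"),
                      "good": m.group("good"), "action": m.group("action")})
    return items

def drives_hidden(mask):
    """Decode the Explorer NoDrives bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]

def explain(item):
    """Translate a policy value the scanner reverted into the symptom it caused."""
    name, bad = item["name"], item["bad"]
    if name == "NoDrives":
        return "Explorer hid drives " + ", ".join(drives_hidden(int(bad)))
    if name == "DisableTaskMgr":
        return "Task Manager " + ("disabled by policy" if bad == "1" else "not restricted")
    if name == "sTimeFormat":
        return "clock in the taskbar renders as " + repr(bad)
    return f"{name} set to {bad!r} (expected {item['good']!r})"

if __name__ == "__main__":
    for item in parse_data_items(SAMPLE_LOG):
        print(f"{item['detection']:<22} {explain(item)}")
```

Feeding the full posted log to parse_data_items() picks up all eighteen data items, including the Start_Show* and No* policy values that explain the missing Start menu entries.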


#6 DaChew

Posted 29 September 2008 - 10:09 AM

Trojan.Vundo.H is almost always a very hard-to-remove infection requiring multiple scans with different programs

let's try ATF Cleaner and SAS from safe mode followed by another quick scan with MBAM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

It should be alright to save a little time and just do a quick scan with SAS

We are going to have to address your antivirus, make sure that you are only running one at a time

avg antivirus has some issues now

spybot is good but don't run teatimer

avast is a system intensive suite but very good

Edited by DaChew, 29 September 2008 - 10:09 AM.


#7 kdt333

Posted 29 September 2008 - 10:14 AM

ROGER, CC. will do..

Thanks Chewy, and what does urrmm Rockytop mean, whereabouts are you? I'm in rockytopville...

Knoxville, TN...


Thanks ,Kenny

#8 kdt333

Posted 29 September 2008 - 10:21 AM

sorry.

Edited by kdt333, 29 September 2008 - 10:26 AM.


#9 DaChew

Posted 29 September 2008 - 11:09 AM

rockytop is a state of mind, unfortunately the last few saturdays............................



:thumbsup:

#10 kdt333

Posted 29 September 2008 - 11:11 AM

OK chewy, I have got lost and I believe I have come about. I got lost in your linking thread and what that guy was saying. I am sorry and appreciate your generous patience...
I went into safe as admin logon and did ATF and then I tried to stay in safe as admin logon and run SAS, but I couldn't find the SAS exe in safe as admin... now keep in mind I was logged in originally as me and admin, combined in one, so now I am running SAS logged in non-safe, kenny logon, and am running SAS
please don't let me lose you...
I am almost 40 and have been self taught in PCs since late 70's 80's, learned from mistakes the whole time... ;)




TY

U JUST DONT KNOW :thumbsup:

Edited by kdt333, 29 September 2008 - 11:14 AM.


#11 kdt333

Posted 29 September 2008 - 11:20 AM

rockytop is a state of mind, unfortunately the last few saturdays............................



:thumbsup:


CC my friend... I hear ya there...
heh heh if you only knew...
We will be alright in a year or 3 (3) lol
I'm up on Clinton Hwy... raised here since 70
Before my father died in 97, we had done years of tile work, but one of the most memorable was Phillip Fulmer's 2 houses before his current house...
I can relate. We had season tickets from Stanley Morgan days up until the latter 80s...
TN is a young team this yr, I hope we get a new QB, I believe this one urrrm sucks, lol


Peace and again thanks for helping me...

KDT

#12 kdt333

Posted 29 September 2008 - 11:23 AM

so far SAS has found 2 tracking cookies on bout 50,000 files, no biggie... I seem to be better and faster than before I d/led freakin Trojans...

Last night at 1 a.m. I started this adventure and sat thru AVG going thru 660,000 files, urrrm...
I'M OVER IT, HEH HEH.... Running GR8 right now.... all admin functions back...

You are a GODSEND...

Edited by kdt333, 29 September 2008 - 11:25 AM.


#13 kdt333

Posted 29 September 2008 - 11:33 AM

:thumbsup: :flowers: :trumpet: :inlove:


Where ya at man, ya got my curiosity up now...
I know u can be a U.T. fan and live anywhere... heh heh...
I lived in Tallahassee FL. from 80 to 85 and I used to go to the F.S.U. football museum and look at a football in a case that was garnet and orange, with a score on it from the 60s I believe; don't remember who won but, ahhh the dreams of that game and then it happened in my life...

Email me if you would like, I don't see many people round here...


Thanks again and again...

#14 kdt333

Posted 29 September 2008 - 01:03 PM

I think it is ok, I can get whatever there is off, I think...
Thank you so much and my lady thanks you, I wish all of the U.S.
were like YOU AND I...


Thanks...
KDT333

#15 DaChew

Posted 29 September 2008 - 01:51 PM

If there are no more problems or signs of infection

http://www.bleepingcomputer.com/forums/ind...mp;#entry943994
