Fake Windows Security Alerts & Various Spyware/Virus Problems


23 replies to this topic

#1 Wesley1701

Wesley1701

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Delaware
  • Local time:02:10 PM

Posted 14 October 2008 - 08:23 PM

I had a problem earlier yesterday with a balloon that would pop up on my taskbar (an image from someone's blog of the exact balloon that I had: http://raymond.cc/images/spysheriff1.GIF) and I worked for the past 48 hours trying to get rid of it. It started out by closing all of the windows that I had open yesterday and then shutting down my computer. I rebooted and then I ran my virus and spyware scan (the ones in Verizon Internet Security Suite) and nothing was found. I obviously had a problem, and updating my virus definition files did nothing, even with another scan.

I chose to download the 30-day free trial of BitDefender because someone on here had been praising its capabilities. When I ran it, it took care of about 15-20 viruses and a few spyware problems. It came up as unable to quarantine one problem and unable to delete the same problem. I took that to be the problem that was causing my balloon to appear because it was still there. I believed my computer to still have problems because in Task Manager I had processes with wild names like "kzmdqnmt.exe" and "sxyfevyv.exe". Shortly after running my second scan (the one on BitDefender), I got the thought that perhaps the balloon-causing virus might have placed whatever it is in my startup processes in "msconfig". I went in and found the one that BitDefender couldn't delete and then found it in my C: drive in WINDOWS. It wouldn't allow me to quarantine or delete the file. I was, however, able to alter the filename to ".exe2" just as an attempt to see if it was causing the problem. I figured that if it was, when my computer started next time it wouldn't load that, because it would be looking for the file name ".exe" and not ".exe2". (I realize now that I should have written the name of that file down in case I was messing with something vital to my computer, but I'm afraid I wasn't in the happiest of mindsets and was set on eradicating any and all viruses from my comp.) On startup next time my computer didn't have the balloon and I was able to delete that file.

(I just checked my list of startup items in my system configuration window and the file that I just talked about, the one that after deletion made my balloon disappear, is still on that list for some reason. It is "brastk" and the command is simply "brastk.exe".)

I restarted my computer again because the internet wasn't working. Since my restart I have gotten two notices of BitDefender blocking two trojans on my computer. I'm also receiving fake Windows Security Alerts that are, by far, the most official-looking viruses, spyware, malware (whatever the heck they are) ever. I'm afraid I can't post the exact text of these alerts because one hasn't opened since my writing this. I can tell you that "Keep Blocking" or "Unblock" can't be clicked and the "Enable Protection" button takes me to some site that wants me to purchase their spyware program.

I'm completely stuck and I am completely drained. I have my SATs tomorrow, so I need to get to bed, but I also really need to get my computer back to normal so I can start studying again, so I am going to start a spyware scan and set up a virus scan to run while I'm asleep. I'm sorry if this is *not at all* what needs to be said, but I tried to be detailed and follow the posting instructions.

These are the files in my running processes that look suspicious:
sxyfevyv.exe
kzmdqnmt.exe

I'm running on Windows XP Home Edition.

Thank you so much for any advice you can give me.

Wesley



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,528 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:10 PM

Posted 14 October 2008 - 08:42 PM

Hello, please do an MBAM scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Wesley1701 (Topic Starter)

Posted 14 October 2008 - 09:46 PM

Thank you for your response.

When installing Malwarebytes Anti-Malware I get an error message.

The message is:

Error

C:\Program Files\Malwarebytes' Anti-Malware \ssubtmr6.dll

Unable to register DLL/OCX: RegSvr32 failed with exit code 0x5.

Click Retry to try again, Ignore to proceed anyway (not recommended), or Abort to cancel installation.

---

I'm going to click retry, but I wanted to document exactly what it said just in case it doesn't work or I have to abort.

...

Clicking Retry numerous times didn't work and I aborted the installation. I still have the install file on my desktop.

Wesley

#4 boopme

Posted 14 October 2008 - 10:01 PM

Have you tried one of the other mirrors?

#5 Wesley1701 (Topic Starter)

Posted 14 October 2008 - 10:06 PM

Er... What mirrors? Sorry! Both of the links above are just executables. I googled it and found Malwarebytes Anti-Malware on CNet and downloaded that and got the same problem, but I'm not sure of other safe locations to download from.

Wes

#6 boopme

Posted 14 October 2008 - 10:20 PM

Sorry, I meant links. Looking for another option.

Meantime, run SAS first.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 boopme

Posted 14 October 2008 - 10:36 PM

Also, Wes, can you find those 2 exe files? Then submit them to Jotti's malware scan.
Post back their reply here.

#8 Wesley1701 (Topic Starter)

Posted 15 October 2008 - 02:55 PM

I can't thank you enough for helping me with all of this! Really!

I just installed SUPERAntiSpyware Free and I wanted to upload those two files before I rebooted and scanned. Also, I unchecked all of the other boxes in the Scanning Control tab. Can I assume that that's what you meant? I checked those three and unchecked all of the rest.

I located "kzmdqnmt.exe" and uploaded it to Jotti's malware scan.

Here are the results:

File: kzmdqnmt.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: f381baf874f88c3240f84314f77c3a1a

Scan taken on 15 Oct 2008 19:41:40 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:PureMorph
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.W32.Obfuscated.gx
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found Win32:PureMorph
Ikarus Found Virus.Win32.PureMorph
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.FakeAlert.IQ
Norman Virus Control Found W32/Renos.BBZ
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing

I couldn't locate "sxyfevyv.exe" at the moment, but there is another file in my processes and in WINDOWS32 that looked suspicious and it was called "azuludwh.exe" and I sent that through Jotti's malware scan. It too was infected and here's exactly what it told me:

File: azuludwh.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 26766183d64b3b75ce323258e9fda7cb

Scan taken on 15 Oct 2008 19:51:58 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:PureMorph
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found Win32:PureMorph
Ikarus Found Virus.Win32.PureMorph
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.FakeAlert.IQ
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing


I am now going to reboot in safe mode and run that scan.

Wes

Edited to add: Should I not have internet when I reboot I will respond as soon as I can!

Edited by Wesley1701, 15 October 2008 - 02:58 PM.


#9 Wesley1701 (Topic Starter)

Posted 15 October 2008 - 06:42 PM

I ran SUPERAntiSpyware Free and here is my log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/15/2008 at 07:29 PM

Application Version : 4.21.1004

Core Rules Database Version : 3597
Trace Rules Database Version: 1584

Scan type : Complete Scan
Total Scan Time : 03:23:18

Memory items scanned : 181
Memory threats detected : 0
Registry items scanned : 6910
Registry threats detected : 27
File items scanned : 128639
File threats detected : 77

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{013A653B-49A6-4f76-8B68-E4875EA6BA54}
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}\InprocServer32
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}\InprocServer32#ThreadingModel

Adware.180solutions/ZangoSearch
HKCR\SAIX.InstallerCaller
HKCR\SAIX.InstallerCaller\CLSID
HKCR\SAIX.InstallerCaller\CurVer
HKCR\SAIX.InstallerCaller.1
HKCR\SAIX.InstallerCaller.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#{DECEAAA2-370A-49BB-9362-68C3A58DDC62}

Trojan.Unknown Origin
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mslagent
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\smp

Adware.Casino Games (Golden Palace Casino)
HKU\S-1-5-21-3555039236-4257266007-2041406129-1012\Software\Golden Palace Casino PT

Malware.DriveCleaner
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files#C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion#LastModified

Trojan.DNSChanger-Codec
HKU\S-1-5-21-3555039236-4257266007-2041406129-1012\Software\uninstall

Adware.INetDelivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\Inet Delivery
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\akl

Rogue.PC-Cleaner
HKU\S-1-5-21-3555039236-4257266007-2041406129-1012\Software\mwc

Trojan.Downloader-Gen
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ brastk.exe ]

Adware.Tracking Cookie
C:\Documents and Settings\Roca Family\Cookies\roca_family@2o7[2].txt
C:\Documents and Settings\Roca Family\Cookies\roca_family@mediaonenetwork[1].txt
C:\Documents and Settings\Roca Family\Cookies\roca_family@msnportal.112.2o7[2].txt
C:\Documents and Settings\Roca Family\Cookies\roca_family@revsci[1].txt
C:\Documents and Settings\Roca Family\Cookies\roca_family@revsci[3].txt
C:\Documents and Settings\Roca Family\Cookies\roca_family@tacoda[1].txt
C:\WINDOWS\Temp\Cookies\roca_family@2o7[1].txt

Trojan.Fake-Drop/Gen
C:\WINDOWS\A.BAT
C:\WINDOWS\BASE64.TMP
C:\WINDOWS\BDN.COM
C:\WINDOWS\FVPROTECT.EXE
C:\WINDOWS\ITUNESMUSIC.EXE
C:\WINDOWS\MSSECU.EXE
C:\WINDOWS\SYSTEM32\AKTTZN.EXE
C:\WINDOWS\SYSTEM32\ANTICIPATOR.DLL
C:\WINDOWS\SYSTEM32\AWTOOLB.DLL
C:\WINDOWS\SYSTEM32\BDN.COM
C:\WINDOWS\SYSTEM32\BSVA-EGIHSG52.EXE
C:\WINDOWS\SYSTEM32\EMESX.DLL
C:\WINDOWS\SYSTEM32\H@TKEYSH@@K.DLL
C:\WINDOWS\SYSTEM32\HOPROXY.DLL
C:\WINDOWS\SYSTEM32\HXIWLGPM.DAT
C:\WINDOWS\SYSTEM32\HXIWLGPM.EXE
C:\WINDOWS\SYSTEM32\MEDUP012.DLL
C:\WINDOWS\SYSTEM32\MEDUP020.DLL
C:\WINDOWS\SYSTEM32\MSGP.EXE
C:\WINDOWS\SYSTEM32\MSNBHO.DLL
C:\WINDOWS\SYSTEM32\MSSECU.EXE
C:\WINDOWS\SYSTEM32\MSVCHOST.EXE
C:\WINDOWS\SYSTEM32\MTR2.EXE
C:\WINDOWS\SYSTEM32\MWIN32.EXE
C:\WINDOWS\SYSTEM32\NETODE.EXE
C:\WINDOWS\SYSTEM32\NEWSD32.EXE
C:\WINDOWS\SYSTEM32\PS1.EXE
C:\WINDOWS\SYSTEM32\REGC64.DLL
C:\WINDOWS\SYSTEM32\REGM64.DLL
C:\WINDOWS\SYSTEM32\RUNDL1.EXE
C:\WINDOWS\SYSTEM32\SSURF022.DLL
C:\WINDOWS\SYSTEM32\SSVCHOST.COM
C:\WINDOWS\SYSTEM32\SSVCHOST.EXE
C:\WINDOWS\SYSTEM32\SYSREQ.EXE
C:\WINDOWS\SYSTEM32\TAACK.DAT
C:\WINDOWS\SYSTEM32\TAACK.EXE
C:\WINDOWS\SYSTEM32\TEMP#01.EXE
C:\WINDOWS\SYSTEM32\THUN.DLL
C:\WINDOWS\SYSTEM32\THUN32.DLL
C:\WINDOWS\SYSTEM32\VBIEWER.OCX
C:\WINDOWS\SYSTEM32\VBSYS2.DLL
C:\WINDOWS\SYSTEM32\VCATCHPI.DLL
C:\WINDOWS\SYSTEM32\WINLOGONPC.EXE
C:\WINDOWS\SYSTEM32\WINSYSTEM.EXE
C:\WINDOWS\SYSTEM32\WINWGPX.EXE
C:\WINDOWS\USERCONFIG9X.DLL
C:\WINDOWS\WINSYSTEM.EXE
C:\WINDOWS\ZIP1.TMP
C:\WINDOWS\ZIP2.TMP
C:\WINDOWS\ZIP3.TMP
C:\WINDOWS\ZIPPED.TMP

Dpcproxy
C:\WINDOWS\SYSTEM32\DPCPROXY.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\PSOF1.EXE

Adware.Pacer D
C:\WINDOWS\SYSTEM32\PSOFT1.EXE

Trojan.Dluca-I
C:\WINDOWS\SYSTEM32\SNCNTR.EXE

Parasite.SpyAxe/Installer
C:\WINDOWS\TEMP\SAC7F.EXE


------------------------

Also, upon rebooting after the SUPERAntiSpyware scan I got two error messages when Windows opened.

They are:

"RUNDLL

Error loading C:\Program Files\Wild Tangent\APPS\CDA\cdaEngine0400.dll

The specified module could not be found.

OK"

&

"vmmdiag32.exe

Windows cannot find 'vmmdiag32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

OK"

Thanks again for all the help.

Wes
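The log above groups 27 registry and 77 file hits under category headings, and one of them is the autorun value that survived the file's removal: HKLM\...\CurrentVersion\Run#brastk [ brastk.exe ]. The command is a bare file name with no directory, so Windows resolves it through the loader's search path rather than from a fixed location, which is why the binary could sit in C:\WINDOWS and why the Run value remained after the file was deleted. Several of the Trojan.Fake-Drop/Gen files also carry names that imitate core system binaries (MSVCHOST.EXE, SSVCHOST.EXE, WINLOGONPC.EXE). As an added example, not code from the thread or from SUPERAntiSpyware, the following Python parses a shortened copy of the posted log, counts registry versus file hits, flags bare-name Run commands, and flags lookalike executable names. The block layout the parser assumes (a category line followed by registry keys or file paths, blocks separated by blank lines) is inferred from the posted text, and the list of imitated system binaries is this example's own heuristic.

```python
"""Parse a SUPERAntiSpyware scan log and run two checks over the hits.

Added example; not code from the thread or from SUPERAntiSpyware. The
excerpt is a shortened copy of the log posted above; the block layout the
parser assumes (a category line, then registry keys or file paths, blocks
separated by blank lines) and the lookalike list are assumptions.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Registry threats detected : 27
File threats detected : 77

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{013A653B-49A6-4f76-8B68-E4875EA6BA54}
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}\InprocServer32#ThreadingModel

Trojan.Unknown Origin
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\system32\smp\msrc.exe

Trojan.Downloader-Gen
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ brastk.exe ]

Adware.Tracking Cookie
C:\Documents and Settings\Roca Family\Cookies\roca_family@2o7[2].txt

Trojan.Fake-Drop/Gen
C:\WINDOWS\SYSTEM32\MSVCHOST.EXE
C:\WINDOWS\SYSTEM32\SSVCHOST.EXE
C:\WINDOWS\SYSTEM32\WINLOGONPC.EXE
C:\WINDOWS\SYSTEM32\RUNDL1.EXE
"""

REG_PREFIXES = ("HKLM\\", "HKCR\\", "HKU\\", "HKCU\\", "HKCC\\")
# Core binaries that fake-alert droppers imitate (heuristic list, an assumption).
LEGIT_STEMS = ("svchost", "winlogon", "rundll32", "lsass", "csrss", "services", "explorer", "smss")
EXEC_EXTS = (".exe", ".dll", ".com", ".scr", ".sys")
# "...\Run#<value name> [ <command> ]", as the log prints autorun hits.
RUN_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?#(?P<name>[^\[\]]+?)\s*\[\s*(?P<cmd>.*?)\s*\]$", re.I)


def is_item(line):
    """A detection line is a registry path or a drive-letter file path."""
    return line.startswith(REG_PREFIXES) or re.match(r"^[A-Za-z]:\\", line) is not None


def kind(item):
    return "registry" if item.startswith(REG_PREFIXES) else "file"


def parse_sas_log(text):
    """Return {category: [items]}; header and summary blocks are skipped."""
    detections = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.rstrip() for l in block.splitlines() if l.strip()]
        if len(lines) < 2 or is_item(lines[0]) or not all(is_item(l) for l in lines[1:]):
            continue
        detections.setdefault(lines[0], []).extend(lines[1:])
    return detections


def summarize(detections):
    return dict(Counter(kind(it) for items in detections.values() for it in items))


def _first_token(cmd):
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else cmd


def bare_autorun_commands(detections):
    """Run/RunOnce values whose command is a bare file name (no directory).

    Windows resolves such a name through the loader search path, so the
    binary can live in %WINDIR%, as brastk.exe did, rather than at a
    fixed, easily inspected location.
    """
    flagged = []
    for cat, items in detections.items():
        for it in items:
            m = RUN_RE.search(it)
            if m:
                exe = _first_token(m["cmd"])
                if not any(sep in exe for sep in ("\\", "/", ":")):
                    flagged.append((cat, m["name"], exe))
    return flagged


def _edit_distance(a, b):
    """Plain Levenshtein distance, used for near-miss names like "lsas.exe"."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_names(detections):
    """Executables whose base name embeds, or is one edit from, a core system binary."""
    flagged = []
    for items in detections.values():
        for it in items:
            base = it.rsplit("\\", 1)[-1].lower()
            if kind(it) != "file" or not base.endswith(EXEC_EXTS):
                continue
            stem = base.rsplit(".", 1)[0]
            for legit in LEGIT_STEMS:
                if stem != legit and (legit in stem or _edit_distance(stem, legit) <= 1):
                    flagged.append((it, legit))
                    break
    return flagged
```

On the posted log this yields one bare autorun command (brastk) and three lookalikes (MSVCHOST.EXE and SSVCHOST.EXE against svchost, WINLOGONPC.EXE against winlogon); RUNDL1.EXE is not caught because it is three edits from rundll32, which is the usual trade-off with a fixed distance threshold.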

#10 boopme

Posted 15 October 2008 - 08:13 PM

This is looking good. We can also fix that error, but we'll do it after this SDFix tool; it may cause more.
After SDFix, are you able to run the Malwarebytes scanner? If so, do that and post that log also.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#11 Wesley1701 (Topic Starter)

Posted 15 October 2008 - 09:15 PM

It's going to take me a little while to do this. I really need to get some schoolwork done, but I'm going to try all of this tomorrow.

I'm having trouble ensuring that all of my anti-spyware, malware, adware, and virus programs are off. I can't even figure out how to turn BitDefender off.

#12 boopme

Posted 15 October 2008 - 09:42 PM

OK, well, for BitDefender you can disable each feature (temporarily or permanently) from the Advanced settings window.

Most other apps can be disabled or shut down by right clicking the Icon in the System Tray next to the clock. Then select Turn off /shut down /disable etc...

#13 Wesley1701 (Topic Starter)

Posted 16 October 2008 - 03:17 PM

This is my SDFix report:


SDFix: Version 1.236
Run by Administrator on Thu 10/16/2008 at 03:44 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IPHD32.EXE - Deleted
C:\Documents and Settings\Roca Family\Application Data\Install.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 15:58:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\ovpaz.dat:inlfa 26680 bytes executable
C:\WINDOWS\arszw.dat:hdoco 56832 bytes executable
C:\WINDOWS\MSDFMAP.INI:grrby 56832 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"="C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"c:\\windows\\system32\\rk.exe"="c:\\windows\\system32\\rk.exe:*:Enabled:rk.exe"
"C:\\Documents and Settings\\Roca Family\\Local Settings\\Temp\\~os6D4.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Roca Family\\Local Settings\\Temp\\~os6D4.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Roca Family\\Local Settings\\Temp\\~os5BF.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Roca Family\\Local Settings\\Temp\\~os5BF.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\Rolling Marbles\\marbles.exe"="C:\\Program Files\\Rolling Marbles\\marbles.exe:*:Enabled:Rolling Marbles"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"="C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe:*:Enabled:stvoyHM"
"C:\\Documents and Settings\\Roca Family\\Local Settings\\Temp\\~os796.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Roca Family\\Local Settings\\Temp\\~os796.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\WINDOWS\\Temp\\~os6D5.tmp\\ossproxy.exe"="C:\\WINDOWS\\Temp\\~os6D5.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\WINDOWS\\Temp\\~os6FB.tmp\\ossproxy.exe"="C:\\WINDOWS\\Temp\\~os6FB.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealOne Player"
"C:\\WINDOWS\\Temp\\~os855.tmp\\ossproxy.exe"="C:\\WINDOWS\\Temp\\~os855.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"c:\\windows\\system32\\rlvknlg.exe"="c:\\windows\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:ipsec"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1161578280\\ee\\AOLSoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1161578280\\ee\\AOLSoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Documents and Settings\\Roca Family\\Desktop\\MIKEY.NET\\Star Trek\\Star Trek\\utorrent.exe"="C:\\Documents and Settings\\Roca Family\\Desktop\\MIKEY.NET\\Star Trek\\Star Trek\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\Roca Family\\Desktop\\Put On iPod\\Full Albums\\P3\\Documents and Settings\\Roca Family\\Desktop\\MIKEY.NET\\Star Trek\\Star Trek Enterprise\\utorrent.exe"="C:\\Documents and Settings\\Roca Family\\Desktop\\Put On iPod\\Full Albums\\P3\\Documents and Settings\\Roca Family\\Desktop\\MIKEY.NET\\Star Trek\\Star Trek Enterprise\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"J:\\Stored Files\\Put On iPod\\Full Albums\\utorrent.exe"="J:\\Stored Files\\Put On iPod\\Full Albums\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\Common Files\\AOL\\1205272271\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1205272271\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\AOL\\1205272271\\ee\\AOLDesktop.exe"="C:\\Program Files\\Common Files\\AOL\\1205272271\\ee\\AOLDesktop.exe:*:Enabled:AOL Desktop"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"J:\\Stored Files\\MIKEY.NET\\Programs\\utorrent.exe"="J:\\Stored Files\\MIKEY.NET\\Programs\\utorrent.exe:*:Enabled:µTorrent"
"J:\\utorrent.exe"="J:\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Program Files\\MusicBrainz Picard\\picard.exe"="C:\\Program Files\\MusicBrainz Picard\\picard.exe:*:Enabled:The next generation MusicBrainz tagger"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Documents and Settings\\Roca Family\\Local Settings\\Application Data\\AMS Services, Inc\\AMS 360\\WorkstationCoordinator.exe"="C:\\Documents and Settings\\Roca Family\\Local Settings\\Application Data\\AMS Services, Inc\\AMS 360\\WorkstationCoordinator.exe:*:Enabled: "
"C:\\Program Files\\Activision\\EF2\\EF2.exe"="C:\\Program Files\\Activision\\EF2\\EF2.exe:*:Enabled:Elite Force II"
"C:\\WINDOWS\\SYSTEM32\\DRIVERS\\svchost.exe"="C:\\WINDOWS\\SYSTEM32\\DRIVERS\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 4 Dec 2005 5,025,732 A..H. --- "C:\Downloads\BitTorrent-4.2.1.exe"
Sun 4 Dec 2005 21,727,767 A..H. --- "C:\Downloads\commentary.zip"
Wed 24 Sep 2003 49,238 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 24 Sep 2003 36,954 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 24 Sep 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Fri 23 Feb 2007 225,380 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Fri 27 Dec 2002 1,084,536 A..HR --- "C:\WINDOWS\Downloaded Program Files\WebDriverFullInstall.exe"
Thu 8 Jul 2004 0 A.SH. --- "C:\WINDOWS\SYSTEM32\tmzng.dll"
Sat 29 Nov 2003 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 29 Nov 2003 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Mon 23 Jan 2006 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Mon 23 Jan 2006 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Mon 23 Jan 2006 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Mon 18 Apr 2005 58,880 A..H. --- "C:\Documents and Settings\Roca Family\Desktop\~WRL1710.tmp"
Tue 3 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 4 Dec 2005 70,773,160 A..H. --- "C:\Documents and Settings\Roca Family\My Documents\My Videos\5_SE.zip"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 24 Sep 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Thu 2 Sep 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sat 4 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 4 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 4 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Sat 4 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!


----------

I'm going to try and run the Malwarebytes Anti-Malware scanner now.

Edit:

I got the same error message as before:

Error

C:\Program Files\Malwarebytes' Anti-Malware \ssubtmr6.dll

Unable to register DLL/OCX: RegSvr32 failed with exit code 0x5.

Click Retry to try again, Ignore to proceed anyway (not recommended), or Abort to cancel installation.

-------------

I am aborting.

Wes

Edited by Wesley1701, 16 October 2008 - 03:21 PM.


#14 boopme

boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,528 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 October 2008 - 03:38 PM

OK, let's fix the errors first, then try MBAM again.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click HERE if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
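An added example, not from boopme's post and not part of the Autoruns tool: a PowerShell script that lists Run/RunOnce registry entries whose target file no longer exists, which is exactly the kind of orphaned entry that produces the "Cannot find..." / "specific module could not be found" messages described above. The function names are my own; it only checks the four Run/RunOnce keys, whereas Autoruns also covers services, drivers, scheduled tasks, shell extensions and many other autostart locations.

```powershell
# Added example: find autostart entries whose target is missing from disk.
# Assumes a Windows host with PowerShell; the function names are this example's own.

function Get-AutostartImage {
    param([string]$Command)
    # Expand %windir%-style variables so the path can be tested as written in the registry.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }

    # rundll32 entries: what Windows fails to find is the DLL argument, not rundll32.exe.
    # A bare DLL name is looked up in System32, so test it there.
    if ($cmd -match '^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",\s]+)') {
        $module = $Matches[1]
        if (-not [IO.Path]::IsPathRooted($module)) {
            $module = Join-Path $env:SystemRoot "system32\$module"
        }
        return $module
    }

    # Quoted command line: the executable is the quoted part.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }

    # Unquoted path that may contain spaces: like CreateProcess, try progressively
    # longer prefixes until one names an existing file; otherwise report the first token.
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $tokens[0]
}

function Get-OrphanedAutostart {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; they are not registry values.
            if ($p.Name -like 'PS*') { continue }
            $image = Get-AutostartImage ([string]$p.Value)
            [PSCustomObject]@{
                Key      = $key
                Name     = $p.Name
                Command  = [string]$p.Value
                Image    = $image
                Orphaned = [string]::IsNullOrEmpty($image) -or -not (Test-Path -LiteralPath $image)
            }
        }
    }
}

# Report only entries whose target is missing; confirm each in Autoruns before deleting it.
Get-OrphanedAutostart | Where-Object { $_.Orphaned } | Format-Table Key, Name, Image -AutoSize
```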

#15 Wesley1701

Wesley1701
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Delaware

Posted 16 October 2008 - 06:38 PM

Okay, I searched for "cdaEngine0400.dll" and found it and deleted it. I looked for "vmmdiag32.exe" and couldn't find it for the life of me, but upon rebooting, it was gone!

I tried MBAM again and it didn't work.

Wes

Edited by Wesley1701, 16 October 2008 - 07:09 PM.
