Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AntispywareXP 2009 Infection...Programs have been disabled.


  • Please log in to reply
1 reply to this topic

#1 ibiza

ibiza

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:08 PM

Posted 03 November 2008 - 09:15 AM

Ok, I guess its time I made a post. My work laptop became infected with this virus (I have read other topics with people that had the same virus and have started with some basic scans and have been able to succesfully delete this virus. However, several programs began dissapearing or became disabled and I have no idea if these are still on my computer and can repaired or if I need to start re-installing programs. (I did have Connected Data Protector, however my backup was a few days old and I would rather not restore that unless I absolutely cannot restore things on the computer.

I initially ran an MBAM quick scan and here are my results:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

11/1/2008 12:16:35 PM
mbam-log-2008-11-01 (12-16-35).txt

Scan type: Quick Scan
Objects scanned: 65753
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispywarexp2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antispywarexp2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispywarexp 2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\karna.dat -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10802.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\leecr\Local Settings\Temporary Internet Files\ibobyg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbqbx.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSbrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrhym.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) -> Delete on reboot.


Then I ran a full scan and these were my results:

Malwarebytes' Anti-Malware 1.30
Database version: 1352
Windows 5.1.2600 Service Pack 2

11/1/2008 1:10:11 PM
mbam-log-2008-11-01 (13-10-11).txt

Scan type: Full Scan (C:\|D:\|E:\|H:\|)
Objects scanned: 145482
Time elapsed: 41 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{7E0465D5-B0DC-479E-B9DD-3F4479DC9DDB}\RP140\A0101410.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\wrdwn2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\TDSSbf05.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\leecr\Local Settings\Temp\TDSSc00f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Then I scanned with Ad-aware:

Total scans performed: 1
Total infections detected: 7
Total infections removed: 7
Total infections quarantined: 0
Total objects scanned: 133780

Average TAI of infections: 1.71

Tracking Cookie TAI: 3 Items found: 4 Items removed: 3
MRU object: TAI: 0 Items found: 3 Items removed: 3

I also ran a spybot S&D scan and a stinger scan. They only thing I found with spybot was my VPN client so I did not delete it. I did not find anything with stinger.

What should I do next? Is it possible that I might be able to restore those programs?

Thanks in advance for any help!

Edited by leecravens, 03 November 2008 - 08:29 PM.


BC AdBot (Login to Remove)

 


#2 ibiza

ibiza
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:08 PM

Posted 07 November 2008 - 11:48 PM

Hey, sorry, I think I read something about bumping threads but it has been several days now and I am several pages down. I am still stuck in the same spot. If anybody is familiar with this virus or how to re-enable these programs your help would be greatly appreciated.

Thanks :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users