Virtumonde help needed


18 replies to this topic

#1 BN40


Posted 27 December 2008 - 03:28 PM

Hello, I write to ask for some help with Virtumonde. It showed up when I did a spyware check (Ad-Aware and Spybot) and found the problem a few days ago. I used both to fix it but it kept reappearing when I re-ran the spyware check. AVG also found it. I ran SUPERAntiSpyware and it seemed to fix the problem... so I thought. It does not appear on AVG, Ad-Aware or Spybot but random pop-ups are still occurring. I read through the BleepingComputer forum, which suggested running SUPERAntiSpyware in Safe Mode. I did that but SAS still comes up with nothing. I ran a file search for the word 'virtumonde' and got a ton of found files. I wonder if anyone can help me with this problem. Thanks in advance.



#2 boopme


Posted 27 December 2008 - 03:40 PM

Hello, let's see what's left here.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 BN40


Posted 27 December 2008 - 04:06 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2

27/12/2008 21:04:33
mbam-log-2008-12-27 (21-04-33).txt

Scan type: Quick Scan
Objects scanned: 58325
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba4f4f0c-5f41-4a48-b55e-ce09cd502b0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba4f4f0c-5f41-4a48-b55e-ce09cd502b0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kxypbk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
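MBAM logs use a fixed "item (threat) -> action" line format under section headers, so a log like the one in this post can be parsed rather than read line by line. The script below is an added example, not part of the post and not Malwarebytes' own tooling: it extracts the header and the detections, checks that the summary counts match what is actually listed, groups detections by threat family and by persistence mechanism, and notes that the same CLSID appears both under Explorer's Browser Helper Objects key and under HKCR\CLSID, which is how a BHO is registered. The sample log is the one posted above, trimmed to the sections that contain detections; every path and threat name in it comes from the post.

```python
import re
from collections import defaultdict

# Constructed input: the relevant lines of the MBAM log from the post above,
# embedded here so the parser runs offline. Sections with no detections are omitted.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 58325

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba4f4f0c-5f41-4a48-b55e-ce09cd502b0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba4f4f0c-5f41-4a48-b55e-ce09cd502b0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kxypbk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_mbam_log(text):
    """Split an MBAM log into its 'key: value' header and a list of detections."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                       # 'Registry Keys Infected:' starts a listing
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:           # '<item> (<threat>) -> <action>'
            detections.append({"section": section, **m.groupdict()})
            continue
        if section is None and ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, detections


def classify(item):
    """Rough persistence/trace classification of a detected item path."""
    low = item.lower()
    if re.match(r"^[a-z]:\\", low):
        return "file"
    if "browser helper objects" in low:
        return "BHO"
    if "\\clsid\\" in low:
        return "COM class"
    if "\\currentversion\\run" in low:
        return "Run key"
    return "registry marker"


def count_mismatches(header, detections):
    """Compare the summary counts in the header with the items actually listed."""
    listed = defaultdict(int)
    for d in detections:
        listed[d["section"]] += 1
    mismatches = {}
    for key, value in header.items():
        if key.endswith("Infected") and value.isdigit() and int(value) != listed[key]:
            mismatches[key] = (int(value), listed[key])
    return mismatches


def triage(detections):
    by_threat, mechanisms = defaultdict(int), defaultdict(int)
    bho_ids, clsid_ids = set(), set()
    for d in detections:
        by_threat[d["threat"]] += 1
        kind = classify(d["item"])
        mechanisms[kind] += 1
        g = GUID_RE.search(d["item"])
        if g and kind == "BHO":
            bho_ids.add(g.group(0).lower())
        elif g and kind == "COM class":
            clsid_ids.add(g.group(0).lower())
    return {
        "by_threat": dict(by_threat),
        "mechanisms": dict(mechanisms),
        # A BHO is registered in two places: Explorer's BHO list and HKCR\CLSID.
        # The same GUID in both ties the CLSID entry to that BHO.
        "paired_bhos": sorted(bho_ids & clsid_ids),
        "not_removed": [d["item"] for d in detections
                        if not d["action"].startswith("Quarantined and deleted")],
    }


if __name__ == "__main__":
    hdr, dets = parse_mbam_log(MBAM_LOG)
    print(hdr.get("Database version"), len(dets), "detections")
    print(count_mismatches(hdr, dets))
    print(triage(dets))
```

The "not_removed" list is the one to watch in a real log: anything whose action is not "Quarantined and deleted" is still on disk or in the registry and is the reason MBAM asks for a reboot.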

#4 boopme


Posted 27 December 2008 - 04:19 PM

Hi again, please run this now.

SmitFraudFix by S!Ri
Copy paste that report... The report can be found at the root of the system drive, usually at C:\rapport.txt .

Then run MBAM once again.
Open MBAM and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new log and reboot.


I'll be back in a few hours to check.

#5 BN40


Posted 27 December 2008 - 04:35 PM

HI Boopme,

Was I just supposed to run Search and paste the report? No cleaning? If so, see below.

SmitFraudFix v2.387

Scan done at 21:28:02.55, 27/12/2008
Run from C:\Documents and Settings\Brett\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Brett


C:\DOCUME~1\Brett\LOCALS~1\Temp


C:\Documents and Settings\Brett\Application Data


Start Menu


C:\DOCUME~1\Brett\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll kxypbk.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


RK



DNS

Description: SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{039FCD38-C947-4BD7-850B-015E9519863F}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{863241DE-F2C5-4036-B13D-CA6CDB95ECD6}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AF48ACD6-FAFF-4F59-8B7D-10528DD2C3FE}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{039FCD38-C947-4BD7-850B-015E9519863F}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{863241DE-F2C5-4036-B13D-CA6CDB95ECD6}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AF48ACD6-FAFF-4F59-8B7D-10528DD2C3FE}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C82E27F7-1AF0-4311-89CC-C170394DFC39}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{039FCD38-C947-4BD7-850B-015E9519863F}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{863241DE-F2C5-4036-B13D-CA6CDB95ECD6}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AF48ACD6-FAFF-4F59-8B7D-10528DD2C3FE}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C82E27F7-1AF0-4311-89CC-C170394DFC39}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


Scanning for wininet.dll infection


End
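The report above shows two persistence points worth reading by hand rather than taking the tool's "not inevitably infected" line at face value. The AppInit_DLLs value (every DLL named there is loaded into each process that loads user32.dll while LoadAppInit_DLLs is 1) still lists kxypbk.dll, the file MBAM quarantined in post #3, next to an AVG DLL; and the hosts file has lost its "127.0.0.1 localhost" line while mapping two names to loopback, which is why SmitFraudFix calls it corrupted. The script below is an added example, not part of the post and not SmitFraudFix code: it pulls those sections out of the report text, separates known-good from unknown AppInit entries against an allowlist, marks entries whose file MBAM already removed as stale, classifies hosts entries as sinkholed (loopback) or hijacked (any other address), and checks the Userinit value against the expected path on a C:\WINDOWS install. Two things are assumptions: that avgrsstx.dll belongs to the AVG 8 install whose processes appear in the report, and that the removed-file list is exactly what MBAM reported in post #3.

```python
import re

# Constructed input: the hosts, AppInit_DLLs and Winlogon sections of the
# SmitFraudFix report from the post above, copied with the report's own
# reg-export escaping (doubled backslashes) so the parser has to undo it.
REPORT = r"""
hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll kxypbk.dll"
"LoadAppInit_DLLs"=dword:00000001

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

# Assumption: avgrsstx.dll belongs to the AVG 8 install whose processes appear
# in the report; kxypbk.dll and 2.tmp are the files MBAM quarantined in post #3.
KNOWN_GOOD_APPINIT = {"avgrsstx.dll"}
REMOVED_BY_MBAM = {"kxypbk.dll", "2.tmp"}

LOOPBACK = {"127.0.0.1", "0.0.0.0"}
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<str>.*)"|(?P<raw>\S+))$')
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")


def parse_reg_values(report):
    """Collect "name"="value" / "name"=dword:... lines, undoing reg-export escaping."""
    values = {}
    for line in report.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        if m.group("str") is not None:
            values[m.group("name")] = m.group("str").replace("\\\\", "\\")
        else:
            values[m.group("name")] = m.group("raw")
    return values


def parse_hosts(report):
    """Return (ip, hostname) pairs; only the hosts dump in a SmitFraudFix report has IP-first lines."""
    pairs = []
    for line in report.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            pairs.append((m.group("ip"), m.group("host")))
    return pairs


def split_appinit(value):
    """AppInit_DLLs is a space- or comma-separated list of DLL names."""
    return [d for d in re.split(r"[\s,]+", value) if d]


def triage_appinit(dlls, allowlist, removed=frozenset()):
    allow = {a.lower() for a in allowlist}
    gone = {r.lower() for r in removed}
    return {
        "allowed": [d for d in dlls if d.lower() in allow],
        "suspect": [d for d in dlls if d.lower() not in allow],
        "stale": [d for d in dlls if d.lower() in gone],  # still listed after its file was deleted
    }


def check_hosts(entries):
    """Loopback entries block a name; entries pointing anywhere else redirect it."""
    return {
        "missing_localhost": ("127.0.0.1", "localhost") not in entries,
        "sinkholed": sorted({h for ip, h in entries if ip in LOOPBACK and h != "localhost"}),
        "hijacked": [(ip, h) for ip, h in entries if ip not in LOOPBACK],
    }


def check_userinit(value, system_root=r"C:\WINDOWS"):
    """Userinit should be exactly the system userinit.exe followed by a comma."""
    return value.lower() == (system_root + r"\system32\userinit.exe,").lower()


def triage_report(report, allowlist=KNOWN_GOOD_APPINIT, removed=REMOVED_BY_MBAM):
    reg = parse_reg_values(report)
    return {
        "appinit": triage_appinit(split_appinit(reg.get("AppInit_DLLs", "")), allowlist, removed),
        "appinit_loading": reg.get("LoadAppInit_DLLs") == "dword:00000001",
        "hosts": check_hosts(parse_hosts(report)),
        "userinit_ok": check_userinit(reg.get("Userinit", "")),
    }


if __name__ == "__main__":
    for key, value in triage_report(REPORT).items():
        print(f"{key}: {value}")
```

A name that is both "suspect" and "stale" is the interesting case here: the DLL no longer loads because the file is gone, but the loader is still armed, so if a dropper recreates the file it is back in every process at next login. That is the kind of leftover a second scan with the registry-cleaning tool is meant to clear, and it is worth confirming the value afterwards rather than assuming.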

#6 BN40


Posted 27 December 2008 - 04:52 PM

Hi Boopme,

Here is the MBAM report. Thanks for your help with this problem.

BN40

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2

27/12/2008 21:50:37
mbam-log-2008-12-27 (21-50-37).txt

Scan type: Quick Scan
Objects scanned: 58337
Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 BN40


Posted 27 December 2008 - 06:59 PM

bedtime for bonzo, will check in the morning. Thanks for your help. Quick question about my spybot file. In the recover file...C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
there are zip files for aheadNero burning, antispyware, eSupport, IE, MS Direct, MS windows security, Office, SmitfraudC, windows explorer, zlob DNS changer, windows media, and our infamous virtumonde. What are all these zip files for? Thanks again for your help.

#8 boopme


Posted 27 December 2008 - 10:05 PM

Hello. OK, yes, we can run the cleaner now. Post that report also.
Those other files are most likely infected items. If all those programs in there are operable then I would delete them in another day.

#9 BN40


Posted 28 December 2008 - 05:22 AM

Morning, here is the report from SmitFraudFix post cleaning. Just about to run MBAM now. Awoke to a message from an AVG alert: trojan horse Generic 12.AEAN C: system volume information\_restore..., process name: c\windows\system32\svhost.exe, process id: 1536, if that is of any help. Will post the MBAM report next.

#10 BN40


Posted 28 December 2008 - 05:23 AM

SmitFraudFix v2.387

Scan done at 9:45:31.22, 28/12/2008
Run from C:\Documents and Settings\Brett\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{039FCD38-C947-4BD7-850B-015E9519863F}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{863241DE-F2C5-4036-B13D-CA6CDB95ECD6}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AF48ACD6-FAFF-4F59-8B7D-10528DD2C3FE}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{039FCD38-C947-4BD7-850B-015E9519863F}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{863241DE-F2C5-4036-B13D-CA6CDB95ECD6}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AF48ACD6-FAFF-4F59-8B7D-10528DD2C3FE}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C82E27F7-1AF0-4311-89CC-C170394DFC39}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{039FCD38-C947-4BD7-850B-015E9519863F}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{863241DE-F2C5-4036-B13D-CA6CDB95ECD6}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AF48ACD6-FAFF-4F59-8B7D-10528DD2C3FE}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C82E27F7-1AF0-4311-89CC-C170394DFC39}: DhcpNameServer=208.67.220.220 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#11 BN40


Posted 28 December 2008 - 05:39 AM

Malwarebytes' Anti-Malware 1.31
Database version: 1562
Windows 5.1.2600 Service Pack 2

28/12/2008 10:39:14
mbam-log-2008-12-28 (10-39-14).txt

Scan type: Quick Scan
Objects scanned: 58613
Time elapsed: 13 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 BN40


Posted 28 December 2008 - 05:50 AM

back in 2 hours.

#13 BN40


Posted 28 December 2008 - 09:13 AM

stepping out but will check back in a few hours. Cheers

#14 BN40


Posted 28 December 2008 - 03:28 PM

Boopme, let me know when you are around. Cheers,

BN40

#15 boopme


Posted 28 December 2008 - 03:44 PM

Awoke to a message from an AVG alert: trojan horse Generic 12.AEAN C: system volume information\_restore..., process name: c\windows\system32\svhost.exe, process id: 1536, if that is of any help. Will post the MBAM report next.


Man, it's busy here today. We will clear that after one more scan. I'll be here to see the log. It may come back clean but I'd like to be sure.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 28 December 2008 - 03:44 PM.




