ms juan, ms track system, and other persistent viruses


7 replies to this topic

#1 ashleys

Posted 02 January 2009 - 08:08 PM

Hi, this is my first post here so apologies in advance if I don't provide the correct information. I was infected by malware first on around 12/15/08, and I have been having persistent problems since then. Today was a particularly bad day, and while I think I might have cleared most of it up I am still unable to rid my computer of MS Juan and MS Track System. As a side note, my Windows Defender has not been able to update its definitions lately, but I'm not sure if it's connected. I am including below a couple of the Malwarebytes' logs from 12/15 and today, 1/2. Can you tell me how bad this is, and if there is any way to stop these viruses from coming back?
Thanks...

mbam-log-2008-12-15
Malwarebytes' Anti-Malware 1.31
Database version: 1504
Windows 5.1.2600 Service Pack 3

12/15/2008 10:34:55 PM
mbam-log-2008-12-15 (22-34-54).txt

Scan type: Quick Scan
Objects scanned: 53648
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 24
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\geBrppoM.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\fvsgws.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\nnnmnnmj.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Not selected for removal.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6b0d767f-04f4-4941-a2e7-be8190bb3980} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrppom (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a1a1d73-27bb-4230-aac3-9fd842a70c64} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8a1a1d73-27bb-4230-aac3-9fd842a70c64} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6b0d767f-04f4-4941-a2e7-be8190bb3980} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6b0d767f-04f4-4941-a2e7-be8190bb3980} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnmnnmj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnmnnmj -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\~.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\ZBT18MC0\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\ULBC9CBE\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sjjqkxtc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tjoxtpjt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dqdpck.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iiaohfhx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jmnnmnnn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nnnmnnmj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\jmnnmnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xhfhoaii.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fvsgws.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\geBrppoM.dll (Trojan.Vundo.H) -> Delete on reboot.


mbam-log-2008-12-16
Malwarebytes' Anti-Malware 1.31
Database version: 1504
Windows 5.1.2600 Service Pack 3

12/16/2008 1:04:13 AM
mbam-log-2008-12-16 (01-04-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 125838
Time elapsed: 1 hour(s), 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\binatoko.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Not selected for removal.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eeeb7d8b-49df-49d9-8851-4d355ee7ac71} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eeeb7d8b-49df-49d9-8851-4d355ee7ac71} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tarenasigi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\binatoko.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\binatoko.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\binatoko.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1354\A0119164.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1355\A0119180.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\binatoko.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\mupodalu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uladopum.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ninegozu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fivipute.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.


mbam-log-2009-01-02
Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

1/2/2009 4:28:20 PM
mbam-log-2009-01-02 (16-28-20).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 120050
Time elapsed: 50 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\urqRHyvT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\qoMdBQKD.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\xacmxcdo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqrhyvt (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76fc447b-a9cf-4981-9245-06d0dd8a6430} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76fc447b-a9cf-4981-9245-06d0dd8a6430} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{76fc447b-a9cf-4981-9245-06d0dd8a6430} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c8f12d2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomdbqkd -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomdbqkd -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Desktop\Gay Fetish Sex.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Best BDSM P0rn.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Rapid Antivirus\Uninstall.lnk (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Rapid Antivirus\Support Page.lnk (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\HowToBuy.txt (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\Buy.url (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\Uninstall.exe (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\ID.dat (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\License.txt (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Rapid Antivirus\Start Rapid Antivirus.lnk (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\Help.url (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Rapid Antivirus\Purchase License.lnk (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\seneka51d5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msiconf.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Me\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekaqxepkmlj.dll (Trojan.Seneka) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\urqRHyvT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DKQBdMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qoMdBQKD.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\xacmxcdo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DKQBdMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\odcxmcax.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\ULBC9CBE\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.


mbam-log-2009-01-02
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 3

1/2/2009 6:06:17 PM
mbam-log-2009-01-02 (18-06-17).txt

Scan type: Quick Scan
Objects scanned: 54564
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\s_4610_fHx8fHx8fDEyNDM1NTQ5Nzh8_.dbx (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekaoqvrsrpj.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\senekawawqpuxb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\senekatxdyuhye.sys (Trojan.Agent) -> Quarantined and deleted successfully.
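The four Malwarebytes logs above share one layout: a header, then "<Section> Infected:" blocks whose lines read "<item> (<detection>) -> <action>". As an added example (my own script, not part of this thread and not Malwarebytes' code), the Python below parses that layout, lists every item still marked "Delete on reboot" (those entries are only removed when the machine restarts, which is why a re-scan before rebooting shows them again), and tags the registry entries by the Windows load point they hook: Winlogon\Notify, LSA Notification/Authentication Packages, AppInit_DLLs, Browser Helper Objects, ShellExecuteHooks and Run keys, all of which appear in the logs above. The embedded sample log is constructed from lines of the same shape as the posted ones, and the load-point table is my own mapping, an assumption rather than MBAM's classification.

```python
"""Triage a Malwarebytes' Anti-Malware 1.31 scan log (added example, not MBAM code).

Lists items still "Delete on reboot" and tags registry entries by the Windows
load point they hook; the load-point table is the author's own mapping (assumption).
"""
import re
from collections import defaultdict

# Constructed sample in the layout of the logs posted in the thread (trimmed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1504
Windows 5.1.2600 Service Pack 3

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\geBrppoM.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrppom (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a1a1d73-27bb-4230-aac3-9fd842a70c64} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tarenasigi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnmnnmj -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\geBrppoM.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# "<item> (<detection>) -> [Data: <data> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Windows load points seen in the thread's logs, matched case-insensitively as
# substrings of the registry path.  Author's own mapping, not MBAM's taxonomy.
PERSISTENCE_POINTS = [
    (r"\winlogon\notify", "Winlogon notification package"),
    (r"\lsa\notification packages", "LSA notification package"),
    (r"\lsa\authentication packages", "LSA authentication package"),
    (r"\windows\appinit_dlls", "AppInit_DLLs"),
    (r"\explorer\browser helper objects", "IE Browser Helper Object"),
    (r"\explorer\shellexecutehooks", "ShellExecuteHooks"),
    (r"\explorer\sharedtaskscheduler", "SharedTaskScheduler"),
    (r"\currentversion\run", "Run/RunOnce key"),
]


def parse_mbam_log(text):
    """Return {section: [entry, ...]} for every '<Section> Infected:' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):           # section header, e.g. "Files Infected:"
            current = line[:-1]
            sections[current] = []
            continue
        m = ITEM_RE.match(line) if current else None
        if not m:                                # blank, "(No malicious items detected)", header
            continue
        parts = m.group("rest").split(" -> ")    # data items carry an extra "Data: ..." field
        data = parts[0][len("Data: "):] if len(parts) > 1 else None
        sections[current].append({
            "item": m.group("item"),
            "detection": m.group("detection"),
            "action": parts[-1].rstrip("."),
            "data": data,
        })
    return sections


def classify_persistence(item):
    """Map a registry path to the load point it hooks, or None if it is just a trace key."""
    low = item.lower()
    for needle, label in PERSISTENCE_POINTS:
        if needle in low:
            return label
    return None


def triage(text):
    """Summarise what is still pending a reboot and which load points were hooked."""
    sections = parse_mbam_log(text)
    pending, persistence = [], defaultdict(list)
    for name, entries in sections.items():
        for e in entries:
            if e["action"] == "Delete on reboot":
                pending.append(e["item"])
            if name.startswith("Registry"):
                label = classify_persistence(e["item"])
                if label:
                    persistence[label].append(e["item"])
    return {"sections": sections, "pending_reboot": pending, "persistence": dict(persistence)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Pending 'Delete on reboot':", *result["pending_reboot"], sep="\n  ")
    for label, items in result["persistence"].items():
        print(f"{label}: {len(items)} entry/entries")
```

Run it on a saved mbam-log file by reading the file into `triage()` instead of `SAMPLE_LOG`. The useful signal is the second list: a log with nothing but trace keys such as MS Juan is cosmetic, whereas one that still shows a Winlogon\Notify or LSA package entry pending reboot means the DLL is still being loaded at logon and the reboot has to happen before the next scan means anything.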


#2 boopme

  • Global Moderator

Posted 02 January 2009 - 08:47 PM

Hello, removal of Vundo/MS Juan is not always easy, as you see. Have you rebooted after these scans? It completes the removal in some cases.
Did you uncheck the removal box on some?
Weather Services (Adware.Hotbar)

Please run these tools next.
ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now an SAS scan; this one will be about an hour.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Finally, run MBAM again.
Open MBAM and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot.

Tell us how the computer is now.

#3 ashleys

  • Topic Starter

Posted 04 January 2009 - 05:15 PM

Thanks for your reply. In response to your question, I did reboot after scanning and removing the malware, but (as you can see) it still came back on the next scan. As for the ones I unchecked, I did so because they looked like they were connected to the Weather Channel application I have on my desktop - if you think they might be the root of the problem I'd be more than happy to remove them as well, especially if they have compromised the information on my computer, passwords, etc.

I also went through the steps you laid out for me above, and they do appear to have removed MS Juan and MS Track System. At the end of it all I did a quick scan with Malwarebytes that showed no malware, but when I did a complete scan immediately following that, it did show up two new pieces (that scan is included below). I just did another complete scan, though, and it came up clean, so I think we are ok on that front.

When I scan in the future, should I use Malwarebytes or Super AntiSpyware? Should I hang onto Super AntiSpyware just in case I run into a problem like this in the future? I still don't know why this started all of a sudden, but hopefully I have cleared out the root of the problem and it won't return. Many thanks for your help - I have been recommending your site to anyone I know with computer problems!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2009 at 02:34 AM

Application Version : 4.24.1004

Core Rules Database Version : 3694
Trace Rules Database Version: 1670

Scan type : Complete Scan
Total Scan Time : 02:00:01

Memory items scanned : 176
Memory threats detected : 1
Registry items scanned : 6647
Registry threats detected : 52
File items scanned : 73895
File threats detected : 20

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\CZPJKW.DLL
C:\WINDOWS\SYSTEM32\CZPJKW.DLL
HKLM\Software\Classes\CLSID\{4ac8e4d0-f227-488e-84c3-3d48376ce867}
HKCR\CLSID\{4AC8E4D0-F227-488E-84C3-3D48376CE867}
HKCR\CLSID\{4AC8E4D0-F227-488E-84C3-3D48376CE867}\InprocServer32
HKCR\CLSID\{4AC8E4D0-F227-488E-84C3-3D48376CE867}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ac8e4d0-f227-488e-84c3-3d48376ce867}
C:\WINDOWS\SYSTEM32\ENVRMYNK.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Me\cookies\me@ads.cnn[2].txt
C:\Documents and Settings\Me\cookies\me@doubleclick[1].txt
.cnn.122.2o7.net [ C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\r0yiw9hs.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\r0yiw9hs.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\r0yiw9hs.slt\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\r0yiw9hs.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\r0yiw9hs.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\r0yiw9hs.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\r0yiw9hs.slt\cookies.txt ]

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\from%3A%2037%20withers%20st%2C%20brooklyn%2C%20NY%2011211%20to%3A%203500%2048th%20St%2C%20Queens%2C%20NY%2011101
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\from%3A%2037%20withers%20st%2C%20brooklyn%2C%20NY%2011211%20to%3A%203500%2048th%20St%2C%20Queens%2C%20NY%2011101#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\from%3A%2037%20withers%20st%2C%20brooklyn%2C%20NY%2011211%20to%3A%203500%2048th%20St%2C%20Queens%2C%20NY%2011101#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\from%3A%2037%20withers%20st%2C%20brooklyn%2C%20NY%2011211%20to%3A%203500%2048th%20St%2C%20Queens%2C%20NY%2011101#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs

Rogue.Component/Trace
HKLM\Software\Microsoft\6C8F005C
HKLM\Software\Microsoft\6C8F005C#6c8f005c
HKLM\Software\Microsoft\6C8F005C#Version
HKLM\Software\Microsoft\6C8F005C#6c8faddc
HKLM\Software\Microsoft\6C8F005C#6c8fc439
HKU\S-1-5-21-1695731375-1669553003-213828046-1007\Software\Microsoft\CS41275
HKU\S-1-5-21-1695731375-1669553003-213828046-1007\Software\Microsoft\FIAS4018

Rogue.RapidAntivirus
HKU\.DEFAULT\Software\Rapid Antivirus
HKU\S-1-5-18\Software\Rapid Antivirus

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1695731375-1669553003-213828046-1007\SOFTWARE\Microsoft\fias4013

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\1B85488B49C40497
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\232772469429862F
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\254825867AEC9E28
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\30B27C3067D8E19F
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\72EA5C3933C82B8
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\8151AFDD854D08FF
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\99E34786371B8AF1
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\AD41D45AD5ABC16

Adware.Vundo/Variant-Trace
C:\WINDOWS\SYSTEM32\FNPGYMPD.INI


Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 3

1/3/2009 1:39:28 PM
mbam-log-2009-01-03 (13-39-28).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 120526
Time elapsed: 1 hour(s), 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0120484.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0120487.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 boopme

  • Global Moderator

Posted 04 January 2009 - 05:49 PM

OK, we have made a lot of progress. To address the "unchecked" items: they contain spyware (Hotbar).

"they were connected to the Weather Channel application"

Hotbar Spyware
Hotbar is a program that embeds a toolbar into your browser. It monitors every URL that you visit as well as phrases which you enter into search engines and sends this information back to a third party. The information is used to target ads on your computer, both in popups as well as directly embedded within web pages.

Hotbar consumes over 20MB of disk space on your hard drive. It will slow down your browser, make your PC boot slower, and may crash your computer altogether. Hotbar also disables certain popup blockers.

Hotbar can be forcibly installed when you visit certain websites, whether or not you agree to the download. Adware Report

You should allow removal of that and check in Control Panel, Add/Remove for any other references.
For a safe weather application see the Time & Weather section of our Freeware list, Freeware Replacements For Common Commercial Apps.
I have a question: was that from "the Weather Channel"? Because I saw this there... The Weather Channel Desktop Max does not contain "spyware."
http://www.weather.com/services/desktopmax.html

When I scan in the future, should I use Malwarebytes or Super AntiSpyware?

As you see, you need both. One gets what the other misses. MBAM is stronger in normal mode and needs to be run on all user accounts on the computer. SAS is stronger in Safe mode. Both can be run in either mode if necessary. Also, the free versions need to be manually updated prior to any scan. MBAM is updated quite often (at 1615 now). In both cases a Quick scan should be sufficient, unless you suspect or were alerted to an infection.

Now back to your PC it still needs love. Let's do 2 scans now.
First SDFix.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Now from normal mode:
Open MBAM and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 ashleys (Topic Starter; Members; 20 posts)

Posted 10 January 2009 - 04:06 PM

Hello again, sorry it's taken me so long to respond. I went ahead and removed the weather channel spyware from my comp, and it doesn't seem to have affected my desktop weather application at all (which is great). I have the free version of desktop weather (from weather.com), so Desktop Max might come w/o spyware but I'd have to pay for it.

I did the SDFix scan, and that was fine, but while I was in the middle of doing the Malwarebytes scan after the reboot, I actually got an alert from my Norton about a virus! I'm pasting in the sdreport, the mbam log, and the info Norton gave me about the virus. In fact, I got a second Norton alert about the same virus (I think) the very next day. Sigh.

Again, thanks for your help.
-a



SDFix: Version 1.240
Run by Me on Wed 01/07/2009 at 07:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Me\LOCALS~1\Temp\TMP30.tmp - Deleted
C:\DOCUME~1\Me\LOCALS~1\Temp\TMP31.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 19:39:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"="C:\\WINDOWS\\SYSTEM32\\rundll32.exe:*:Enabled:rundll32"
"C:\\WINDOWS\\SYSTEM32\\logonui.exe"="C:\\WINDOWS\\SYSTEM32\\logonui.exe:*:Enabled:logonui"
"C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"="C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe:*:Enabled:ViewpointService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 22 Nov 2004 56 ..SHR --- "C:\WINDOWS\SYSTEM32\B2255DA512.sys"
Mon 22 Nov 2004 11,270 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Sun 10 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 15 Dec 2004 27,136 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL0001.tmp"
Wed 15 Dec 2004 30,208 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL0003.tmp"
Wed 15 Dec 2004 29,184 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL0057.tmp"
Sat 2 Sep 2006 784,384 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL0158.tmp"
Wed 15 Dec 2004 28,672 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL0881.tmp"
Wed 3 Jan 2007 30,720 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL0920.tmp"
Wed 3 Jan 2007 30,720 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL1640.tmp"
Sat 2 Sep 2006 781,824 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL2212.tmp"
Wed 3 Jan 2007 37,888 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL2344.tmp"
Wed 3 Jan 2007 35,328 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL2821.tmp"
Wed 15 Dec 2004 29,696 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL3243.tmp"
Wed 3 Jan 2007 32,768 ...H. --- "C:\Documents and Settings\Me\Desktop\~WRL3820.tmp"
Fri 2 Jan 2009 564,616 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0ac704fbc981242e850776ac903a6621\BITAA.tmp"
Wed 13 Dec 2006 26,624 ...H. --- "C:\Documents and Settings\Me\Application Data\Microsoft\Templates\~WRL2242.tmp"

Finished!




Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 3

1/7/2009 9:13:34 PM
mbam-log-2009-01-07 (21-13-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 121551
Time elapsed: 1 hour(s), 20 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



NORTON:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Fakeavalert
File: C:\WINDOWS\SYSTEM32\bgl.exe
Location: Quarantine
Computer: HOME
User: Me
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Jan 07 21:08:16 2009


Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Fakeavalert
File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1383\A0120643.exe
Location: Quarantine
Computer: HOME
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Thu Jan 08 19:49:58 2009

#6 boopme (To Insanity and Beyond; Global Moderator; 73,490 posts; NJ USA)

Posted 10 January 2009 - 05:12 PM

OK then, well, MBAM needs an update.

In regular mode, from your normal user account:
Open MBAM and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot.

#7 ashleys (Topic Starter; Members; 20 posts)

Posted 11 January 2009 - 01:44 AM

Excellent call. I updated and ran another scan, and it looks good. Should I delete all the malware in the quarantine tab (currently 124 objects in quarantine)? Also, how often would you recommend doing maintenance scans, and should I just stick with quick scans unless I am alerted to the presence of malware?
Thanks again,
a


Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 3

1/11/2009 1:41:05 AM
mbam-log-2009-01-11 (01-41-05).txt

Scan type: Full Scan (C:\|D:\|I:\|)
Objects scanned: 140522
Time elapsed: 2 hour(s), 22 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 boopme (To Insanity and Beyond; Global Moderator; 73,490 posts; NJ USA)

Posted 11 January 2009 - 03:02 PM

You should update and run the MBAM and SAS scans weekly. Quick scans weekly and Full scans monthly. Remember, MBAM is stronger in normal mode while SAS is stronger in Safe mode. Now, if there are no more issues on your end, then...
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
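As an added example (constructed here, not code from this thread or from Malwarebytes), a small parser for the MBAM log layout pasted throughout this topic. It pulls out the summary counts and database version, and flags detections that sit inside the System Restore store, the reinfection path described in the post above; the restore-point GUID in the sample is a placeholder.

```python
import re

# Constructed sample in the MBAM 1.31 log layout seen in this thread.
# The restore-point GUID is a placeholder, not a value from the page.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.31
Database version: 1602

Scan type: Full Scan (C:\\|D:\\|)

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 2

Files Infected:
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP1380\\A0120484.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\SYSTEM32\\example.dll (Trojan.Vundo) -> Delete on reboot.
"""

# "<category> Infected: <n>" summary lines at the top of the log.
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
DB_RE = re.compile(r"^Database version: (\d+)$")
# "<path> (<family>) -> <action>." detection lines.
DETECT_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")
# Anything under the System Restore store can come back via an old restore point.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (summary counts, database version, list of detections)."""
    counts, db_version, detections = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := DB_RE.match(line):
            db_version = int(m.group(1))
        elif (m := DETECT_RE.match(line)) and "\\" in m.group("path"):
            detections.append(m.groupdict())
    return counts, db_version, detections


def triage(text):
    """Summarise what a helper would want to know before replying."""
    counts, db_version, detections = parse_mbam_log(text)
    return {
        "db_version": db_version,
        "total_infected": sum(counts.values()),
        "families": sorted({d["family"] for d in detections}),
        "in_restore_points": [d["path"] for d in detections if RESTORE_RE.search(d["path"])],
        "pending_reboot": [d["path"] for d in detections if "reboot" in d["action"].lower()],
    }
```

A non-empty `in_restore_points` list is the cue to create a fresh restore point and purge the old ones, as the post above describes; `pending_reboot` means removal is not finished until the machine has been restarted.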



