Computer Virus?


This topic is locked. 21 replies to this topic.

#1 nickhud

Posted 25 February 2009 - 12:38 AM

Hi,

Can someone please help me clean up and protect my computer? It is doing a lot of strange things. Here is a list of the things that I can think of...

1. Google Jumps - When I perform a Google search, the search results show up but when I click on one of the results, I am either taken to a completely different website OR, I am taken to the website I selected and then automatically taken to another website.

2. When I log into the computer, I have to hold down each key in the password for 2 seconds. If I do not hold the key down, a flash appears on the screen and I am not allowed to type in the letter.

3. There is a vertical white bar running from the top to the bottom of my screen on the right hand side. There is also a vertical opaque bar with a black border that is right next to it (and actually lays over the white bar a tad).

4. There are constant popups.

5. The computer runs extremely slow regardless of what application I try to use.

6. I'm pretty sure the computer is using an excessive amount of Internet bandwidth but will know more later today when I install tracking software. It appears as though it is averaging 500MB per day and I am being very cautious in not using much bandwidth. This leads me to believe there is something running in the background. Is this possible?

Can someone please help me sort this out? I would like to get it cleaned up, like new, and install protection.

My Operating System is: Microsoft Windows XP Home Edition, Version 2002, Service Pack 3

Thanks!

Nick



#2 quietman7

Posted 25 February 2009 - 01:31 PM

Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Mbam-rules.exe is not updated daily. Another way to get the most current definitions is to update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with disinfection. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 nickhud

Posted 26 February 2009 - 09:48 AM

Hi Quietman,

Thank you so much for helping me. I am diligently working to perform the steps you have listed. My computer is moving very slow. It takes at least 10 minutes to complete one simple click action. I will post the files as soon as I can produce them.

Nick

#4 quietman7

Posted 26 February 2009 - 11:25 AM

Not a problem.

#5 nickhud

Posted 27 February 2009 - 08:34 PM

Okay Finnnnalllyyyy... Here's what I have done:

I checked to make sure all firewalls and antivirus applications were turned off by going into the Security Center at the Control Panel. There was nothing turned on which probably explains why I'm having some of the troubles I am having. I then started in safe mode and ran SDFix. Here is the report it generated:


SDFix: Version 1.240
Run by nick hudson on Thu 02/26/2009 at 05:25 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\Helper\prolooker.dll - Deleted
C:\Program Files\Helper\turbosearchsite.dll - Deleted
C:\Program Files\Video Add-on\uninst.exe - Deleted
C:\DOCUME~1\NICKHU~1.YOU\LOCALS~1\Temp\a.exe - Deleted
C:\DOCUME~1\NICKHU~1.YOU\LOCALS~1\Temp\b.exe - Deleted
C:\Program Files\SAV\sav0.dat - Deleted
C:\Program Files\SAV\sav1.dat - Deleted
C:\Program Files\SAV\sav.cpl - Deleted
C:\Program Files\SAV\sav.exe - Deleted
C:\WINDOWS\system32\msxml71.dll - Deleted
C:\WINDOWS\system32\sav.cpl - Deleted



Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\Video Add-on - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 06:15:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\kbdlk41a.dll 6656 bytes executable
C:\WINDOWS\system32\kbdlk41j.dll 6144 bytes executable
C:\WINDOWS\system32\kbdlt.dll 5632 bytes executable
C:\WINDOWS\system32\kbdlt1.dll 5632 bytes executable
C:\WINDOWS\system32\kbdlv.dll 6144 bytes executable
C:\WINDOWS\system32\kbdlv1.dll 6144 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 6


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:Soulseek"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 12 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 14 Mar 2005 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe"
Mon 28 Feb 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\uinstrsc.dll"
Sat 5 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 18 Nov 2007 41,472 A..H. --- "C:\SDFix\backups\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL0005.tmp"
Sun 18 Nov 2007 46,592 A..H. --- "C:\SDFix\backups\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL0869.tmp"
Sun 18 Nov 2007 46,592 A..H. --- "C:\SDFix\backups\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL3811.tmp"
Mon 13 Oct 2003 54 A.SH. --- "C:\SDFix\backups\movedfile.vir\Application Data\Purple Ghost Software, Inc\PodPlus\1.1.0.0\WinPP.sys"

Finished!



When I went to turn the antivirus on so that I could move to the next step, I discovered there was no antivirus installed on the computer at all. So, I got online and downloaded Avast. After doing that, I realized that I might have caused more trouble by getting online unprotected so I ran SDFix again. Here's that report:


SDFix: Version 1.240
Run by nick hudson on Thu 02/26/2009 at 09:12 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 18:04:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\kbdkyr.dll 5632 bytes executable
C:\WINDOWS\system32\kbdla.dll 6656 bytes executable
C:\WINDOWS\system32\kbdlk41a.dll 6656 bytes executable
C:\WINDOWS\system32\kbdlk41j.dll 6144 bytes executable
C:\WINDOWS\system32\kbdlt.dll 5632 bytes executable
C:\WINDOWS\system32\kbdlt1.dll 5632 bytes executable
C:\WINDOWS\system32\kbdlv.dll 6144 bytes executable
C:\WINDOWS\system32\kbdlv1.dll 6144 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 8


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:Soulseek"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Fri 12 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 14 Mar 2005 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe"
Mon 28 Feb 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\uinstrsc.dll"
Sat 5 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 18 Nov 2007 41,472 A..H. --- "C:\SDFix\backups_old\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL0005.tmp"
Sun 18 Nov 2007 46,592 A..H. --- "C:\SDFix\backups_old\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL0869.tmp"
Sun 18 Nov 2007 46,592 A..H. --- "C:\SDFix\backups_old\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL3811.tmp"
Mon 13 Oct 2003 54 A.SH. --- "C:\SDFix\backups_old\movedfile.vir\Application Data\Purple Ghost Software, Inc\PodPlus\1.1.0.0\WinPP.sys"

Finished!



THEN, I realized that I ran SDFix while Avast was running so, I ran it again without Avast. Report:


SDFix: Version 1.240
Run by nick hudson on Thu 02/26/2009 at 09:31 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 22:39:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\kbdkyr.dll 5632 bytes executable
C:\WINDOWS\system32\kbdla.dll 6656 bytes executable
C:\WINDOWS\system32\kbdlk41a.dll 6656 bytes executable
C:\WINDOWS\system32\kbdlk41j.dll 6144 bytes executable
C:\WINDOWS\system32\kbdlt.dll 5632 bytes executable
C:\WINDOWS\system32\kbdlt1.dll 5632 bytes executable
C:\WINDOWS\system32\kbdlv.dll 6144 bytes executable
C:\WINDOWS\system32\kbdlv1.dll 6144 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 8


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:Soulseek"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Fri 12 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 14 Mar 2005 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe"
Mon 28 Feb 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\uinstrsc.dll"
Sat 5 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 18 Nov 2007 41,472 A..H. --- "C:\SDFix\backups_old1\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL0005.tmp"
Sun 18 Nov 2007 46,592 A..H. --- "C:\SDFix\backups_old1\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL0869.tmp"
Sun 18 Nov 2007 46,592 A..H. --- "C:\SDFix\backups_old1\movedfile.vir\Desktop\Mark Hudson\My Documents\~WRL3811.tmp"
Mon 13 Oct 2003 54 A.SH. --- "C:\SDFix\backups_old1\movedfile.vir\Application Data\Purple Ghost Software, Inc\PodPlus\1.1.0.0\WinPP.sys"

Finished!



Finally, I made it to the Malwarebytes Anti-Malware steps. I wasn't clear as to whether or not I was supposed to connect to the internet just for the purposes of getting the updates for the program or if I was to stay connected with Avast running. So, for the record, I was connected to the internet with Avast running when this scan was processed. And here is that report:

Malwarebytes' Anti-Malware 1.34
Database version: 1809
Windows 5.1.2600 Service Pack 3

2/27/2009 1:33:14 AM
mbam-log-2009-02-27 (01-33-14).txt

Scan type: Quick Scan
Objects scanned: 76096
Time elapsed: 1 hour(s), 27 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69b98c68-d2b8-4a4e-9cb7-e85b6f3a7014} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{69b98c68-d2b8-4a4e-9cb7-e85b6f3a7014} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69b98c68-d2b8-4a4e-9cb7-e85b6f3a7014} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoaccessactivex.Chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{e31f5c72-8e0d-4921-8375-9573746c170c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.19 85.255.112.140 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.19 85.255.112.140 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.19 85.255.112.140 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbdsdf.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Fry's Electronics\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.


I apologize for making things complicated. Hopefully I have taken the appropriate steps. I don't know if this is useful information but, did I mention that this computer is slower than slowwwwww??? It literally takes 10-40 minutes for it to do even the simplest tasks. For instance, when I click on Start, it takes no less than 10 minutes to open the start menu. It took me over an hour to get through Start > Control Panel > Security Center.

Thank you so much!

#6 quietman7

Posted 28 February 2009 - 07:15 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Now rescan again with MBAM but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database updates through the program's interface (the preferred way) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#7 nickhud

Posted 01 March 2009 - 02:46 AM

Just a quick reply....

So far the scan has been running for 8.5 hours. I will post the report when it is done.

Thanks!

#8 quietman7

Posted 01 March 2009 - 08:12 AM

Ok.

Just so you know, the speed of an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, archives, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.


#9 nickhud

Posted 01 March 2009 - 07:37 PM

There was a popup box saying the scan was complete. I clicked on okay and went to logs. The only log listed there is the original scan we did. I'm running it again.

I'm working from another computer and haven't allowed anyone to touch the computer we are working on while we are doing this. I also did not change any of the settings in Malwarebyte when I performed the full scan so maybe it's the hard drive.

I can be patient so that this is done properly. I just wanted to let you know I haven't dropped the ball as I really do appreciate you helping me.

#10 nickhud

Posted 02 March 2009 - 07:17 AM

This time the scan completed in only 8 hours..woohoo!

There were several times where Avast popped up and warned me of things and I clicked on "Ignore." I didn't know what to do and hope this was the right thing. I thought that clicking Ignore would allow Malwarebytes to catch them but it doesn't seem that any of the things it warned me against are listed in the log.

Anyway, here's the log. The computer still seems to have the same problems. What next, sir?:

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 3

3/2/2009 3:44:17 AM
mbam-log-2009-03-02 (03-44-17).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 161836
Time elapsed: 8 hour(s), 19 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\SDFix\backups_old1\movedfile.vir\Local Settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\SDFix\backups_old1\movedfile.vir\Local Settings\Temp\scan.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsdf.dll (Trojan.Agent) -> Delete on reboot.
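
Both Malwarebytes logs posted in this thread repay being read programmatically rather than by eye: the Trojan.DNSChanger entries in the first log show that the machine's DNS resolvers had been replaced (which is what produced the "Google jumps"), and C:\WINDOWS\system32\kbdsdf.dll is marked "Delete on reboot" in both logs, a sign that the reboot MBAM needs never finished the job. The parser below is an added example, not code from the thread or from Malwarebytes; its log excerpts are constructed from the entries posted above and every function name is mine.

```python
"""Parse Malwarebytes' Anti-Malware 1.34-style text logs (the format posted in this
thread) and extract what matters for triage: families, DNSChanger resolvers, pending reboots."""
import re
from collections import Counter

# Detection lines look like:  <object> (<family>) -> [<detail> -> ]<action>
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_mbam_log(text):
    """Return one dict per detection: section, object, family, detail, action."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):            # section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        if not line or section is None or line.startswith("("):
            continue                              # blank, summary block, or "(No malicious items detected)"
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        parts = [p.strip() for p in m.group("rest").split("->")]
        detections.append({
            "section": section,
            "object": m.group("obj"),
            "family": m.group("family"),
            "detail": " ".join(parts[:-1]),       # e.g. "Data: 85.255.115.19 85.255.112.140"
            "action": parts[-1],                  # e.g. "Delete on reboot."
        })
    return detections


def family_counts(detections):
    """How many hits each vendor family name produced (naming is vendor-specific)."""
    return Counter(d["family"] for d in detections)


def rogue_nameservers(detections, trusted=()):
    """Resolver IPs Trojan.DNSChanger wrote into Tcpip\\Parameters\\NameServer, minus any the
    caller trusts. With these in place, every lookup on the box was answered by attacker DNS."""
    found = []
    for d in detections:
        if d["family"] != "Trojan.DNSChanger":
            continue
        for ip in IPV4_RE.findall(d["detail"]):
            if ip not in trusted and ip not in found:
                found.append(ip)
    return found


def pending_reboot(detections):
    """Objects MBAM could not remove while in use; they only go away after a normal reboot."""
    return [d["object"] for d in detections if d["action"].startswith("Delete on reboot")]


def still_pending(earlier_log, later_log):
    """Objects marked 'Delete on reboot' in both logs: the reboot never happened or
    something re-dropped the file, so the cleanup is not finished yet."""
    first = set(pending_reboot(parse_mbam_log(earlier_log)))
    return [o for o in pending_reboot(parse_mbam_log(later_log)) if o in first]


# Constructed excerpts laid out like the quick-scan and full-scan logs in this thread.
QUICK_SCAN_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1809
Scan type: Quick Scan

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.19 85.255.112.140 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.19 85.255.112.140 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbdsdf.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Fry's Electronics\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
"""

FULL_SCAN_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1814
Scan type: Full Scan (C:\|D:\|)

Files Infected:
C:\SDFix\backups_old1\movedfile.vir\Local Settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsdf.dll (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    quick = parse_mbam_log(QUICK_SCAN_LOG)
    print(dict(family_counts(quick)), rogue_nameservers(quick), still_pending(QUICK_SCAN_LOG, FULL_SCAN_LOG))
```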

#11 quietman7

Posted 02 March 2009 - 10:48 AM

There were several times where Avast popped up and warned me of things and I clicked on "Ignore."

That's why in Post #2, I advised to click this link to see a list of programs that should be disabled before scanning with MBAM. Avast was on the list.

Malwarebytes to catch them but it doesn't seem that any of the things it warned me against are listed in the log.

We don't know that for sure. Each security vendor uses its own naming conventions to identify various types of malware so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more information about the actual file(s) involved. See Understanding virus names.

Go ahead and rescan with avast, let it remove (quarantine) anything found and let me know the results.

#12 nickhud

Posted 02 March 2009 - 08:40 PM

That's why in Post #2, I advised to click this link to see a list of programs that should be disabled before scanning with MBAM. Avast was on the list.

Ugh, yes you did, didn't you. I thought I read everything thoroughly but obviously, I did not. I am running the Avast scan now. Thank you.

#13 nickhud

Posted 03 March 2009 - 06:46 PM

I can't figure out how to generate a text file report from the Avast scan so I had to do a print screen. I can't figure out how to get the image to show up so you can read it here so I saved it in photobucket. Here is the link.

You will notice on the right side, in the Operation column, some of the lines are cut off because my screen isn't large enough. Those lines simply read "The system cannot find the file specified."

Thanks!

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 March 2009 - 10:03 PM

The infected RP***\A00*****.exe/.dll file(s) identified by your scan are in the System Volume Information folder (SVI), which is a part of System Restore. This is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configuration, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. System Restore is enabled by default and contains registry configuration, settings and files that are necessary for your computer to run correctly. By design, System Restore runs in the background and will automatically create a new restore point every 24 hours (system checkpoints).

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, they may detect and place these files in quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they can sometimes reinfect your system if you accidentally use an old restore point. To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista users can refer to these links: Create a New Restore Point and Disk Cleanup.

If your anti-virus or anti-malware tool were able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.

The other infected files were found in the backups of SDFix. These were files found by the tool and safely moved so they are no longer a threat. This is similar to when an anti-virus program quarantines a file by moving it into a virus vault (chest). That file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be malicious, you can delete it at any time.

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them as a threat while in the quarantined area.
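The "new restore point, then discard the old ones" procedure above, scripted for Windows 7 or later where restore points are VSS shadow copies (on XP, where this thread sits, Disk Cleanup's GUI is the route). This is an added example, not code from the thread or from BleepingComputer; it assumes System Restore protects C:, an elevated prompt, and uses a placeholder description.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Windows 7 or later, elevated prompt.
# Reproduces the advice above: snapshot the cleaned system, then discard
# every older restore point that may still hold an infected A00*****.exe copy.

$Volume = 'C:'   # assumption: System Restore is protecting the system drive

# 1. Show what is on disk before touching anything.
Write-Host "Restore points before cleanup:"
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description, RestorePointType -AutoSize

# 2. Create the new, clean baseline. Windows 8 and later allow only one
#    restore point per 24 hours by default; if this call is silently skipped,
#    set the DWORD SystemRestorePointCreationFrequency to 0 under
#    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore and rerun.
Checkpoint-Computer -Description 'Post-malware-cleanup baseline (placeholder)' `
                    -RestorePointType MODIFY_SETTINGS

# 3. Delete all but the newest shadow copy on the volume. This is the same
#    action as Disk Cleanup > More Options > System Restore > Clean up.
#    Note: it also drops the "Previous Versions" history of files on C:.
function Get-ShadowCount {
    param([string]$Vol)
    # vssadmin prints one "Shadow Copy ID: {guid}" line per snapshot.
    $out = vssadmin list shadows /for=$Vol 2>&1
    return @($out | Select-String -SimpleMatch 'Shadow Copy ID:').Count
}

$count = Get-ShadowCount -Vol $Volume
while ($count -gt 1) {
    # /oldest removes exactly one snapshot per call, so loop until one remains.
    vssadmin delete shadows /for=$Volume /oldest /quiet | Out-Null
    $after = Get-ShadowCount -Vol $Volume
    if ($after -ge $count) {
        # Guard against looping forever if VSS refuses to delete (e.g. in use).
        Write-Warning "vssadmin could not delete the oldest shadow copy; stopping."
        break
    }
    $count = $after
}

Write-Host "Restore points after cleanup:"
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description, RestorePointType -AutoSize
```

Run it only after the scanners report clean; the point is that the one surviving restore point is the clean baseline, not a snapshot that still contains the malware.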

#15 nickhud

nickhud
  • Topic Starter

  • Members
  • 15 posts

Posted 03 March 2009 - 10:58 PM

Thank you for all of your help Quietman!

Before I do anything, I just want to verify that I understand the steps:

1. Delete all of the harmful files that are in quarantine and move all of the false positive files back to their original location. (Question - how do I know if there are crucial files in quarantine that have been flagged as "false positive"?)

2. Create a system restore point.

3. Use Disk Cleanup to remove all previous restore points.

Is this correct?

Also, the computer is still doing the funny login thing and still has the bars on the side of the screen. I don't know about the jumps because I have not tested that yet. I'm trying to stay off the Internet until it's at least somewhat repaired. Provided that the quarantined files are the files causing the trouble, would that stop after they were completely deleted from the computer?

Thanks!

Edited by nickhud, 04 March 2009 - 01:17 AM.