Win32.Worm.Viking


8 replies to this topic

#1 afodd1

Posted 09 March 2009 - 02:50 PM

Hi, I just ran a scan using Lavasoft Ad-Aware ("Anniversary Edition"), which found these files:

C:\Program Files\WinRAR\WinRAR.exe
C:\Users\AOD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk

to be infected by "Win32.Worm.Viking". Does anyone know if this is a false positive or not? I have quarantined these files as suggested by the Ad-Aware software. Ad-Aware will not allow me to uninstall WinRAR, saying that the process is blocked because of this worm. I am currently running Trend Micro OfficeScan to see if it detects anything. I am running Windows Vista 32-bit Home version on my laptop, and have the Trend Micro and ZoneAlarm firewalls installed as well as Trend Micro OfficeScan.

Here is the Adaware scan log. Thank you, hope somebody can help!





Logfile created: 09/03/2009 15:0:41
Lavasoft Ad-Aware version: 8.0.3
Extended engine version: 8.1
User performing scan: AOD

*********************** Definitions database information ***********************
Lavasoft definition file: 146.20
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 61507
Objects detected: 9


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 2
Folders.........: 0
LSPs............: 0
Cookies.........: 7
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *live365* Family Name: Cookies Clean status: Failed Item ID: 408844 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0
Description: *estat* Family Name: Cookies Clean status: Failed Item ID: 408873 Family ID: 0

Quarantined items:
Description: C:\Program Files\WinRAR\WinRAR.exe Family Name: Win32.Worm.Viking Clean status: Success Item ID: 617099 Family ID: 1075
Description: C:\Users\AOD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk Family Name: Win32.Worm.Viking Clean status: Success Item ID: 617099 Family ID: 1075

Scan and cleaning complete: Finished correctly after 320 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Jan 21 21:50:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Jan 21 21:50:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: false
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: AOD-LAPTOP
Processor name: AMD Athlon™ X2 Dual-Core QL-60
Processor identifier: x86 Family 17 Model 3 Stepping 1
Raw info: processorarchitecture 0, processortype 586, processorlevel 17, processor revision 769, number of processors 2
Physical memory available: 1406922752 bytes
Physical memory total: 2949033984 bytes
Virtual memory available: 1975980032 bytes
Virtual memory total: 2147352576 bytes
Memory load: 52%
Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Windows startup mode:

Running processes:
PID: 448 name: C:\Windows\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 584 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 644 name: C:\Windows\System32\wininit.exe owner: SYSTEM domain: NT AUTHORITY
PID: 656 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 688 name: C:\Windows\System32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 704 name: C:\Windows\System32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 712 name: C:\Windows\System32\lsm.exe owner: SYSTEM domain: NT AUTHORITY
PID: 868 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 904 name: C:\Windows\System32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1000 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1040 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1092 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1112 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1164 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1180 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1268 name: C:\Windows\System32\SLsvc.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1308 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1376 name: C:\Windows\System32\WacomTouchService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1424 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1520 name: C:\Windows\System32\ZoneLabs\vsmon.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 1612 name: C:\Windows\System32\wlanext.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1884 name: C:\Windows\System32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1912 name: C:\Program Files\DigitalPersona\Bin\DpHostW.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1968 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 124 name: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 304 name: C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1300 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1388 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1476 name: C:\Windows\SMINST\BLService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1604 name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1976 name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2292 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2356 name: C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2416 name: C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2492 name: C:\Windows\System32\taskeng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2740 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3204 name: C:\Windows\System32\dwm.exe owner: AOD domain: AOD-Laptop
PID: 3212 name: C:\Program Files\DigitalPersona\Bin\DpAgent.exe owner: AOD domain: AOD-Laptop
PID: 3224 name: C:\Windows\System32\taskeng.exe owner: AOD domain: AOD-Laptop
PID: 3296 name: C:\Windows\explorer.exe owner: AOD domain: AOD-Laptop
PID: 3696 name: C:\Windows\Temp\SF6457.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 2376 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2876 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2836 name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe owner: AOD domain: AOD-Laptop
PID: 3928 name: C:\Windows\RtHDVCpl.exe owner: AOD domain: AOD-Laptop
PID: 4032 name: C:\Program Files\Windows Defender\MSASCui.exe owner: AOD domain: AOD-Laptop
PID: 3496 name: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe owner: AOD domain: AOD-Laptop
PID: 2888 name: C:\Windows\System32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4068 name: C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe owner: AOD domain: AOD-Laptop
PID: 3480 name: C:\Windows\System32\wbem\unsecapp.exe owner: AOD domain: AOD-Laptop
PID: 3900 name: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2896 name: C:\Program Files\Internet Explorer\ieuser.exe owner: AOD domain: AOD-Laptop
PID: 3884 name: C:\Program Files\Windows Sidebar\sidebar.exe owner: AOD domain: AOD-Laptop
PID: 856 name: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe owner: AOD domain: AOD-Laptop
PID: 2128 name: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe owner: AOD domain: AOD-Laptop
PID: 1696 name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe owner: AOD domain: AOD-Laptop
PID: 3336 name: C:\Windows\ehome\ehtray.exe owner: AOD domain: AOD-Laptop
PID: 3276 name: C:\Program Files\MagicDisc\MagicDisc.exe owner: AOD domain: AOD-Laptop
PID: 3164 name: C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2616 name: C:\Program Files\Internet Explorer\iexplore.exe owner: AOD domain: AOD-Laptop
PID: 1400 name: C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3564 name: C:\Windows\ehome\ehmsas.exe owner: AOD domain: AOD-Laptop
PID: 3504 name: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe owner: AOD domain: AOD-Laptop
PID: 1136 name: C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4156 name: C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe owner: AOD domain: AOD-Laptop
PID: 4220 name: C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe owner: AOD domain: AOD-Laptop
PID: 4276 name: C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe owner: AOD domain: AOD-Laptop
PID: 5448 name: C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5592 name: C:\Program Files\Synaptics\SynTP\SynTPHelper.exe owner: AOD domain: AOD-Laptop
PID: 5964 name: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5384 name: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE owner: AOD domain: AOD-Laptop
PID: 5636 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 5948 name: C:\Windows\System32\SearchProtocolHost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 6012 name: C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchFilterHost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 6048 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5372 name: C:\Windows\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5444 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: AOD domain: AOD-Laptop
PID: 3864 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: AOD domain: AOD-Laptop
PID: 4468 name: C:\Windows\servicing\TrustedInstaller.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3372 name: C:\Program Files\Windows Live\Messenger\msnmsgr.exe owner: AOD domain: AOD-Laptop

Startup items:
Name: SynTPEnh
imagepath: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Name: RtHDVCpl
imagepath: RtHDVCpl.exe
Name: DpAgent
imagepath: C:\Program Files\DigitalPersona\Bin\dpagent.exe
Name: Windows Defender
imagepath: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
Name: hpWirelessAssistant
imagepath: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
Name: OfficeScanNT Monitor
imagepath: "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
Name: ZoneAlarm Client
imagepath: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
Name: Ad-Watch
imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Name:
imagepath: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: lsdelete

Running services:
Name: AeLookupSvc
displayname: Application Experience
Name: Appinfo
displayname: Application Information
Name: Ati External Event Utility
displayname: Ati External Event Utility
Name: AudioEndpointBuilder
displayname: Windows Audio Endpoint Builder
Name: Audiosrv
displayname: Windows Audio
Name: BFE
displayname: Base Filtering Engine
Name: BITS
displayname: Background Intelligent Transfer Service
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: DpHost
displayname: Biometric Authentication Service
Name: DPS
displayname: Diagnostic Policy Service
Name: EapHost
displayname: Extensible Authentication Protocol
Name: EMDMgmt
displayname: ReadyBoost
Name: Eventlog
displayname: Windows Event Log
Name: EventSystem
displayname: COM+ Event System
Name: gpsvc
displayname: Group Policy Client
Name: hidserv
displayname: Human Interface Device Access
Name: HP Health Check Service
displayname: HP Health Check Service
Name: hpqwmiex
displayname: hpqwmiex
Name: idsvc
displayname: Windows CardSpace
Name: IKEEXT
displayname: IKE and AuthIP IPsec Keying Modules
Name: KeyIso
displayname: CNG Key Isolation
Name: KtmRm
displayname: KtmRm for Distributed Transaction Coordinator
Name: LanmanWorkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: lmhosts
displayname: TCP/IP NetBIOS Helper
Name: MMCSS
displayname: Multimedia Class Scheduler
Name: MSSQL$QADVX
displayname: SQL Server (QADVX)
Name: Netman
displayname: Network Connections
Name: netprofm
displayname: Network List Service
Name: NlaSvc
displayname: Network Location Awareness
Name: nsi
displayname: Network Store Interface Service
Name: ntrtscan
displayname: OfficeScanNT RealTime Scan
Name: PcaSvc
displayname: Program Compatibility Assistant Service
Name: PlugPlay
displayname: Plug and Play
Name: Pml Driver HPZ12
displayname: Pml Driver HPZ12
Name: PolicyAgent
displayname: IPsec Policy Agent
Name: ProfSvc
displayname: User Profile Service
Name: RasMan
displayname: Remote Access Connection Manager
Name: Recovery Service for Windows
displayname: Recovery Service for Windows
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: SBSDWSCService
displayname: SBSD Security Center Service
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification Service
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: slsvc
displayname: Software Licensing
Name: Spooler
displayname: Print Spooler
Name: SQLBrowser
displayname: SQL Server Browser
Name: SQLWriter
displayname: SQL Server VSS Writer
Name: SSDPSRV
displayname: SSDP Discovery
Name: SstpSvc
displayname: Secure Socket Tunneling Protocol Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: SysMain
displayname: Superfetch
Name: TapiSrv
displayname: Telephony
Name: Themes
displayname: Themes
Name: tmlisten
displayname: OfficeScan NT Listener
Name: TmPfw
displayname: OfficeScan NT Firewall
Name: TrustedInstaller
displayname: Windows Modules Installer
Name: upnphost
displayname: UPnP Device Host
Name: UxSms
displayname: Desktop Window Manager Session Manager
Name: vsmon
displayname: TrueVector Internet Monitor
Name: W32Time
displayname: Windows Time
Name: WacomTouchService
displayname: Wacom Touch Service
Name: WdiSystemHost
displayname: Diagnostic System Host
Name: WerSvc
displayname: Windows Error Reporting Service
Name: WinDefend
displayname: Windows Defender
Name: WinHttpAutoProxySvc
displayname: WinHTTP Web Proxy Auto-Discovery Service
Name: Winmgmt
displayname: Windows Management Instrumentation
Name: Wlansvc
displayname: WLAN AutoConfig
Name: wscsvc
displayname: Security Center
Name: WSearch
displayname: Windows Search
Name: wuauserv
displayname: Windows Update
Name: wudfsvc
displayname: Windows Driver Foundation - User-mode Driver Framework


#2 rigel

Posted 09 March 2009 - 06:40 PM

Hi and welcome to BleepingComputer :thumbsup:

Please continue with MBAM

The process of cleaning your computer may require temporarily disabling some security programs. If you are using Spybot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 afodd1

Posted 09 March 2009 - 09:23 PM

Hi,
Thanks for the fast reply. :thumbsup:
I ran the Malwarebytes quick scan and it found nothing. Should I let the WinRAR files out of quarantine?




Malwarebytes' Anti-Malware 1.34
Database version: 1829
Windows 6.0.6001 Service Pack 1

09/03/2009 10:12:26 PM
mbam-log-2009-03-09 (22-12-26).txt

Scan type: Quick Scan
Objects scanned: 60637
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 rigel

Posted 09 March 2009 - 10:24 PM

Take a look here: Winrar.exe

Probably a false positive, but let's be sure.

Submit that file out of quarantine to: http://virusscan.jotti.org/

Let's see what the other scanners say. Please post back the findings.


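One check worth running before a flagged file goes back into use, as an added example that is not part of the thread: hash the file that was quarantined and compare it with a freshly downloaded copy of the same WinRAR version from the vendor, and look at its Authenticode signature. Anything that had actually modified WinRAR.exe (a file infector, for instance) would change the hash and invalidate the signature, so a byte-for-byte match with the vendor copy settles the question without waiting on other engines. The script below is illustrative PowerShell (3.0 or later); the reference path and the `Compare-SuspectBinary` and `Get-Sha256Hex` function names are assumptions of this example, not anything from Ad-Aware or WinRAR.

```powershell
# Added example (not from the thread): compare a file restored from AV quarantine
# against a fresh copy of the same version from the vendor, and check its signature.
# All paths and function names here are assumptions; substitute your own.

function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Uses .NET directly so it works on PowerShell versions without Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Compare-SuspectBinary {
    param(
        [Parameter(Mandatory=$true)][string]$Suspect,    # the file the scanner flagged
        [Parameter(Mandatory=$true)][string]$Reference   # a fresh vendor copy, same version
    )
    foreach ($p in @($Suspect, $Reference)) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
    }

    $suspectHash   = Get-Sha256Hex -Path $Suspect
    $referenceHash = Get-Sha256Hex -Path $Reference

    # Authenticode: a modified PE fails validation even if the certificate is still attached.
    $suspectSig   = Get-AuthenticodeSignature -FilePath $Suspect
    $referenceSig = Get-AuthenticodeSignature -FilePath $Reference
    $suspectSigner = $null
    if ($suspectSig.SignerCertificate) { $suspectSigner = $suspectSig.SignerCertificate.Subject }

    # Version resources: a differing hash is only meaningful if the versions are the same.
    $suspectVer   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Suspect)
    $referenceVer = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Reference)

    [pscustomobject]@{
        SuspectSha256      = $suspectHash
        ReferenceSha256    = $referenceHash
        HashesMatch        = ($suspectHash -eq $referenceHash)
        SuspectSize        = (Get-Item -LiteralPath $Suspect).Length
        ReferenceSize      = (Get-Item -LiteralPath $Reference).Length
        SuspectVersion     = $suspectVer.FileVersion
        ReferenceVersion   = $referenceVer.FileVersion
        SuspectSigStatus   = $suspectSig.Status
        SuspectSigner      = $suspectSigner
        ReferenceSigStatus = $referenceSig.Status
    }
}

# Usage (both paths are assumptions for this example).
$result = Compare-SuspectBinary -Suspect 'C:\Program Files\WinRAR\WinRAR.exe' `
                                -Reference 'C:\Users\AOD\Downloads\winrar-fresh\WinRAR.exe'
$result | Format-List

if ($result.HashesMatch) {
    'Byte-for-byte identical to the vendor copy: the detection is a false positive.'
} elseif ($result.SuspectSigStatus -eq 'Valid' -and $result.SuspectVersion -ne $result.ReferenceVersion) {
    'Different version but a valid signature: re-run against a reference of the matching version.'
} else {
    'Differs from the reference with no valid signature: treat as suspect and submit it for analysis.'
}
```

Submitting the file to a multi-engine service such as the jotti link above is still useful alongside this: it shows which engines agree with Ad-Aware, and a single vendor flagging a widely installed binary that other engines pass is the usual shape of a false positive.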

#5 victor2009dk


Posted 10 March 2009 - 12:13 AM

Hey there, I have the same problem with Ad-Aware. I have Malwarebytes' Anti-Malware and I did a quick scan and a full scan; nothing was found. However, I found that the virus came from that WinRAR, then I tried to uninstall it!

Then my Ad-Aware popped up, warning me there is a virus in the uninstall.exe itself. It asked me to block or allow; I blocked, of course. See here:

2009/03/09 20:45:30: C:\program files\winrar\uninstall.exe diagnosis: Malware family: Win32.Worm.Viking => Block

What I did: I removed all the WinRAR files from my PC and made sure that nothing was left behind, and I rescanned with Ad-Aware and Malwarebytes' Anti-Malware again to make sure it was gone. It seems it is gone, but the block on the WinRAR uninstall.exe didn't move. Shall I keep it blocked, or clear the rules?

I keep wondering where that virus came from, because I have high protection on my PC and I keep scanning my PC every day. I have these programs: Avast + AVG + Spybot Search & Destroy + SUPERAntiSpyware + Ad-Aware + Malwarebytes' Anti-Malware + SpywareBlaster, and I keep them updated all the time. I also use CCleaner to remove all junk, so I'd really like to know where it came from and how.

Edited by victor2009dk, 10 March 2009 - 01:00 AM.


#6 afodd1


Posted 10 March 2009 - 08:46 AM

Hi,
I'm having trouble locating the Ad-Aware quarantine. Any ideas on where it might be?

#7 afodd1


Posted 10 March 2009 - 09:29 AM

OK,
disregard that last comment. I restored the files out of quarantine and submitted them to http://virusscan.jotti.org/; none of those scanners found anything...

#8 rigel


Posted 10 March 2009 - 08:43 PM

So this looks like a false positive. You could submit that file to Trend for analysis.



#9 afodd1


Posted 11 March 2009 - 09:24 AM

OK, thanks for the help. I'll remember that virusscan.jotti.org site for future reference :thumbsup:
