
Trojan.Vundo.H Plus Other Issues


16 replies to this topic

#1 BluesAxe

Posted 04 April 2009 - 03:03 PM

While downloading a few files my AVG detected a few issues. The resident shield detected a few files and I cleaned them using AVG. After that, my computer started acting up. I ran Malwarebytes and it found a number of things mostly related to Trojan.Vundo.H and it says it removed them. Spybot also finds that my Security Center has been disabled and after repair Spybot still finds it disabled. I cannot restore to an earlier point and I also get redirected to a spamware site when I try to google a fix. I don't know where to go. Any help is greatly appreciated.
Compaq Presario SR1820NX
AMD Athlon 64 Processor 3400+
2.2 GHz, 1.43 GB Ram
?? Motherboard
160 GB HDD
Integrated NVIDIA GeForce 6150 LE
Networked in home with Linksys WRT54GL
Windows XP Home Edition SP3
Internet Explorer 7
Microsoft Office 2003 Outlook
AVG Free
Spybot
Malwarebytes' Anti-Malware

#2 Guest_Jay-P VIP_*


Posted 04 April 2009 - 03:29 PM

  • Please print these instructions as they will be needed later when Internet access is not available.
  • Save these instructions in word or notepad to the desktop where they can be easily found.
  • Download Vundo Fix and save it to your desktop.
  • When it has completed downloading, double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click the OK button.
  • When the computer has shutdown, turn your computer back on.
  • Please do a quick scan with MBAM, then post your results of the Vundo fix (did it go successfully?), and the log of MBAM.
...

#3 BluesAxe

Posted 04 April 2009 - 04:40 PM

Vundo fix did not find any infected files. Ran MBAM. Listed below are two MBAM Logs (one yesterday and one after the Vundo fix) and associated date/time. Also I get an error message from time to time that keeps coming up. It states "Windows - No Disk Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c". It happens when I try to run SpyBot (for sure) and others too. And I am still getting redirected at times when using IE7 on the internet.

MBAMs

Malwarebytes' Anti-Malware 1.35
Database version: 1939
Windows 5.1.2600 Service Pack 3

4/4/2009 4:30:11 PM
mbam-log-2009-04-04 (16-30-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175646
Time elapsed: 36 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.35
Database version: 1939
Windows 5.1.2600 Service Pack 3

4/3/2009 11:12:36 PM
mbam-log-2009-04-03 (23-12-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175133
Time elapsed: 42 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\Doug\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c84282bd-c6f1-4672-a70a-a6bfecedd71d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c84282bd-c6f1-4672-a70a-a6bfecedd71d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\namelenefi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inetchk (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nidle (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Doug\Application Data\nidle (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\nepebega.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\krbclick1.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vuzoluza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yehorewi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ms1238817387.exe (Trojan.Proxy) -> Delete on reboot.
C:\Documents and Settings\Doug\Application Data\nidle\nidle.exe (Trojan.Agent) -> Delete on reboot.

#4 DaChew (BC Advisor)
Posted 04 April 2009 - 05:00 PM

Vundofix for all practical purposes is useless with the newer infections; I haven't recommended it in over a year.

Now your infection

HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace)

is a dangerous newer variant that even MBAM cannot cure.

There's a rootkit that will have to be disabled for MBAM to possibly see and disinfect its associated files.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

You may have to rename the executable to get it to run.
Chewy

No. Try not. Do... or do not. There is no try.

#5 BluesAxe


Posted 04 April 2009 - 05:37 PM

Thanks for the response. Here is the gmer log.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-04 17:27:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8984C638 ZwEnumerateKey
Code 898B5638 ZwFlushInstructionCache
Code 8989981E IofCallDriver
Code 8960F75E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 89899823
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 8960F763
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 898B563C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 5 Bytes JMP 8984C63C
? tqhj.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetCloseHandle 7805DA59 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!HttpOpenRequestA 78064341 5 Bytes JMP 00CA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetConnectA 7806499A 5 Bytes JMP 00BE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetConnectW 78065B88 5 Bytes JMP 00BF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!HttpOpenRequestW 78065D62 5 Bytes JMP 00CB000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 00C7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 00C5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!HttpSendRequestW 78080825 5 Bytes JMP 00C9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetReadFileExW 78082AAA 5 Bytes JMP 00C4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetReadFileExA 78082AE2 5 Bytes JMP 00C3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!InternetSetStatusCallbackW 780BB098 5 Bytes JMP 00C6000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\ovfsthvatplfnkwmhaekcqedspmdpvpacawyli.sys (*** hidden *** ) B6936000-B694E000 (98304 bytes)

---- EOF - GMER 1.0.15 ----
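A small triage script for a GMER log like the one above, added here as an example and not code from GMER, BleepingComputer or anyone in this thread. It reads the log section by section and flags the hidden driver module, the kernel exports patched with an inline JMP, the driver whose file could not be found, and the user-mode WININET.dll hooks whose JMP targets GMER did not attribute to any module (for the IEFRAME.dll hooks it prints a backing module path). The sample input is an excerpt of the log posted in this thread; the finding category names are this example's own.

```python
"""Triage helper for GMER 1.0.15 rootkit-scan logs (added example, not GMER's code)."""
import re
from dataclasses import dataclass

# Excerpt of the GMER log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-04 17:27:53

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 89899823
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 5 Bytes JMP 8984C63C
? tqhj.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3856] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3856] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 00C7000A

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\ovfsthvatplfnkwmhaekcqedspmdpvpacawyli.sys (*** hidden *** ) B6936000-B694E000 (98304 bytes)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# e.g. ".text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 89899823"
KERNEL_HOOK_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(\S+)\s+[0-9A-F]{8}\s+\d+ Bytes\s+(?:JMP|CALL)\s+([0-9A-F]{8})")
# e.g. ".text <process>[pid] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 00C7000A <module?>"
USER_HOOK_RE = re.compile(
    r"^\.text\s+(.+?\[\d+\])\s+(\S+!\S+)\s+[0-9A-F]{8}\s+\d+ Bytes\s+JMP\s+([0-9A-F]{8})(.*)$")


@dataclass
class Finding:
    kind: str    # category name chosen for this example, not a GMER term
    detail: str  # what was flagged


def triage_gmer_log(text: str) -> list:
    """Walk the log and return the entries a helper would want a closer look at."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Kernel code sections":
            # "? driver.sys The system cannot find the file specified. !": loaded, but no file on disk
            if line.startswith("?") and "cannot find the file" in line:
                findings.append(Finding("missing_driver_file", line.split()[1]))
                continue
            m = KERNEL_HOOK_RE.match(line)
            if m:  # a kernel export patched with an inline jump to some other address
                findings.append(Finding("kernel_inline_hook", f"{m.group(1)} -> {m.group(2)}"))
        elif section == "User code sections":
            m = USER_HOOK_RE.match(line)
            # GMER appends the backing module path when the JMP target lies inside a known
            # module; an empty remainder means the hook lands in memory no module accounts for.
            if m and not m.group(4).strip():
                findings.append(Finding("unattributed_user_hook",
                                        f"{m.group(1)} {m.group(2)} -> {m.group(3)}"))
        elif section == "Modules" and "*** hidden ***" in line:
            findings.append(Finding("hidden_module", line.split()[1]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. {'hidden_module': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_gmer_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:24} {f.detail}")
    print(summarize(results))
```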

#6 DaChew (BC Advisor)

Posted 04 April 2009 - 06:16 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#7 BluesAxe


Posted 04 April 2009 - 10:33 PM

Wow. After almost 4 hours, Dr. Web has the following report.

RegUBP2b-Doug.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
0-freeripmp3.exe\data012;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip\0-freeripmp3.exe;Adware.MyWay;;
0-freeripmp3.exe\data013;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip\0-freeripmp3.exe;Adware.MyWay;;
0-freeripmp3.exe\data014;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip\0-freeripmp3.exe;Adware.MyWay;;
0-freeripmp3.exe;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip;Archive contains infected objects;Moved.;
freeripmp3.exe\data012;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip\freeripmp3.exe;Adware.MyWay;;
freeripmp3.exe\data015;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip\freeripmp3.exe;Adware.MyWay;;
freeripmp3.exe\data017;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip\freeripmp3.exe;Adware.MyWay;;
freeripmp3.exe;C:\Documents and Settings\Doug\My Documents\My Programs\Free Rip;Archive contains infected objects;Moved.;
WxBugSetup6.07.0.20.EXE/data013\data001;C:\Documents and Settings\Doug\My Documents\My Programs\WeatherBug\WxBugSetup6.07.0.20.EXE/data013;Adware.Msearch;;
WxBugSetup6.07.0.20.EXE/data013\data002;C:\Documents and Settings\Doug\My Documents\My Programs\WeatherBug\WxBugSetup6.07.0.20.EXE/data013;Adware.Websearch;;
WxBugSetup6.07.0.20.EXE/data013\data005;C:\Documents and Settings\Doug\My Documents\My Programs\WeatherBug\WxBugSetup6.07.0.20.EXE/data013;Adware.Msearch;;
data013;C:\Documents and Settings\Doug\My Documents\My Programs\WeatherBug;Container contains infected objects;;
WxBugSetup6.07.0.20.EXE;C:\Documents and Settings\Doug\My Documents\My Programs\WeatherBug;Archive contains infected objects;Moved.;
253053%3BBnId%3D1%3Bitime%3D20527355%3Bkvmn%3D93233933%3Bkvtid%3D14sf34l0s8l6jm%3Bkvseg%3D99999%3A61752%3A50798%3A50215%3Bnodec;C:\Documents and Settings\Nicky\Local Settings\Temporary Internet Files\Content.IE5\16DF53BE;Win32.HLLM.Graz;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach;Archive contains infected objects;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach;Archive contains infected objects;Moved.;

What do ya see?

#8 DaChew (BC Advisor)

Posted 04 April 2009 - 10:42 PM

Let's update MBAM and run a quick scan

#9 BluesAxe


Posted 04 April 2009 - 10:57 PM

Updated and ran a quick scan. No problems found. Still having issues though.

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3

4/4/2009 10:54:54 PM
mbam-log-2009-04-04 (22-54-54).txt

Scan type: Quick Scan
Objects scanned: 89560
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 DaChew (BC Advisor)

Posted 04 April 2009 - 11:01 PM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#11 BluesAxe


Posted 05 April 2009 - 09:02 AM

Here is the SUPERAntiSpyware log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/05/2009 at 04:01 AM

Application Version : 4.26.1000

Core Rules Database Version : 3829
Trace Rules Database Version: 1785

Scan type : Complete Scan
Total Scan Time : 04:43:00

Memory items scanned : 200
Memory threats detected : 0
Registry items scanned : 6063
Registry threats detected : 0
File items scanned : 71320
File threats detected : 2

Trojan.Fake-Alert/Trace
C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\fbk.sts

Adware.Tracking Cookie
C:\Documents and Settings\Doug\Cookies\doug@ads.bleepingcomputer[2].txt

#12 DaChew (BC Advisor)

Posted 05 April 2009 - 09:25 AM

What's the status of your original problems, any progress there?

#13 BluesAxe


Posted 05 April 2009 - 09:48 AM

Still have same issues and now I have a Spybot message that has just started coming up.

spybot S&D has encountered and terminated a process that is listed as part of a malicious software.

Process: 2628
filename: frmwrk.exe
found: c:/windows/system32
identified: virtumond.sdn

It is now changing my desktop.

#14 BluesAxe


Posted 05 April 2009 - 09:53 AM

Now a blank Spybot window keeps popping up and my mouse is frozen. The desktop has turned red in color.

#15 BluesAxe


Posted 05 April 2009 - 09:58 AM

All I can do now is reboot. Safe or normal?



