
Badly Infected with WinPC Defender-Please help


This topic is locked
15 replies to this topic

#1 Johnny Computer

Posted 10 April 2009 - 09:16 AM

Hello-- I have a laptop that is infected with WinPC Defender. It has several of the symptoms listed on the BleepingComputer homepage. It has the WinPC Defender "program" showing up with fake firewall warnings and virus threats. I believe the browser is hijacked as well because when I attempted to download Malwarebytes (I googled Malwarebytes and clicked on the result for its homepage) the browser just shuts down. I then downloaded Malwarebytes and HijackThis from a different, uninfected computer onto a flash drive, copied them to the infected computer and tried to install the programs. Malwarebytes will let me get to the first step of installation where it asks you to choose the setup language....but after I choose English and click "OK" the window just closes and the installation will not continue. When I attempted to install HijackThis nothing at all happens. I just click on the .exe for HijackThis and nothing happens. It was suggested to me to try changing the file name, so I redownloaded from a safe computer, changed the file names, and tried to run them on the infected computer with the same results for both programs. I have no logs to post because I cannot get the programs installed. Can you help me with this issue?? As always, thank you for your time and help.

"DO OR DO NOT. THERE IS NO TRY."




#2 garmanma

Posted 10 April 2009 - 07:50 PM

If mbam won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Johnny Computer

Posted 11 April 2009 - 10:29 AM

Hello garmanma-- Thank you for your response to my help request....Your time and help is very much appreciated. I followed the instructions you gave. Here is what I did

1.) I downloaded Malwarebytes from a non infected computer onto a flash drive. I renamed the file at the time of download and also changed the file extension as you instructed.

2.) I then copied the newly renamed file to the infected computer and attempted to install it. I had the same result as I did in my original e-mail. I was able to get to the first step in the install process where it asks for language preference....I selected English, clicked OK, and the program just shuts down.

3.) I tried the above procedure for each of the suggested file extensions with the same results.

4.) I also tried just renaming the file without changing the file extension with the same results.

Any help you could provide in resolving this issue would be very much appreciated. Thanks in advance for your time and help.



#4 garmanma

Posted 11 April 2009 - 08:18 PM

Let's try the same thumb drive procedure with SAS
--------------------


SAS may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by garmanma, 11 April 2009 - 08:18 PM.

Mark

#5 Johnny Computer

Posted 12 April 2009 - 01:10 PM

Hello garmanma-- I followed your instructions in regards to SUPERAntiSpyware. It worked for removing the WinPC Defender issue as well as numerous other infections. I do believe the system is still infected with Trojan: Generic 1521988 (this is the description BitDefender gives it when it catches it). The reason I am thinking there is still an infection is because every time I plug my thumb drive into the infected computer and then plug it back into my non-infected computer and scan the thumb drive, BitDefender catches this infection. I am sure the thumb drive is clean after unplugging it from my non-infected computer because I scan it again after removing the infection to make sure it is clean before plugging it back in to the infected system. Also, Malwarebytes and HijackThis still will not install even after name and file extension changes. I attached the SUPERAntiSpyware log below as you requested. Any further help you could provide in making sure this system is clean would be very much appreciated.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2009 at 09:44 AM

Application Version : 4.26.1000

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 01:53:13

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 4424
Registry threats detected : 11
File items scanned : 28731
File threats detected : 12

Rogue.WinPCDefender
[sysav] C:\DOCUMENTS AND SETTINGS\CHUCK\APPLICATION DATA\PCDEFENDER.EXE
C:\DOCUMENTS AND SETTINGS\CHUCK\APPLICATION DATA\PCDEFENDER.EXE
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run#sysav [ C:\Documents and Settings\Chuck\Application Data\pcdefender.exe ]
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Software\WinPC Defender
C:\Documents and Settings\Chuck\Desktop\WinPC Defender.LNK
C:\Documents and Settings\Chuck\Start Menu\WinPC Defender.LNK
C:\WINDOWS\Prefetch\PCDEFENDER.EXE-3AA987C3.pf

Trojan.Unknown Origin
[dll] C:\WINDOWS\SYSTEM32\DLL32.DLL
C:\WINDOWS\SYSTEM32\DLL32.DLL
HKLM\System\ControlSet001\Services\bc3575346bc2283f02eb4f01da938956
C:\WINDOWS\SYSTEM32\BC3575346BC2283F02EB4F01DA938956.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956
HKLM\System\ControlSet003\Services\bc3575346bc2283f02eb4f01da938956
HKLM\System\ControlSet003\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956
HKLM\System\CurrentControlSet\Services\bc3575346bc2283f02eb4f01da938956
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Control Panel\don't load#wscui.cpl [ No ]

Trojan.WinBo32
C:\WINDOWS\SYSTEM32\COMBOPLUSCTL.OCX

Adware.Vumer
C:\WINDOWS\SYSTEM32\MUKMIL.DLL

Adware.Vundo/Variant-BHONew
C:\WINDOWS\IEOCX.DLL

Trojan.Dropper/Win-NV
C:\WINDOWS\LD03.EXE
C:\WINDOWS\FREDDY40.EXE

Trojan.Agent/Gen-Dropper
C:\WINDOWS\MSTRE15.EXE



#6 garmanma

Posted 12 April 2009 - 05:50 PM

Have you tried to get into Safe mode w/networking?
Mark

#7 Johnny Computer

Posted 13 April 2009 - 08:37 AM

Hello Again Garmanma-- I do not have any trouble getting into regular safe mode. That is how I was able to get SAS installed. Here are my remaining problems:

1.) I can not get MBAM or Hijackthis to install even in safe mode with or without changing the filename and/or extension.

2.) The majority of the infections were eliminated by the SAS scan but I am still having 2 issues:

A.) Every time I run SAS I am getting this result....even after scanning and cleaning.... "Rogue XP AntiSpyware 2009" with a registry key listing in the details section. If I clean this it just comes back next time I run the scan.

B.) Every time I plug my thumb drive into the infected computer and then plug it into my non-infected computer my BitDefender scanner catches this trojan: "Trojan: Generic 1521988" (this is the description BitDefender gives it when it catches it). After cleaning the thumb drive and rescanning it shows it's clean. I then re-plug into the infected computer, unplug and re-plug into the non-infected computer, and the trojan shows up again on BitDefender. So the infected computer must still be infected with this trojan.

Any help you could provide in getting MBAM and HijackThis installed on this system as well as removing the remaining 2 infections would be greatly appreciated. You have helped me get rid of 22 of the 21 viruses on this system and I would really like to get it completely clean if possible. I have attached an SAS log that should show the "Rogue spyware" detection and removal. Again, thank you very much for your time and help.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2009 at 10:11 PM

Application Version : 4.26.1000

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 01:56:35

Memory items scanned : 260
Memory threats detected : 0
Registry items scanned : 4429
Registry threats detected : 1
File items scanned : 28890
File threats detected : 0

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Control Panel\don't load#wscui.cpl [ No ]



#8 garmanma

Posted 13 April 2009 - 03:20 PM

Plug in the thumb drive while holding down the shift key

Please download
Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Then run Dr Web Cure It

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Mark

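As an added example (this is not Flash_Disinfector and not code from this thread), here is a PowerShell script that applies the idea described in the post above from the clean computer: it reports any removable drive that carries an autorun.inf file, prints the launch lines from that file without running anything, and with -Protect reserves the name with a hidden, system folder so a file of that name cannot be written to the root. It assumes Windows PowerShell with WMI available; the function names and the -Protect switch are mine.

```powershell
# Added example, not Flash_Disinfector: audit removable drives for an
# autorun.inf file and optionally reserve the name with a folder.
# Run from the clean computer with the drive inserted (Shift held).
param([switch]$Protect)

# Removable drives only (DriveType 2); fixed disks are left alone.
function Get-RemovableRoots {
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

# Returns 'absent', 'folder' (already protected) or 'file' (indicator of infection).
function Test-AutorunInf {
    param([string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return 'absent' }
    if ($item.PSIsContainer) { return 'folder' }
    # Show only the lines that would make Windows launch something; nothing is executed.
    Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
        ForEach-Object { Write-Warning "  $path : $_" }
    return 'file'
}

# Same trick the post describes: a folder named autorun.inf blocks a file of that name.
function Protect-Root {
    param([string]$Root)
    $dir = New-Item -Path (Join-Path $Root 'autorun.inf') -ItemType Directory
    $dir.Attributes = [System.IO.FileAttributes]'Directory, Hidden, System, ReadOnly'
}

foreach ($root in Get-RemovableRoots) {
    switch (Test-AutorunInf -Root $root) {
        'file' {
            Write-Warning "$root carries an autorun.inf file: scan this drive before using it elsewhere."
        }
        'folder' {
            Write-Output "$root is already protected (autorun.inf folder present)."
        }
        'absent' {
            if ($Protect) {
                Protect-Root -Root $root
                Write-Output "$root protected."
            } else {
                Write-Output "$root has no autorun.inf; rerun with -Protect to reserve the name."
            }
        }
    }
}
```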
#9 Johnny Computer

Posted 13 April 2009 - 07:07 PM

Thanks again for your help garmanma. Should I plug the thumb drive into the infected or uninfected computer and perform the actions you instructed me to??



#10 garmanma

Posted 14 April 2009 - 05:43 PM

Do it on the clean computer
You can then use it safely between the 2 computers
Mark

#11 Johnny Computer

Posted 15 April 2009 - 11:04 AM

Hello-- I followed all your instructions for cleaning my thumb drive. It appears to be ok now. I posted the Dr. Web Cure It log below as you requested. How does it look?? Thanks again for your time and help.


psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Incurable.Moved.;
cakemania-setup.exe/data032\data002;D:\hp\apps\APP29918\src\install\games\cakemania-setup.exe/data032;Adware.SpywareStorm;;
data032;D:\hp\apps\APP29918\src\install\games;Archive contains infected objects;;
cakemania-setup.exe;D:\hp\apps\APP29918\src\install\games;Archive contains infected objects;Moved.;



#12 garmanma

Posted 15 April 2009 - 04:33 PM

Let's see if we can get Mbam to run now
If you can at least get it downloaded to the computer, let me know via PM
Mark

#13 Johnny Computer

Posted 16 April 2009 - 08:14 AM

Hello Again Garmanma-- Thanks again in advance for your time and help. I was able to get MBAM and HijackThis to load and update on the infected computer (this was quite a trick....lol). I found numerous viruses including Koobface and Vundo. I have posted SAS, MBAM, and HijackThis logs below. Could you please take a look and tell me how things look. Thanks again Garmanma.

MBAM INFECTED LOG:

Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 2

4/15/2009 10:30:19 AM
mbam-log-2009-04-15 (10-30-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 30259
Time elapsed: 22 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: olepexp2.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\olepexp2.dll (Trojan.Vundo.H) -> Delete on reboot.


MBAM Log-Still Infected

Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 2

4/15/2009 4:15:31 PM
mbam-log-2009-04-15 (16-15-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 94050
Time elapsed: 3 hour(s), 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msmark2.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2809f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2784f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2810f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2829f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2803f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.


MBAM Log- Clean??

Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 2

4/15/2009 7:41:41 PM
mbam-log-2009-04-15 (19-41-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 95107
Time elapsed: 54 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SAS Log- Infected

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2009 at 09:44 AM

Application Version : 4.26.1000

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 01:53:13

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 4424
Registry threats detected : 11
File items scanned : 28731
File threats detected : 12

Rogue.WinPCDefender
[sysav] C:\DOCUMENTS AND SETTINGS\CHUCK\APPLICATION DATA\PCDEFENDER.EXE
C:\DOCUMENTS AND SETTINGS\CHUCK\APPLICATION DATA\PCDEFENDER.EXE
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run#sysav [ C:\Documents and Settings\Chuck\Application Data\pcdefender.exe ]
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Software\WinPC Defender
C:\Documents and Settings\Chuck\Desktop\WinPC Defender.LNK
C:\Documents and Settings\Chuck\Start Menu\WinPC Defender.LNK
C:\WINDOWS\Prefetch\PCDEFENDER.EXE-3AA987C3.pf

Trojan.Unknown Origin
[dll] C:\WINDOWS\SYSTEM32\DLL32.DLL
C:\WINDOWS\SYSTEM32\DLL32.DLL
HKLM\System\ControlSet001\Services\bc3575346bc2283f02eb4f01da938956
C:\WINDOWS\SYSTEM32\BC3575346BC2283F02EB4F01DA938956.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956
HKLM\System\ControlSet003\Services\bc3575346bc2283f02eb4f01da938956
HKLM\System\ControlSet003\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956
HKLM\System\CurrentControlSet\Services\bc3575346bc2283f02eb4f01da938956
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_bc3575346bc2283f02eb4f01da938956

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1482476501-1935655697-854245398-1003\Control Panel\don't load#wscui.cpl [ No ]

Trojan.WinBo32
C:\WINDOWS\SYSTEM32\COMBOPLUSCTL.OCX

Adware.Vumer
C:\WINDOWS\SYSTEM32\MUKMIL.DLL

Adware.Vundo/Variant-BHONew
C:\WINDOWS\IEOCX.DLL

Trojan.Dropper/Win-NV
C:\WINDOWS\LD03.EXE
C:\WINDOWS\FREDDY40.EXE

Trojan.Agent/Gen-Dropper
C:\WINDOWS\MSTRE15.EXE


SAS Log- Still Infected

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/13/2009 at 10:48 AM

Application Version : 4.26.1000

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 02:18:23

Memory items scanned : 504
Memory threats detected : 1
Registry items scanned : 4439
Registry threats detected : 1
File items scanned : 29006
File threats detected : 2

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\FDFEABECDAF.DLL
C:\WINDOWS\SYSTEM32\FDFEABECDAF.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\fdfeabecdaf
C:\SYSTEM VOLUME INFORMATION\_RESTORE{50F3625E-B1B4-43B7-AD49-6B7C5D4138F4}\RP166\A0085231.DLL


SAS Log- Clean??


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2009 at 01:32 AM

Application Version : 4.26.1000

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 05:46:07

Memory items scanned : 492
Memory threats detected : 0
Registry items scanned : 4443
Registry threats detected : 0
File items scanned : 36972
File threats detected : 0


Thanks again for all the help Garmanma!!

Edited by Orange Blossom, 17 April 2009 - 01:40 PM.
HJT log deleted. ~ OB


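As an added example (not a tool from this thread), a report-only PowerShell audit of the registry locations the MBAM and SAS logs above show being abused: the Control Panel "don't load" value that hid wscui.cpl, the Security Center DisableNotify switches, a Run entry pointing into Application Data, a Winlogon Notify package (fdfeabecdaf) and an extra LSA Notification Packages entry (olepexp2.dll). The function names are mine, and the baseline list of Winlogon Notify names is my recollection of the XP SP2 defaults, so it is an assumption: treat a hit as something to review, not as proof of infection.

```powershell
# Added example: report-only audit of the registry locations abused in the logs above.
# Run in an elevated Windows PowerShell; nothing is modified.

function Find-HiddenControlPanelApplets {
    # "don't load" hides Control Panel applets; wscui.cpl is the Security Center.
    $key = 'HKCU:\Control Panel\don''t load'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -like '*.cpl' } |
        ForEach-Object { "Hidden Control Panel applet: $($_.Name) = $($_.Value)" }
}

function Find-SecurityCenterSuppression {
    # A value of 1 silences the corresponding Security Center warning.
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($props.$name -eq 1) { "Security Center notification suppressed: $name = 1" }
    }
}

function Find-ProfileRunEntries {
    # Autostart commands living in the user's data directories, like the rogue's
    # "sysav" entry that pointed at Application Data\pcdefender.exe.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       $_.Value -match '\\(Application Data|AppData|Local Settings|Temp)\\' } |
        ForEach-Object { "Run entry in profile directory: $($_.Name) -> $($_.Value)" }
}

function Find-UnknownWinlogonNotify {
    # Assumed XP SP2 baseline; anything else deserves a look (Vundo used "fdfeabecdaf").
    $baseline = 'crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon'
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    Get-ChildItem -LiteralPath $key |
        Where-Object { $baseline -notcontains $_.PSChildName } |
        ForEach-Object {
            $dll = (Get-ItemProperty -LiteralPath $_.PSPath).DllName
            "Winlogon Notify package not in baseline: $($_.PSChildName) -> $dll"
        }
}

function Find-ExtraLsaNotificationPackages {
    # REG_MULTI_SZ; the stock entry is scecli (rassfm on domain controllers).
    # MBAM found olepexp2.dll added here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = @((Get-ItemProperty -LiteralPath $key).'Notification Packages')
    $packages |
        Where-Object { $_ -and (('scecli', 'rassfm') -notcontains $_) } |
        ForEach-Object { "Extra LSA Notification Package: $_" }
}

$findings = @(
    Find-HiddenControlPanelApplets
    Find-SecurityCenterSuppression
    Find-ProfileRunEntries
    Find-UnknownWinlogonNotify
    Find-ExtraLsaNotificationPackages
)

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found in the audited locations.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```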

#14 Johnny Computer

Posted 16 April 2009 - 06:09 PM

I was also able to get Cure It to Install if you want me to run that scan as well.



#15 garmanma

Posted 16 April 2009 - 06:57 PM

I was going to recommend you do a HJT scan
The only problem is this is not the correct forum to post the log
I'm closing this post. Please follow this message and post your log in the correct forum
Good luck

-------------------------



Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Edited by garmanma, 16 April 2009 - 06:58 PM.

Mark
