
xp" No icons or Start. (Blank screen)


  • This topic is locked
24 replies to this topic

#1 donsd

Posted 14 June 2009 - 12:44 PM

Startup loads through "Loading Personal settings", then nothing. I can get to Safe Mode and connect to Internet.

I cannot cut and paste so will summarize. I had to run dds from command line. I got errors "EDS.EXE Can't
read startup", "Could Not Find C:\DOC"

After dds runs, popup, "sort utility needs to close". Attach.txt is empty.

============================
I cannot paste, so will try to attach log file.
============================

Any help is greatly appreciated.

Don

Attached Files

  • Attached File  DDS.txt   11.01KB   15 downloads



#2 sempai

Posted 22 June 2009 - 05:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 donsd

Posted 22 June 2009 - 08:38 PM

Thank you for helping. I've attached a new dds.txt file and an empty attach.txt file.

Don

Attached Files


Edited by donsd, 23 June 2009 - 08:32 AM.


#4 sempai

Posted 24 June 2009 - 07:28 AM

Hello donsd,

1. Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case utorrent / FrostWire).

These programmes allow files to be shared between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


2. One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please follow the next instructions if you decided that we do the cleaning process:


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we can continue cleaning the system.
Dex :thumbup2:

~Semp



#5 donsd

Posted 25 June 2009 - 11:19 AM

Hi sempai, thanks for helping.

FYI, I did not get email notification or I would have replied sooner.

1. I ran combofix, but did not see any indication of a text file. It
definitely is not in c:\ or desktop.

2. Combo asked if I was running home edition. I clicked no because
I didn't know. My notes say XP Media Center Edition. This is a Dell
computer for home use only.

3. I ran Combo twice because I could not find the text file. The first time
it said Recovery Console was successfully installed and gave me a
list of files, which I noted. Second time said it detected presence of
rootkit activity and needed to reboot.

4. Both times machine booted to blank screen. (Same as my original
problem.)

I renamed Combofix AFTER I saved. Does that make a difference?
I am working in Safe Mode and the file was saved to C:\downloads. I
then copied to Desktop and renamed to Combo-Fix.exe.

I will attach new DDS log.

I cannot cut and paste so if you require detailed feedback from me,
would it be possible to send to an email address?

Regards,

Don

Attached Files

  • Attached File  DDS.txt   12.26KB   11 downloads


#6 sempai

Posted 27 June 2009 - 08:39 AM

Hi Don,

> FYI, I did not get email notification or I would have replied sooner.

On the upper right portion click Options>Track this topic then choose Immediate Email Notification and then click Proceed.


1. We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".

    :services
    avast!Antivirus
    avast!avscontrolservice
    :files
    c:\windows\system32\sdra64.exe
    c:\windows\system32\sysloc\sysloc.dll
    c:\windows\system32\twunk_32.exe
    c:\windows\ld08.exe
    c:\windows\9g2234wesdf3dfgjf23
    c:\windows\ro122730.dat
    c:\windows\system32\sysloc
    c:\windows\system32\sft.res
    c:\windows\system32\msxml71.dll
    C:\xbmqgeyn.exe
    c:\windows\ld08.exe
    c:\windows\system32\lowsec
    c:\docume~1\donrud~1\applic~1\inst.exe
    c:\windows\system32\avast!avscontrolservice.exe
    c:\windows\system32\avast!Antivirus.exe
    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
    "{ecdee021-0d17-467f-a1ff-c7a115230949CLSID}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{af69de43-7d58-4638-b6fa-ce66b5ad205d}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{0BF43445-2F28-4351-9252-17FE6E806AA0}"="-
    "{ecdee021-0d17-467f-a1ff-c7a115230949}"="-
    "{ef99bd32-c1fb-11d2-892f-0090271d4f88CLSID}"="-
    [-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
    :commands
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
2. Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.

alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


Regards,
Dex :thumbup2:

~Semp



#7 donsd

Posted 27 June 2009 - 10:44 AM

> On the upper right portion click Options>Track this topic then choose Immediate
> Email Notification and then click Proceed.

Error message tells me I am already subscribed. Still no email message, however.

> If you have a previous version of MBAM, remove it via Add/Remove Programs
> and download a fresh copy.

I do not know how to do that in Safe Mode. The version on my computer is dated
5/26/09 and is 1254 kb. I will move the exe file to Desktop and try running, but will
submit the OTM log first.


Don

========== SERVICES/DRIVERS ==========

Service\Driver avast!Antivirus deleted successfully.

Service\Driver avast!avscontrolservice deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\sdra64.exe not found.
File/Folder c:\windows\system32\sysloc\sysloc.dll not found.
c:\windows\system32\TWUNK_32.EXE moved successfully.
c:\windows\ld08.exe moved successfully.
c:\windows\9g2234wesdf3dfgjf23 moved successfully.
c:\windows\ro122730.dat moved successfully.
c:\windows\system32\sysloc moved successfully.
c:\windows\system32\sft.res moved successfully.
c:\windows\system32\msxml71.dll unregistered successfully.
c:\windows\system32\msxml71.dll moved successfully.
C:\xbmqgeyn.exe moved successfully.
File/Folder c:\windows\ld08.exe not found.
c:\windows\system32\lowsec moved successfully.
c:\docume~1\donrud~1\applic~1\inst.exe moved successfully.
File/Folder c:\windows\system32\avast!avscontrolservice.exe not found.
c:\windows\system32\avast!Antivirus.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{ecdee021-0d17-467f-a1ff-c7a115230949CLSID} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ecdee021-0d17-467f-a1ff-c7a115230949CLSID}\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{af69de43-7d58-4638-b6fa-ce66b5ad205d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{af69de43-7d58-4638-b6fa-ce66b5ad205d}\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\"{0BF43445-2F28-4351-9252-17FE6E806AA0}"|"- /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\"{ecdee021-0d17-467f-a1ff-c7a115230949}"|"- /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\"{ef99bd32-c1fb-11d2-892f-0090271d4f88CLSID}"|"- /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
========== COMMANDS ==========

OTM by OldTimer - Version 3.0.0.2 log created on 06272009_075358
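
Added example (not part of the original thread, and not OTM's own code): one way to triage an OTM result log like the one in post #7, in Python. It groups each target's outcomes, then lists targets that were never found and registry lines logged as "value set", which record a write rather than a removal; the sample log is a constructed excerpt and the function names are hypothetical.

```python
import re

# Constructed sample: shortened excerpt in the layout of the OTM log in post #7.
SAMPLE_OTM_LOG = r"""
========== SERVICES/DRIVERS ==========
Service\Driver avast!Antivirus deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\sdra64.exe not found.
c:\windows\ld08.exe moved successfully.
c:\windows\system32\msxml71.dll unregistered successfully.
c:\windows\system32\msxml71.dll moved successfully.
File/Folder c:\windows\ld08.exe not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\"{0BF43445-2F28-4351-9252-17FE6E806AA0}"|"- /E : value set successfully!
========== COMMANDS ==========
"""

SECTION_RE = re.compile(r"^=+ ([A-Z/]+) =+$")
LINE_RE = re.compile(
    r"^(?:File/Folder |Service\\Driver |Registry key |Registry value )?"
    r"(?P<target>.+?)(?: :)? "
    r"(?P<verb>not found\.|deleted successfully\.|moved successfully\.|"
    r"unregistered successfully\.|value set successfully!)$"
)
OUTCOME = {
    "not found.": "absent",
    "deleted successfully.": "deleted",
    "moved successfully.": "moved",
    "unregistered successfully.": "unregistered",
    "value set successfully!": "written",
}


def parse_otm_log(text):
    """Return one dict per result line: section, target and outcome."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        match = LINE_RE.match(line)
        if match:
            entries.append({
                "section": section,
                "target": match.group("target"),
                "outcome": OUTCOME[match.group("verb")],
            })
    return entries


def follow_up(entries):
    """List targets that still need a manual check after the script ran."""
    outcomes = {}
    for entry in entries:
        outcomes.setdefault(entry["target"].lower(), []).append(entry["outcome"])
    report = {"written": [], "never_found": []}
    for target, seen in outcomes.items():
        if "written" in seen:
            # A value was set, so the registry entry still exists.
            report["written"].append(target)
        elif all(o == "absent" for o in seen):
            # Never found at all. A path listed twice in the script and moved
            # the first time (ld08.exe here) is not reported.
            report["never_found"].append(target)
    return report


if __name__ == "__main__":
    result = follow_up(parse_otm_log(SAMPLE_OTM_LOG))
    for kind, targets in result.items():
        for target in targets:
            print(f"{kind}: {target}")
```

A path reported as never found can still be referenced from an autostart entry, so it is worth checking against later scan logs.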

#8 sempai

Posted 27 June 2009 - 11:49 AM

Hi,

> > On the upper right portion click Options>Track this topic then choose Immediate
> > Email Notification and then click Proceed.
>
> Error message tells me I am already subscribed. Still no email message, however.


Try to unsubscribe first, to do this click the my controls tab at the top, then under subscription click view topics. Put a check mark on the topic that you want to unsubscribe then click unsubscribe with selected.

Then try subscribing again by clicking Options>Track this topic then choose Immediate Email Notification and then click Proceed.


> If you have a previous version of MBAM, remove it via Add/Remove Programs
> and download a fresh copy.

This is only optional if you already have or installed MBAM previously. Click start>Control panel>Add remove programs and from there you can remove a program that you need to uninstall.

Dex :thumbup2:

==============
Reason for edit: Typos

Edited by sempai, 27 June 2009 - 11:57 AM.

~Semp



#9 donsd

Posted 27 June 2009 - 12:27 PM

> Click start>Control panel>Add remove programs and from there you can
> remove a program that you need to uninstall.

Dex/Sempai,

Am I misunderstanding something? As I keep saying, I am in Safe Mode. I do not
know how to do above instructions in Safe Mode.

Don

#10 sempai

Posted 27 June 2009 - 01:05 PM

Hi,

Did you successfully install MBAM? Just after you have installed MBAM, update it then run a full or quick scan.

~Semp



#11 donsd

Posted 28 June 2009 - 08:51 AM

I was not able to update malwarebytes. I have to admit I did not see the instructions on downloading and then running mbam-rules.exe. I will try that next. I tried a quick scan
and it ran! :thumbup2:

I'm on another computer. Will send log in a few minutes.

Don

#12 sempai

Posted 28 June 2009 - 08:56 AM

Hi,

No worries, it is important that you update it first before scanning. Is there any reason why you can't update it?

With regards,
Dex :thumbup2:

~Semp



#13 donsd

Posted 28 June 2009 - 09:06 AM

When I tried to update yesterday I got message saying computer could not connect. Said something
about firewall. I tried disconnecting router and running cable from modem directly to computer
but then could not connect to Internet. I spent much time last night trying to figure out how to get
the update to work and gave up. This morning I decided to try running quick scan and get back to you.

I will try running update again and report error message. Here is the log from unupdated malwarebytes:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/28/2009 6:44:40 AM
mbam-log-2009-06-28 (06-44-40).txt

Scan type: Quick Scan
Objects scanned: 91957
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\qaccess.tchongabho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e524163-8d00-46f3-b239-1f42d48c8ed0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{b6a807n6-42df-4w02-93e5-b156b3fa8al1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3cbe5399-8d3d-481c-95b2-e7ba1a57bc1d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Temp\UACb878.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\don rudolph\favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\don rudolph\favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\don rudolph\favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN13.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN14.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN16.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN19.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN20.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN21.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN22.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN23.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
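
Added example (not part of the original thread, and not Malwarebytes' code): a Python check for an MBAM log like the one in post #13. It compares the declared counts with the lines actually pasted, extracts the extra program chained onto the Winlogon Userinit value, and lists findings in autostart locations; the sample log is a constructed excerpt and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: shortened excerpt in the layout of the log in post #13.
# "Files Infected: 39" is kept from the full log although only 3 lines follow.
SAMPLE_LOG = r"""
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 39

Registry Keys Infected:
HKEY_CLASSES_ROOT\qaccess.tchongabho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Temp\UACb878.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(.+?) \(([A-Za-z]+\.[A-Za-z.]+)\) -> (.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((.*?)\) Good: \((.*?)\)")

# Autostart locations that appear in the posted log (lower-cased substrings).
AUTOSTART_MARKERS = (
    "\\currentversion\\run\\", "\\winlogon\\userinit",
    "\\currentcontrolset\\services\\", "\\windows\\tasks\\",
    "\\active setup\\installed components\\",
)


def parse_mbam_log(text):
    """Return (declared count per section, list of detected items)."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        summary = SUMMARY_RE.match(line)
        header = HEADER_RE.match(line)
        item = ITEM_RE.match(line)
        if summary:
            declared[summary.group(1)] = int(summary.group(2))
        elif header:
            section = header.group(1)
        elif item and section:
            items.append({"section": section, "target": item.group(1),
                          "family": item.group(2), "result": item.group(3)})
    return declared, items


def count_mismatches(declared, items):
    """Sections whose listed items differ from the declared count."""
    listed = Counter(i["section"] for i in items)
    return {s: (n, listed[s]) for s, n in declared.items() if listed[s] != n}


def userinit_extras(items):
    """Programs chained onto Userinit besides userinit.exe itself."""
    extras = []
    for item in items:
        match = BAD_GOOD_RE.search(item["result"])
        if not match or not item["target"].lower().endswith("\\winlogon\\userinit"):
            continue
        for entry in match.group(1).split(","):
            name = entry.strip().lower().rsplit("\\", 1)[-1]
            if name and name != "userinit.exe":
                extras.append(entry.strip())
    return extras


def autostart_findings(items):
    """(family, target) pairs for detections in autostart locations."""
    return [(i["family"], i["target"]) for i in items
            if any(m in i["target"].lower() for m in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    declared_counts, found = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(declared_counts, found))
    print("userinit extras:", userinit_extras(found))
    print("autostart findings:", autostart_findings(found))
```

A count mismatch usually means the log was pasted incompletely, so ask for the full file before deciding the next step.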

#14 donsd

Posted 28 June 2009 - 09:11 AM

When I try to update:

"Update failed. Make sure you are connected to the Internet and your firewall is set
to allow Malwarebytes' Anti-Malware to access the internet. Error code: 732 (12029).

Don

#15 sempai

Posted 28 June 2009 - 10:37 AM

Let's try ComboFix again but first delete any copy of ComboFix that you already have.

Important: To finish the ComboFix scan you must reboot in normal mode. In that way we can get a log file of it.

Download Combofix from any of the links below. You must rename it before saving it.  Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.  
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Dex :thumbup2:

~Semp
