
Malicious viruses infecting my computer


9 replies to this topic

#1 Kolton


Posted 22 June 2009 - 09:00 PM

At some point during the day my computer became infected with both spyware and malware from some third-party source. I haven't an honest clue as to how they got in, but I do know of many ways to remove them, none of which have worked. I started with trying to use SmitFraudFix and the message "SmitFraudFix has encountered a problem and must close" came up, something that has never happened in the past.

The current spyware I do know of that is in my computer is a program called "Protection System", a false advertiser that constantly brings up desktop pop-ups with false virus readings.

Either way, I then tried downloading SuperAntiSpyware. Apparently the spyware that has infected my computer is smart enough to simply redirect any searches I do to advertisements that make you pay for MORE fake spyware stoppers. I've searched for Malwarebytes and was redirected. I've searched for Spyware Doctor and been either denied or redirected.

Now, I was able to get both of those via a laptop and put them on a jump drive. Once I got them onto the infected computer there was a new problem. Sdsetup for Spyware Doctor simply won't start. A little hourglass shows for a split second and then goes away. No progress. I was able to install Malwarebytes completely, but upon trying to run it the same thing would happen: an hourglass and no sign of the program actually activating.

I've scoured the forums and other websites for any similar problem, but it seems others ARE able to get their anti-spyware and malware programs to work. To top it off, it seems this malicious program is seriously interfering with the normal flow of my computer, as I can't log onto it without being in safe mode. I did use the option to run the computer on the last known good specs and that made it work, but the second I restarted it I was sent to my boot menu to run the computer in safe mode or simply reset the entire computer to square one. So it seems my last good specs are RIGHT before this virus hatches.

I'm truly at my wit's end and could use some advice. The last thing I wish to do is restore my computer, as there's quite a bit of information that will have to be backed up. IF that is what it comes to, I would love advice of any means on how to make that a quick process without leaving behind any important files.



#2 Blade


Posted 22 June 2009 - 09:16 PM

Hello Kolton and :thumbsup: to Bleepingcomputer.

Let us see if we can trick the malware into letting us run Malwarebytes (MBAM for short). I need you to boot into normal mode please (if you need to boot using Last Known Good Configuration, that's fine).

Please navigate to the folder MBAM installed to and rename mbam.exe to bubbles.bat. Then double click on the file you just renamed to launch the program. Once MBAM is running, make sure you've updated it and then run a scan. Please post the log generated back for my review, and we'll see where we need to go from there.

If this doesn't work, post back and let me know and we'll try something else.

In your next reply, please include the following:
Malwarebytes log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Kolton


Posted 22 June 2009 - 10:43 PM

Here are the results of the scan. I wasn't able to update it due to an incompatibility error with 64-bit XP operating systems, but all the same I was able to scan and get these results.


Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 2

6/22/2009 10:45:45 AM
mbam-log-2009-06-22 (10-45-45).txt

Scan type: Quick Scan
Objects scanned: 91695
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19e0ede5-5507-72ae-7715-0fb26a6b8ace} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19e0ede5-5507-72ae-7715-0fb26a6b8ace} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47029696-7f5e-4501-8d7c-6516dfb805bc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{47029696-7f5e-4501-8d7c-6516dfb805bc} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oguyaepb (Trojan.FakeAlert.H) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\luwrub\oguyaepb.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by Kolton, 22 June 2009 - 10:57 PM.


#4 Blade


Posted 22 June 2009 - 11:15 PM

Alright, run that scan again... this time make sure everything is checked and then click Remove Selected.

Once that is done please uninstall the version of Malwarebytes on your system and download a fresh copy. Here is a direct link: http://malwarebytes.gt500.org/mbam-setup.exe
You shouldn't be having issues updating because of incompatibility with a 64-bit OS; Malwarebytes supports both 32- and 64-bit versions. So try and update this new copy. Once you get an updated copy of the program, run another scan and post that log back.

In your next reply, please include the following:
New Malwarebytes log

Edited by Blade Zephon, 22 June 2009 - 11:16 PM.




#5 Kolton


Posted 23 June 2009 - 01:03 AM

Alrighty, did a re-scan with the old version, then removed it and did this new scan. I did an update, but the results were the same with the error. The error code is 732 (0,0), if that can clear up anything. Here's the new log.

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 2

6/22/2009 10:45:45 AM
mbam-log-2009-06-22 (10-45-45).txt

Scan type: Quick Scan
Objects scanned: 91695
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19e0ede5-5507-72ae-7715-0fb26a6b8ace} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19e0ede5-5507-72ae-7715-0fb26a6b8ace} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47029696-7f5e-4501-8d7c-6516dfb805bc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{47029696-7f5e-4501-8d7c-6516dfb805bc} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oguyaepb (Trojan.FakeAlert.H) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\luwrub\oguyaepb.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

#6 Stang777


Posted 23 June 2009 - 04:41 AM

That appears to be the exact same log as the first one. It has the same date and time on it and is not from the updated version of Malwarebytes.

Can you possibly try downloading the new version and updating it and running the scan again?

If you can do that, then post a new log of the scan, if you cannot do that, please post that you cannot.

Blade can probably help you a little bit easier if you do one of those things.

#7 Kolton


Posted 23 June 2009 - 11:00 AM

Thanks for pointing that out, don't know how that happened. There seemed to be a few duplicate logs for some reason, but here's the latest log with a new version of MBAM. Again, I wasn't able to use the Update button on MBAM due to error 732, but this is the newest version I have.

If it helps any, I've had to restart the computer from the last known good configuration settings each time I've done these scans.
I didn't know if after the first scan I was supposed to go into safe mode so I just continued with what was told to me originally.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/22/2009 10:54:07 PM
mbam-log-2009-06-22 (22-54-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 432303
Time elapsed: 1 hour(s), 20 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\coreext.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\support.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\unreg.html (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\delete.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\info.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\plus_circle.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\tick.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\warn.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons\offline.gif (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons\online.gif (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons\voice.gif (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Edited by Kolton, 23 June 2009 - 11:20 AM.


#8 Blade


Posted 23 June 2009 - 12:52 PM

If it helps any, I've had to restart the computer from the last known good configuration settings each time I've done these scans.
I didn't know if after the first scan I was supposed to go into safe mode so I just continued with what was told to me originally.


We need to stay out of safe mode if at all possible; MBAM is much more powerful in normal mode and booting into safe mode may prevent it from removing some of the things it finds. About the Last Known Good Configuration (LKGC): at each boot try and just start Windows normally. If that fails then go ahead and use LKGC. Either way, please inform me which way you had to boot at each step.


Looks like MBAM found some more stuff :thumbsup: Alright... I want to try one other method of updating MBAM. The new download got the latest software version, but the database is still lacking. Hopefully we can get around that error this way.



Manually download the updates from here and just double-click on mbam-rules.exe to install.

If you can't get the updates to install... post back here and let me know. If they do install, run another scan as before and post back here with the log please.


I know it might appear that we're just doing the same thing over and over, but we are making progress.

~Blade

In your next reply, please include the following:
Malwarebytes log (hopefully)

Edited by Blade Zephon, 23 June 2009 - 01:01 PM.




#9 Kolton


Posted 23 June 2009 - 02:03 PM

OK, I used that update you posted and it seemed to have worked. Here's the new log, though. I've also had to boot the computer in LKGC each time I've booted it.

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

6/23/2009 1:55:18 AM
mbam-log-2009-06-23 (01-55-18).txt

Scan type: Quick Scan
Objects scanned: 95896
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by Kolton, 23 June 2009 - 02:05 PM.


#10 Blade


Posted 23 June 2009 - 05:14 PM

That update did not function as planned... it rolled you back to an earlier database version :thumbsup: I'm looking into that, but there is one file that keeps popping up in every scan, meaning Malwarebytes is not dealing with it as it should.

EDIT: Got some new information... looks like this isn't something that we can deal with here in AII.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

Edited by Blade Zephon, 23 June 2009 - 06:08 PM.


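Two things the helpers in this thread spotted by eye can be checked mechanically: a detection that keeps coming back after a "Delete on reboot" verdict (uacinit.dll), and a definitions database that went backwards after the manual update (2297 to 2283). The script below is an example added here, not code from the posters or from Malwarebytes; it parses the MBAM text-log format shown in the thread and compares scans. The log excerpts are constructed by trimming the logs posted above.

```python
"""Compare Malwarebytes' Anti-Malware (MBAM) logs across successive scans.

Example added to this thread (not the posters' or Malwarebytes' code).  It parses
the "<path> (<label>) -> <action>." lines of the MBAM log format and flags items
that are detected again after "Delete on reboot", items present in every scan,
and database versions that decrease between scans.
"""
import re

# Constructed excerpts, trimmed from the logs posted in this thread (posts #3, #7, #9).
LOGS = [
r"""Malwarebytes' Anti-Malware 1.37
Database version: 2182

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\luwrub\oguyaepb.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
""",
r"""Malwarebytes' Anti-Malware 1.38
Database version: 2297

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
""",
r"""Malwarebytes' Anti-Malware 1.38
Database version: 2283

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
""",
]

# One detection line: "<path> (<label>) -> <action>."  (trailing period optional)
DETECTION = re.compile(r"^(?P<path>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")
DB_VERSION = re.compile(r"^Database version: (\d+)$")


def parse_mbam_log(text):
    """Return {'db': int or None, 'items': {key: (section, label, action)}}.

    Keys are lower-cased: Windows paths and registry keys are case-insensitive,
    and the posted logs mix upper- and lower-case drive letters and hive names.
    """
    db, items, section = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DB_VERSION.match(line)
        if m:
            db = int(m.group(1))
            continue
        if line.endswith("Infected:"):          # e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION.match(line)
        if m and section:
            items[m.group("path").lower()] = (section, m.group("label"), m.group("action"))
    return {"db": db, "items": items}


def failed_removals(logs):
    """Keys marked 'Delete on reboot' in one scan and detected again in a later one."""
    pending, failed = set(), set()
    for log in logs:
        failed |= pending & set(log["items"])
        pending |= {k for k, (_, _, act) in log["items"].items() if act == "Delete on reboot"}
    return sorted(failed)


def persistent_items(logs):
    """Keys present in every scan, regardless of the action MBAM reported."""
    return sorted(set.intersection(*(set(log["items"]) for log in logs)))


def database_regressions(logs):
    """(older, newer) pairs where the definitions database version went backwards."""
    v = [log["db"] for log in logs]
    return [(a, b) for a, b in zip(v, v[1:]) if a and b and b < a]


PARSED = [parse_mbam_log(t) for t in LOGS]
```

Run on the three excerpts, `failed_removals` names only uacinit.dll, `persistent_items` also lists 2.tmp and the UAC key, and `database_regressions` returns the 2297 to 2283 rollback.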




