Computer still boots but runs extremely slow


7 replies to this topic

#1 sokoll99 (Members, 7 posts)

Posted 20 July 2009 - 07:52 AM

I have an older Compaq laptop running Win XP SP3. It was running fine a couple of days ago, then suddenly began running extremely slow (it takes approx. 20 minutes to boot and another 10 minutes to load Firefox). Additionally, when I run Task Manager it shows that there are several items of malware loaded that I am slowly getting rid of. All of the memory is reported as present, but I have never actually seen the commit charge exceed a little less than 50% of the total available mem.

I have a suspicion that a mem module is fried or that a virus is loading itself into memory on boot and then hiding itself from Task Manager so I can't see it... can anyone tell me what inspection steps I need to go through to inspect the mem module and/or MB?

Edited by Pandy, 20 July 2009 - 09:13 AM.
Moved from Internal Hardware ~Pandy


 


#2 quietman7, Bleepin' Janitor (Global Moderator, 51,771 posts, Virginia, USA)

Posted 20 July 2009 - 09:24 AM

Please download Malwarebytes Anti-Malware (v1.39) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- If Malwarebytes Anti-Malware results in any error messages, please refer to Fixes for common problems and Error Codes. Some issues with errors can be related to malware infection but others are not.

-- Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension (click this link if you do not see the file extension).
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 sokoll99, Topic Starter (Members, 7 posts)

Posted 27 July 2009 - 09:45 AM

It has taken a while, but I finally got MBAM to load up on the computer and run a scan. When it gets near the end of the scan, the computer shuts down for no apparent reason and MBAM doesn't seem to remember anything. If this slowdown is really related to a virus, I cannot identify the damn thing.

I know I have at least two forms of malware loaded on the PC: one is sopkidc.exe; the other is difficult to identify because it is constantly renaming itself. Currently it is going as msgar.exe; previously it was mscne.exe and msdylqz.exe.

I am running the scan for a third time and monitoring the machine as closely as possible right now; hopefully it will make it all the way to the end and I will be able to save the log file.

#4 quietman7, Bleepin' Janitor (Global Moderator, 51,771 posts, Virginia, USA)

Posted 27 July 2009 - 10:02 AM

If you cannot run MBAM or complete a scan in normal mode, then try performing a Quick Scan in "safe mode".

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM but in some cases, there is no alternative but to do a safe mode scan. If that is the case, after completing a scan, it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.

#5 sokoll99, Topic Starter (Members, 7 posts)

Posted 27 July 2009 - 10:14 AM

I can't seem to get the PC to boot into safe mode unless I induce a system failure... I have managed to copy an MBAM log file from when I removed System Security from the machine... as soon as I get a more up-to-date log I will post it as well.

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/14/2009 2:42:55 PM
mbam-log-2009-07-14 (14-42-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 61206
Time elapsed: 1 hour(s), 53 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 8
Registry Keys Infected: 27
Registry Values Infected: 10
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 99

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\smss.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\hgGxULcD.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\flashd32.dll (Spyware.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\hilozepi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\febudipi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\fccaBRHy.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\SYSTEM32\6to4v32.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\msncache.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\SYSTEM32\sdcvddd.dll (Trojan.Ertfor) -> No action taken.


#6 quietman7, Bleepin' Janitor (Global Moderator, 51,771 posts, Virginia, USA)

Posted 27 July 2009 - 10:22 AM

Let's try this.

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.Web CureIt so you can provide that information.

Then do another scan with MBAM. BTW, your Malwarebytes Anti-Malware log indicates you are using an outdated database version (2421).
Last I checked it was 2510.

Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface, or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
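The MBAM 1.x log format posted in #5 and the outdated-database point in #6, as an added example (not code from this thread or from Malwarebytes): a Python parser for that log plus the checks a reviewer runs over it, confirming the summary counts match the listed entries, comparing the database version with the 2510 quietman7 cites, and flagging the two things a defender should notice in the log above, a core process name (smss.exe) running from outside system32 and registry hits in logon autostart locations. The CORE_BINARIES and AUTOSTART_KEYS lists and the constructed sample log are assumptions.

```python
import re

# Constructed sample, cut down from the log posted in this thread.
# "Registry Data Items Infected: 2" is deliberately one higher than the
# entries listed under it, to exercise check_counts().
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Data Items Infected: 2
Files Infected: 0

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\smss.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\hgGxULcD.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\SYSTEM32\msncache.dll (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\drivers\smss.exe -> No action taken.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Entry shape: "<path> (<threat>) -> [Data: <data> -> ]<action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> "
                      r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split a log into header fields, summary counts and per-section entries."""
    report = {"header": {}, "summary": {}, "sections": {}}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "(No malicious items detected)":
            continue
        if section is None and (m := SUMMARY_RE.match(line)):
            report["summary"][m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
            report["sections"].setdefault(section, [])
        elif section is None:
            key, sep, value = line.partition(": ")  # e.g. "Database version: 2421"
            if sep:
                report["header"][key] = value
        elif m := ENTRY_RE.match(line):
            report["sections"][section].append(m.groupdict())
    return report


def check_counts(report):
    """(section, claimed, listed) wherever the summary count disagrees with the
    entries actually listed, a sign of a truncated or tampered log."""
    listed = {s: len(e) for s, e in report["sections"].items()}
    return [(s, n, listed.get(s, 0)) for s, n in report["summary"].items()
            if n != listed.get(s, 0)]


# Core XP processes that live directly in %SystemRoot%\system32; the same name
# anywhere else (smss.exe under \DRIVERS in this thread) is a masquerade.
# Assumed list; extend it for your environment.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}


def masquerading_paths(report):
    """Entry paths and registry Data values reusing a core process name outside system32."""
    hits = []
    for entries in report["sections"].values():
        for entry in entries:
            for path in (entry["path"], entry["data"]):
                if path and "\\" in path:
                    folder, _, name = path.lower().rpartition("\\")
                    if name in CORE_BINARIES and not folder.endswith("\\system32"):
                        hits.append(path)
    return hits


# Registry locations that run or inject code at logon (assumed list); hits
# here are why the infection is back after every reboot.
AUTOSTART_KEYS = ("\\winlogon\\userinit", "\\winlogon\\notify\\", "\\appinit_dlls",
                  "\\lsa\\notification packages", "\\currentversion\\run\\",
                  "\\browser helper objects\\")


def persistence_entries(report):
    """Registry entries sitting in a known autostart location."""
    return [e["path"] for s, es in report["sections"].items() if s.startswith("Registry")
            for e in es if any(k in e["path"].lower() for k in AUTOSTART_KEYS)]


def database_outdated(report, current_version):
    """True when the log's definitions predate current_version (2510 in this thread)."""
    return int(report["header"].get("Database version", 0)) < current_version
```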

#7 sokoll99, Topic Starter (Members, 7 posts)

Posted 04 August 2009 - 11:07 AM

Guys,

I want to say thanks for all of the help so far. I finally got MBAM to run a quick scan and reboot the machine this morning, and it appears to have cleaned the majority of the viruses running in the background, and the machine is running significantly faster. I still have several BHOs running in the background, but I will post a separate thread in the viruses section when I have a chance to evaluate them and figure out just what in the heck is happening with them.

The MBAM scan cleared off over 40 bad registry entries and more than 400 contaminated files (the vast majority of these were created by a trojan dropper). The machine is not 100% yet because there were a couple of BHOs which MBAM could not figure out, but it is usable again, which is a huge improvement.

Thanks for everything on this one, fellas; this forum is the only one which was able to direct me to a resource which could help.

PS: the reason MBAM was having trouble earlier was that the trojan dropper was replicating itself every time you tried to get MBAM to run. The solution was for me to wait for the dropper to create an instance of regsvr.exe; once it did that, it would also instance MBAM, and then I was able to kill the dropper and the regsvr.exe. This procedure allowed the dropper to open an additional instance of services.exe, but would allow MBAM to open. Once MBAM finished its scan, the program was able to unload the "bad" instance of services.exe.

The quick scan took about 1 hour and 20 minutes.

#8 quietman7, Bleepin' Janitor (Global Moderator, 51,771 posts, Virginia, USA)

Posted 05 August 2009 - 08:36 AM

sokoll99 wrote:
"I still have several bho's running in the background but I will post a separate thread in the viruses section"

This thread was moved to the proper forum so if you still have malware problems, continue here.

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs




