
anti-virus problems [Moved]


34 replies to this topic

#1 sighing1 (Members, 18 posts)

Posted 08 August 2009 - 09:49 AM

Hello all,

I've been infected with anti-virus programs that are disabling my ability to run HiJackThis, MalwareBytes, etc. Basically, anytime a program begins to scan, it is quickly disabled and access to it becomes locked. I then get a message saying, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I also have tried D.D.S. The command window appears, but no scan log ever pops up. So I presume that is not working, either.

I appreciate any help you can offer.



#2 Orange Blossom (OBleepin Investigator, Moderator, 37,011 posts, Bloomington, IN)

Posted 08 August 2009 - 10:38 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Computer Pro (Members, 2,448 posts)

Posted 08 August 2009 - 11:05 AM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the immediate notification bubble and press submit.



To run Malwarebytes, let's try a fix.

Let's try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Computer Pro

#4 sighing1 (Topic Starter, Members, 18 posts)

Posted 08 August 2009 - 01:23 PM

Hi ComputerPro,

Thank you for your help.

Unfortunately, the fix doesn't appear to have worked. I was able to install MalwareBytes and rename the file. But as soon as the scan began, the program was terminated, then locked.

The strange thing is, I have a program on here called "Advanced Registry Optimizer." That program is allowed to complete a scan, though it doesn't produce any kind of a log that I'd be able to post here.

I also tried downloading and renaming HiJackThis to no avail.

Also, I should note that the problem persists even in Safe Mode.

Edited by sighing1, 08 August 2009 - 01:43 PM.


#5 DaChew (Visiting Alien, Members, 10,317 posts, location: millenium falcon and rockytop)

Posted 08 August 2009 - 02:21 PM

Try this to install MBAM

Try renaming the setup file to install.com

try installing in safe mode

Here's a random renamer for MBAM if you can get it installed

http://kixhelp.com/wr/files/mb/randmbam.exe

Here's a link for MBAM definition update

http://www.gt500.org/malwarebytes/database.jsp
Chewy

No. Try not. Do... or do not. There is no try.

#6 sighing1 (Topic Starter, Members, 18 posts)

Posted 08 August 2009 - 02:36 PM

Hi Chew,

Unfortunately I'm still having the same problem.

I have no issues installing MalwareBytes -- in Normal or Safe mode. But no matter what I name the installer file or the mbam.exe file, it quits as soon as the scan begins.

After it quits, I then get a message whenever I click on it saying, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

#7 DaChew (Visiting Alien, Members, 10,317 posts, location: millenium falcon and rockytop)

Posted 08 August 2009 - 02:38 PM

Let's get a good look at what's running on that computer.

Please download and run Processexplorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply
Chewy

No. Try not. Do... or do not. There is no try.

#8 sighing1 (Topic Starter, Members, 18 posts)

Posted 08 August 2009 - 02:46 PM

Here you are, Chewy. Thanks so much for your help:

Process PID CPU Description Company Name
System Idle Process 0 95.45
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 772 Windows NT Session Manager Microsoft Corporation
csrss.exe 936 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1092 Windows NT Logon Application Microsoft Corporation
services.exe 1136 1.52 Services and Controller app Microsoft Corporation
svchost.exe 1300 Generic Host Process for Win32 Services Microsoft Corporation
igfxsrvc.exe 1884 igfxsrvc Module Intel Corporation
svchost.exe 1348 Generic Host Process for Win32 Services Microsoft Corporation
MsMpEng.exe 1388 Service Executable Microsoft Corporation
svchost.exe 1428 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1528 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1684 Generic Host Process for Win32 Services Microsoft Corporation
ccSetMgr.exe 1908 Symantec Settings Manager Service Symantec Corporation
SPBBCSvc.exe 1944 SPBBC Service Symantec Corporation
WLTRYSVC.EXE 1956
BCMWLTRY.EXE 1968 Dell Wireless WLAN Card Wireless Network Controller Dell Inc.
spoolsv.exe 2020 Spooler SubSystem App Microsoft Corporation
scardsvr.exe 160 Smart Card Resource Management Server Microsoft Corporation
AppleMobileDeviceService.exe 460 Apple Mobile Device Service Apple Inc.
mDNSResponder.exe 472 Bonjour Service Apple Inc.
svchost.exe 492 Generic Host Process for Win32 Services Microsoft Corporation
DefWatch.exe 536 Virus Definition Daemon Symantec Corporation
MDM.EXE 624 Machine Debug Manager Microsoft Corporation
svchost.exe 804 Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 1892 Application Layer Gateway Service Microsoft Corporation
ccEvtMgr.exe 2084 Symantec Event Manager Service Symantec Corporation
lsass.exe 1148 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1040 Windows Explorer Microsoft Corporation
rundll32.exe 1740 Run a DLL as an App Microsoft Corporation
WLTRAY.EXE 1752 Dell Wireless WLAN Card Wireless Network Tray Applet Dell Inc.
hkcmd.exe 1772 hkcmd Module Intel Corporation
igfxpers.exe 1848 persistence Module Intel Corporation
DVDLauncher.exe 196 CyberLink PowerCinema Resident Program CyberLink Corp.
ccApp.exe 312 Symantec User Session Symantec Corporation
VPTray.exe 500 Symantec AntiVirus Symantec Corporation
msmsgs.exe 612 Windows Messenger Microsoft Corporation
btdna.exe 520 DNA BitTorrent, Inc.
DevDtct2.exe 812 Device Detector 3 OLYMPUS IMAGING CORP.
IEXPLORE.EXE 3792 Internet Explorer Microsoft Corporation
BITZIPPER.EXE 2932 BitZipper - File compression tool Bitberry Software
procexp.exe 180 3.03 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
WINWORD.EXE 4012 Microsoft Office Word Microsoft Corporation

#9 DaChew (Visiting Alien, Members, 10,317 posts, location: millenium falcon and rockytop)

Posted 08 August 2009 - 03:42 PM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • Click on the Files tab at the bottom of the window, then click the Scan button.
  • In the Select Drives dialog (Please select drives to scan:), select your main drive (usually C), then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".
Chewy

No. Try not. Do... or do not. There is no try.

#10 sighing1 (Topic Starter, Members, 18 posts)

Posted 08 August 2009 - 03:48 PM

The program installs and begins to scan, but then quits the same way HiJackThis and MalwareBytes did. Same in Safe mode.

Edited by sighing1, 08 August 2009 - 03:49 PM.


#11 DaChew (Visiting Alien, Members, 10,317 posts, location: millenium falcon and rockytop)

Posted 08 August 2009 - 03:58 PM

Sometimes a rootkit scanner needs a little help to run

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Chewy

No. Try not. Do... or do not. There is no try.

#12 sighing1 (Topic Starter, Members, 18 posts)

Posted 08 August 2009 - 04:38 PM

Hi Chewy,

The scanner ran and found a number of items, but it did not recommend removal for any of them.

I also notice many of the files found are just the new names I had created for MalwareBytes, HiJackThis, etc., in an attempt to get them to run.

Here is the log:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 2009-08-08 at 17:03
User "iorizzp" on computer "SPORTS-IORIZLP"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\SUPERAntiSpyware\66f88a48-f4b9-4995-9b90-1de77581cc0f.exe
Hidden: file C:\Qoobox\Quarantine\C\Documents and Settings\iorizzp\Application Data\Mozilla\Firefox\Profiles\96sw40zv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll.vir
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\U8M9N1WC\;lf=1;nt=g;cc=us;ec=ron;p=0;!c=b;al=attp;al=bell;al=cin;al=fri;al=net;ctr=ll;ctr=ls;ec=tf;ec=ts;ia=pc;p=a;pec=f;rmt=ov;vec=st;vpec=st;atf=u;dt=s;!c=hagl;!c[2].56;
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\WINDOWS\system32\scecli.dll
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\MVG3ZSTS\click2,wNtKAHusBwD0VyAAAAAAANgMCgAAAAAAAACwAAoAAAAAAAcAAgAFEwH1CwAAAAAAlZ0KAAAAAAAiWA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1].com%2F,;ord=1249598725
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\9R31V9BS\click2,LQUAAC6lCQDpKyMAAAAAAKw8BgAAAAAAAgAEAAEAAAAAAP8AAAAFFGq4DwAAAAAAsKwHAAAAAABnUwkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1].com%2F,;ord=1249599645
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\MVG3ZSTS\click2,wNtKAHSsBwC81CcAAAAAAM6qCwAAAAAAAgCQAQIAAAAAAP8AAAAFFAH1CwAAAAAAA7gFAAAAAABllxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSAwQAAAAA[1].htm
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\MVG3ZSTS\click2,wNtKAIl6CQC91CcAAAAAAM6qCwAAAAAAAgCMAQYAAAAAAP8AAAAFFI80CQAAAAAAA7gFAAAAAABllxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6jgMAAAAA[1].htm
Hidden: file C:\Program Files\mine\HijackThis.exe
Hidden: file C:\Program Files\IorizzoHi\HijackThis.exe
Hidden: file C:\Program Files\Iorizzoee\HijackThis.exe
Hidden: file C:\Program Files\tryingagain\HijackThis.exe
Hidden: file C:\Documents and Settings\iorizzp\Desktop\fettucini.exe
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\U8M9N1WC\yisfwkx[1].htm
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware3\mbam.exe
Hidden: file C:\Program Files\MyAPP\mbam.exe
Hidden: file C:\Program Files\SUPERAntiSpyware\a95281be-ba01-401e-a2c2-6fa9050656d6.exe
Hidden: file C:\Documents and Settings\iorizzp\Desktop\RSIT.exe
Hidden: file C:\Program Files\Trend Micro\iorizzp.exe
Hidden: file C:\yedfjdy.exe
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\1HC2KV9V\homepage;oem=15800;lan=en;dcopt=ist;pos=;sec=homepage;gen=ho[1].albanygreatdanes%2Fhomepage%7Csize%3D728x90;c_type=;s_type=homepage;sz=728x90;tile=1;ord=910932219
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\VE1417RV\AAj01qYxCtLfhtMCZTNen-ZKBIERQU3XAjtTeCR5IJ0Bsq6fK2DDvCrxzpltQY2Zl2H9X7jTjf4F0J1SeYbmFZR7eSl-aG631Wq4ZE2nexcHgQL1PzHNWFdbcueczxklngHlz9Sp6Dd5HvhBIsIyDj5HOy8[1].htm
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\Y2JHTBLF\AAj9KmY3f3IkAvSPIRsvPYKLiDhDHMNV8PtnFz55FcSz1nTjOrxp5h_tQK5KX7xhpq7_HV6k1GXkWaqXvpAmnxB9VAPHJzMDYraamb7sHBjmsjXoU5utrvR4PJ3tszSJ0U6A5V0tiHXHtD94vL8YDElbYSZ[1].htm
Hidden: file C:\Documents and Settings\iorizzp\Application Data\Mozilla\Firefox\Profiles\96sw40zv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\HIN91M42\ncaa%2Fbasketball%2Fnews%3B_ylt%3Daldavogona2mw9yyqh2niobevbyf%3Fslug%3Dys-ncaabracket080709%26prov%3Dyhoo%26type%3Dlgns,;dcopt=rcl;mtfIFPath=nofile;ord=1249682283
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\7EZTT9VR\aJmP8qScYMQWjw1HjqVAbv3GU4YbMZbVmXp4AQ9R6bB4dvy0HBZandTn4AvT3sM8UsFbUcrfSm3NWWJUWrb15UexWajpTT37STYFSVfBQbutRW3iUGQW2FutoWim0EeM2WvCPsMH46JKmWTqTWf8YF3a1FX[1].gif
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\HIN91M42\homepage;oem=15800;lan=en;dcopt=null;pos=;sec=homepage;gen[1].albanygreatdanes%2Fhomepage%7Csize%3D160x600;c_type=;s_type=homepage;sz=160x600;tile=2;ord=910932219
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\VE1417RV\homepage;oem=15800;lan=en;dcopt=null;pos=;sec=homepage;gen[1].albanygreatdanes%2Fhomepage%7Csize%3D200x200;c_type=;s_type=homepage;sz=200x200;tile=3;ord=910932219
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\1HC2KV9V\sports;oem=15800;lan=en;dcopt=ist;pos=;sec=sports;gen=none;c_cou=us;[1].albanygreatdanes%2Fnone%7Csize%3D728x90;c_type=;s_type=none;sz=728x90;tile=1;ord=465590299
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\Y2JHTBLF\sports;oem=15800;lan=en;dcopt=null;pos=;sec=sports;gen=none;c_cou=[1].albanygreatdanes%2Fnone%7Csize%3D160x600;c_type=;s_type=none;sz=160x600;tile=2;ord=465590299
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\HIN91M42\sports;oem=15800;lan=en;dcopt=null;pos=;sec=sports;gen=none;c_cou=[1].albanygreatdanes%2Fnone%7Csize%3D200x200;c_type=;s_type=none;sz=200x200;tile=3;ord=465590299
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\Y2JHTBLF\undefined;oem=15800;lan=en;dcopt=null;pos=;sec=;gen=undefined;c_c[1].albanygreatdanes%2Fundefined%7Csize%3D160x600;c_type=;s_type=;sz=160x600;tile=2;ord=958557450
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\VE1417RV\undefined;oem=15800;lan=en;dcopt=ist;pos=;sec=;gen=undefined;c_cou=[1].albanygreatdanes%2Fundefined%7Csize%3D728x90;c_type=;s_type=;sz=728x90;tile=1;ord=958557450
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\HIN91M42\undefined;oem=15800;lan=en;dcopt=null;pos=;sec=;gen=undefined;c_c[1].albanygreatdanes%2Fundefined%7Csize%3D200x200;c_type=;s_type=;sz=200x200;tile=3;ord=958557450
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\Q185QL49\click2,VaUDABPCCQBuihkAAAAAADceCwAAAAAAAgA1aAYAAAAAAP8AAAAHEYyuAQAAAAAAZtkPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1].php%3Fen%3Dcp1252,;ord=1249764646
Hidden: file C:\Program Files\ThisOne\winlogon.exe
Hidden: file C:\Program Files\install.com\mbam.exe
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\EDQ1E1SB\click2,VaUDABPCCQBuihkAAAAAADceCwAAAAAAAABdaAYAAAAAAAMAAgAHEYyuAQAAAAAAZtkPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1].php%3Fen%3Dcp1252,;ord=1249764710
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\L9F3QWAT\click2,VaUDABTCCQAzsR8AAAAAAKvgCQAAAAAAAgAlaAIAAAAAAP8AAAAHEYyuAQAAAAAABlMOAAAAAAAXGw4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1].php%3Fen%3Dcp1252,;ord=1249764640
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\EDQ1E1SB\click2,VaUDABDCCQA-ZQ8AAAAAAJd5BAAAAAAAAwB1aA8AAAAAAP8AAAAHEYyuAQAAAAAA-akGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1].php%3Fen%3Dcp1252,;ord=1249764756
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\EDQ1E1SB\click2,VaUDABDCCQDQ2CoAAAAAACtfDAAAAAAAAwDhaA8AAAAAAP8AAAAHEoyuAQAAAAAAdqwPAAAAAAAphBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1].php%3Fen%3Dcp1252,;ord=1249765214
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\Q185QL49\click2,VaUDABDCCQCHCRkAAAAAAKqMCAAAAAAAAgCBaA8AAAAAAP8AAAAHEYyuAQAAAAAAoDkMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwJAIAAAAA[1].htm
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\L9F3QWAT\click2,VaUDABDCCQAAlCkAAAAAAIoBDAAAAAAAAgC9aA8AAAAAAP8AAAAHEYyuAQAAAAAAA9QQAAAAAAA2CxEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwJAIAAAAA[1].htm
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\L9F3QWAT\click2,VaUDABDCCQCp2SgAAAAAAM1HDAAAAAAAAgDpaA8AAAAAAP8AAAAHEoyuAQAAAAAAb2IRAAAAAAAAAAAAAAAAAAAAAAA[1].php%3Fen%3Dcp1252,;dcopt=rcl;mtfIFPath=nofile;ord=1249765221
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\IU73PKNV\click2,VaUDABDCCQAAlCkAAAAAAIoBDAAAAAAAAgDBaA8AAAAAAP8AAAAHEYyuAQAAAAAAhlEKAAAAAAA2CxEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwJAIAAAAA[1].htm
Hidden: file C:\Documents and Settings\iorizzp\Local Settings\Temporary Internet Files\Content.IE5\Q185QL49\click2,VaUDABDCCQDoph8AAAAAAGntCQAAAAAAAgDJaA8AAAAAAP8AAAAHEYyuAQAAAAAAby4OAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwJAIAAAAA[1].htm
Stopped logging on 2009-08-08 at 17:32

#13 DaChew (Visiting Alien, Members, 10,317 posts, location: millenium falcon and rockytop)

Posted 08 August 2009 - 07:41 PM

Download: http://oldtimer.geekstogo.com/TFC.exe

1. Save it to your desktop.
2. Open the file and close any other windows.
3. It will close all programs itself when run, make sure to let it run uninterrupted.
4. Click the Start button to begin the process.
5. Once it's finished it should reboot your machine, if not, do this yourself.

Try this before a rootkit scan
Chewy

No. Try not. Do... or do not. There is no try.

#14 sighing1 (Topic Starter, Members, 18 posts)

Posted 08 August 2009 - 10:14 PM

I followed both steps. I was able to run another scan, which this time produced fewer results. However, it still did not recommend any items be removed. I did get three error messages this time that I did not get before. They are included in the log.

Here is the log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 2009-08-08 at 22:48
User "iorizzp" on computer "SPORTS-IORIZLP"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Error parsing raw registry hive SOFTWARE. Registry scan may not be
supported on this version of Windows.
Warning: Unable to load raw registry hive SOFTWARE.
Registry scan may not be supported on this version of Windows.
Warning: Error reading list of user profiles. You may not have
access rights to the whole registry.
Access is denied.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\SUPERAntiSpyware\66f88a48-f4b9-4995-9b90-1de77581cc0f.exe
Hidden: file C:\Qoobox\Quarantine\C\Documents and Settings\iorizzp\Application Data\Mozilla\Firefox\Profiles\96sw40zv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll.vir
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\WINDOWS\system32\scecli.dll
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Program Files\mine\HijackThis.exe
Hidden: file C:\Program Files\IorizzoHi\HijackThis.exe
Hidden: file C:\Program Files\Iorizzoee\HijackThis.exe
Hidden: file C:\Program Files\tryingagain\HijackThis.exe
Hidden: file C:\Documents and Settings\iorizzp\Desktop\fettucini.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware3\mbam.exe
Hidden: file C:\Program Files\MyAPP\mbam.exe
Hidden: file C:\Program Files\SUPERAntiSpyware\a95281be-ba01-401e-a2c2-6fa9050656d6.exe
Hidden: file C:\Documents and Settings\iorizzp\Desktop\RSIT.exe
Hidden: file C:\Program Files\Trend Micro\iorizzp.exe
Hidden: file C:\yedfjdy.exe
Hidden: file C:\Program Files\QuickTime\QTSystem\QuickTimeCapture.Resources\fr.lproj\QuickTimeCaptureLocalized.qtr
Hidden: file C:\Documents and Settings\iorizzp\Application Data\Mozilla\Firefox\Profiles\96sw40zv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
Hidden: file C:\Program Files\ThisOne\winlogon.exe
Hidden: file C:\Program Files\install.com\mbam.exe
Stopped logging on 2009-08-08 at 23:08
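A log like the one above has to be triaged by eye, which is what the next reply does when it singles out C:\yedfjdy.exe from the noise of renamed scanners and IE cache entries. Here is an added Python example (mine, not code from the thread or from Sophos) that parses a Sophos Anti-Rootkit log into triage buckets and joins its wrapped Warning lines so the registry-scan caveat is not lost; the sample log, the bucket names and the heuristics (executable in the drive root, a Windows binary name outside the system directory, browser cache as noise) are my own assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample, modelled on the Sophos Anti-Rootkit logs posted above
# (user name, cache folder and the registry warning are made up for the demo).
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 2009-08-08 at 22:48
Info: Starting registry scan.
Warning: Error parsing raw registry hive SOFTWARE. Registry scan may not be
supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Program Files\ThisOne\winlogon.exe
Hidden: file C:\Documents and Settings\someuser\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\click2,xyz[1].htm
Hidden: file C:\WINDOWS\system32\scecli.dll
Hidden: file C:\yedfjdy.exe
Hidden: file C:\Program Files\QuickTime\QTSystem\QuickTimeCapture.Resources\fr.lproj\QuickTimeCaptureLocalized.qtr
Stopped logging on 2009-08-08 at 23:08
"""

# Scanner binaries the infection hides: a hidden copy of these is a symptom of
# the infection, not a new finding. Names taken from the thread; extend as needed.
SECURITY_TOOLS = {"mbam.exe", "hijackthis.exe", "rootrepeal.exe", "rsit.exe"}
# Core Windows binaries that belong only in the system directory.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:/windows/system32", "c:/windows")
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr"}
KNOWN_PREFIXES = ("Info:", "Hidden:", "Warning:", "Started logging",
                  "Stopped logging", "User ", "Windows version", "Sophos ")
HIDDEN_RE = re.compile(r"^Hidden: file (.+)$")

# Buckets from most to least urgent; triage() returns them in this order.
PRIORITY = ["executable_in_drive_root", "system_name_outside_system_dir",
            "hidden_system_file", "other_executable", "hidden_security_tool",
            "non_executable", "browser_cache"]

def parse_hidden_files(log_text):
    """Return every 'Hidden: file' path in log order."""
    return [m.group(1).strip() for m in map(HIDDEN_RE.match, log_text.splitlines()) if m]

def scan_warnings(log_text):
    """Return 'Warning:' messages with their wrapped continuation lines joined.
    Sophos wraps long warnings, so a naive grep for 'Warning:' loses half the text."""
    warnings, in_warning = [], False
    for line in log_text.splitlines():
        if line.startswith("Warning:"):
            warnings.append(line[len("Warning:"):].strip())
            in_warning = True
        elif in_warning and line.strip() and not line.startswith(KNOWN_PREFIXES):
            warnings[-1] += " " + line.strip()
        else:
            in_warning = False
    return warnings

def classify(path):
    """Sort one hidden path into a triage bucket (see PRIORITY)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parts = [part.lower() for part in p.parts]
    if "temporary internet files" in parts:
        return "browser_cache"            # IE cache noise, not a rootkit finding
    if name in SECURITY_TOOLS:
        return "hidden_security_tool"     # the scanners the infection is blocking
    if p.suffix.lower() not in EXECUTABLE_SUFFIXES:
        return "non_executable"
    if p.as_posix().lower().startswith(SYSTEM_DIRS):
        return "hidden_system_file"       # compare against a known-clean copy
    if name in SYSTEM_BINARIES:
        return "system_name_outside_system_dir"  # name masquerades as Windows
    if len(p.parts) == 2:                 # e.g. C:\yedfjdy.exe, directly in the root
        return "executable_in_drive_root"
    return "other_executable"

def triage(log_text):
    """Group hidden files by bucket, most urgent first; empty buckets are omitted."""
    buckets = defaultdict(list)
    for path in parse_hidden_files(log_text):
        buckets[classify(path)].append(path)
    return {b: buckets[b] for b in PRIORITY if buckets[b]}
```

Feed the contents of sarscan.log to triage() and scan_warnings(); if the warnings report a registry hive it could not read, treat the registry part of the scan as incomplete.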

#15 DaChew (Visiting Alien, Members, 10,317 posts, location: millenium falcon and rockytop)

Posted 08 August 2009 - 10:23 PM

http://www.incodesolutions.com/threats3/rootyedfjdyexe.php

http://www.prevx.com/filenames/13026782355...RRPPQS.EXE.html

Don't download either program; this is way too new for them.

Use Sophos to delete it

Hidden: file C:\yedfjdy.exe

or take the safer alternative and wait
Chewy

No. Try not. Do... or do not. There is no try.



