
Infected, can't run Malware or Spybot


12 replies to this topic

#1 HOAXoneder


Posted 15 August 2009 - 11:27 PM

I think my PC is infected with Packed.Generic.200. I had Norton installed a few days back and it would tell me I was infected with it but would not remove it. I removed Norton. Tried running Malwarebytes and Spybot, but they will not run, not even in safe mode - it shows up in my Processes but it gets stuck there. If I do a Yahoo search it takes me to a mirror page result and it opens up advertisement pages. I'm running Windows XP and am trying to get rid of this if possible before going to my last resort and reformatting my drive.

Please help!


#2 HOAXoneder


Posted 16 August 2009 - 11:16 AM

Can someone please help me with this! please!!!

#3 Computer Pro


Posted 16 August 2009 - 05:11 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the immediate notification bubble and press Submit.




Let's try to get Malwarebytes to run:

Let's try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Computer Pro

#4 HOAXoneder


Posted 16 August 2009 - 06:01 PM

Man, you're a life saver! Thanks. Here is the log.


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/16/2009 3:43:05 PM
mbam-log-2009-08-16 (15-43-05).txt

Scan type: Quick Scan
Objects scanned: 115360
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{abd45510-9b22-41cd-9acd-8182a2da7c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd45510-9b22-41cd-9acd-8182a2da7c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
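The Hijack.Userinit line in that log is the entry worth understanding: the Winlogon Userinit value is a comma-separated list of programs run at logon, and the malware had appended a second path (sdra64.exe) after the real userinit.exe. The following is an added example, not code from this thread or from Malwarebytes: it parses the Winlogon key out of a .reg export and reports any Userinit or Shell entry that is not the stock image in system32. The .reg text is constructed here to reproduce the "Bad:" value MBAM reported; audit_live() is an assumed convenience for checking the real key on a Windows machine through the standard winreg module and is not run in the demo.

```python
"""Audit the Winlogon Userinit/Shell values for appended loaders.

Added example for this thread; it is not code from the original post, from
Malwarebytes or from the forum. The hijacked Userinit value is the one MBAM
reported in the log above, copied into a constructed .reg export so the
check runs offline. audit_live() is an assumed helper for a real Windows box
(it uses the standard winreg module) and is not called by default.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# What Windows XP itself writes here (image basenames, compared case-insensitively).
EXPECTED = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}

# Constructed .reg export reproducing the "Bad:" value from the MBAM log.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
'''

# "Name"="string value" lines; .reg escapes backslashes and quotes with a backslash.
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_key(reg_text, key_path):
    """Return {value_name_lower: str} for the string values under key_path."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            name, raw = m.groups()
            values[name.lower()] = re.sub(r"\\(.)", r"\1", raw)  # undo .reg escaping
    return values


def split_entries(value):
    """Winlogon values are comma-separated lists; drop the empty trailing entry."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_expected(entry, expected_names):
    """True only for an expected image name that is bare or lives in ...\\system32."""
    head, _, tail = entry.replace("/", "\\").rpartition("\\")
    if tail.lower() not in expected_names:
        return False
    # A look-alike userinit.exe in another directory is still a hijack.
    return head == "" or head.lower().endswith("\\system32")


def audit_winlogon(values):
    """Return {value_name: [entries that should not be there]}."""
    findings = {}
    for name, expected in EXPECTED.items():
        extra = [e for e in split_entries(values.get(name, "")) if not is_expected(e, expected)]
        if extra:
            findings[name] = extra
    return findings


def audit_live():
    """Same check against the real key on Windows (assumed helper, needs winreg)."""
    import winreg
    subkey = WINLOGON_KEY.split("\\", 1)[1]
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        for name in ("Userinit", "Shell"):
            values[name.lower()] = winreg.QueryValueEx(key, name)[0]
    return audit_winlogon(values)


if __name__ == "__main__":
    print(audit_winlogon(parse_reg_key(SAMPLE_REG, WINLOGON_KEY)))
    # {'userinit': ['C:\\WINDOWS\\system32\\sdra64.exe']}
```

The directory check matters as much as the name check: a clean XP value is exactly "C:\WINDOWS\system32\userinit.exe," (trailing comma included), and an entry that keeps the right file name but points somewhere else, such as a temp folder, is flagged for the same reason an appended second program is. A full-disk scan tells you what was removed; re-reading this key after the reboot tells you whether the fix stuck.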

#5 Computer Pro


Posted 16 August 2009 - 06:03 PM

OK, let's run RootRepeal. Most of the time, that trick works for Malwarebytes.



Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

*Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#6 HOAXoneder


Posted 16 August 2009 - 08:07 PM

Yeah, thanks for that Malware trick right there.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 18:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 62
Status: Sector mismatch

Path: F:\„S"My.ook
Status: Invisible to the Windows API!

Path: F:\autorun.inf
Status: Visible to the Windows API, but not on disk.

Path: F:\wd_windows_tools
Status: Visible to the Windows API, but not on disk.

Path: F:\wd_mac_tools
Status: Visible to the Windows API, but not on disk.

Path: F:\Documentation
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun
Status: Visible to the Windows API, but not on disk.

Path: F:\Install.ini
Status: Visible to the Windows API, but not on disk.

Path: F:\setup.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: F:\Install.log
Status: Visible to the Windows API, but not on disk.

Path: F:\New Music
Status: Visible to the Windows API, but not on disk.

Path: F:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: F:\Picz
Status: Visible to the Windows API, but not on disk.

Path: F:\Photoshop Light Burst Text Tutorial.txt
Status: Visible to the Windows API, but not on disk.

Path: F:\Evidence
Status: Visible to the Windows API, but not on disk.

Path: F:\Daniels Declaration.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\Crystal Prop Docs
Status: Visible to the Windows API, but not on disk.

Path: F:\The Baptism of Jesus shows us that the heavens opened and The.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\Backup Pics
Status: Visible to the Windows API, but not on disk.

Path: F:\Keith Green
Status: Visible to the Windows API, but not on disk.

Path: F:\Gospel
Status: Visible to the Windows API, but not on disk.

Path: F:\Christian Music! The best
Status: Visible to the Windows API, but not on disk.

Path: F:\Michael Jackson
Status: Visible to the Windows API, but not on disk.

Path: F:\VA-New_Jack_Swing_Gold-2CD-2007-XXL
Status: Visible to the Windows API, but not on disk.

Path: F:\DJ Premiere Hits
Status: Visible to the Windows API, but not on disk.

Path: F:\Golden Era of Rock N Roll
Status: Visible to the Windows API, but not on disk.

Path: F:\New Christian Tracks
Status: Visible to the Windows API, but not on disk.

Path: F:\Hip Hop
Status: Visible to the Windows API, but not on disk.

Path: F:\Photoshop Projects
Status: Visible to the Windows API, but not on disk.

Path: F:\80's Music
Status: Visible to the Windows API, but not on disk.

Path: F:\VirtualDJ Local Database v5.xml
Status: Visible to the Windows API, but not on disk.

Path: F:\New Pictures
Status: Visible to the Windows API, but not on disk.

Path: F:\80's Cartoon Intros
Status: Visible to the Windows API, but not on disk.

Path: F:\mbam-setup.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\That Jesus Music
Status: Visible to the Windows API, but not on disk.

Path: F:\Soundtracks
Status: Visible to the Windows API, but not on disk.

Path: F:\Top Songs of The 80's
Status: Visible to the Windows API, but not on disk.

Path: F:\Funk and R&B
Status: Visible to the Windows API, but not on disk.

Path: F:\1940's
Status: Visible to the Windows API, but not on disk.

Path: F:\Shekinah Shack Art
Status: Visible to the Windows API, but not on disk.

Path: F:\Nueva Pics
Status: Visible to the Windows API, but not on disk.

Path: F:\Newer Pics
Status: Visible to the Windows API, but not on disk.

Path: F:\2dc0880752696fcd211f91ca0669
Status: Visible to the Windows API, but not on disk.

Path: F:\23b67b88afca49126566805b
Status: Visible to the Windows API, but not on disk.

Path: F:\05b6d2b4f32467be6784a693d328
Status: Visible to the Windows API, but not on disk.

Path: F:\53a6fdf7bf1ec540b9d96519
Status: Visible to the Windows API, but not on disk.

#7 Computer Pro


Posted 16 August 2009 - 08:10 PM

Please run a Full Scan using Malwarebytes. When it asks which drive to scan, select the F: drive only. Post back the generated log.
Computer Pro

#8 HOAXoneder


Posted 16 August 2009 - 08:38 PM

Here ya go

Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 3

8/16/2009 6:38:22 PM
mbam-log-2009-08-16 (18-38-22).txt

Scan type: Full Scan (F:\|)
Objects scanned: 112303
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Computer Pro


Posted 16 August 2009 - 08:39 PM

Please download
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
Computer Pro
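The note about the hidden autorun.inf folder is the interesting part of that post: Windows looks for a file called autorun.inf in the root of a newly inserted drive, and a name on a volume can be held by either a file or a directory, not both. The following is an added example, not Flash_Disinfector's own code, that re-implements only that idea so the effect can be seen: reserve the name with a directory, then act like a dropper and try to write an autorun.inf file. The attribute constants are the documented Win32 values for SetFileAttributesW and are applied only when running on Windows; demo() uses a scratch directory from tempfile, so it can be run on any machine without touching a real drive root.

```python
"""Reserve the autorun.inf name on a drive root with a directory.

Added example; this is not Flash_Disinfector's own code, only a small
re-implementation of the idea Computer Pro describes above: once a directory
named autorun.inf occupies the root, a dropper cannot create a file of that
name, so there is nothing for Windows to parse on insertion. The attribute
constants are the documented Win32 values; the ctypes call is only made on
Windows. demo() works in a scratch directory created with tempfile.
"""
import os
import sys
import tempfile

AUTORUN = "autorun.inf"

# Win32 file attribute flags for SetFileAttributesW (kernel32).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def reserve_autorun(root):
    """Create <root>/autorun.inf as a directory and return its path.

    A *file* of that name is exactly the artefact being cleaned up, so it is
    removed first (clearing read-only, which droppers commonly set).
    """
    path = os.path.join(root, AUTORUN)
    if os.path.isfile(path):
        os.chmod(path, 0o600)
        os.remove(path)
    os.makedirs(path, exist_ok=True)
    if sys.platform == "win32":
        import ctypes
        flags = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(path, flags)
    return path


def autorun_reserved(root):
    """True when the name is held by a directory rather than free or a file."""
    return os.path.isdir(os.path.join(root, AUTORUN))


def can_plant_autorun(root):
    """Act like a dropper: try to write an autorun.inf file; True if it lands."""
    path = os.path.join(root, AUTORUN)
    try:
        with open(path, "w") as fh:
            fh.write("[autorun]\r\nopen=setup.exe\r\n")  # constructed, not from the thread
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False
    return True


def demo():
    """Before/after on a scratch root; returns (planted_before, planted_after)."""
    root = tempfile.mkdtemp(prefix="autorun-demo-")
    before = can_plant_autorun(root)  # empty root: the file lands
    reserve_autorun(root)             # removes that file, reserves the name
    after = can_plant_autorun(root)   # open() now fails: the name is a directory
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two caveats a practitioner would add. The reserved folder is a speed bump, not a control: anything running with write access to the root can remove the directory and drop its own file, so it mostly stops the unprivileged "copy autorun.inf and setup.exe to every drive" behaviour seen in the RootRepeal listing. The durable fix is to stop Windows from honouring autorun.inf at all, through the NoDriveTypeAutoRun policy value, and to keep holding Shift on insertion as the post says until that is in place.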

#10 HOAXoneder


Posted 17 August 2009 - 12:34 AM

Computer Pro, you're a life saver! I ran the Flash Disinfector and a pop-up box came up saying it was done. Anything else I need to do? PC is running quick and smooth again and no longer being redirected from Google or Yahoo.

#11 Computer Pro


Posted 17 August 2009 - 06:34 AM

Let's try one more scan:

Please run ATF and SAS:
Credits to Boopme

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#12 HOAXoneder


Posted 19 August 2009 - 09:43 AM

Sorry been a bit busy but I ran it last night - here is the log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/17/2009 at 11:42 PM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Complete Scan
Total Scan Time : 01:29:58

Memory items scanned : 248
Memory threats detected : 0
Registry items scanned : 6557
Registry threats detected : 20
File items scanned : 25428
File threats detected : 9

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{73CFE16B-022E-4727-BAA1-C89696158783}
HKCR\CLSID\{73CFE16B-022E-4727-BAA1-C89696158783}
HKCR\CLSID\{73CFE16B-022E-4727-BAA1-C89696158783}\InprocServer32
HKCR\CLSID\{73CFE16B-022E-4727-BAA1-C89696158783}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBCD.DLL
HKLM\Software\Classes\CLSID\{8A46FCD0-71D3-404B-BE34-B2D39A7845C7}
HKCR\CLSID\{8A46FCD0-71D3-404B-BE34-B2D39A7845C7}
HKCR\CLSID\{8A46FCD0-71D3-404B-BE34-B2D39A7845C7}\InprocServer32
HKCR\CLSID\{8A46FCD0-71D3-404B-BE34-B2D39A7845C7}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNNN.DLL
HKLM\Software\Classes\CLSID\{9924811F-15CB-4D23-A2B7-F1250A570498}
HKCR\CLSID\{9924811F-15CB-4D23-A2B7-F1250A570498}
HKCR\CLSID\{9924811F-15CB-4D23-A2B7-F1250A570498}\InprocServer32
HKCR\CLSID\{9924811F-15CB-4D23-A2B7-F1250A570498}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A2697058-EA00-4DC3-B416-AC96AC2094B2}
HKCR\CLSID\{A2697058-EA00-4DC3-B416-AC96AC2094B2}
HKCR\CLSID\{A2697058-EA00-4DC3-B416-AC96AC2094B2}\InprocServer32
HKCR\CLSID\{A2697058-EA00-4DC3-B416-AC96AC2094B2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A46FCD0-71D3-404B-BE34-B2D39A7845C7}
HKU\S-1-5-21-1819219006-3082138576-1823859428-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A46FCD0-71D3-404B-BE34-B2D39A7845C7}
HKU\S-1-5-21-1819219006-3082138576-1823859428-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\Mslsv
C:\WINDOWS\SYSTEM32\DCBEG.BAK1
C:\WINDOWS\SYSTEM32\DCBEG.INI
C:\WINDOWS\SYSTEM32\GJKMP.BAK1
C:\WINDOWS\SYSTEM32\GJKMP.INI
C:\WINDOWS\SYSTEM32\NNNMP.INI

Rootkit.Agent/Gen-UAC
C:\WINDOWS\SYSTEM32\UACJNQONTGSVYDYNKRDT.DAT

Trace.Known Threat Sources
C:\Documents and Settings\Jahaira\Local Settings\Temp\Temporary Internet Files\Content.IE5\ALMNO1EL\index[1].htm

#13 Computer Pro


Posted 19 August 2009 - 11:23 AM

Ok, please run a last Quick Scan with Malwarebytes.
Computer Pro



