Trojan horse downloader KZK has taken over my computer


25 replies to this topic

#1 badboykiller1990

badboykiller1990

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 17 August 2009 - 05:24 PM

At the beginning of August I logged on to my computer to find it had become very slow, so I tried to go to the Task Manager to see which program was the cause, but then this message came up telling me 'Task Manager has been disabled by your administrator.' The only problem is I am the only user on my computer and there is no other user except me, so I ran a full scan of my computer using 'AVG Anti-virus free' and it found two viruses and deleted them. So I restarted my computer, but the problem persisted, and after hours of trying to find out I opened 'AVG Anti-virus', clicked 'history', then clicked on 'resident Shield detection' and found that my computer was infected by 'Trojan horse downloader agent KZK' and the anti-virus didn't or couldn't delete it or move it to the virus vault.
After that I decided to 'restore my computer to a couple of months ago', and this worked, but when I restarted the computer and tried to go to the Task Manager I got the same message as before.

After this, I restarted my computer and went into 'Safe mode' (before that I updated my anti-virus), and here I was confronted with a screen asking which user I wanted to be, the problem being I am the only user. After realizing this was the reason I couldn't use Task Manager I decided to continue and selected the Administrator user, and after that I did a full scan and it found one infection and deleted or healed it. After this I tried my hand at deleting every file related to those infected files. But I failed, and it seems that no matter what I do, nothing seems to do any damage to this 'thing', because the 'Trojan horse downloader agent KZK' was still there even after I restarted my computer and the problems persisted.

By the way, here is the result from the scan I did in 'Safe mode' (I used AVG Anti-virus free):

AVG 8.5 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 8.0.354, engine 8.0.387
Virus Database: Version 270.13.54/2300 2009-08-13

C:\pagefile.sys Locked file. Not tested.
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared-new(2)\ Locked file. Not tested.
C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll.dmp Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\DEFAULT Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SOFTWARE Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SYSTEM Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{5EC42EF8-291C-45B2-8B85-A745D91CC9CB}.tmp Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{8414FB68-E000-497F-BC6E-7BC354650764}.tmp Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{8D976294-73A7-4F6E-AB7D-16574DF546A0}.tmp Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{E0D5C3AC-1715-4D59-83D3-555F5B3D5EE5}.tmp Locked file. Not tested.
D:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested.
D:\Documents and Settings\Administrator\ntuser.dat.LOG Locked file. Not tested.
D:\Documents and Settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll Locked file. Not tested.
D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Locked file. Not tested.
D:\Documents and Settings\Mohamed Omar\Local Settings\Temp\~TME3.tmp Trojan horse Generic14.VBA Object was moved to Virus Vault.
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
D:\Documents and Settings\NetworkService\ntuser.dat Locked file. Not tested.
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
D:\System Volume Information\ Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 197693
Found infections : 1
Found PUPs : 0
Healed infections : 1
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------

And here is the latest scan. Even though it said it found no virus, the problems of the computer suddenly becoming slow and not being able to use Task Manager are still there.

AVG 8.5 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 8.0.354, engine 8.0.387
Virus Database: Version 270.13.58/2306 2009-08-16

C:\pagefile.sys Locked file. Not tested.
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared-new(2)\ Locked file. Not tested.
C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll.dmp Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\DEFAULT Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SOFTWARE Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SYSTEM Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
D:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested.
D:\Documents and Settings\Administrator\ntuser.dat.LOG Locked file. Not tested.
D:\Documents and Settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll Locked file. Not tested.
D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Locked file. Not tested.
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
D:\Documents and Settings\NetworkService\ntuser.dat Locked file. Not tested.
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
D:\System Volume Information\ Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 194438
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,009 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:30 AM

Posted 17 August 2009 - 10:19 PM

As the above logs are from AVG, I am moving this topic from the specialized HiJack This forum to the Am I Infected forum. I am also deleting your previous topic on the same issue.

==>PLEASE DO NOT NOW POST OTHER LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:30 PM

Posted 17 August 2009 - 11:09 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 badboykiller1990

badboykiller1990
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 18 August 2009 - 07:42 AM

Budapest, I did exactly as you said, but the problem is every time I get to removing the virus the program freezes. I noticed it always freezes when it gets to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{db3c772e-16f4-40e7-aaf-



So I was wondering if it is okay if I do the scan in safe mode? Because I checked this: the virus won't let me edit the registry, and since it keeps freezing when it gets to editing the registry, I think this will keep happening unless I log in in 'Safe mode' and select the Administrator username which the virus created.

By the way, I had to do two scans and both times it froze and crashed when it got to --- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{db3c772e-16f4-40e7-aaf ---


Here are the results for the first scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2647
Windows 5.1.2600 Service Pack 2

18/08/2009 13:07:33
mbam-log-2009-08-18 (13-07-00).txt

Scan type: Quick Scan
Objects scanned: 106717
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\muitef.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\muitef.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\muiten.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\c2d.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\ck.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\inform.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\q1.dat (Malware.Trace) -> No action taken.

And here are the results for the second scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2647
Windows 5.1.2600 Service Pack 2

18/08/2009 13:31:41
mbam-log-2009-08-18 (13-31-31) Second one

Scan type: Quick Scan
Objects scanned: 106645
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\muitef.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\muitef.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\muiten.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\c2d.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\ck.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\inform.dat (Malware.Trace) -> No action taken.

By the way, I installed something called Process Explorer since the virus wouldn't let me check the Task Manager, and I noticed that when the anti-virus program freezes this other program called 'DrWatson Postmortem Debugger' becomes active.

Edited by badboykiller1990, 18 August 2009 - 01:36 PM.


#5 badboykiller1990

badboykiller1990
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 18 August 2009 - 08:43 AM

Sorry for too many updates, but here is the result from the third scan. When the scan finished I only selected files I knew or thought were not involved with the registry, because the virus won't let me change or edit the registry unless I log in in safe mode and select the username Administrator which the virus created.

Here are the results from the third scan:


Malwarebytes' Anti-Malware 1.40
Database version: 2647
Windows 5.1.2600 Service Pack 2

18/08/2009 14:24:37
mbam-log-2009-08-18 (14-24-37).txt

Scan type: Quick Scan
Objects scanned: 106571
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\muitef.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{db3c772e-16f4-40e7-aaf2-5deba1354917} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Not selected for removal.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\muitef.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\muiten.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c2d.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ck.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\q1.dat (Malware.Trace) -> Quarantined and deleted successfully.


Hooray, the fourth and fifth scans were successful, unlike the first and second.

The result from the fourth scan --- for the fourth scan I only removed the virus that was blocking me from accessing Task Manager.

Malwarebytes' Anti-Malware 1.40
Database version: 2647
Windows 5.1.2600 Service Pack 2

18/08/2009 18:15:12
mbam-log-2009-08-18 (18-15-11).txt

Scan type: Quick Scan
Objects scanned: 106510
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Not selected for removal.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is the result from the fifth scan -- here I removed the remaining infected registry files.


Malwarebytes' Anti-Malware 1.40
Database version: 2647
Windows 5.1.2600 Service Pack 2

18/08/2009 19:18:37
mbam-log-2009-08-18 (19-18-37).txt

Scan type: Quick Scan
Objects scanned: 106580
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Final update -- I updated Malwarebytes' Anti-Malware to the latest version and did a scan, and it didn't find any problems. Anyway, here are the results:

Malwarebytes' Anti-Malware 1.40
Database version: 2650
Windows 5.1.2600 Service Pack 2

18/08/2009 19:54:33
mbam-log-2009-08-18 (19-54-33).txt

Scan type: Quick Scan
Objects scanned: 106795
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

One question: does this mean this anti-virus has removed the trojan horse downloader? Because I went to the cnet.com page about Malwarebytes' Anti-Malware and watched their video about this program, and at the end the presenter said the program removes only malware... and that was the end of the video, but this has led me to question if all the viruses have been removed and if the Trojan was removed at all.

Edited by badboykiller1990, 18 August 2009 - 05:09 PM.
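The MBAM logs in posts #4 and #5 show the same detections going from "No action taken" to "Quarantined and deleted successfully" over several runs, and the two "Registry Data Items" entries (DisableTaskMgr and DisableRegistryTools set to 1) are what produced the "Task Manager has been disabled by your administrator" message. The Python below is an added example, not code from this thread or from Malwarebytes: it parses that log layout, separates remediated detections from leftover ones, flags policy hijacks still in place, and reports which detections carried over unremediated from one scan to the next. The sample logs inside it are constructed for the example, with placeholder file names and an all-zero CLSID.

```python
"""Triage MBAM 1.x text logs: added example, not code from the thread or
from Malwarebytes. Sample logs below are constructed (placeholder names)."""
import re

# Section headers exactly as MBAM 1.x prints them; the summary counts near the
# top of the log end in a number, so they do not match this pattern.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# <path> (<family>) [-> Bad: (n) Good: (n)] -> <status>.
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"
    r" -> (?P<status>.+?)\.?$"
)
# Statuses meaning MBAM actually removed the item (now or at next boot).
REMEDIATED = {"Quarantined and deleted successfully", "Delete on reboot"}
# Policy values under HKCU\...\Policies\System that lock the user out of
# Task Manager and regedit; leaving them at 1 keeps the lockout in place.
POLICY_HIJACKS = {"DisableTaskMgr", "DisableRegistryTools"}


def parse_mbam_log(text):
    """Return one dict per detected item: section, path, family, status."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, "path": m.group("path"),
                          "family": m.group("family"),
                          "status": m.group("status")})
    return items


def triage(items):
    """Split items into (remediated, leftover, policy hijacks still active)."""
    remediated = [i for i in items if i["status"] in REMEDIATED]
    leftover = [i for i in items if i["status"] not in REMEDIATED]
    hijacks = [i["path"].rsplit("\\", 1)[-1] for i in leftover
               if i["section"] == "Registry Data Items"
               and i["path"].rsplit("\\", 1)[-1] in POLICY_HIJACKS]
    return remediated, leftover, hijacks


def carried_over(earlier, later):
    """Paths detected in the earlier scan that are still unremediated later."""
    seen = {i["path"] for i in earlier}
    return {i["path"] for i in later
            if i["path"] in seen and i["status"] not in REMEDIATED}


# Constructed sample: a first scan where removal froze ("No action taken").
SAMPLE_FIRST = r"""
Scan type: Quick Scan
Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\example.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000} (Password.Stealer) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\example.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\example.dat (Malware.Trace) -> No action taken.
"""

# Constructed sample: a later scan after a partial clean-up.
SAMPLE_LATER = r"""
Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Not selected for removal.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    first, later = parse_mbam_log(SAMPLE_FIRST), parse_mbam_log(SAMPLE_LATER)
    for name, items in (("first", first), ("later", later)):
        done, left, hijacks = triage(items)
        print(f"{name}: {len(done)} remediated, {len(left)} left, "
              f"policy hijacks still active: {hijacks or 'none'}")
    print("carried over unremediated:", sorted(carried_over(first, later)))
```

Run it against a real mbam-log-*.txt by passing the file contents to parse_mbam_log; the point of carried_over is the one the thread illustrates: a log that lists a detection is not the same as a log that shows it remediated, and a policy value such as DisableTaskMgr left at "No action taken" means the Task Manager lockout is still in effect after the scan.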


#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:30 PM

Posted 18 August 2009 - 04:16 PM

It looks like you did a good job there. Let's run another scan as a double check:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 badboykiller1990

badboykiller1990
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 19 August 2009 - 03:32 PM

I followed your instructions exactly as you said them, so I put the computer into safe mode. I had to choose between my username or the username created by the virus, so I chose the Administrator username, and that is where the first problem came, which happened when I started up ATF Cleaner: at first it cleaned everything, but when I got to Firefox and clicked Empty Selected it showed me this message saying 'no files were removed'. So after a while I decided to continue. And the second problem was that I couldn't find the SUPERAntiSpyware program in the Administrator account which the virus created, so I went to my user account and tried to run the program from there, but it wouldn't let me, so I copied the program from my user account desktop and ran it, and there was the problem, because it wanted me to update the program and I couldn't, so I logged off, logged in to my user account and started the full scan.

Here are the results from the first full scan, which was in my account, not the Administrator account created by the virus.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/19/2009 at 04:12 PM

Application Version: 4.27.1002

Core Rules Database Version: 4062
Trace Rules Database Version: 2002

Scan type : Complete Scan
Total Scan Time: 03:32:42

Memory items scanned : 227
Memory threats detected : 0
Registry items scanned : 6083
Registry threats detected : 0
File items scanned : 55589
File threats detected : 1

Trojan.Rec04-NECLaunch
K:\MININT\SYSTEM32\REC04.HTA

After re-reading your instructions I came up with the idea of downloading the latest update and saving it, and when I went to the Administrator account created by the virus I would run SUPERAntiSpyware, and when it asked to update I would say no, and after I installed the program I would install the update. It worked, and here are the results from the second scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/19/2009 at 08:47 PM

Application Version : 4.27.1002

Core Rules Database Version : 4060
Trace Rules Database Version: 2000

Scan type : Complete Scan
Total Scan Time : 03:30:31

Memory items scanned : 235
Memory threats detected : 0
Registry items scanned : 5770
Registry threats detected : 0
File items scanned : 55812
File threats detected : 0

I believe that both scans lasted more than 7 hours (it was close to 7 hours and 3 minutes).


One last question: does this mean that there are no viruses or trojans on my computer? And if the answer is 'yes', why is the user account created by the virus, which can only be accessed in safe mode, still here?

Update: I thought all the problems were gone, but the computer seems to keep freezing randomly, and I can't find what program is responsible for it.

Update: I think I found what program it is. When the computer froze I managed to switch to Task Manager and noticed avgnsx.exe running, using 250,000 K of memory; this is a problem because this program is now using only 3,000. After looking in Process Explorer (I installed this program 2 days ago when I couldn't access Task Manager) it says avgnsx.exe is the AVG Network Scanner service.

Edited by badboykiller1990, 19 August 2009 - 05:28 PM.


#8 Budapest (Moderator)

Posted 19 August 2009 - 05:26 PM

It seems like you have cleaned up most of the infection. However, some of these infections can be very extensive in that they drop malicious files all over your computer and cause all sorts of problems. Often just one scan, or one scanning program won't be able to remove the infection completely and we need to run multiple scans and other types of fixes.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 Budapest (Moderator)

Posted 19 August 2009 - 05:47 PM

Are you able to run the DrWebCureIt scan?

#10 badboykiller1990 (Topic Starter)

Posted 20 August 2009 - 08:13 AM

Budapest, I followed your instructions, and when Dr.Web CureIt finished the Express scan I got a message saying it found something, this virus or trojan called backdoor (I can't remember exactly what came after that; I think it was 'moast' but I'm not sure) something, and it said it needed to restart, so I clicked yes. The computer turned off, and when it restarted I got this screen which said Packard Bell Restore Centre (when the computer first got the virus I spent three whole days trying to get to this screen), so I clicked restore computer to factory settings and delete everything :thumbsup:. Now it looks like it deleted everything and I am happy with that. Now here is the problem: I want to check if the virus is still here. So far I have checked everywhere and I can't find anything that suggests anything from before is still here; all the programs, including the saved files, e.g. pictures and music, are gone.


Bad news: read follow-up post #12.

For fun, read post 11 if you want; it doesn't really matter.

Edited by badboykiller1990, 20 August 2009 - 12:27 PM.


#11 badboykiller1990 (Topic Starter)

Posted 20 August 2009 - 08:35 AM

Bad news: the virus is not gone.

While I was writing the last post the computer started to freeze, so I thought something was wrong, so I downloaded Malwarebytes' Anti-Malware and did a scan.

Malwarebytes' Anti-Malware 1.40
Database version: 2664
Windows 5.1.2600 Service Pack 2

20/08/2009 15:59:00
mbam-log-2009-08-20 (15-59-00).txt

Scan type: Quick Scan
Objects scanned: 84640
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

But for extra security I downloaded Dr.Web CureIt and went into Safe Mode to do a scan, and when the screen started I was confronted with a screen asking me to log in to my account or the Administrator account (I didn't create this account; I am thinking it is the same one from before). This confused me because I deleted everything, including user accounts, and the evidence is that my old user account doesn't exist.

So after a while I logged into the Administrator account, went to My Computer, clicked the (D:) data drive, then Documents and Settings, then my user account, then Desktop, and copied and pasted the Dr.Web CureIt program onto the Administrator account's desktop and ran the program. It did the Express scan but found nothing. After that I clicked Settings > Change settings, unchecked "Heuristic analysis" under the "Scanning" tab, then clicked Apply, OK, and then started the full scan. After an hour it finished and found only one virus.

Here are the results from that scan:

=============================================================================
Dr.Web Scanner for Windows v5.00.4 (5.00.4.06300)
© Doctor Web, Ltd., 1992-2009
Log generated on: 2009-08-20, 16:49:08 [mohamedomar][Administrator]
Command line: "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\k6l5j.exe" /lng /ini:setup_XP.ini
Operating system: Windows XP Home Edition x86 (Build 2600), Service Pack 2
=============================================================================
DwShield started
Engine version: 5.00 (5.00.0.12182)
Engine API version: 2.02
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\322167a9 - 3187 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b59bcd1f - 8546 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2caf0597 - 7640 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\9916d0d7 - 6071 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\dd1d4d76 - 4983 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\4d191578 - 2139 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\9b07970f - 3732 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\c3af34f7 - 6424 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\71010a75 - 5242 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\5583c4ee - 2770 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2d04d01e - 2685 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\ad3ee346 - 3327 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\49cb81e9 - 4697 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1c24ef2c - 2792 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\6d22f015 - 5841 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8238e06e - 2260 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\0fee677a - 4796 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\3ab7145f - 5098 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\a406ab47 - 4891 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8178b5eb - 5033 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\296b5e0c - 3254 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7cc0dc2f - 5206 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\135baa8c - 7585 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2228ea7c - 5298 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\29c6b204 - 5947 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\586d6b80 - 6039 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\17501ec7 - 5309 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8a7cbd8f - 3511 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7fcdd5ce - 2495 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b475f821 - 4565 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\494b7bcc - 4467 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\fdc5fb44 - 5196 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\080a6ab2 - 2359 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\e870fe7c - 1938 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\e9f5aa7a - 3335 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b4036f19 - 3185 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\453c8427 - 1468 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\29ed5ad9 - 280 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\6cdb0fdc - 567 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\5edb2b5a - 1194 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\115e1337 - 423328 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\a79d210b - 145 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\443e4f67 - 665 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7e1e76fa - 626 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\c6073dec - 126 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2713430b - 712 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\9c15af91 - 925 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8b37c5c6 - 840 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\53314c84 - 3316 virus records
[Virus database] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f4a51ee1 - 19303 virus records
Total virus records: 615338
[Self-checking] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\k6l5j.exe
Key file: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.key
License key number: 0010867178
Registered to: A User
License key activates on: 2009-06-03
License key expires on: 2009-12-04
Process in memory: System:4 - OK
Process in memory: \SystemRoot\System32\smss.exe:128 - OK
Process in memory: \??\C:\WINDOWS\system32\csrss.exe:180 - OK
Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:204 - OK
Process in memory: C:\WINDOWS\system32\services.exe:248 - OK
Process in memory: C:\WINDOWS\system32\lsass.exe:260 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:408 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:468 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:544 - OK
Process in memory: C:\WINDOWS\Explorer.EXE:800 - OK
Process in memory: D:\Documents and Settings\Administrator\Desktop\9tujear2.exe:1416 - OK
Process in memory: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7a8a48.exe:1424 - OK
Process in memory: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\k6l5j.exe:1448 - OK
[Memory scanning] No viruses found
Master Boot Record HDD1 - OK
Active OS/2 or WinNT Boot Sector HDD1 - OK
OS/2 or WinNT Boot Sector HDD1 - OK

[Scan path] c:\apps\emailchecker\ech.exe
c:\apps\emailchecker\ech.exe - OK

[Scan path] c:\apps\hidservice\hidservice.exe
c:\apps\hidservice\hidservice.exe - OK

[Scan path] c:\apps\powercinema\kernel\tv\clcapsvc.exe
c:\apps\powercinema\kernel\tv\clcapsvc.exe - OK

[Scan path] c:\apps\powercinema\kernel\tv\clsched.exe
c:\apps\powercinema\kernel\tv\clsched.exe - OK

[Scan path] c:\apps\powercinema\pcmservice.exe
c:\apps\powercinema\pcmservice.exe - OK

[Scan path] c:\apps\recordnow\shlext.dll
c:\apps\recordnow\shlext.dll - OK

[Scan path] c:\apps\smp\pcsetup.exe
c:\apps\smp\pcsetup.exe - OK

[Scan path] c:\ati technologies\ati control panel\atiptaxx.exe
c:\ati technologies\ati control panel\atiptaxx.exe - OK

[Scan path] c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll - OK

[Scan path] c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll - OK

[Scan path] c:\program files\common files\aol\acs\aolacsd.exe
c:\program files\common files\aol\acs\aolacsd.exe - OK

[Scan path] c:\program files\common files\microsoft shared\information retrieval\msitss.dll
c:\program files\common files\microsoft shared\information retrieval\msitss.dll - OK

[Scan path] c:\program files\common files\microsoft shared\speech\sapi.cpl
c:\program files\common files\microsoft shared\speech\sapi.cpl - OK

[Scan path] c:\program files\common files\system\ole db\oledb32.dll
c:\program files\common files\system\ole db\oledb32.dll - OK

[Scan path] c:\program files\common files\ulead systems\autodetector\monitor.exe
c:\program files\common files\ulead systems\autodetector\monitor.exe - OK

[Scan path] c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe
c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe - OK

[Scan path] c:\program files\common files\ulead systems\mpeg\mpegacm.acm
c:\program files\common files\ulead systems\mpeg\mpegacm.acm - OK

[Scan path] c:\program files\common files\ulead systems\mpeg\ulmp3acm.acm
c:\program files\common files\ulead systems\mpeg\ulmp3acm.acm - OK

[Scan path] c:\program files\common files\ulead systems\vio\dvacm.acm
c:\program files\common files\ulead systems\vio\dvacm.acm - OK

[Scan path] c:\program files\cyberlink\shared files\clml_ntservice\clmlserver.exe
c:\program files\cyberlink\shared files\clml_ntservice\clmlserver.exe - OK

[Scan path] c:\program files\java\jre1.5.0_02\bin\jusched.exe
c:\program files\java\jre1.5.0_02\bin\jusched.exe - OK

[Scan path] c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll - OK

[Scan path] c:\program files\malwarebytes' anti-malware\mbamgui.exe
c:\program files\malwarebytes' anti-malware\mbamgui.exe - OK

[Scan path] c:\program files\messenger\msmsgs.exe
c:\program files\messenger\msmsgs.exe - OK

[Scan path] c:\program files\outlook express\setup50.exe
c:\program files\outlook express\setup50.exe - OK

[Scan path] c:\program files\outlook express\wabfind.dll
c:\program files\outlook express\wabfind.dll - OK

[Scan path] c:\program files\real\realplayer\rpshell.dll
c:\program files\real\realplayer\rpshell.dll - OK

[Scan path] c:\program files\symantec\liveupdate\ndetect.exe
c:\program files\symantec\liveupdate\ndetect.exe - OK

[Scan path] c:\program files\symantec\liveupdate\s32lucp1.cpl
c:\program files\symantec\liveupdate\s32lucp1.cpl - OK

[Scan path] c:\windows\apppatch\acgenral.dll
c:\windows\apppatch\acgenral.dll - OK

[Scan path] c:\windows\explorer.exe
c:\windows\explorer.exe - OK

Edited by badboykiller1990, 20 August 2009 - 05:35 PM.
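The scan log above lists every process that was in memory, and three of them run from places an analyst would normally treat as suspicious: one executable on the Administrator desktop and two in a Temp\RarSFX0 folder. In this case the log header's "Command line:" line shows that the RarSFX0 files are Dr.Web CureIt's own extraction, and the desktop file is the randomly named CureIt download that post #8 describes. The script below is an added example, not code from this thread or from Doctor Web: it parses the "Process in memory" lines, excludes anything running from the scanner's own directory, and flags the rest that sit in user-writable locations for manual review. The regular expressions, the directory markers and the cut-down sample log are this example's own assumptions.

```python
"""Triage the "Process in memory" lines of a Dr.Web CureIt scan log.

Added example, not code from the thread or from Doctor Web. The two line
shapes ("Command line: ..." and "Process in memory: <image>:<pid> - <status>")
follow the log posted above; the regular expressions, the list of
user-writable directory markers and the cut-down sample log are this
example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a cut-down copy of the shape of the log posted above.
SAMPLE_LOG = r"""
Command line: "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\k6l5j.exe" /lng /ini:setup_XP.ini
Process in memory: System:4 - OK
Process in memory: \SystemRoot\System32\smss.exe:128 - OK
Process in memory: \??\C:\WINDOWS\system32\csrss.exe:180 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:408 - OK
Process in memory: C:\WINDOWS\Explorer.EXE:800 - OK
Process in memory: D:\Documents and Settings\Administrator\Desktop\9tujear2.exe:1416 - OK
Process in memory: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7a8a48.exe:1424 - OK
Process in memory: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\k6l5j.exe:1448 - OK
[Memory scanning] No viruses found
"""

CMD_RE = re.compile(r'^Command line: "(?P<exe>[^"]+)"')
PROC_RE = re.compile(r"^Process in memory: (?P<image>.+):(?P<pid>\d+) - (?P<status>.+)$")

# Assumed markers of directories an ordinary XP user can write to; an
# executable running from one of these deserves a second look.
USER_WRITABLE = (
    "\\temp\\",
    "\\desktop\\",
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\local settings\\",
    "\\application data\\",
)


@dataclass
class Proc:
    image: str
    pid: int
    status: str
    verdict: str  # "scanner", "review" or "system"


def parse_log(text: str) -> list[Proc]:
    """Return one Proc per "Process in memory" line, classified by image path."""
    scanner_dir = None
    procs = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            # The scanner's own extraction directory, taken from the log header.
            scanner_dir = m.group("exe").lower().rsplit("\\", 1)[0] + "\\"
            continue
        m = PROC_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        if image.startswith("\\??\\"):      # strip the NT object-manager prefix
            image = image[4:]
        low = image.lower()
        if scanner_dir and low.startswith(scanner_dir):
            verdict = "scanner"
        elif any(marker in low for marker in USER_WRITABLE):
            verdict = "review"
        else:
            verdict = "system"
        procs.append(Proc(image, int(m.group("pid")), m.group("status"), verdict))
    return procs


def needs_review(procs: list[Proc]) -> list[Proc]:
    """Processes to check by hand: odd location or a non-OK scanner status."""
    return [p for p in procs if p.verdict == "review" or p.status != "OK"]


if __name__ == "__main__":
    for p in needs_review(parse_log(SAMPLE_LOG)):
        print(f"{p.verdict:8} pid={p.pid:<5} {p.status:4} {p.image}")
```

On the sample log this leaves exactly one item to review, the desktop executable with PID 1416; the two Temp\RarSFX0 processes are recognised as the scanner itself because their directory matches the one in the "Command line:" header. The point is that a location heuristic alone would have produced three alerts, and the log's own header is what lets the analyst discard two of them; the remaining one still has to be reconciled by hand against what was deliberately run.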


#12 badboykiller1990 (Topic Starter)

Posted 20 August 2009 - 12:21 PM

---

Edited by badboykiller1990, 20 August 2009 - 05:33 PM.


#13 badboykiller1990 (Topic Starter)

Posted 20 August 2009 - 03:25 PM

look below

Edited by badboykiller1990, 20 August 2009 - 05:06 PM.


#14 Budapest (Moderator)

Posted 20 August 2009 - 04:42 PM

Forget that log for now.

Run another scan with Malwarebytes and post that log.

Also, tell me what problems your computer is currently experiencing.

And can you tell me what problems you are having with the user accounts? I kind of lost track of what you had found and done about it.

#15 badboykiller1990 (Topic Starter)

Posted 20 August 2009 - 05:04 PM

Okay, first change since 18 Aug 2009: I managed to delete everything, including my account. I did this using Packard Bell System Restore.

So I was happy with that until the computer started to freeze, so I did a scan using Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.40
Database version: 2666
Windows 5.1.2600 Service Pack 2

20/08/2009 23:10:27
mbam-log-2009-08-20 (23-10-27).txt

Scan type: Quick Scan
Objects scanned: 93090
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I didn't find anything, so for extra security I decided to download Dr.Web CureIt and do a scan. I started the computer in Safe Mode and a screen came up asking which account I wanted to log in to. The problem is I only created one user account, and I know no one else created another account, because I restored the computer to its factory settings and everything, I mean everything, was deleted, so I was surprised.

The other user name was called Administrator, and it is the same account that the virus created, and no matter what I do I can't seem to be able to delete it.

Anyway, I did a scan using Dr.Web CureIt and it only found one virus: POSTOOBE.NEC;C:\DRIVERS;VBS.Generic.278;Deleted.;


Edited by badboykiller1990, 20 August 2009 - 05:31 PM.
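Post #8 asks for the DrWeb.csv report to be saved and posted, and the single report line above (POSTOOBE.NEC;C:\DRIVERS;VBS.Generic.278;Deleted.;) shows its shape: semicolon-separated fields with a trailing separator. The script below is an added example, not code from this thread or from Doctor Web. It parses such a report, counts detections per action, and lists any detection the scanner reported but did not remove, which is the check that decides whether another pass or manual cleanup is needed. The field order (object;directory;threat;action;) is inferred from that one line and is an assumption, as are the action words other than "Deleted."; the two extra sample rows are constructed for the example.

```python
"""Summarise a DrWeb.csv report saved from Dr.Web CureIt.

Added example, not code from the thread or from Doctor Web. The field
order (object;directory;threat;action;) is inferred from the single report
line posted above and is an assumption, as are the action words other than
"Deleted."; the extra sample rows are constructed for this example.
"""
from __future__ import annotations

import csv
from collections import Counter
from io import StringIO

# Constructed sample: the line posted above plus two made-up rows that
# exercise the other outcomes the summary has to distinguish.
SAMPLE_REPORT = (
    "POSTOOBE.NEC;C:\\DRIVERS;VBS.Generic.278;Deleted.;\n"
    "update.tmp;C:\\Documents and Settings\\User\\Local Settings\\Temp;Trojan.Sample.1;Moved.;\n"
    "loader.dll;C:\\WINDOWS\\system32;Trojan.Sample.2;Not cured.;\n"
)

# Assumed: these actions mean the object is no longer in its original place.
RESOLVED_ACTIONS = {"deleted", "moved", "cured"}


def parse_report(text: str) -> list[dict]:
    """Parse semicolon-separated report rows into dicts with a full path."""
    rows = []
    for fields in csv.reader(StringIO(text), delimiter=";"):
        if len(fields) < 4:
            continue                      # blank or truncated line
        obj, directory, threat, action = (f.strip() for f in fields[:4])
        rows.append({
            "object": obj,
            "path": directory.rstrip("\\") + "\\" + obj,
            "threat": threat,
            "action": action.rstrip(".").lower(),   # "Deleted." -> "deleted"
        })
    return rows


def summarise(rows: list[dict]) -> Counter:
    """Count detections per action ("deleted", "moved", "not cured", ...)."""
    return Counter(r["action"] for r in rows)


def unresolved(rows: list[dict]) -> list[dict]:
    """Detections the scanner reported but did not remove; re-scan or handle by hand."""
    return [r for r in rows if r["action"] not in RESOLVED_ACTIONS]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for action, n in sorted(summarise(rows).items()):
        print(f"{n:3} {action}")
    for r in unresolved(rows):
        print("STILL PRESENT:", r["path"], r["threat"])
```

Whether a particular hit is real malware or a benign file the scanner misjudged is a decision the parser cannot make; what it does give the reader is an immediate answer to "did the scanner actually remove what it found", which is the question the thread keeps circling back to after each scan.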




