Ok to run Combofix with Avira scanning?


18 replies to this topic

#1 coprimadonna

Posted 26 August 2009 - 08:18 PM

I have a plethora of worms/malware/trojans/viruses. Webroot advised me to combofix... however, when I click to run, it says the following:
*************************************************
ComboFix has detected the following real time scanner to be active:

antivirus: Avira AntiVir PersonalEdition Classic

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking "OK".

*************************************************
I've looked everywhere and can't find "Avira". I uninstalled Spybot and AdAware, but this window is still popping up.
Is it ok to just go ahead and run it?? Or is my computer going to explode, never returning to normal again?

Edited by coprimadonna, 26 August 2009 - 08:26 PM.


#2 boopme

Posted 26 August 2009 - 09:16 PM

Hi, as this is a malware issue I am moving this from XP to Am I Infected.
You have searched for Avira and also AntiVir?
What antivirus are you running, as it needs to be disabled.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

May I suggest you run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 coprimadonna

Posted 26 August 2009 - 10:38 PM

Hello,
Thank you SO much for responding. I have been working with Webroot, but their customer service is poor. One response via email every 2 days, or so.
1. Yes, I've searched all over and everywhere to try to find Avira/Antivir... to no avail.
2. I'm running Webroot's Spyware AntiSpam and Antivirus.
If I can boot my computer up and connect to the internet, I will definitely take you up on your suggestions (I'm on another laptop right now). Thank you again!
:-)

Edited by coprimadonna, 26 August 2009 - 10:39 PM.


#4 coprimadonna

Posted 27 August 2009 - 12:27 PM

Dear Boopme, :flowers:
If you were here next to me, I would hug your neck and give you a smooch. This seemed to work. I learned that Webroot's spyware was locking me up. It was set to run automatically whenever I booted up. I had literally one second to click, click, click to turn off the auto-checks before it crashed. On the next boot up, I uninstalled it. This allowed MBAM to run its scan for over an hour to find the following report. Here are the results from the log, per your request:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/27/2009 11:13:18 AM
mbam-log-2009-08-27 (11-13-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 188855
Time elapsed: 1 hour(s), 11 minute(s), 13 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 35
Registry Values Infected: 6
Registry Data Items Infected: 7
Folders Infected: 4
Files Infected: 18

Memory Processes Infected:
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\winupdate.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{20d57a66-f7df-467d-907b-9b7f4a118ab7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d4576c73-52bd-4401-b966-5a128c4433d4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\logon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Start Menu\Programs\Startup\TA_Start.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\AVR09.exe (Adware.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

**************************************************************************************

My next question is that Active Desktop Recovery has been staring at me, but I wasn't sure if this was a virus trying to lure me into clicking on it. What are your thoughts?

I can't believe you helped me solve this with ONE, quick message when it's taken Webroot over 2 weeks to figure it out. You're an angel. Thank you so much!
:thumbsup:
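
The MBAM log format pasted in this thread (the one above and the later ones) is regular enough to check mechanically. The parser below is an added example, not code from MBAM or from this thread; the helper names (parse_mbam_log, check_counts, pending_reboot, policy_hijacks, detection_counts) are this example's own, and the sample log is a constructed subset of the lines posted above. It checks that the pasted log is complete (summary counts versus listed items), lists the "Delete on reboot" items that make the normal reboot mandatory, and pulls out the policy values the malware flipped so they can be verified after cleanup.

```python
"""Parser for the Malwarebytes' Anti-Malware 1.4x log format pasted in this thread.

Added example, not MBAM's own code. Helper names (parse_mbam_log, check_counts,
pending_reboot, policy_hijacks, detection_counts) are this example's own."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines from the log posted above, with the
# summary counts adjusted to match the lines kept.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/27/2009 11:13:18 AM
mbam-log-2009-08-27 (11-13-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 188855
Time elapsed: 1 hour(s), 11 minute(s), 13 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\winupdate.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# "Files Infected: 18" (summary block) or "Files Infected:" (detail block).
HEADING_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:(?: (\d+))?$")
# "<path> (<detection>) [-> Bad: (x) Good: (y)] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$")
NONE_MARKER = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return {'header': {...}, 'declared': {section: count}, 'sections': {section: [items]}}."""
    report = {"header": {}, "declared": {}, "sections": defaultdict(list)}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADING_RE.match(line)
        if m:
            if m.group(2) is not None:      # summary block: record the declared count
                report["declared"][m.group(1)] = int(m.group(2))
            else:                           # detail block: items follow
                current = m.group(1)
            continue
        if current is None:                 # still in the header block
            if line.startswith("Malwarebytes'"):
                report["header"]["product"] = line
            elif ": " in line:
                key, _, value = line.partition(": ")
                report["header"][key] = value
        elif line != NONE_MARKER:
            m = ITEM_RE.match(line)
            if m:
                report["sections"][current].append(m.groupdict())
    return report


def check_counts(report):
    """Sections whose summary count differs from the items listed: {section: (declared, listed)}.
    A mismatch usually means the log was truncated when pasted, which is why helpers ask for the complete log."""
    listed = {name: len(items) for name, items in report["sections"].items()}
    return {name: (n, listed.get(name, 0))
            for name, n in report["declared"].items() if n != listed.get(name, 0)}


def pending_reboot(report):
    """Paths MBAM could only schedule for deletion (in-use DLLs); the normal reboot finishes the job."""
    return sorted({it["path"] for items in report["sections"].values()
                   for it in items if it["action"].startswith("Delete on reboot")})


def policy_hijacks(report):
    """(value name, bad, good) for policy values the malware flipped, e.g. DisableTaskMgr=1."""
    return [(it["path"].rsplit("\\", 1)[-1], it["bad"], it["good"])
            for it in report["sections"].get("Registry Data Items", []) if it["bad"] is not None]


def detection_counts(report):
    """How many items each detection name accounts for, across all sections."""
    return Counter(it["detection"] for items in report["sections"].values() for it in items)


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("Incomplete sections:", check_counts(rep) or "none")
    print("Waiting on reboot:", pending_reboot(rep))
    print("Policy values flipped by malware:", policy_hijacks(rep))
    print("Detections:", detection_counts(rep).most_common())
```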

#5 coprimadonna

Posted 27 August 2009 - 12:48 PM

Oops...crash. I got so excited. :-(

#6 Computer Pro

Posted 29 August 2009 - 05:48 PM

Go ahead and select to restore the Active Desktop.

Then after that, update Malwarebytes by going to the "Update" Tab and then run a Quick Scan. Post the log back here. Then after that:


Please run ATF and SAS:
Credits to Boopme

Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#7 coprimadonna

Posted 10 September 2009 - 01:11 PM

FOLLOWING IS THE RECENT LOG FROM MALWAREBYTES, PER YOUR REQUEST:

Malwarebytes' Anti-Malware 1.40
Database version: 2773
Windows 5.1.2600 Service Pack 2

9/10/2009 12:05:40 PM
mbam-log-2009-09-10 (12-05-40).txt

Scan type: Quick Scan
Objects scanned: 122630
Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl147.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl149.tmp.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Local Settings\Temp\n.exn (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Local Settings\Temp\wqbwwbymbc.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\3B6OB0ZU\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\EKWD01QT\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\EKWD01QT\SetupAdvancedVirusRemover[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\N82KJ1VU\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\S5ZVV7WQ\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.

#8 coprimadonna

Posted 10 September 2009 - 01:35 PM

computer pro,
After downloading ATF Cleaner and then SUPERAntiSpyware, Free Home Edition, and completing all the tasks up to rebooting in safe mode, my computer will not boot up now. Not in any of the safe modes, nor normally. Thoughts? Help??

#9 boopme

Posted 10 September 2009 - 08:04 PM

Hello, sorry to see such difficulty. This may all be the result of the malware or the ComboFix run.

If you cannot boot up in normal or safe mode, then your options are limited. You may be able to use a Windows XP bootable Floppy Disk to boot from a diskette instead of your hard drive. If your hard drive's boot sector or Windows' basic boot files have been corrupted, this disk will circumvent the problem and boot you into Windows. If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP, but there's no guarantee that it will boot your machine.

"Resolving Boot Issues with a Boot Floppy Disk".
"How to obtain Windows XP Setup boot disks" and select the download that's appropriate for your Operating System. The Setup boot disks are available so that you can run the Setup program on computers that cannot use a bootable CD-ROM.

Another option is to create a Bootable CD: Bootable CD FAQs
How To Boot your Computer from a Bootable CD or DVD
How to Create a Bootable Windows XP Setup Disk on a Preinstalled/Preloaded Windows System
Creating A Windows XP Recovery Console CD Image

You can try doing a "Repair Install with Recovery Console". The Recovery Console is a Windows utility that provides a DOS-like command line from which you can run some repair programs. If you have a Microsoft Windows CD-ROM, you can get to the Recovery Console by booting from that CD and pressing any key when you are told to 'Press any key to boot from CD'. At the 'Welcome to Setup' screen, press r for Repair.

"Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option"
How to perform a Repair/Reinstall (with screenshots).
"How to install and use the Windows XP Recovery Console"

If you don't have your XP CD you can download an ISO of the Recovery Console files:
Recovery Console ISO file
NTFS4FreeDos ISO
XP Recovery Console zip file

Burn it as an image to a disk to get a bootable CD which will startup the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO.

Important Note: If this is a virus/Trojan related issue, you should know that some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide to follow this advice and reformat, these links include step-by-step instructions with screenshots:
"XP Clean Install Interactive Setup"
"How to reformat your computer in case of a severe malware infection"
"Reformat & Clean Install Windows XP"

Note: If you're using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore".

#10 coprimadonna

Posted 11 September 2009 - 04:29 PM

CP and boop,
After several tries in a row... I'm booted up. But in normal mode. Can I go ahead and run the ATF although it's in normal mode? I'm nervous in shutting down again, as I'm afraid the blue screen of death will rear its ugly head. Can't boot in safe mode... only normal.
Thoughts, please?

#11 Computer Pro

Posted 11 September 2009 - 06:22 PM

Go ahead and run both ATF and SAS in normal mode.

#12 coprimadonna

Posted 11 September 2009 - 08:10 PM

CP and Boop,
Thanks again SO much for your help. I ran both ATF and SAS in normal mode. Per your request, here is the most recent log from SAS:

(pending... sorry... ran a quick scan, not complete. Stand by!)

Edited by coprimadonna, 11 September 2009 - 08:14 PM.


#13 boopme

Posted 11 September 2009 - 09:08 PM

OK, you may as well rerun MBAM (MalwareBytes) like this; it's upgraded to version 1.41 from 1.40 now.

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick Scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#14 coprimadonna

Posted 11 September 2009 - 11:03 PM

Just ran MBAM. Here is the current log:

*******************************************************************

Malwarebytes' Anti-Malware 1.41
Database version: 2782
Windows 5.1.2600 Service Pack 2

9/11/2009 9:58:31 PM
mbam-log-2009-09-11 (21-58-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175744
Time elapsed: 59 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AD2ZWUNW\ftp[1].exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EUCCCP5W\exe[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

*******************************************************************
FYI:
The SAS log found ADWARE as its only result.

Any further suggestions would be greatly appreciated!!!
Thanks again for everything!
Juli

#15 Computer Pro

Posted 11 September 2009 - 11:16 PM

What symptoms are you experiencing now?