
I'm pretty sure I'm infected


35 replies to this topic

#1 thedemoninside

Posted 07 September 2009 - 06:47 PM

When I open Task Manager, I see wscsvc32.exe, sometimes Installer.exe and others I don't recognize. I tried running Avira but it didn't detect anything. I tried opening Malwarebytes but it never opened. I downloaded ComboFix but it doesn't open; it just runs in the background but I never see it. I keep getting popups relating to some fake antivirus program. I dunno what to do. Also, iexplorer.exe opens by itself and I hear audio.


#2 boopme (Global Moderator)

Posted 07 September 2009 - 07:01 PM

Hello, let's try again to get that MBAM log. Go here: L@@K.

Start at the section: Automated Removal Instructions for Windows Antivirus Pro using Malwarebytes' Anti-Malware.

After completing the scan post the log for review.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 thedemoninside (Topic Starter)

Posted 07 September 2009 - 07:19 PM

When I tried looking in Control Panel, my whole Explorer disappeared. I cannot see my taskbar or my desktop programs. I can open up Task Manager but I cannot open Explorer. I dunno what to do now. I cannot do anything.

#4 thedemoninside (Topic Starter)

Posted 07 September 2009 - 08:23 PM

I somehow ran ComboFix, but I couldn't create a restore point and I couldn't disable Avira. It seemed to have deleted the popups and the fake antivirus, but I still cannot see my taskbar or any desktop items. Also, I still cannot open Malwarebytes.

#5 thedemoninside (Topic Starter)

Posted 07 September 2009 - 11:34 PM

I successfully ran ComboFix this time and created the system restore point. Problem is that I cannot open up the log it created. I rebooted and still have no Explorer. I've gotten about no help from the countless sites I've visited and I'm starting to get worried.

#6 thedemoninside (Topic Starter)

Posted 08 September 2009 - 12:22 AM

I know this site does not recommend me running ComboFix by myself, but some other site said to and I did it. It helped me remove whatever kept popping up and helped me start Malwarebytes again. I am currently running a scan of my computer with MB and will hopefully post the log when it is done. Sorry for all these replies, but I've never had anything like this happen to my computer. I've had it up and running since 2003 with no problems.

#7 thedemoninside (Topic Starter)

Posted 08 September 2009 - 02:09 AM

Here is my MBAM log.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/8/2009 3:05:26 AM
mbam-log-2009-09-08 (03-05-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 261881
Time elapsed: 1 hour(s), 45 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 72

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10432814 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90442806 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\igfxtray.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\windows Police Pro.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hjgruifewlthca.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hjgruillvyqcxa.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\UACtubkgkuhyl.dll.vir (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\drivers\hjgruifoioujtu.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[10].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[3].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[4].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[5].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[6].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[7].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[8].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8702F640\GreenAV_Install[9].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\9DUWCZ3E\GreenAV_Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\9DUWCZ3E\GreenAV_Install[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HKGC4FLR\GreenAV_Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HKGC4FLR\GreenAV_Install[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HKGC4FLR\GreenAV_Install[3].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRY33XMW\GreenAV_Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRY33XMW\GreenAV_Install[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRY33XMW\GreenAV_Install[3].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRY33XMW\GreenAV_Install[4].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ppc.exe (Trojan.Agent.V) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacb102.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.

#8 boopme (Global Moderator)

Posted 08 September 2009 - 08:50 AM

OK!! That was a real break. Let's see if we can get what's left.
Next, run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account, download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER.
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#9 thedemoninside (Topic Starter)

Posted 08 September 2009 - 11:12 AM

I'm sorry but I won't be able to do this for a few hours as I'm at work. Luckily, I downloaded SAS last night but did not run it. As soon as I get home I will be doing exactly as you instructed.

#10 thedemoninside (Topic Starter)

Posted 09 September 2009 - 09:08 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/09/2009 at 03:35 AM

Application Version : 4.28.1010

Core Rules Database Version : 4085
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 10:17:04

Memory items scanned : 200
Memory threats detected : 0
Registry items scanned : 7400
Registry threats detected : 43
File items scanned : 167095
File threats detected : 130

Trojan.Agent/Gen-Ertfor
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}

Trojan.Agent/Gen-ClickSpy
HKU\S-1-5-21-3238977419-1099186054-1588254653-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9915F504-5FCC-402E-B360-1FA364EFC4DE}
HKCR\CLSID\{9915F504-5FCC-402E-B360-1FA364EFC4DE}
HKCR\CLSID\{9915F504-5FCC-402E-B360-1FA364EFC4DE}
HKCR\CLSID\{9915F504-5FCC-402E-B360-1FA364EFC4DE}\InProcServer32
HKCR\CLSID\{9915F504-5FCC-402E-B360-1FA364EFC4DE}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\KLYPNZJNEDD.DLL

Rootkit.Agent/Gen-NetCard
HKLM\System\ControlSet001\Services\netskt
C:\WINDOWS\SYSTEM32\NETSKT.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_netskt
HKLM\System\ControlSet002\Services\netskt
HKLM\System\ControlSet002\Enum\Root\LEGACY_netskt
HKLM\System\CurrentControlSet\Services\netskt
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_netskt

Adware.Avenue Media/Internet Optimizer
HKU\S-1-5-21-3238977419-1099186054-1588254653-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

Trojan.DollarRevenue
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat

Rogue.AdvancedVirusRemover
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#Advanced Virus Remover [ C:\Program Files\AdvancedVirusRemover\PAVRM.exe ]
HKU\S-1-5-21-3238977419-1099186054-1588254653-1006\Software\Microsoft\Windows\CurrentVersion\Run#Advanced Virus Remover [ C:\Program Files\AdvancedVirusRemover\PAVRM.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#Advanced Virus Remover [ C:\Program Files\AdvancedVirusRemover\PAVRM.exe ]
HKU\.DEFAULT\Software\AVR
HKU\.DEFAULT\Software\AVR#LastVFC
HKU\.DEFAULT\Software\AVR#VirList
HKU\.DEFAULT\Software\AVR#LastD
HKU\.DEFAULT\Software\AVR#LastScan
HKU\S-1-5-18\Software\AVR
HKU\S-1-5-18\Software\AVR#LastVFC
HKU\S-1-5-18\Software\AVR#VirList
HKU\S-1-5-18\Software\AVR#LastD
HKU\S-1-5-18\Software\AVR#LastScan

Rootkit.Agent/Gen
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE#start
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE#type
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE#group
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE#imagepath
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\main
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\main\injector
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\modules
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\modules#SKYNETrk.sys
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\modules#SKYNETcmd.dll
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\Enum
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\Enum#0
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\Enum#Count
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\Enum#NextInstance
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\Enum#1
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETUFNNTSIE\Enum#INITSTARTFAILED

Trojan.Dropper/Gen
C:\DOCUMENTS AND SETTINGS\DIEN\LOCAL SETTINGS\APPLICATION DATA\YAHOO\WIDGET ENGINE\UNZIPPED\INFORMER.WIDGET\INFORMER.WIDGET\CONTENTS\APPLICATIONS\MAILCOMMANDER.EXE

Adware.Tracking Cookie
.2o7.net [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\tgay3oz0.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\tgay3oz0.default\cookies.txt ]
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@247realmedia[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@2o7[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@a.websponsors[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ad.zanox[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ad1.clickhype[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@adbrite[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@adecn[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.addynamix[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.bootcampmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.doubleagent[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.gamersmedia[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.imarketservices[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.mediamayhemcorp[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.pointroll[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.vidsense[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.widgetbucks[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.xapads[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@adserver.adtechus[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@adtech[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@adultfriendfinder[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@advanced-virusremover2009[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@advertising[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@adxpose[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@affiliates.commissionaccount[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@apmebf[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@azjmp[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@bannerfountain[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@bardondirect.directtrack[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@bluestreak[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@bs.serving-sys[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@burstbeacon[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@burstnet[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@cache.trafficmp[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@casalemedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@cdn4.specificclick[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@chitika[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@clicksor[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@collective-media[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@content.yieldmanager[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@content.yieldmanager[3].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@cp.findsumpin[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@crackle[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@da-tracking[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@date.ventivmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@directtrack[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@eas.apm.emediate[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@enhance[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@extrabanner[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@fastclick[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@foundbanner[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@havamedia[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@homestore.122.2o7[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@icebanner[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@imrworldwide[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@insightexpressai[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@interclick[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@invitemedia[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@kontera[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@kronos.bravenet[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@libertymutual.112.2o7[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@linotraffic[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@media.mtvnservices[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@media2.gamook[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@media6degrees[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@mediaplex[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@mediatraffic[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@myroitracking[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@nextag[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@oasn04.247realmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@overture[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@piousbanner524[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@poweredbanner[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@pro-market[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@questionmarket[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@realmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@rotator.adjuggler[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@server.cpmstar[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@server.iad.liveperson[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@server.iad.liveperson[3].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@serving-sys[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@socialmedia[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@specificclick[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@specificmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@statcounter[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@statse.webtrendslive[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@termbanner199[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@trackalyzer[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tracking.realtor[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@trafficmp[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@trendbanner[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tribalfusion[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@us.starmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@webads.hookedmediagroup[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@wiperbanner453[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.burstbeacon[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.burstnet[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.findstuff[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.googleadservices[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.icityfind[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.socialtrack[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@yieldmanager[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@zedo[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@zoobanner[2].txt

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE

Adware.Accoona
C:\PROGRAM FILES\THEMEXP\THEMEXP.ORG FILE\ATOOLBAR400011.EXE

n-CASE (SongSpy)
C:\WINDOWS\BUNDLES\MSBB.EXE

WebRebates Silent Installer
C:\WINDOWS\BUNDLES\WEBREBATES_AUTO_INSTALLSILENT.EXE

Trojan.SmartLoad
C:\WINDOWS\DRSMARTLOAD2.DAT

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WNSAPIIT.EXE

Trojan.Agent/Gen-Tmp[Corona]
C:\WINDOWS\TEMP\CPV.EXE

Rogue.Agent/Gen-ProtectionSystem[Core]
C:\WINDOWS\TEMP\UACB298.TMP

Rogue.Agent/Gen-ProtectionSystem[Uninstall]
C:\WINDOWS\TEMP\UACB400.TMP

Trojan.Agent/Gen-Loader
C:\WINDOWS\TEMP\YNCFOBYNIM.EXE

Trace.Known Threat Sources
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VX2USJV0\footer_dots[1].gif
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VX2USJV0\sp[1].gif
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0JHEJ3SM\shopica_logo_bott[1].gif
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OW545IJG\shopica_logo_top[1].gif
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VX2USJV0\style[1].css
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VX2USJV0\js[1].js
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OW545IJG\excalm[1].gif
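
One way to triage a detection log like the one above by where each flagged file lives, as an added example that is not code from this thread or from any scanner vendor. The log format is assumed from the posted log (a detection name on its own line, then one or more full paths, blank line between detections); the sample input is a handful of lines excerpted from the log above plus one constructed cookie entry under an ordinary user profile, and the priority tiers and reasons are this example's own heuristics. The point it makes is that the paths carry more signal than the detection names: executables in the Windows temp directory and cookies under the LocalSystem profile (something drove Internet Explorer as SYSTEM) deserve attention before tracking cookies in a user profile.

```python
"""Triage a detection log by where each flagged file lives.

Added example for this thread; not code from the thread or from any scanner
vendor. The log format is assumed from the posted log: a detection name on
its own line followed by one or more full paths, with a blank line between
detections. Priority tiers and reasons are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: lines excerpted from the log above plus one constructed cookie
# entry under a normal user profile for contrast. The "Tracking Cookie" header
# is assumed; the excerpt above starts after its header line.
SAMPLE_LOG = r"""
Rogue.Agent/Gen-ProtectionSystem[Core]
C:\WINDOWS\TEMP\UACB298.TMP

Trojan.Agent/Gen-Loader
C:\WINDOWS\TEMP\YNCFOBYNIM.EXE

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WNSAPIIT.EXE

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE

Tracking Cookie
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@zedo[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@zedo[1].txt
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a line that is a full Windows path
SYSTEM_PROFILE = "\\system32\\config\\systemprofile\\"
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Finding:
    name: str
    path: str
    priority: str
    reason: str


def classify(path: str) -> Tuple[str, str]:
    """Return (priority, reason) for a flagged path, judged by its location."""
    p = path.lower()
    is_cookie = "\\cookies\\" in p and p.endswith(".txt")
    if SYSTEM_PROFILE in p:
        # Cookies or cached pages under the LocalSystem profile mean a browser
        # was driven by a process running as SYSTEM, typically a rogue service.
        what = "cookie" if is_cookie else "cached web content"
        return "MEDIUM", f"{what} in the LocalSystem profile: something ran IE as SYSTEM; check services"
    if is_cookie:
        return "LOW", "tracking cookie in a user profile"
    if "\\temporary internet files\\" in p:
        return "LOW", "browser cache entry: evidence of a visit, not code that ran"
    if any(d in p for d in TEMP_DIRS):
        return "HIGH", "file dropped in a temp directory, a common staging spot for loaders and rogue AV cores"
    if "\\program files\\" in p:
        return "MEDIUM", "installed application flagged as bundleware or a P2P client; remove via its uninstaller"
    if "\\windows\\" in p:
        return "HIGH", "non-OS file inside the Windows directory"
    return "MEDIUM", "flagged file outside the usual system locations"


def parse_log(text: str) -> List[Finding]:
    """Parse 'name, then paths' blocks separated by blank lines into findings."""
    findings: List[Finding] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name = None
        for line in (raw.strip() for raw in block.splitlines()):
            if not line:
                continue
            if PATH_RE.match(line):
                prio, why = classify(line)
                findings.append(Finding(name or "(unnamed detection)", line, prio, why))
            else:
                name = line  # a non-path line starts a new detection
    return findings


def prioritized(findings: List[Finding]) -> List[Finding]:
    """Order findings HIGH first, then by path, so the worst items lead the report."""
    return sorted(findings, key=lambda f: (RANK[f.priority], f.path.lower()))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per priority tier."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.priority] += 1
    return counts


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in prioritized(found):
        print(f"{f.priority:<6} {f.path}\n       {f.name}: {f.reason}")
    print(summarize(found))
```

Run it on a full log by replacing SAMPLE_LOG with the file contents; the HIGH tier is what to hunt for in the process list and service entries first, and the LocalSystem-profile cookies are the clue that the rogue ran as a service rather than as the logged-in user.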

#11 boopme

Posted 09 September 2009 - 09:41 AM

Good,
Rerun MBAM (Malwarebytes) like this and tell me how it is running after that.

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#12 thedemoninside

Posted 09 September 2009 - 12:40 PM

When I tried to update MBAM it gave an error code, and then when I tried to update SAS, it said my firewall is blocking it. The problem is, I can't access my Control Panel because I have no Explorer. Anyway, my MBAM database is from 8/3/2009; I'm doing a quick scan right now anyway.

Also, I'm wondering what do I do with all the quarantined items MBAM and SAS found?

#13 boopme

Posted 09 September 2009 - 12:58 PM

Items in Quarantine can no longer harm your PC. They are put there first in the event they are critical to the PC's smooth operation. If after a few days the PC is running fine, you can delete them. Leaving them there forever is no problem either.

#14 thedemoninside

Posted 09 September 2009 - 01:07 PM

Ok thanks for the replies, this is the new MBAM scan log.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/9/2009 2:04:06 PM
mbam-log-2009-09-09 (14-04-06).txt

Scan type: Quick Scan
Objects scanned: 98005
Time elapsed: 18 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 boopme

Posted 09 September 2009 - 01:10 PM

Looks clear. Any more issues on here?
