
Rogue.AntiVirusPro and others


  • This topic is locked
11 replies to this topic

#1 Jestrix


Posted 11 December 2009 - 07:12 PM

Hi -
I need some assistance with trying to rid myself of a few things. I am running win xp sp3.
I have Malwarebytes Antimalware installed and I scan regularly.

I scan regularly and recently it scanned and found some infected files while doing its heuristic and other scan at the end of its scan. This is my work machine and I really do not want to send it off and lose valuable time.

I have tried to let MBAM handle the cleaning. It then asks to reboot and I let it. I rescan and they are all still there.

I have downloaded Spybot Search & Destroy. It did not find anything.
I used the AV software on the machine....Symantec Endpoint...scanned normal and in safe mode and it did not find anything.
A friend suggested AVG Free. I downloaded this and ran it in normal and safe modes and it did not find anything. I have uninstalled this since I already have Endpoint running.

Could these alerts be false since nothing else is found?

My computer runs normal so far. No pop-ups or redirects. Everything is running fine. I would not know I had a problem until MBAM reported it. At least so far.

Please help and let me know if this is real or MBAM is acting wonky.

Thanks a bunch for the assistance!

Log is posted below:

Malwarebytes' Anti-Malware 1.41
Database version: 3288
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 141973
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\scott\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\socadmin\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\socadmin\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\scott\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\socadmin\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.


#2 boopme


Posted 11 December 2009 - 09:18 PM

Hello. First, have you rebooted after that scan, as it is needed?

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


Now Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please ask any needed questions, post the 2 logs and let us know how the PC is running now.

#3 Jestrix


Posted 14 December 2009 - 08:00 PM

Hi and thank you for your instructions. I always reboot when asked to by MBAM but it does not seem to work.

I have followed your directions and ran all programs.

The first log is the MBAM log with the so-called infections.

I then ran TFC and it cleaned out all the temp files.

I then ran SUPERAntiSpyware. That will be the next log and it did not find anything.

For fun I reran MBAM just to see and it still found those same objects. That is the third log.

Please review and advise on next steps you think I should take.


Thank you for all your help!




Malwarebytes' Anti-Malware 1.42
Database version: 3361
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/14/2009 9:33:24 AM
mbam-log-2009-12-14 (18-58-24).txt

Scan type: Quick Scan
Objects scanned: 142864
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\scott\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\socadmin\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\socadmin\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\scott\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\socadmin\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.


****************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/14/2009 at 02:05 PM

Application Version : 4.31.1000

Core Rules Database Version : 4304
Trace Rules Database Version: 0

Scan type : Complete Scan
Total Scan Time : 02:31:00

Memory items scanned : 278
Memory threats detected : 0
Registry items scanned : 6469
Registry threats detected : 0
File items scanned : 70956
File threats detected : 0




************************************************



Malwarebytes' Anti-Malware 1.42
Database version: 3361
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/14/2009 6:58:24 PM
mbam-log-2009-12-14 (18-58-24).txt

Scan type: Quick Scan
Objects scanned: 142864
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\scott\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\socadmin\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\socadmin\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\scott\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\socadmin\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
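The scan lists above are the only real evidence in this thread, so here is an added example of reading them programmatically. This is my own Python, not code from the thread, from Malwarebytes or from any tool boopme names. It parses the "Files Infected" section of an MBAM 1.4x log (the line layout `<path> (<detection>) -> <action>.` is taken from the posted logs; the regex and the Windows XP profile layout under `C:\Documents and Settings` are my assumptions) and pulls out three things a responder reads from such a log: counts per detection name, entries sitting in a Startup folder (run at every logon), and files replicated into profiles no one logs into (All Users, Default User, LocalService, NetworkService), which means whatever dropped them ran with rights over every profile rather than as one user. It also intersects two logs; for the first and third logs posted above that intersection is all 66 paths. The eight embedded sample lines are copied from the log above, not the full 66.

```python
"""Added example: parse the "Files Infected" section of a Malwarebytes'
Anti-Malware 1.4x log and summarise what the detections say."""
import re
from collections import Counter, defaultdict

# One entry in the "Files Infected" list: <path> (<detection>) -> <action>.
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Split a per-profile path (XP layout, assumed) into profile name and the rest.
PROFILE_ROOT = re.compile(
    r"^C:\\Documents and Settings\\(?P<profile>[^\\]+)\\(?P<tail>.+)$", re.I)
# Per-user Startup folder: anything here runs at logon.
AUTOSTART = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Profiles no interactive user logs into. A file dropped here was written by
# something running with machine-wide rights, not by one user's browsing.
SERVICE_PROFILES = {"all users", "default user", "localservice", "networkservice"}

# Eight lines copied from the log posted above (the full log has 66).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3361

Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\scott\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
"""


def parse_files_infected(log_text):
    """Return the "Files Infected" entries as dicts with path/detection/action."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":   # list header; "Files Infected: 8" is the count line
            in_section = True
            continue
        if not in_section:
            continue
        if not line:                    # a blank line closes the section
            in_section = False
            continue
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Counts per detection name, autostart entries, and files replicated into
    profiles that no user logs into."""
    by_detection = Counter(e["detection"] for e in entries)
    autostart = [e["path"] for e in entries if AUTOSTART.search(e["path"])]
    spread = defaultdict(set)   # path under the profile -> profiles it appears in
    for e in entries:
        m = PROFILE_ROOT.match(e["path"])
        if m:
            spread[m["tail"].lower()].add(m["profile"].lower())
    machine_wide = {tail: sorted(profiles) for tail, profiles in spread.items()
                    if profiles & SERVICE_PROFILES}
    return {"total": len(entries), "by_detection": by_detection,
            "autostart": autostart, "machine_wide": machine_wide}


def still_present(before, after):
    """Paths listed both in a scan and in the rescan after reboot: for these the
    queued "Delete on reboot" did not take effect, or the file was recreated."""
    return sorted({e["path"] for e in before} & {e["path"] for e in after})


if __name__ == "__main__":
    found = parse_files_infected(SAMPLE_LOG)
    report = summarize(found)
    print(report["total"], "files;", dict(report["by_detection"]))
    for tail, profiles in report["machine_wide"].items():
        print("replicated into service profiles:", tail, profiles)
    print("runs at logon:", report["autostart"])
    print("survived reboot:", len(still_present(found, found)))
```

"Delete on reboot" means MBAM could not remove the file while Windows was running and queued it for removal at the next boot; on Windows that queue is typically the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. When the identical path list comes back after a restart, as it does between the first and third logs above, either that queue was never processed or something re-dropped the files, and the fact that the same names were written into LocalService, NetworkService and Default User is why the next step in the thread is a rootkit check rather than another on-demand scan.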

#4 boopme


Posted 14 December 2009 - 10:04 PM

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Jestrix

Jestrix
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:33 AM

Posted 15 December 2009 - 10:00 PM

Here are the results from the rootrepeal scan:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/15 21:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8889000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA746E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8ad2bdc0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8ad2ce28

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ad13e78

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8acfbf70

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8ac77be8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8acb4c38

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ac9abb0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8ad34c98

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8ad30d80

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8acfbe30

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8ad39de8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8ae89078

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8aff4288

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xba1fd6a0

#: 143 Function Name: NtQueryDefaultLocale
Status: Hooked by "C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys" at address 0xa8a718a0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8affa3c8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8adea090

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8ac71b40

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a418fc0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8ad3be50

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8adf8090

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8ae835f0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8adf4090

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8ae88670

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ad44b48

==EOF==
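As an added illustration from the editor (not part of the thread and not RootRepeal's own code), here is a small Python parser for the RootRepeal report format shown above. It splits the report into its sections, reads the driver image ranges from the Drivers section, and for each SSDT hook checks whether the hook address falls inside any listed driver image, which is the first thing a helper does when deciding whether the "<unknown>" entries need a closer look. Security suites routinely hook the SSDT on Windows XP, so a hook list by itself is not evidence of infection; the value of the check is in separating hooks that resolve to a known image from those that do not. The log excerpt is constructed from the posted report; the SysPlant.sys driver entry and its base address are invented for this example so that one hook resolves to an image (the posted log lists no such entry). The function names are this example's own.

```python
import re

# Constructed excerpt of the RootRepeal log posted above (Drivers and SSDT sections,
# abridged). The SysPlant.sys driver entry below is constructed for this example: the
# posted log does not list it, and its base address is chosen so that one hook address
# falls inside its image range.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8889000 Size: 98304 File Visible: No Signed: -
Status: -

Name: SysPlant.sys
Image Path: C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
Address: 0xA8A6E000 Size: 65536 File Visible: Yes Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8ad2bdc0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xba1fd6a0

#: 143 Function Name: NtQueryDefaultLocale
Status: Hooked by "C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys" at address 0xa8a718a0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ad44b48

==EOF==
"""

ADDR_RE = re.compile(r"^Address: (?P<base>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")
FN_RE = re.compile(r"^#: (?P<idx>\d+) Function Name: (?P<fn>\w+)$")
HOOK_RE = re.compile(r'^Status: Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)$')


def split_sections(text):
    """Map each section header (the line directly above a '----' rule) to its lines."""
    lines = [l.rstrip() for l in text.splitlines()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("----"):
            current = line.strip()
            sections[current] = []
        elif line.startswith("----") or current is None:
            continue
        else:
            sections[current].append(line)
    return sections


def parse_drivers(sections):
    """Return [(name, base, end)] image ranges from the Drivers section."""
    drivers, name = [], None
    for line in sections.get("Drivers", []):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        m = ADDR_RE.match(line)
        if m and name:
            base = int(m.group("base"), 16)
            drivers.append((name, base, base + int(m.group("size"))))
    return drivers


def parse_ssdt_hooks(sections):
    """Pair each '#: NNN Function Name:' line with the 'Status: Hooked by' line after it."""
    hooks, pending = [], None
    for line in sections.get("SSDT", []):
        m = FN_RE.match(line)
        if m:
            pending = (int(m.group("idx")), m.group("fn"))
            continue
        m = HOOK_RE.match(line)
        if m and pending:
            hooks.append({"index": pending[0], "function": pending[1],
                          "module": m.group("mod"), "address": int(m.group("addr"), 16)})
            pending = None
    return hooks


def locate_hooks(text):
    """Attach to every hook the name of the listed driver image containing its address (or None)."""
    sections = split_sections(text)
    drivers = parse_drivers(sections)
    located = []
    for h in parse_ssdt_hooks(sections):
        h = dict(h)
        h["image"] = next((n for n, lo, hi in drivers if lo <= h["address"] < hi), None)
        located.append(h)
    return located


def hooks_by_module(text):
    """Group hooked function names by the module RootRepeal attributed them to."""
    grouped = {}
    for h in parse_ssdt_hooks(split_sections(text)):
        grouped.setdefault(h["module"], []).append(h["function"])
    return grouped


def triage(text):
    """Hooks RootRepeal could not attribute AND whose address sits outside every listed image."""
    return [(h["function"], hex(h["address"])) for h in locate_hooks(text)
            if h["module"] == "<unknown>" and h["image"] is None]


if __name__ == "__main__":
    for module, fns in hooks_by_module(SAMPLE_LOG).items():
        print(f"{module}: {', '.join(fns)}")
    print("needs attribution:", triage(SAMPLE_LOG))
```

Running it on the excerpt prints the hooks grouped by attributed module and then the two entries that neither RootRepeal nor the image-range check could place; those are the ones worth naming when asking a helper to review the log.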

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:33 AM

Posted 16 December 2009 - 10:30 AM

Hello, this looks good. How is it running now?

#7 Jestrix

Jestrix
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:33 AM

Posted 16 December 2009 - 06:01 PM

It's running like it always has....fine....I am just wondering why MBAM still alerts to all that stuff?

I guess I need to completely uninstall it...find where it resides in the registry and such and clear it out and re-install MBAM. Any thoughts on this?

Thanks for all your time and effort in this! It is very much appreciated!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:33 AM

Posted 16 December 2009 - 08:34 PM

Hello, two things with MBAM.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.


1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.

#9 Jestrix

Jestrix
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:33 AM

Posted 25 December 2009 - 01:38 PM

Hi -

I have uninstalled it and run the cleaner. I reinstalled MBAM and reran it. It found the same infections and I proceeded with the clean and let it reboot the machine. I reran the quickscan and it did not find anything. This was on Monday. I reran it today after I booted up, I am on holiday :thumbsup:, and did a quickscan and it found all the same infections again. Any idea what's happening or why MBAM is the only one seeing these? Any ideas what to do next if anything? Logs are posted below and thanks for the help.

Merry Xmas!

Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/19/2009 2:23:56 PM
mbam-log-2009-12-19 (14-23-56).txt

Scan type: Quick Scan
Objects scanned: 143729
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\socadmin\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\socadmin\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\socadmin\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.


*************************

Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/19/2009 2:38:36 PM
mbam-log-2009-12-19 (14-38-36).txt

Scan type: Quick Scan
Objects scanned: 143598
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


***********************************

Malwarebytes' Anti-Malware 1.42
Database version: 3428
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/25/2009 1:29:08 PM
mbam-log-2009-12-25 (13-29-08).txt

Scan type: Quick Scan
Objects scanned: 144649
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\socadmin\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\socadmin\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\socadmin\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
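Added by the editor, not from the thread and not Malwarebytes' own code: a Python script that parses the MBAM log format posted above, groups the "Files Infected" entries by file name and detection family, records which user profiles each file was dropped into, and compares the three scans to list what was absent right after cleanup but present again on the next scan. A detection that comes back after a successful removal and reboot is the pattern of a persistence mechanism or a re-dropper that an on-demand file scan does not reach, which is why the thread escalates to HJT/DDS logs. The log text is an abridged, constructed excerpt of the posted logs (paths and family names copied from them, the "Files Infected" counts adjusted to the excerpt); the function names are this example's own.

```python
import re

# Constructed, abridged excerpts of the three Malwarebytes logs posted above. The paths and
# family names are copied from the posted logs; the "Files Infected" counts are adjusted to
# match the excerpt instead of the full 66-entry report.
SCAN_BEFORE = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 3

12/19/2009 2:23:56 PM
mbam-log-2009-12-19 (14-23-56).txt

Scan type: Quick Scan
Files Infected: 5

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
"""

SCAN_AFTER_CLEAN = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3393
mbam-log-2009-12-19 (14-38-36).txt

Scan type: Quick Scan
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

# Same five findings again six days later, with a newer database.
SCAN_LATER = SCAN_BEFORE.replace("Database version: 3393", "Database version: 3428") \
                        .replace("mbam-log-2009-12-19 (14-23-56).txt", "mbam-log-2009-12-25 (13-29-08).txt")

DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
PROFILE_RE = re.compile(r"^C:\\Documents and Settings\\(?P<profile>[^\\]+)\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (metadata dict, list of {path, family, action}) from one MBAM log."""
    meta, detections, in_files = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":          # section header (no count) starts the list
            in_files = True
            continue
        if not line:                           # blank line ends any section
            in_files = False
            continue
        if in_files:
            m = DETECTION_RE.match(line)       # "(No malicious items detected)" does not match
            if m:
                detections.append(m.groupdict())
            continue
        if line.startswith("Database version:"):
            meta["db_version"] = int(line.split(":", 1)[1])
        elif line.startswith("Scan type:"):
            meta["scan_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Files Infected:"):   # summary line carries the count
            meta["files_infected"] = int(line.split(":", 1)[1])
        elif line.startswith("mbam-log-"):
            meta["log_name"] = line
    return meta, detections


def group_detections(detections):
    """Collapse per-path findings into (basename, family) groups with the profiles they hit."""
    groups = {}
    for d in detections:
        key = (d["path"].rsplit("\\", 1)[-1].lower(), d["family"])
        g = groups.setdefault(key, {"count": 0, "profiles": set(), "system_paths": []})
        g["count"] += 1
        m = PROFILE_RE.match(d["path"])
        if m:
            g["profiles"].add(m.group("profile"))
        else:
            g["system_paths"].append(d["path"])
    return groups


def detected_paths(text):
    """Case-folded set of paths flagged in a log, for set comparisons between scans."""
    return {d["path"].lower() for d in parse_mbam_log(text)[1]}


def reappeared_after_clean(before, after_clean, later):
    """Paths flagged before cleanup, absent immediately after it, and flagged again later."""
    return sorted((detected_paths(before) & detected_paths(later)) - detected_paths(after_clean))


if __name__ == "__main__":
    _, dets = parse_mbam_log(SCAN_BEFORE)
    for (name, family), g in group_detections(dets).items():
        print(f"{name} [{family}]: {g['count']} copies, profiles={sorted(g['profiles'])}, "
              f"system={g['system_paths']}")
    print("reappeared:", reappeared_after_clean(SCAN_BEFORE, SCAN_AFTER_CLEAN, SCAN_LATER))
```

The grouping shows that a long list of findings can be a handful of distinct droppers replicated into every profile directory, and the three-way comparison isolates exactly the set that survived the reboot, which is the list a helper needs when looking for the loader behind it.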

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:33 AM

Posted 25 December 2009 - 10:24 PM

Hello, we will need to go deeper and get this out, but we will.

You will need to run HJT/DDS.
Please follow this guide and do steps 6 thru 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#11 Jestrix

Jestrix
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:33 AM

Posted 27 December 2009 - 12:08 PM

Thanks for all your assistance. I have started a new post with the information requested in your last post in the other forum.

#12 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,987 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:33 AM

Posted 27 December 2009 - 12:48 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/281885/rogueantiviruspro-and-a-few-others/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



