Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Wife's XP Laptop is infected


  • This topic is locked This topic is locked
15 replies to this topic

#1 fawnlebowitz

fawnlebowitz

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Virginia
  • Local time:08:58 PM

Posted 13 January 2010 - 06:08 PM

Greetings.

My wife's laptop is infected. I am getting the following warnings:

(1) Security Warning: Application cannot be executed. The file rundll43.exe is infected. Do you want to activate your antivirus software now? (sometimes this warning pops up warning that other files infected)

(2) Antivius software alert: Infiltration alert: Your computer is being attached by an interet Virus. It could be a password-stealing attach, a trojan-droppper or similar

(3) Windows Security alert: Application cannot be executed . The file wscntfy.exe is infected. Do you want to activate your antivirus software now?

(4) Spyware Alert! Your computer is infected by spyware - 34 serious threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computer and activate Realtime secure protection agains future intrusions. Then it offers buttons to ( a ) Activate your antivirus software and ( b ) Stay Unprotected

And I'm having the following issues:

(5) Windows Security Center pops up, but any IE links opens a browser to http://desktop-antivirus.net/purchase?r=57.15

(6) porno.com sites open up in IE

(7) IE browser is hijacked--can't get anywhere except to the desktop-antivirus site.

(8) Can't run any antivirus software that is on the machine

(9) Opera browser seems to be working, but downloading any antivirus software doesn't run (can download to desktop, but it doesn't run)

Help!

thanks!

Edited by fawnlebowitz, 13 January 2010 - 07:06 PM.


BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 13 January 2010 - 06:12 PM

Try running this scan from Safe Mode with Command Prompt:

http://live.sunbeltsoftware.com/
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 fawnlebowitz

fawnlebowitz
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Virginia
  • Local time:08:58 PM

Posted 14 January 2010 - 07:00 AM

Okay, I ran Vipre Rescue. in Safe Mode using the Command Prompt. I had to get it to the infected machine using USB.

It did not seem to help any. I am still getting popups and security warnings:

(1) "Antivirus Live" application Wants to performa a scan of my computer

(2) IE is directed to http://desktop-antivirus.microsoft.com/block.php?r=57.15

(3) Security Warning: Application cannot be executed. The file wuauclt.exe is infected. Do you want to activate your antivirus software

(4) Windows Seciruty Alert: Windows reports that computer is infected. Antivurs software helps to protect your computer against viruses and other security threats. Click here for the scan your computer.

(5) Can't run Malwarebytes Anti-Malware. Security Warning pops up and says the file mbam2.exe is infected. Do you want to activate your antivirus software now?

(6) Antivirus Software Alert: Infiltration alert: Your computer is being attached by an internet Virus. It could be a password-stealing attack, a trojan-dropper or similar.

(7) and now cant get past the http://desktop-antivirus.microsoft.com/block.php?r=57.15 page using Opera Browser

Here is the xml log from the Vipre Rescue run:

- <SBCSThreatEngineResults version="3.1.2837">
- <summary scanGUID="{86F6582A-1B68-425D-9B46-75F2D51C5B9A}" scanDescription="" threatDefinitionVersion="5616">
- <scannerResults>
<numThreats found="5" ignored="0" />
<numTracesScanned cookies="0" registry="32515" files="73721" folders="7402" processes="12" archives="0" procModule="423" procMemory="0" threads="0" sysModules="75" ssdt="284" ntdllExport="1316" ntosExport="1485" hookIAT="0" scanSysEnter="1" hookDevice="432" hookCodeSectionRing0="14" hookCodeSectionRing3="0" MBR="2" total="117682" />
<numTracesFound cookies="0" registry="47" files="6" folders="1" processes="0" archives="0" procModule="0" procMemory="0" threads="0" sysModules="0" ssdt="0" ntdllExport="0" ntosExport="0" hookIAT="0" scanSysEnter="0" hookDevice="0" hookCodeSectionRing0="0" hookCodeSectionRing3="0" MBR="0" total="54" />
<dateTimeStampUTC start="2010-01-14T01:18:50" end="2010-01-14T04:09:15" />
<errors />
</scannerResults>
- <cleanerResults>
<numThreats deleted="0" quarantined="5" ignored="0" reportonly="0" total="5" />
<dateTimeStampUTC start="2010-01-14T04:09:15" end="2010-01-14T04:10:15" />
<errors />
</cleanerResults>
</summary>
- <scannerOptions scanAllLocalDrives="true" excludeRemovableDrives="true" scanCookies="false" scanProcesses="true" scanProcessThread="true" scanRegistry="true" scanProcessesDeep="true" suspendActiveThreats="true" scanAllUsers="true" useFileNameAndCRC8="true" dontCalcCRC8="false" scanCommonTactics="true" scanArchives="false" scanKnownFileTypes="false" recursiveFileScan="true" findLowRiskThreats="true" keepScanRecord="true" maxCheckFileLen="6291456" minCheckFileLen="0" scanVipreSuspicious="false" scanDerivatives="true" scanRootkits="true" scanProcessMemory="true" scanSystemModule="true" ssdt="true" ntdllExport="true" ntosExport="true" hookIAT="true" scanSysEnter="true" scanDevice="true" scanCodeSectionRing0="true" scanCodeSectionRing3="true" scanMBR="true">
<userIncludedPaths />
<userExcludedPaths />
<ignoredThreats />
</scannerOptions>
<cleanerOptions />
- <threats>
- <threat id="4117" name="Cydoor" level="3" category="Adware (General)" type="Adware" quarantineId="{32B4E0C4-D9B8-4223-895D-1036839AB181}" adviseType="3" canQuarantine="true" author="Cydoor Technologies Ltd." optionalScan="0" actionRequested="-1" cleanerResult="3">
<authorURL>cydoor.com</authorURL>
<desc>Adware, also known as advertising software, displays third-party advertising on the computer. The ads can take several forms, including pop-ups, pop-unders, banners, or links embedded within web pages or parts of the Windows interface. Some adware advertising might consists of text ads shown within the application itself or within side bars, search bars, and search results. Adware is often contextually or behaviorally based and tracks browsing habits in order to display ads that are meant to be relevant to the user.</desc>
<threatAdviceDetails>This is an elevated risk and should be removed or quarantined as it may compromise your privacy and security, make unwanted changes to your computer's settings, and negatively impact your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Program Files\AOL Toolbar\toolbar.dll">
<attr n="path" v="C:\Program Files\AOL Toolbar\toolbar.dll" />
<attr n="fileSize" v="459968" />
<attr n="md5" v="20B6F48C045F091CB3C2BB2251F01A5F" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF} -1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF} 1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}" />
<attr n="valueType" v="1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid -1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid 1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid" />
<attr n="valueType" v="1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid32 -1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid32" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid32 1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid32" />
<attr n="valueType" v="1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib -1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib 1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib" />
<attr n="valueType" v="1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib\Version 1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib" />
<attr n="valueType" v="1" />
<attr n="valueName" v="Version" />
</trace>
</traces>
</threat>
- <threat id="43521" name="Trojan.FakeAlert" level="2" category="Trojan" type="Malware" quarantineId="{C426198F-58A1-4FD9-BE23-4F5C7C2A970E}" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="3">
<authorURL />
<desc>Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Documents and Settings\Annie Roesch\Desktop\rkill.exe">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Annie Roesch\Desktop\rkill.exe" />
<attr n="fileSize" v="263168" />
<attr n="crc8" v="AB0F937A19FC0000" />
<attr n="md5" v="BA0BFA88EEA070836BDE3AE479EAEF3C" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="4" dispValue="C:\Documents and Settings\Annie Roesch\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\rkill.exe">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Annie Roesch\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\rkill.exe" />
<attr n="fileSize" v="263168" />
<attr n="crc8" v="AB0F937A19FC0000" />
<attr n="md5" v="BA0BFA88EEA070836BDE3AE479EAEF3C" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="4" dispValue="C:\Documents and Settings\Annie Roesch\My Documents\rkill.com">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Annie Roesch\My Documents\rkill.com" />
<attr n="fileSize" v="263168" />
<attr n="crc8" v="AB0F937A19FC0000" />
<attr n="md5" v="BA0BFA88EEA070836BDE3AE479EAEF3C" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="4" dispValue="C:\Documents and Settings\Annie Roesch\My Documents\rkill.exe">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Annie Roesch\My Documents\rkill.exe" />
<attr n="fileSize" v="263168" />
<attr n="crc8" v="AB0F937A19FC0000" />
<attr n="md5" v="BA0BFA88EEA070836BDE3AE479EAEF3C" />
<attr n="detectionType" v="9" />
</trace>
</traces>
</threat>
- <threat id="243102" name="Antivirus 2008 (TORS1 BUISINESS LTD)" level="2" category="Rogue Security Program" type="Misc" quarantineId="{2AB4547C-E6F4-4D97-847A-59F04E7ECB86}" adviseType="3" canQuarantine="true" author="Innovagest2000" optionalScan="0" actionRequested="-1" cleanerResult="3">
<authorURL>antivirus-scanonline.com</authorURL>
<desc>A Rogue Security Program is software that purports to scan and detect malware or other problems on the computer, but which attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results. Rogue Security Programs typically use aggressive, deceptive advertising and may be installed without adequate notice and consent, often though exploits.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="5" dispValue="C:\PROGRAM FILES\ANTIVIRUS2008Y">
<attr n="path" v="C:\PROGRAM FILES\ANTIVIRUS2008Y" />
</trace>
</traces>
</threat>
- <threat id="4062385" name="Spyware Protect 2009" level="3" category="Rogue Security Program" type="Misc" quarantineId="{4E5EF110-5D6D-4B81-8817-981501EF974F}" adviseType="3" canQuarantine="true" author="Magic software Inc" optionalScan="0" actionRequested="-1" cleanerResult="3">
<authorURL>sp-protect2009.com</authorURL>
<desc>A Rogue Security Program is software that purports to scan and detect malware or other problems on the computer, but which attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results. Rogue Security Programs typically use aggressive, deceptive advertising and may be installed without adequate notice and consent, often though exploits.</desc>
<threatAdviceDetails>This is an elevated risk and should be removed or quarantined as it may compromise your privacy and security, make unwanted changes to your computer's settings, and negatively impact your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan -1">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\aazalirt 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="aazalirt" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\dkekkrkska 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="dkekkrkska" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\dkewiizkjdks 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="dkewiizkjdks" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\id 1">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="1" />
<attr n="valueName" v="id" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\iddqdops 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="iddqdops" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\ienotas 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="ienotas" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\iqmcnoeqz 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="iqmcnoeqz" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\irprokwks 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="irprokwks" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\jikglond 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="jikglond" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\jiklagka 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="jiklagka" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\jrjakdsd 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="jrjakdsd" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\jungertab 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="jungertab" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\kitiiwhaas 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="kitiiwhaas" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\kkwknrbsggeg 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="kkwknrbsggeg" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\klopnidret 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="klopnidret" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\knkd 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="knkd" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\krkdkdkee 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="krkdkdkee" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\krkmahejdk 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="krkmahejdk" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\krtawefg 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="krtawefg" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\krujmmwlrra 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="krujmmwlrra" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\ktknamwerr 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="ktknamwerr" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\kuruhccdsdd 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="kuruhccdsdd" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\ooorjaas 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="ooorjaas" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\oranerkka 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="oranerkka" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\oropbbsee 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="oropbbsee" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\otnnbektre 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="otnnbektre" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\otowjdseww 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="otowjdseww" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\otpeppggq 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="otpeppggq" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\ready 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="ready" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\rkaskssd 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="rkaskssd" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\ronitfst 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="ronitfst" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\salrtybek 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="salrtybek" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\seeukluba 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="seeukluba" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\skaaanret 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="skaaanret" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\tobmygers 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="tobmygers" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\tobykke 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="tobykke" />
</trace>
- <trace type="3" dispValue="HKEY_USERS\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan\zibaglertz 4">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-1115660624-3444473219-2309180909-1006\Software\AvScan" />
<attr n="valueType" v="4" />
<attr n="valueName" v="zibaglertz" />
</trace>
</traces>
</threat>
- <threat id="4117470" name="Exploit.PDF-JS.Gen (v)" level="2" category="Exploit" type="Malware" quarantineId="{5DA79CF7-94BB-486B-97B4-DB686DC8603E}" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="3">
<authorURL />
<desc>An Exploit is software or code that targets security vulnerabilities, usually in the operating system or browser, but may also target vulnerabilities in other programs. Exploits are typically used to install malicious software on the victim's computer without the victim's knowledge or consent. An Exploit may be used to install malware that gives the attacker complete access to and control of the affected computer from a remote location.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Documents and Settings\Annie Roesch\Local Settings\Temporary Internet Files\Content.IE5\J13C0CGR\pdffile[1].pdf">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Annie Roesch\Local Settings\Temporary Internet Files\Content.IE5\J13C0CGR\pdffile[1].pdf" />
<attr n="fileSize" v="8978" />
<attr n="md5" v="ACBE5E7FD72E0B6791F71B8CEACA2150" />
</trace>
</traces>
</threat>
</threats>
</SBCSThreatEngineResults>

#4 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:09:58 PM

Posted 14 January 2010 - 07:26 AM

fawnlebowitz


Heh heh heh....

Good luck w/the removal.

Edited by Union_Thug, 14 January 2010 - 07:39 AM.


#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 14 January 2010 - 04:18 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Copy it over to the problem computer on a CD or pen drive if you need to.

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes (see instructions below). Post the Malwarebytes log.

===============

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#6 fawnlebowitz

fawnlebowitz
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Virginia
  • Local time:08:58 PM

Posted 15 January 2010 - 06:29 AM

Dear Budapest, thank you, this is helping a lot!

While i was waiting for your most recent reply, I ran Super Anti Spyware. I have the included log below.

I was able to run rkill.scr.

I was able to run Malwarebytes ANti malware, but i couldn't get the most recent updates (at first). I ran a full scan without update, then was able to download updates and did a quick scan, then ran another full scan with updates. I ran the 2nd full scan overnight.

Sometime when full scan was running (or after?) i got a popup from Resident Shield Alert.

This morning i am able to open stuff in IE and Opera properly and i am not getting all the popups!

But i did get another popup from Resident Shield Alert

Please let me know the next step based on the logs below.

thank you!

Below are my logs:

Super Anti Spyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/14/2010 at 05:51 PM

Application Version : 4.33.1000

Core Rules Database Version : 4477
Trace Rules Database Version: 2295

Scan type : Complete Scan
Total Scan Time : 01:58:59

Memory items scanned : 527
Memory threats detected : 0
Registry items scanned : 5285
Registry threats detected : 19
File items scanned : 24744
File threats detected : 4

Rogue.Advanced AntiVirus 2008
HKU\S-1-5-21-1115660624-3444473219-2309180909-1006\Software\Antivirus2008y
HKLM\Software\Antivirus2008y
HKLM\Software\Antivirus2008y#VerStr
HKLM\Software\Antivirus2008y#VerInt
HKLM\Software\Antivirus2008y#Cnt
HKLM\Software\Antivirus2008y#Lng
HKLM\Software\Antivirus2008y#UnInsAct
HKLM\Software\Antivirus2008y#MAbbr
HKLM\Software\Antivirus2008y#Type
HKLM\Software\Antivirus2008y#FoundInfo
HKLM\Software\Antivirus2008y#FoundCount
HKLM\Software\Antivirus2008y#PID
HKLM\Software\Antivirus2008y#FirstRun
HKLM\Software\Antivirus2008y#Root
HKLM\Software\Antivirus2008y#ExeFileName
HKLM\Software\Antivirus2008y#TIns
HKLM\Software\Antivirus2008y#aid
HKLM\Software\Antivirus2008y#lid
HKLM\Software\Antivirus2008y#affid

Rogue.AntiVirus XP 2008
C:\Documents and Settings\Annie Roesch\Application Data\Antivirus2008y
C:\Documents and Settings\Annie Roesch\Start Menu\Antivirus2008y\Antivirus 2008.lnk
C:\Documents and Settings\Annie Roesch\Start Menu\Antivirus2008y\Uninstall Antivirus 2008.lnk
C:\Documents and Settings\Annie Roesch\Start Menu\Antivirus2008y


Malwarebytes full Scan log, without updates

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/14/2010 10:27:10 PM
mbam-log-2010-01-14 (22-27-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221341
Time elapsed: 1 hour(s), 38 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\setup.player (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\setup.player.2k2 (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes Anti-malware log; with updates; Quick Scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3566
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/14/2010 10:59:15 PM
mbam-log-2010-01-14 (22-59-15).txt

Scan type: Quick Scan
Objects scanned: 146972
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(malicious items detected)No



MalwareBytes Anti-malware Full Scan with Update Definitions:


Malwarebytes' Anti-Malware 1.44
Database version: 3566
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/15/2010 5:42:48 AM
mbam-log-2010-01-15 (05-42-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 222307
Time elapsed: 1 hour(s), 43 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Resident Shield Popup:

I can't figure out how to load an image, but

It is a Resident Shield Alert

It says Multiple Threat Detection

and provides four files that are supposedly infected

ANd gives the following choices:
Remove Selected Infections OR Remove all unhealed Infections OR Close

I just closed it.

What is next?

thanks!

Edited by fawnlebowitz, 15 January 2010 - 07:01 AM.


#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 15 January 2010 - 03:33 PM

Please run another SUPERAntiSpyware scan in Safe Mode.

Then boot back into normal mode and run another Malwarebytes scan.

How to start Windows in Safe Mode
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 fawnlebowitz

fawnlebowitz
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Virginia
  • Local time:08:58 PM

Posted 16 January 2010 - 08:01 AM

Okay, I ran SuperAntiSpyware in Safe Mode, not infections found

I ran MalwareBytes AntiSpyware in regular mode and no infections found.

I have no popups; IE seems to be working okay

Below are the logs

Let me know my next step..

Log from SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/15/2010 at 07:33 PM

Application Version : 4.33.1000

Core Rules Database Version : 4482
Trace Rules Database Version: 2295

Scan type : Complete Scan
Total Scan Time : 02:29:07

Memory items scanned : 227
Memory threats detected : 0
Registry items scanned : 5481
Registry threats detected : 0
File items scanned : 28248
File threats detected : 0


Log from MalwareBytes:


Malwarebytes' Anti-Malware 1.44
Database version: 3573
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/16/2010 7:06:39 AM
mbam-log-2010-01-16 (07-06-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220672
Time elapsed: 1 hour(s), 48 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#9 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 16 January 2010 - 04:18 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Also, let me know how your computer is running.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#10 fawnlebowitz

fawnlebowitz
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Virginia
  • Local time:08:58 PM

Posted 17 January 2010 - 08:21 AM

Dear Budapest:

I was able to download Dr. Web Curit directly to this computer from internet, i did not need to use a usb-stick to transfer from another computer.

Just some feedback: the CNET site had a 175-day old version of CureIt so i had to update it. also, the Dr. Web site is in Russian, so it took me a while to figure out how to download from that site.

I followed your directions except i did not see your guidance to un-check heuristics. So I ran it with Heuristics checked. Let me know if I should run again.

Also, when scan finished, it did not give me the option for CURE ==> Move Incurable. I could have deleted the files, but i did not do that either; i just rebooted to normal mode.

as you see in the log below, it found ComboFix. I have not run combofix based on other recommendations on this site.

Dr. Web Cureit Log:



ComboFix.exe\32788R22FWJFW\List-C.bat;C:\Documents and Settings\Annie Roesch\Desktop\Antivirus Stuff\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;C:\Documents and Settings\Annie Roesch\Desktop\Antivirus Stuff;Archive contains infected objects;Moved.;
EarthLink Setup.msi/stream001\uninstll.exe;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access\EarthLink Setup.msi/stream001;Probably STPAGE.Trojan;;
stream001;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;
EarthLink Setup.exe;C:\Program Files\Online Services\EarthLink;Archive contains infected objects;Moved.;
A0157469.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP481;Probably DLOADER.Trojan;;
A0163096.exe\32788R22FWJFW\List-C.bat;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488\A0163096.exe;Probably BATCH.Virus;;
A0163096.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488;Archive contains infected objects;Moved.;
EarthLink Setup.msi/stream001\uninstll.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488\A0163097.exe/Windows\access\EarthLink Setup.m;Probably STPAGE.Trojan;;
stream001;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488\A0163097.exe/Windows\access;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488\A0163097.exe/Windows\access;Archive contains infected objects;;
A0163097.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488;Archive contains infected objects;Moved.;



The computer is running much better than it was a few days ago:No Popups
Can open sites in IE correctly
Can open sites in Opera Browser correctly
Can download files from internet
Browser isn't hijacked
Can open task manager
Can open Windows-Explorer correctly using windows-E key
Please let me know if i should run CUREIT again with Heuristics checked-off

also let me know what next steps should be to ensure this doesn't happen again.

Finally, yesterday (or the day before), we must have cleaned something up because Windows started automatically updated to Windows XP SP3 from SP2. I let it complete that upgrade to SP3.

thank you!!

Edited by fawnlebowitz, 17 January 2010 - 08:31 AM.


#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 17 January 2010 - 04:26 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or JS2E entries that you have.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#12 fawnlebowitz

fawnlebowitz
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Virginia
  • Local time:08:58 PM

Posted 17 January 2010 - 06:45 PM

Okay, I did a new System Restore Point and used Cleanmgr to clean out the old ones

Also for Java, i only have :

J2SE Runtime Environment 5.0

What is next?

thanks!

#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 17 January 2010 - 07:14 PM

That Java entry is out of date. You should remove it and then get the latest from here:

http://java.com/en/download/index.jsp
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#14 fawnlebowitz

fawnlebowitz
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Virginia
  • Local time:08:58 PM

Posted 18 January 2010 - 07:42 AM

BudaPest:

I now have Java™ 6 Update 17 loaded onto my machine.

What is the next step?

thanks!

#15 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 18 January 2010 - 04:20 PM

You're good to go. Here's some reading material:

http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users