
Security Alert Virus has hijacked my daughter's laptop



#1 jgasco68


Posted 07 February 2010 - 09:19 AM

My daughter received an alert of malicious software on her computer, along with a license expiration notice on her protection.. and then instead of coming and getting me, she started clicking away.
It is a Dell laptop, running Windows XP *not sure what service pack*.. and now I am afraid her Operating System is a lost cause. I was able to get to microsoft.com and download the malicious software removal tool, but when I tried to run it on her computer, it would not open. I downloaded the same software removal tool on my computer, put it on a USB key, and tried to run it that way, with no luck either. I shut down the computer, and tried to restart in SAFE mode, and I lost everything except the desktop background, and an official looking pop up window which says.. "Control Center .. Best PC Health Components." It lists several option ICONS on the window.. Security Items.. removal antiviruses.. web firewalls.. data encryption.. etc. Along with "Problems were detected" and a bar to "FIX PROBLEMS".. which takes you to a license renewal window. There is NO Windows tool bar.. no start button.. no desktop icons anymore. I cannot access ANYTHING on her computer at all. If you try to close the window.. it states "operation not allowed" I am afraid it is beyond help. Does anyone have any advice?


EDIT: Topic moved to the Am I Infected forum ~ Elise

Edited by elise025, 07 February 2010 - 10:01 AM.




#2 Arctic


Posted 07 February 2010 - 10:55 AM

Forewarning, I'm not a usual technician on this forum. Just trying to lend a hand.
Mods: same as usual, if you want this help gone, I will take it down.

Your infection sounds quite bad.

I would start with trying to boot to safe mode (tapping F8 during boot) and choosing safe mode with networking.

At that time, installing Malwarebytes anti malware, updating and performing a full scan.

Removing all entries found and trying to restart.

Please reply with the results.
I can only help.. If I know what the problem is.

we never have time to do things right, but we always have time to do them again

LAWL

#3 jgasco68 (Topic Starter)

Posted 07 February 2010 - 11:47 AM

I was able to get it to start up in safe mode.. logged on as administrator and was able to get Malwarebytes installed. It ran the quick scan.. found 168 infections.. and I clicked on remove. It could not remove some of them, and said that they were scheduled to be removed on reboot of system. I restarted the system normally, and had the same problem as stated above so I shut down again, and tried to go back into safe mode. THIS TIME.. the same screen as listed above appeared in safe mode as well.. and I was not able to get back to Malwarebytes or any other files.. even in safe mode. I was able to get logs of what was in the system and where.. but I don't know if that will do me any good or not. I am at my wits end with this thing.

#4 Arctic


Posted 07 February 2010 - 11:53 AM

Try this while in safe mode.

If you have a secondary computer to download programs through put them on a flash drive and transfer them

else you should be able to just download the following files with another name

First you should download rkill from a known good source.
While downloading, just to be safe, you may want to rename the files to something other than rkill.

http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.pif
http://download.bleepingcomputer.com/grinler/rkill.scr

When running rkill on Windows 7 or Vista you will need to right-click and use the "run as administrator" option.


Try running rkill a few times; the DOS box should pop up saying it is terminating known malware processes.
If the .exe does not work, try the .com version.

Once rkill successfully runs, a notepad file should open up with what it stopped.


Now, don't restart the computer.

Remove Malwarebytes if it's installed, and reinstall it.
Update to the latest definitions.
To be on the safe side I would suggest running a full system scan.
Any entries it finds, try to remove them.

If your internet is not working, navigate to Internet Explorer -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server".

#5 jgasco68 (Topic Starter)

Posted 07 February 2010 - 12:03 PM

I cannot get anything to open up even in safe mode anymore, neither on her account nor as admin. It goes to that screen and has removed all use of any of the Windows functions. No icons, task bar or start menu.

#6 Arctic


Posted 07 February 2010 - 12:09 PM

Have you attempted using Control + Alt + Delete, choosing New Task, and then typing explorer?

Edited by Arctic, 07 February 2010 - 12:09 PM.


#7 jgasco68 (Topic Starter)

Posted 07 February 2010 - 12:22 PM

No, I had not tried that ... and thank you. That worked. I ran rkill on it.. and the log didn't show that it had stopped any processes but seemed to be done awful fast. I am going to try to run Malwarebytes again, this time doing a full scan, and see if it makes a difference.

#8 Elise (Malware Study Hall Admin)

Posted 07 February 2010 - 12:26 PM

Please post the MBAM log here (no need to re-run it). You will find the log in MBAM on the Logs tab.

That way I can see what was removed and what might cause this problem.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 jgasco68 (Topic Starter)

Posted 07 February 2010 - 12:34 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3701
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

2/7/2010 11:34:25 AM
mbam-log-2010-02-07 (11-34-25).txt

Scan type: Quick Scan
Objects scanned: 129131
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 6
Registry Keys Infected: 25
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 11
Files Infected: 116

Memory Processes Infected:
C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe (Trojan.Tracur) -> Unloaded process successfully.
C:\Documents and Settings\Administrator\Application Data\Control-Center\ccagent.exe (Rogue.PClean) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\aqiboqutunag.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\dskquoui32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\rpsadx.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\39.tmp (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\__c0032691.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00ED0B4.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00bde2bd-9bc5-4053-b8ed-5fb4bc6c2f7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00bde2bd-9bc5-4053-b8ed-5fb4bc6c2f7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014ddbd5-43fd-4d14-8741-aa94b286ada6} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014ddbd5-43fd-4d14-8741-aa94b286ada6} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\34b0fcbd777 (Trojan.Tracur) -> Delete on reboot.
HKEY_CLASSES_ROOT\premiereadvertisingplatform.premiereadvertisingplatform (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{338bfb9a-ea66-7554-fb44-df75ba3936ac} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1cac32c4-1d91-9430-9efd-947861eb3b39} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{547395d9-934a-ced6-b851-f238c86079e5} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{547395d9-934a-ced6-b851-f238c86079e5} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\premiereadvertisingplatform.premiereadvertisingplatform.1 (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{418d86be-7386-4f1a-83e0-53604adbda74} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kwanzy (Adware.Kwanzy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Kwanzy (Adware.Kwanzy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kwanzy Service (Adware.Kwanzy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0032691 (Trojan.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\PremiereAdvertisingPlatform.dll (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremiereAdvertisingPlatform (Adware.PlayMP3z) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ukelep (Trojan.Hiloti) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccagent.exe (Rogue.PClean) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: rpsadx.dll -> Delete on reboot.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Program Files\alggui.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\dskquoui32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\dskquoui32.dll -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\Owner\Application Data\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\PremiereAdvertisingPlatform (Adware.PlayMP3z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\PlayMP3z (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Kwanzy (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Program Files\Your PC Protector (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Your PC Protector (Rogue.PcProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\corpol32.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\rpsadx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ipsecsvc32.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\aqiboqutunag.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\dskquoui32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\39.tmp (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Control-Center\ccagent.exe (Rogue.PClean) -> Quarantined and deleted successfully.
C:\Program Files\PremiereAdvertisingPlatform\PremiereAdvertisingPlatform.dll (Adware.PlayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\adc32.dll (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\downloads\update_for_media_player_(KB972036)(2).exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\downloads\update_for_media_player_(KB972036)(3).exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\downloads\update_for_media_player_(KB972036)(4).exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\downloads\update_for_media_player_(KB972036).exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\64.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cryptdll32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cryptnet32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3d8thk32.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3dx9_2832.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\datime32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dsound3d32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dssec32.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dx8vb32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eapolqec32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\filemgmt32.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\info.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mshlps.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win66.tmp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\KWA125.tmp\upgrade.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\KWA3F.tmp\upgrade.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3A.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\92.exe (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\cewsnoamrx.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\rcmwosaxen.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\Sdp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\ube107.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wsmcnxaroe.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YTBH0QLY\get[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\DealAssistant\config.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\DealAssistant\DAUninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\DealAssistant\dealassistant.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\PlayMP3.exe (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\uninstall.exe (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\PremiereAdvertisingPlatform\uninstall.exe (Adware.PlayMP3z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\PlayMP3z\Run PlayMP3z.pif (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy\kwanzy.dll (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy\kwanzy.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy\uninstall.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Kwanzy\kwanzy141.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1860871911v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1860871911v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1860871911v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1860871911v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1860871911v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1860871911v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1860871911v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1860871911v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1860871911v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Program Files\Your PC Protector\Your PC Protector.exe (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\dbsinit.exe (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\wispex.html (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\pix.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\t1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\t2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\Thumbs.db (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\up1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\up2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w11.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w3.jpg (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\word.doc (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Your PC Protector\Your PC Protector.lnk (Rogue.PcProtector) -> Quarantined and deleted successfully.
C:\Your PC Protector.lnk (Rogue.PcProtector) -> Quarantined and deleted successfully.
C:\Program Files\alggui.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\oulwsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\mozilla firefox\searchPlugins\kwanzy131.xml (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Program Files\mozilla firefox\searchPlugins\kwanzy141.xml (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Program Files\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0032691.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00C0A09.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00ED0B4.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0070ADC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c009FC90.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00BFCE5.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

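The log above is the most useful artefact in this thread: it records the rogue's persistence points (Run values, a Winlogon Notify key, AppInit_DLLs, an LSA notification package) and the hijacked exefile open command that made every .exe launch go through C:\Program Files\alggui.exe first, which is why the Microsoft removal tool would not open in post #1 and why Arctic's advice in post #4 to use a renamed .com/.pif/.scr copy of rkill works. The following script is an added example, not BleepingComputer's or Malwarebytes' code: it parses an MBAM 1.x text log into records, checks the declared per-section counts against the lines actually present (a mismatch usually means a truncated paste), and pulls out the entries a helper would look at first. SAMPLE_LOG is a constructed, shortened excerpt of the log in post #9 with its declared counts adjusted to match the lines kept.

```python
"""Parse an MBAM 1.x scan log into records and summarise what it shows.

Added example for this thread, not BleepingComputer's or Malwarebytes' code.
SAMPLE_LOG is a constructed, shortened excerpt of the log in post #9 with
the declared counts adjusted to match the lines kept."""
import re
from collections import Counter

# Log format (MBAM 1.x): summary lines "<Section> Infected: <n>", then a
# "<Section> Infected:" header followed by one finding per line, shaped
#   <path or key> (<detection>) [-> Data: ... | -> Bad: (...) Good: (...)] -> <action>.
DECLARED_RE = re.compile(r"^(?P<name>.+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")
HEAD_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")

# Registry locations that load code at logon or at process start. Entries
# here are how the rogue restarted itself at every boot; the exefile entry
# is why plain .exe tools would not open until it was repaired.
STARTUP_LOCATIONS = (
    r"\CurrentVersion\Run", r"\Explorer\Run", r"\Winlogon\Notify",
    r"\AppInit_DLLs", r"\shell\open\command", r"\LSA\Notification Packages",
    r"\CurrentControlSet\Services",
)

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3701
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Scan type: Quick Scan

Memory Processes Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 3
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\Administrator\Application Data\Control-Center\ccagent.exe (Rogue.PClean) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\34b0fcbd777 (Trojan.Tracur) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ukelep (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccagent.exe (Rogue.PClean) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: rpsadx.dll -> Delete on reboot.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Program Files\alggui.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\dskquoui32.dll -> Delete on reboot.

Files Infected:
C:\WINDOWS\rpsadx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Owner\My Documents\downloads\update_for_media_player_(KB972036)(2).exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Program Files\alggui.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_finding(section, line):
    """Split one finding line into item, family, optional detail and action."""
    parts = line.rstrip(".").split(" -> ")
    m = HEAD_RE.match(parts[0]) if len(parts) >= 2 else None
    if m is None:
        raise ValueError(f"unrecognised finding line: {line!r}")
    return {"section": section, "item": m["item"], "family": m["family"],
            "detail": " -> ".join(parts[1:-1]) or None, "action": parts[-1]}


def parse_mbam_log(text):
    declared, findings, section = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if m := DECLARED_RE.match(line):
            declared[m["name"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            section = m["name"]
        elif section and " -> " in line:
            findings.append(parse_finding(section, line))
    return {"declared": declared, "findings": findings}


def verify_counts(parsed):
    """Sections whose declared count differs from the lines present; a
    non-empty result usually means the pasted log was truncated."""
    actual = Counter(f["section"] for f in parsed["findings"])
    return {name: (n, actual[name]) for name, n in parsed["declared"].items()
            if actual[name] != n}


def family_counts(parsed):
    return Counter(f["family"] for f in parsed["findings"])


def pending_reboot(parsed):
    """Items MBAM could not remove while running; until the reboot they are
    still in place, which is why the next normal boot looked unchanged."""
    return [f["item"] for f in parsed["findings"] if f["action"] == "Delete on reboot"]


def startup_hijacks(parsed):
    return [(f["item"], f["family"], f["detail"]) for f in parsed["findings"]
            if f["section"].startswith("Registry")
            and any(loc.lower() in f["item"].lower() for loc in STARTUP_LOCATIONS)]


def exe_launch_hijack(parsed):
    """(bad, good) values of a hijacked exefile open command, or None. With
    the bad value in place every .exe launch runs the rogue's loader first;
    .com/.pif/.scr files use other associations, hence the renamed rkill."""
    for f in parsed["findings"]:
        if f["family"] == "Broken.OpenCommand" and f["detail"]:
            m = re.match(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$", f["detail"])
            if m:
                return m["bad"], m["good"]
    return None


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", verify_counts(parsed) or "none")
    print("by family:", dict(family_counts(parsed)))
    print("pending reboot:", len(pending_reboot(parsed)))
    for item, family, detail in startup_hijacks(parsed):
        print(f"startup: {item} [{family}] {detail or ''}")
    print("exefile hijack:", exe_launch_hijack(parsed))
```

Run it against a full log pasted into SAMPLE_LOG (or read from a file) and look at three things in order: whether the declared counts match (otherwise ask for the log again), what is still marked "Delete on reboot" (those items are live until the machine restarts, so a scan that ends without a reboot has not finished), and which startup locations were touched, since those are the entries a reinstall or reboot can revive.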

#10 Elise (Malware Study Hall Admin)

Posted 07 February 2010 - 01:05 PM

Please let me know what happens when you try to boot in normal mode now.

regards, Elise




#11 jgasco68 (Topic Starter)

Posted 07 February 2010 - 01:09 PM

The same thing happens. A window pops up saying "control center" and Windows Explorer is not running. I have to control alt delete and end the control center.. then new task, to get explorer up and running. (Thanks much Arctic for that one!) I ran Malwarebytes again, and it came up with 7 more infections.. but have not restarted it since then. I can find the Control Center program in the control panel.. but I am afraid to click on it to remove it.. and from what I have read that will not help anyhow, will it?

#12 Elise (Malware Study Hall Admin)

Posted 07 February 2010 - 01:19 PM

Please post the new MBAM log as well.

It certainly can't hurt to try to uninstall the Control Center using Add/Remove programs.

regards, Elise




#13 jgasco68 (Topic Starter)

Posted 07 February 2010 - 01:22 PM

I was finally able to get one of the versions of Rkill to find the control center program.. and stop it. I uninstalled the malwarebytes and reinstalled it, and I am running it again. Will post that log as soon as it is done.

#14 jgasco68 (Topic Starter)

Posted 07 February 2010 - 01:40 PM

WOOOOOOOHHHOOOOOOOOO!!!! It looks like I finally dug it out of the system! Thank you so much guys. Everyone who helped. My daughter is so happy she is about to break her face from smiling.
After running Rkill.com *the one that finally found the Control Center program and stopped it*... I reinstalled Malwarebytes, and ran it and it found no infections. I then went into the control panel, found the same program in there.. and clicked on remove, and Windows did its thing. I held my breath and restarted the computer.. and so far it looks like it is GONE!

#15 Elise (Malware Study Hall Admin)

Posted 07 February 2010 - 02:05 PM

How are things running now? Any problems left?

regards, Elise

