
What to delete?


  • This topic is locked
2 replies to this topic

#1 Rumsy

Rumsy

  • Members
  • 1 posts
  • OFFLINE

Posted 26 February 2010 - 01:11 PM

I had Paladin Anti-Virus bullbleep on my computer. (Which by the way, runs right through McAfee) Which was no big deal, thankfully after tricking it into letting Malwarebytes run I performed a full system scan and cleaned what I could and sent the rest to quarantine. I haven't ever familiarized myself with all of the processes of Vista, and figured I should probably post the quarantined files in hopes you all could tell me what's safe to delete. Wouldn't want to delete anything I need. Especially the registry files? I don't feel right just deleting them without asking. Thanks in advance.

Btw, the log file says "Quarantined and Deleted Successfully" while all of the ones that say that appear in quarantine awaiting deletion. (38 items in quarantine.)
Sorry, it's easier just to post the log file. Ctrl+F "quarantine"

CODE
Malwarebytes' Anti-Malware 1.44
Database version: 3767
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/20/2010 1:39:19 PM
mbam-log-2010-02-20 (13-39-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 245732
Time elapsed: 52 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\ProgramData\dutudari\dutudari.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\Windows\System32\FastUv32.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastuserswitchingcompatibility (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\PotDll.PotGo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eventcreatexp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paladin antivirus (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startup (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\programdata\gadataji\gadataji.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\programdata\dutudari\dutudari.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\programdata\gadataji\gadataji.dll  -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files (x86)\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\gadataji\gadataji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\ProgramData\dutudari\dutudari.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\Windows\System32\FastUv32.dll (Backdoor.Bot) -> Delete on reboot.
C:\Users\Brian\AppData\Local\Temp\eventcreatexp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\nihovoja\nihovoja.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DALVP1M\ad[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DALVP1M\mdyfelge[1].htm (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DALVP1M\ysautnmg[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USI6MPQU\mqlselg[1].htm (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USI6MPQU\vzgomuf[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZGZ7LP61\bfzhfdywe[1].htm (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZGZ7LP61\ycpxe[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Local\Temp\hiod.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Paladin Antivirus\pav.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Paladin Antivirus\pavext.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Paladin Antivirus\phook.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Paladin Antivirus\uninstall.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\fmfdisk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\FastUv32.dll (Backdoor.Bot) -> Delete on reboot.
C:\Windows\SysWOW64\fmfdisk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus Support.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Uninstall Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
C:\ProgramData\mswintmp.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Brian\Desktop\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
C:\Users\Brian\Desktop\Paladin Antivirus Support.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
C:\Users\Brian\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Brian\downloads\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


P.S.S. Don't try to download a crack for Starcraft 2 Beta. This is what happens.

Edited by Rumsy, 26 February 2010 - 01:13 PM.
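As an added example (not code from this thread or from Malwarebytes), a small Python parser for the MBAM log format posted above: it groups hits by detection name, lists the "Delete on reboot" items that are only actually removed after a restart, and flags registry hits in autostart and DLL-injection locations (AppInit_DLLs, LSA Notification Packages, Run keys) that deserve a second look after cleanup. The embedded log excerpt is constructed from lines of the posted log.

```python
import re
from collections import Counter
# Constructed excerpt of the Malwarebytes 1.44 log posted above (same line format, fewer lines).
SAMPLE_LOG = r"""Memory Modules Infected:
C:\ProgramData\dutudari\dutudari.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\Windows\System32\FastUv32.dll (Backdoor.Bot) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startup (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\programdata\dutudari\dutudari.dll -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files (x86)\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\System32\fmfdisk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
# "<item> (<detection>) -> [Data: <value> -> ]<action>"; greedy first group so "(x86)" in a path is not taken as the detection.
LINE_RE = re.compile(r"^(.*) \(([^()]+)\) -> (.*)$")
# Autostart and DLL-injection locations worth re-checking after the cleanup.
PERSISTENCE_MARKERS = ("AppInit_DLLs", "Notification Packages", "\\CurrentVersion\\Run\\")

def parse_mbam_log(text):
    """Return one dict per detection line: section, item, detection, action, optional data."""
    entries, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = LINE_RE.match(line)
        if not m:                               # blanks, "(No malicious items detected)", summary
            continue
        item, detection, rest = m.groups()
        parts = [p.strip() for p in rest.split(" -> ")]   # data-item lines: "Data: ... -> action"
        entry = {"section": section, "item": item, "detection": detection, "action": parts[-1]}
        if len(parts) > 1 and parts[0].startswith("Data: "):
            entry["data"] = parts[0][len("Data: "):]
        entries.append(entry)
    return entries

def pending_reboot(entries):
    """Items that were in use during the scan and are only removed after a restart."""
    return [e["item"] for e in entries if e["action"].startswith("Delete on reboot")]

def persistence_hits(entries):
    """Registry entries that abused autostart or DLL-injection locations."""
    return [e for e in entries if (e["section"] or "").startswith("Registry")
            and any(marker in e["item"] for marker in PERSISTENCE_MARKERS)]

def family_counts(entries):
    return Counter(e["detection"] for e in entries)
```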



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK

Posted 01 March 2010 - 06:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK

Posted 06 March 2010 - 07:03 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE