
Help with SAS


  • This topic is locked
21 replies to this topic

#1 Kristina78


Posted 01 March 2010 - 10:50 PM

Hi, having a problem with SAS. These same files keep coming back. I uninstalled SAS and reinstalled it, and today the same
Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\RASCNTRL.DLL
C:\WINDOWS\SYSTEM32\MSDRVE.DLL
C:\WINDOWS\SYSTEM32\SVCPRMPT.DLL
C:\WINDOWS\VMOPTVER.DLL
files are back.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/01/2010 at 10:54 PM

Application Version : 4.34.1000

Core Rules Database Version : 4628
Trace Rules Database Version: 2440

Scan type : Complete Scan
Total Scan Time : 01:14:30

Memory items scanned : 462
Memory threats detected : 0
Registry items scanned : 5552
Registry threats detected : 0
File items scanned : 22072
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Jane\Cookies\jane@ads.undertone[2].txt
C:\Documents and Settings\Jane\Cookies\jane@ad.wsod[2].txt
C:\Documents and Settings\Jane\Cookies\jane@atdmt[2].txt
C:\Documents and Settings\Jane\Cookies\jane@revsci[2].txt

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\RASCNTRL.DLL
C:\WINDOWS\SYSTEM32\MSDRVE.DLL
C:\WINDOWS\SYSTEM32\SVCPRMPT.DLL
C:\WINDOWS\VMOPTVER.DLL

Edited by Orange Blossom, 01 March 2010 - 10:58 PM.
Move to AII. ~ OB




#2 quietman7


Posted 03 March 2010 - 09:19 AM

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Kristina78


Posted 03 March 2010 - 05:30 PM

Hi, thank you for the help.
Malwarebytes' Anti-Malware 1.44
Database version: 3822
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/3/2010 5:41:10 PM
mbam-log-2010-03-03 (17-41-10).txt

Scan type: Quick Scan
Objects scanned: 136498
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 quietman7


Posted 04 March 2010 - 07:42 AM

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#5 Kristina78


Posted 05 March 2010 - 03:23 PM

Hi again
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, March 5, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, March 05, 2010 03:03:49
Records in database: 3693272
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 99401
Threats found: 1
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 02:34:56


File name / Threat / Threats count
D:\i386\APPS\App05958\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App06021\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App06699\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App08812\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App09526\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App12072\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App12276\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App12624\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App14401\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App15635\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App20008\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App20918\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App24081\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App25433\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App26163\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App29095\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1

Selected area has been scanned.

#6 quietman7


Posted 05 March 2010 - 10:22 PM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.Web CureIt so you can provide that information.

Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to begin.
  • If offered the option to get information or buy software, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#7 Kristina78


Posted 06 March 2010 - 09:50 PM

Hi, I just got done with doing the Dr.Web CureIt scan. I do have a question: I did the scan in safe mode but under my name. Usually I know we have to do things under the administrator, but when I tried to do it under the administrator the file wasn't there. Hope I did it right lol, that took all day long. I'm now gonna do the ESET online scanner.

Oh, the Dr.Web CureIt didn't find anything.

Got done with the ESET online scanner; nothing came up either.

Edited by Kristina78, 06 March 2010 - 11:45 PM.


#8 Kristina78


Posted 13 March 2010 - 02:54 PM

Not sure if you forgot about me or what lol. I ran Malwarebytes and SAS today and both came back fine, but while I was running it, each time when it was scanning the D drive, Avira kept popping up with these same files:
D:\i386\APPS\App05958\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App06021\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App06699\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App08812\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App09526\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App12072\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App12276\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App12624\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App14401\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App15635\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App20008\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App20918\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App24081\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App25433\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App26163\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1
D:\i386\APPS\App29095\oobeconfig.exe Infected: Trojan.Win32.Vilsel.utk 1

#9 Kristina78


Posted 13 March 2010 - 04:30 PM

Here is the report from Avira



Avira AntiVir Personal
Report file date: Saturday, March 13, 2010 15:09

Scanning for 1849583 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-747044A405


Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Saturday, March 13, 2010 15:09

Starting search for hidden objects.
'73977' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ccprovsp.exe' - '1' Module(s) have been scanned
Scan process 'capfsem.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'capfasem.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'QOELoader.exe' - '1' Module(s) have been scanned
Scan process 'cctray.exe' - '1' Module(s) have been scanned
Scan process 'shwiconEM.exe' - '1' Module(s) have been scanned
Scan process 'point32.exe' - '1' Module(s) have been scanned
Scan process 'type32.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NvMixerTray.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'DevSvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'UmxAgent.exe' - '1' Module(s) have been scanned
Scan process 'UmxPol.exe' - '1' Module(s) have been scanned
Scan process 'UmxFwHlp.exe' - '1' Module(s) have been scanned
Scan process 'UmxCfg.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'D:\' <RECOVERY>
D:\i386\APPS\App05958\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App06021\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App06699\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App08812\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App09526\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App12072\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App12276\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App12624\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App14401\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App15635\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App20008\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App20918\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App24081\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App25433\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App26163\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
D:\i386\APPS\App29095\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan

Beginning disinfection:
D:\i386\APPS\App05958\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4bfe064b.qua'!
D:\i386\APPS\App06021\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4a7a7e1c.qua'!
D:\i386\APPS\App06699\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4a7f66b4.qua'!
D:\i386\APPS\App08812\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4a815724.qua'!
D:\i386\APPS\App09526\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4a804fec.qua'!
D:\i386\APPS\App12072\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4a7e5f7c.qua'!
D:\i386\APPS\App12276\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4a7d76c4.qua'!
D:\i386\APPS\App12624\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4a7c6e8c.qua'!
D:\i386\APPS\App14401\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '48792c6c.qua'!
D:\i386\APPS\App15635\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '487637a4.qua'!
D:\i386\APPS\App20008\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '48773ffc.qua'!
D:\i386\APPS\App20918\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4f048af4.qua'!
D:\i386\APPS\App24081\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4f0592cc.qua'!
D:\i386\APPS\App25433\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4f029a04.qua'!
D:\i386\APPS\App26163\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4f03a25c.qua'!
D:\i386\APPS\App29095\oobeconfig.exe
[DETECTION] Is the TR/Vilsel.utk Trojan
[NOTE] The file was moved to '4f00ad94.qua'!


End of the scan: Saturday, March 13, 2010 16:38
Used time: 1:28:21 Hour(s)

The scan has been done completely.

10173 Scanned directories
326696 Files were scanned
16 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
16 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
326678 Files not concerned
8289 Archives were scanned
2 Warnings
18 Notes
73977 Objects were scanned with rootkit scan
0 Hidden objects were found

#10 quietman7


Posted 14 March 2010 - 07:40 AM

Your Avira log indicates it was able to deal with these TR/Vilsel.utk Trojan files. Are they still reappearing after subsequent scans?

#11 Kristina78


Posted 15 March 2010 - 09:07 PM

Yes, just rescanned with Malwarebytes, and Avira kept popping up with the same files.

#12 quietman7


Posted 16 March 2010 - 06:33 AM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.

    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    D:\i386\APPS\App05958\oobeconfig.exe
    D:\i386\APPS\App06021\oobeconfig.exe
    D:\i386\APPS\App06699\oobeconfig.exe
    D:\i386\APPS\App08812\oobeconfig.exe
    D:\i386\APPS\App09526\oobeconfig.exe
    D:\i386\APPS\App12072\oobeconfig.exe
    D:\i386\APPS\App12276\oobeconfig.exe
    D:\i386\APPS\App12624\oobeconfig.exe
    D:\i386\APPS\App14401\oobeconfig.exe
    D:\i386\APPS\App15635\oobeconfig.exe
    D:\i386\APPS\App20008\oobeconfig.exe
    D:\i386\APPS\App20918\oobeconfig.exe
    D:\i386\APPS\App24081\oobeconfig.exe
    D:\i386\APPS\App25433\oobeconfig.exe
    D:\i386\APPS\App26163\oobeconfig.exe
    D:\i386\APPS\App29095\oobeconfig.exe

    :Commands
    [start explorer]
    [reboot]

  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#13 Kristina78

Posted 16 March 2010 - 10:31 AM

As you can see, it says files not found lol. I don't know what's going on. I'm gonna run both SAS & Malwarebytes and Avira and see if it shows up again.

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder D:\i386\APPS\App05958\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App06021\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App06699\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App08812\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App09526\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App12072\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App12276\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App12624\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App14401\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App15635\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App20008\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App20918\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App24081\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App25433\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App26163\oobeconfig.exe not found.
File/Folder D:\i386\APPS\App29095\oobeconfig.exe not found.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.10.0 log created on 03162010_113412

#14 quietman7

Posted 16 March 2010 - 10:37 AM

Ok.

#15 Kristina78

Posted 16 March 2010 - 12:51 PM

SAS came back clean, but Malwarebytes just got done. Here is the report. I haven't taken the action yet, but those files are back.

Malwarebytes' Anti-Malware 1.44
Database version: 3873
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/16/2010 2:01:27 PM
mbam-log-2010-03-16 (14-01-21).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 241120
Time elapsed: 53 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004434.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004435.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004436.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004437.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004438.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004439.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004440.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004441.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004442.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004443.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004444.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004445.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004446.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004447.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004448.exe (Trojan.Vilsel) -> No action taken.
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP23\A0004449.exe (Trojan.Vilsel) -> No action taken.



