It seems I have a serious infection.


16 replies to this topic

#1 MAZACOTE71


Posted 02 April 2010 - 05:17 PM

My AVG 9 antivirus gave me an alert about a rundll32.exe file which had to be quarantined. After that my computer started acting very strange. Whenever I try to go to certain sites from Google it redirects me to some stupid advertisement sites. I was only able to get here through my email. There was also some file called wclean.exe trying to access the web but I blocked it.

I was trying to go to Photobucket to upload a screenshot of the AVG summary. But I keep getting redirected to advertisements.

FYI, I installed a program called Free Ape Player to listen to .ape formatted music. It could be unrelated but I started noticing all the weird stuff after that. I have since removed the program.

When I reboot the computer tells me it's missing some files and will not perform certain operations. I can't run Malwarebytes. I am currently running SuperAntiSpyware. HELP!

I have Windows XP.

Update: It only seems to do the redirecting on Firefox and not IE 8.

The computer is freezing up and using 1.3 gigs of PF usage with only 2 programs running.

Edited by MAZACOTE71, 02 April 2010 - 06:38 PM.



#2 boopme

  • Global Moderator

Posted 02 April 2010 - 08:08 PM

Hello and welcome.
First, is this a school PC? As WClean may be a legit application.

About the missing files: are you getting a "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message?

Please post the SUPER scan log when done.

Now run TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.45) and save it to your desktop. Alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 MAZACOTE71


Posted 03 April 2010 - 10:08 AM

It's my home computer. Yesterday was the first time I got an AVG alert on this wclean. I started getting alerts on the rundll.32 and a keygen file I've had for some time now.

SASW Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2010 at 02:45 AM

Application Version : 4.35.1000

Core Rules Database Version : 4132
Trace Rules Database Version: 2066

Scan type : Complete Scan
Total Scan Time : 03:39:30

Memory items scanned : 456
Memory threats detected : 0
Registry items scanned : 8853
Registry threats detected : 0
File items scanned : 186360
File threats detected : 0

Here are some of the screenshots I managed to get. Will add any other error or missing file images as they pop up after rebooting.

http://i16.photobucket.com/albums/b13/MAZA...pg?t=1270306392

AVG log:

http://i16.photobucket.com/albums/b13/MAZA...pg?t=1270306650

http://i16.photobucket.com/albums/b13/MAZA...pg?t=1270306676

Another AVG9 alert:

http://i16.photobucket.com/albums/b13/MAZA...pg?t=1270307157


I will complete the other steps and reply. Thanks for the prompt reply yesterday. It took me a while to respond because my PC keeps freezing.

#4 boopme

  • Global Moderator

Posted 03 April 2010 - 10:20 AM

Hi, I feel MBAM should see some of these and remove them.
Also your SAS shows an outdated base
Core Rules Database Version : 4132... now 4765
Trace Rules Database Version: 2066 ... 2577


Open SUPER from the icon and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.


NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Let us know how the PC is running now.

Edited by boopme, 03 April 2010 - 10:21 AM.


#5 MAZACOTE71


Posted 03 April 2010 - 10:24 AM

It won't run Malwarebytes after installing it. I double click and nothing happens.

#6 boopme

  • Global Moderator

Posted 03 April 2010 - 10:30 AM

Uninstall, try again. When saving to desktop, in that window rename mbam.exe to, say, zztoy.exe, then save, then run.

Install this also, run it, then install MBAM.
RKill....

Please download Rkill by Grinler and save it to your desktop. Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
If the computer is rebooted or a reboot occurs along the way you will need to run the application again as the malware programs will start again.

#7 MAZACOTE71


Posted 03 April 2010 - 05:11 PM

I finally got the Malwarebytes to work. Although for some reason the desktop shortcut is still unusable after trying everything else. I went into the Program Files Mbytes folder and used the mbamgui.exe instead and got it to work. Here is my log.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3949

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2010 11:06:09 AM
mbam-log-2010-04-03 (11-06-09).txt

Scan type: Quick scan
Objects scanned: 109205
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgfggesys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mlifebsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gedcabsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mlifebsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gedcabsys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gebbby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


This is my safe mode SASW log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2010 at 04:26 PM

Application Version : 4.35.1000

Core Rules Database Version : 4766
Trace Rules Database Version: 2578

Scan type : Complete Scan
Total Scan Time : 05:12:12

Memory items scanned : 241
Memory threats detected : 0
Registry items scanned : 8890
Registry threats detected : 0
File items scanned : 179138
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.bighealthtree[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz7.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt


FYI. The computer speed seems to have improved. But while I was finally able to navigate to this site now, it still opens advertisement pages. This time it will let me go where I want; it just opens the advertisement in a new tab, which is different from what it was doing yesterday. Although faster, my web browsing speed seems sluggish (compared to a couple of days ago).


Update: I'm still getting unwanted advertising pages. Adobe Acrobat is being launched for no reason.

Edited by MAZACOTE71, 03 April 2010 - 07:55 PM.


#8 MAZACOTE71


Posted 03 April 2010 - 08:01 PM

I don't know if this helps any but here are 2 screenshots of my task manager:


http://i16.photobucket.com/albums/b13/MAZA...r04-03-10-1.jpg


http://i16.photobucket.com/albums/b13/MAZA...r04-03-10-2.jpg

#9 MAZACOTE71


Posted 03 April 2010 - 09:30 PM

OK yet another update. AVG found a program called AVE.exe. Now all my .exe files and shortcuts are not recognized. AVG supposedly removed the infection but my PC is still having the same problems.

#10 boopme

  • Global Moderator

Posted 03 April 2010 - 10:48 PM

Hello, those images are too small to see.

We are getting through this.
Run FixExe.reg: click Run when the box opens.


Make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it.

Rerun MBAM..

Run an online scan. Post the 2 new logs and an update on things.

Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#11 MAZACOTE71


Posted 04 April 2010 - 03:14 PM

MBAM Log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3949

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 3:30:42 AM
mbam-log-2010-04-04 (03-30-42).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 290724
Time elapsed: 3 hour(s), 34 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgdabbsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byyaxysys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byyaxysys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Carlos\My Documents\My Downloads\Apps\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
D:\Carlos\My Documents\Downloads\KEY AUTODESK PRODUCT 2010\AUTODESK KEY 2010\X64\XF-A2010.EXE (Trojan.Agent.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{145F4D89-60D7-4F90-BF28-AAC90812C7BB}\RP13\A0004612.exe (Rogue.Installer) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{145F4D89-60D7-4F90-BF28-AAC90812C7BB}\RP13\A0004613.exe (Rogue.Installer) -> Quarantined and deleted successfully.


ESET Log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f6150dd8402d9842aebaf552ef7539bc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-04 07:22:00
# local_time=2010-04-04 02:22:00 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22253867 22253867 0 0
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=183786
# found=9
# cleaned=9
# scan_time=35134
D:\Carlos\My Documents\Downloads\Nero 8 Ultra Edition 8.3.2.1b\Nero-8.3.2.1b_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Carlos\My Documents\Downloads\RegistryFix V6.2 + Serial\registryfix.exe a variant of Win32/Adware.ErrorClean application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Carlos\My Documents\My Downloads\Downloads\1Click DVD Copy 5.0.3.5\1clickdvdcopysetup.exe probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
D:\Carlos\My Documents\My Downloads\Musica\TVUPlayer.zip probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
D:\Carlos\My Documents\SoftwareBCKP\Sony Media (Vegas 6, Sound Forge 8, DVD Architect 3, CD Arch.rar probably a variant of Win32/TrojanClicker.Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Bitlord\Downloads\Cool Edit Pro 2.1.exe probably a variant of Win32/StartPage trojan (deleted - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Bitlord\Downloads\Sony Acid PRO 6\Sony.ACID.Pro.v6.0c.Incl.Keygen-SSG\keygen.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Bitlord\Downloads\Sony ACID Pro v6.0c Incl Keygen\keygen.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Bitlord\Downloads\Sony.ACID.Pro.v6.0c.Incl.Keygen-SSG\keygen.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
DLL:pipe not connected. attempts=120
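As an added example (not code from Malwarebytes or from anyone in this thread, with function names of my own), the following Python script parses entries in the MBAM 1.x log format posted above and groups them by what they tell a defender: random-named autostart values under Run keys, the StartMenuInternet launch hijack that routes the browser through ave.exe, and the Security Center flags that silence antivirus, firewall and update warnings. SAMPLE_LOG is a constructed log that mirrors the entries in this post.

```python
"""Parse Malwarebytes' Anti-Malware 1.x log findings and group them by the
behaviour they evidence. Added example for this thread; not MBAM's own code,
and the function names are my own. SAMPLE_LOG is constructed from the entries
posted in the thread."""
import re
from collections import Counter

# Constructed sample in the MBAM 1.45 layout: section headers end with
# "Infected:", each finding reads "<item> (<detection>) -> <action>.", and
# "Registry Data Items" carry "Bad: (...) Good: (...)" before the action.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45
Database version: 3949

Registry Values Infected: 2
Files Infected: 1

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgdabbsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byyaxysys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gebbby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# item, then "(detection) -> ", optional "Bad: (...) Good: (...) -> ", then action.
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return one dict per finding, tagged with the log section it sits in."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):  # detail-section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        if not line or section is None:  # banner, counts and blank lines
            continue
        m = ENTRY_RE.match(line)  # "(No malicious items detected)" does not match
        if m:
            entry = m.groupdict()
            entry["section"] = section
            entries.append(entry)
    return entries


def classify(entry):
    """Map a finding to the defender-relevant behaviour it evidences."""
    item = entry["item"].lower()
    if "\\currentversion\\run\\" in item:
        return "autostart-persistence"  # Vundo keeps re-adding random *sys values
    if "\\startmenuinternet\\" in item and "\\shell\\" in item:
        return "browser-launch-hijack"  # browser started through a rogue launcher
    if "\\security center\\" in item and item.endswith("disablenotify"):
        return "security-center-tampering"  # AV/firewall/update warnings silenced
    if entry["section"] == "Files Infected":
        return "dropped-file"
    return "other"


def summarize(entries):
    """Count findings per behaviour category."""
    return Counter(classify(e) for e in entries)


def hijack_launchers(entries):
    """Executables a hijacked browser command really runs (first quoted path in Bad)."""
    launchers = []
    for e in entries:
        if classify(e) == "browser-launch-hijack" and e["bad"]:
            m = re.match(r'"([^"]+)"', e["bad"])
            if m:
                launchers.append(m.group(1))
    return launchers


def disabled_notifications(entries):
    """Security Center flags the log found set to 1 (warnings suppressed)."""
    return [e["item"].rsplit("\\", 1)[-1] for e in entries
            if classify(e) == "security-center-tampering" and e["bad"] == "1"]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for name, n in sorted(summarize(found).items()):
        print(f"{name}: {n}")
    print("hijack launcher(s):", hijack_launchers(found))
    print("silenced Security Center flags:", disabled_notifications(found))
```

The same parser runs unchanged over a full mbam-log-*.txt file read from disk; on the logs in this thread it shows that the Run-key values reappear from scan to scan while the browser hijack and the Security Center flags were cleared once.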

#12 boopme

  • Global Moderator

Posted 04 April 2010 - 04:40 PM

How are things now?
Cracking and keygen tools are often obtained via peer-to-peer (P2P) or file sharing programs which too are a security risk. The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help! In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications. Read P2P Software User Advisories, Risks of File-Sharing Technology and P2P file sharing: Anticipate the risks....


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#13 MAZACOTE71


Posted 04 April 2010 - 04:47 PM

My browser appears to be hijacked still. I will post the log ASAP. Thanks again for everything.

#14 MAZACOTE71


Posted 04 April 2010 - 05:02 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3954

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 5:02:14 PM
mbam-log-2010-04-04 (17-02-14).txt

Scan type: Quick scan
Objects scanned: 110716
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qopolmsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnonnnsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnonnnsys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 boopme

  • Global Moderator

Posted 04 April 2010 - 05:37 PM

Seems we have a Vundo that needs to be dug out.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 and not here, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
