Infected Again :(



#1 yass


Posted 01 May 2010 - 06:12 PM

Hi there. My computer is infected again. Not with the same bug but a different one. I cannot access certain sites like gmail or firefox extensions or my college website. Hotmail doesn't work. I haven't tested everything but lots doesn't work.
Can you please help me fix it? I scanned with avira and super anti spyware and both found nothing. My mbam has been broken since the rootfix broke it here:
http://www.bleepingcomputer.com/forums/ind...t&p=1600882


#2 quietman7


Posted 03 May 2010 - 06:49 AM

schrauber assisted you in January. MBAM has been updated to v1.46 since then. Have you removed the old version and updated to the most current one?

To reinstall/uninstall Malwarebytes' Anti-Malware, please do the following:
  • First uninstall Malwarebytes' Anti-Malware using Add/Remove Programs in the Control Panel.
  • Restart the computer.
  • Download mbam-clean.exe (MBAM Cleanup Utility) and save it to your Desktop.
  • Double-click on mbam-clean.exe to start the utility.
  • When the cleanup routine has finished, it will ask to reboot your computer. Please allow the reboot.
  • After the computer restarts, download and install the latest version of Malwarebytes' Anti-Malware (v1.46) from here and reboot your computer.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
If using the Pro version, you will need to reactivate the program using the license key you were sent. If using the free version, then just ignore that part.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 yass


Posted 04 May 2010 - 12:08 AM

Thanks quietman! I just ran mbam-clean. I had uninstalled mbam earlier. I have rebooted and am downloading the new version; I will update and post scans in the morning please. It's 10pm here so I have to sleep. Early day at college tomorrow. Have to get up at 5:30 >_<


#4 yass


Posted 04 May 2010 - 12:19 AM

Oh shoot I got this error when trying to update:

(screenshot of the error message)

Edit: Actually this reminds me. My avira always pops up saying it failed updating as well. Maybe the virus is stopping my computer's antivirus from working?

Edit: MBAM just popped up, so I clicked start full run.


#5 yass


Posted 04 May 2010 - 02:20 AM

My computer started beeping so I woke up and avira found some issues but mbam didn't note those.
Mbam completed:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/4/2010 12:17:37 AM
mbam-log-2010-05-04 (00-17-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 251622
Time elapsed: 1 hour(s), 55 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Cheat Engine\Systemcallretriever.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Avira picked this stuff up:
Avira AntiVir Personal
Report file date: Monday, May 03, 2010  23:48

Scanning for 2012714 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee		: Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform		: Windows XP
Windows version : (Service Pack 2)  [5.1.2600]
Boot mode	   : Normally booted
Username		: SYSTEM
Computer name   : E58AEB3F9A6342E


Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_feb100df\guard_slideup.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Deviating risk categories...........: -PHISH,

Start of the scan: Monday, May 03, 2010  23:48

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'TSVNCache.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'VzFw.exe' - '1' Module(s) have been scanned
Scan process 'VzCdbSvc.exe' - '1' Module(s) have been scanned
Scan process 'VCSW.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LxrSII1s.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080747.exe'
C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080747.exe
	[DETECTION] Is the TR/VB.Downloader.Gen Trojan
Begin scan in 'C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080748.exe'
C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080748.exe
	[DETECTION] Is the TR/VB.Downloader.Gen Trojan

Beginning disinfection:
C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080748.exe
	[DETECTION] Is the TR/VB.Downloader.Gen Trojan
	[WARNING]   The file was ignored!
C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080747.exe
	[DETECTION] Is the TR/VB.Downloader.Gen Trojan
	[WARNING]   The file was ignored!


End of the scan: Monday, May 03, 2010  23:48
Used time: 00:03 Minute(s)

The scan has been done completely.

	  0 Scanned directories
	 35 Files were scanned
	  2 Viruses and/or unwanted programs were found
	  0 Files were classified as suspicious
	  0 files were deleted
	  0 Viruses and unwanted programs were repaired
	  0 Files were moved to quarantine
	  0 Files were renamed
	  0 Files cannot be scanned
	 33 Files not concerned
	  0 Archives were scanned
	  2 Warnings
	  0 Notes


The scan results will be transferred to the Guard.

That one I didn't quarantine but then a 3rd popped up which I quarantined:

Avira AntiVir Personal
Report file date: Monday, May 03, 2010  23:49

Scanning for 2012714 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee		: Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform		: Windows XP
Windows version : (Service Pack 2)  [5.1.2600]
Boot mode	   : Normally booted
Username		: SYSTEM
Computer name   : E58AEB3F9A6342E


Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_feb100df\guard_slideup.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Deviating risk categories...........: -PHISH,

Start of the scan: Monday, May 03, 2010  23:49

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'TSVNCache.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'VzFw.exe' - '1' Module(s) have been scanned
Scan process 'VzCdbSvc.exe' - '1' Module(s) have been scanned
Scan process 'VCSW.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LxrSII1s.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080749.exe'
C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080749.exe
	[DETECTION] Is the TR/PSW.Dybalom.ami Trojan

Beginning disinfection:
C:\System Volume Information\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\RP747\A0080749.exe
	[DETECTION] Is the TR/PSW.Dybalom.ami Trojan
	[NOTE]	  The file was moved to the quarantine directory under the name '4e5360b7.qua'.


End of the scan: Monday, May 03, 2010  23:51
Used time: 00:00 Minute(s)

The scan has been done completely.

	  0 Scanned directories
	 34 Files were scanned
	  1 Viruses and/or unwanted programs were found
	  0 Files were classified as suspicious
	  0 files were deleted
	  0 Viruses and unwanted programs were repaired
	  1 Files were moved to quarantine
	  0 Files were renamed
	  0 Files cannot be scanned
	 33 Files not concerned
	  0 Archives were scanned
	  0 Warnings
	  1 Notes


The scan results will be transferred to the Guard.


#6 quietman7


Posted 04 May 2010 - 06:11 AM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your Avira scan were in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 4052. Last I checked it was 4064.

If you cannot update through the program's interface and have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, be aware that mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware
Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the [image] button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the [image] button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the [image] button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#7 yass


Posted 04 May 2010 - 05:00 PM

Hey mate, thanks. I started this in the morning before I left. Here are the results:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Tuesday, May 4, 2010
 Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Tuesday, May 04, 2010 12:41:34
 Records in database: 4046283
--------------------------------------------------------------------------------

Scan settings:
	scan using the following database: extended
	Scan archives: yes
	Scan e-mail databases: yes

Scan area - My Computer:
	C:\
	D:\
	E:\
	F:\
	G:\
	H:\
	I:\
	J:\

Scan statistics:
	Objects scanned: 111966
	Threats found: 3
	Infected objects found: 5
	Suspicious objects found: 0
	Scan duration: 02:57:01


File name / Threat / Threats count
C:\Documents and Settings\SONY VAIO\Desktop\Downloads\mirc635.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.g	1
C:\Documents and Settings\SONY VAIO\Desktop\Downloads\tightvnc-1.3.10-setup.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370	1
C:\Documents and Settings\SONY VAIO\Desktop\Downloads\vnc-4_1_3-x86_win32.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad	2
C:\Program Files\mIRC\mirc.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.g	1

Selected area has been scanned.


#8 quietman7


Posted 05 May 2010 - 10:20 AM

In regards to the Kaspersky scan results, please read:

As the scan indicates, the file is not-a-virus. However, some programs may at times be detected by anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. If you installed or recognize the program, then you can ignore the detection. If not, then it can be removed.
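As an added example (not code from this thread or from any of the scanners), the Python below triages scanner report lines the way quietman7's post #6 (System Restore backups named _restore{GUID}\RP***\A00*****.xxx) and post #8 (Kaspersky's not-a-virus prefix) explain them. The line formats are assumptions read off the MBAM, Avira and Kaspersky logs quoted above, and the sample input is constructed from those same lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# System Restore backup naming described in post #6:
#   ...\System Volume Information\_restore{GUID}\RP<n>\A00<n>.<ext>
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP\d+\\A00\d+\.\w+$",
    re.IGNORECASE,
)
# MBAM result line (assumed format): <file or registry path> (<detection>) -> <action>.
MBAM_RE = re.compile(
    r"^(?P<path>(?:[A-Z]:\\|HKEY_).*?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)
# Kaspersky Online Scanner line (assumed format): <path><TAB>Infected: <detection><TAB><count>
KAV_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?)\tInfected: (?P<name>\S+)\t\d+$")
# Avira report (assumed format): a bare path line, then indented [DETECTION]/[NOTE]/[WARNING] lines
AVIRA_PATH_RE = re.compile(r"^[A-Z]:\\.+$")
AVIRA_DETECT_RE = re.compile(r"^\s+\[DETECTION\] Is the (?P<name>\S+) ")
AVIRA_ACTION_RE = re.compile(r"^\s+\[(?:NOTE|WARNING)\]\s+(?P<action>.+)$")


@dataclass
class Detection:
    scanner: str
    path: str
    name: str = ""
    action: str = ""


def parse_lines(lines: Iterable[str]) -> List[Detection]:
    """Pull detections out of a mix of MBAM, Avira and Kaspersky report lines."""
    found: List[Detection] = []
    # Avira prints a path in the scan section and again under "Beginning disinfection";
    # keep one record per path so the later [NOTE]/[WARNING] updates the same entry.
    avira_by_path: Dict[str, Detection] = {}
    pending: Optional[Detection] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if m := MBAM_RE.match(line):
            found.append(Detection("mbam", m["path"], m["name"], m["action"]))
        elif m := KAV_RE.match(line):
            found.append(Detection("kaspersky", m["path"], m["name"], "reported only"))
        elif (m := AVIRA_DETECT_RE.match(line)) and pending is not None:
            pending.name = m["name"]
        elif (m := AVIRA_ACTION_RE.match(line)) and pending is not None:
            pending.action = m["action"]
        elif AVIRA_PATH_RE.match(line):
            path = line.strip()
            pending = avira_by_path.get(path)
            if pending is None:
                pending = avira_by_path[path] = Detection("avira", path)
                found.append(pending)
    # Paths Avira scanned without a [DETECTION] line are not detections
    return [d for d in found if d.name]


def in_restore_point(path: str) -> bool:
    """True for the A00<n> backup copies System Restore keeps inside SVI."""
    return RESTORE_POINT_RE.search(path) is not None


def is_riskware(name: str) -> bool:
    """Kaspersky prefixes legitimate-but-abusable tools (mIRC, VNC) with 'not-a-virus:'."""
    return name.lower().startswith("not-a-virus:")


def triage(d: Detection) -> str:
    """Bucket a detection the way posts #6 and #8 explain them."""
    if is_riskware(d.name):
        return "riskware"        # legitimate tool; keep it if you installed it, else remove
    if in_restore_point(d.path):
        return "restore-point"   # backup of a file that lived elsewhere; harmless once quarantined
    if re.search(r"quarantine|deleted", d.action, re.IGNORECASE):
        return "neutralised"     # the scanner already disabled the object
    return "remaining"           # still on the system: rescan with updated definitions, then reboot


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count detections per triage bucket."""
    return dict(Counter(triage(d) for d in parse_lines(lines)))


# Constructed sample, modelled on the report lines quoted in this thread.
SAMPLE_LINES = [
    "C:\\System Volume Information\\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\\RP747\\A0080747.exe",
    "\t[DETECTION] Is the TR/VB.Downloader.Gen Trojan",
    "\t[WARNING]   The file was ignored!",
    "C:\\System Volume Information\\_restore{3FB54717-8ED4-4CF6-8316-1C34E468C3C0}\\RP747\\A0080749.exe",
    "\t[DETECTION] Is the TR/PSW.Dybalom.ami Trojan",
    "\t[NOTE]\t  The file was moved to the quarantine directory under the name '4e5360b7.qua'.",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify"
    " (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.",
    "C:\\Program Files\\Cheat Engine\\Systemcallretriever.exe (Trojan.Downloader)"
    " -> Quarantined and deleted successfully.",
    "C:\\Program Files\\mIRC\\mirc.exe\tInfected: not-a-virus:Client-IRC.Win32.mIRC.g\t1",
]
```

Running `summarize(SAMPLE_LINES)` on the constructed input yields two restore-point backups, two neutralised objects and one riskware hit, which is the same reading quietman7 gives of the three logs.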

#9 yass


Posted 08 May 2010 - 12:51 AM

Is there any way I can get the latest MBAM file? My USB port on the computer is no good. My other computer is also infected right now, so maybe it's better to find an alternative source. Is there like a download link?

#10 quietman7


Posted 08 May 2010 - 06:33 AM

Database download links:
http://malwarebytes.gt500.org/
http://www.gt500.org/malwarebytes/
http://www.malwarebytes.org/mbam/database/mbam-rules.exe
http://www.majorgeeks.com/Malwarebytes_Ant...base_d6025.html

Unfortunately, none of those links advise the database version number. However, after downloading the file you can hover your mouse over it to see the exact version.

#11 yass (Topic Starter; Members; 202 posts)

Posted 08 May 2010 - 11:28 AM

All those links give me file version 1.4060.0.0.
But I think you have above 4064. Should I try running a scan with 4060, see if it cleans things up, and try another update? :thumbsup:

#12 yass (Topic Starter; Members; 202 posts)

Posted 08 May 2010 - 01:42 PM

I just ran it with 4060 and it gave me 0 objects found.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4060

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/8/2010 11:26:01 AM
mbam-log-2010-05-08 (11-26-01).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 254627
Time elapsed: 1 hour(s), 56 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Do you think version 4064 will really find anything if version 4060 didn't? I still can't access mail websites and some forums. :thumbsup:

#13 quietman7 (Bleepin' Janitor; Global Moderator; 50,935 posts; Male; Virginia, USA)

Posted 08 May 2010 - 02:33 PM

Check your Proxy settings in Internet Explorer to make sure malware did not alter them. If so, that can affect your ability to browse or download tools required for disinfection:
  • Open Internet Explorer > click Tools > Internet Options > Connections tab.
  • Click the LAN Settings... button and uncheck Use a proxy server for your LAN
    or change the settings to the proxy you normally use if you previously reconfigured it.
  • Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
  • Click Ok and then click Ok again.
  • Close Internet Explorer and restart the computer.
  • An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.
Check your Proxy settings in Firefox to make sure malware did not alter them:
  • Open Firefox, click Tools > Options > Advanced and click the Network Tab.
  • Under the Connection section click on the Settings... button.
  • Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
  • Click Ok and then click OK again.
  • Close Firefox and restart the computer.
For other browsers, please refer to How to configure browser proxy settings.

#14 yass (Topic Starter; Members; 202 posts)

Posted 08 May 2010 - 05:56 PM

Drats that's not it :thumbsup:
Neither one had a proxy set up.

#15 quietman7 (Bleepin' Janitor; Global Moderator; 50,935 posts; Male; Virginia, USA)

Posted 08 May 2010 - 08:37 PM

Please download hosts.zip and save it to your Desktop.
Be sure to read and print out these Install Instructions with screenshots for the MVPS HOSTS File if you need them.
  • Extract (unzip) the file to its own folder C:\hosts. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open up the hosts folder and double-click on the mvps.bat file to run the script.
  • When running the mvps.bat file you may see a DOS window indicating the Previous version was saved and renamed...Press any key to continue...
  • Press any key and the DOS windows will close.
  • The script will rename your present HOSTS file to HOSTS.MVP and copy the new HOSTS file to the correct location on your system.
  • If any installed security programs provide an alert about changes to the HOSTS file, allow the change.
  • You can read more about what we are doing in Blocking Unwanted Parasites with a Hosts File.
Note: You may have to overwrite the hosts file in "Safe Mode" if you get "an access denied message" when trying to do it in normal mode.

If you encounter a problem with the zipped version, try using an alternative zipping tool like 7zip or ExtractNow. If you still encounter problems, then use the MVPS HOSTS File text version. Go to File in the top menu and select "Save As", then save hosts.txt to your desktop. Rename it hosts without an extension. Go to the folder containing your existing HOSTS file and rename it HOSTS.MVP. Then copy the hosts file on your desktop into the same folder where you renamed the existing file.

Note: If using Vista or Windows 7, be aware that they require special instructions.
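The symptom in this thread (mail sites and some forums unreachable while the rest of the web works) is exactly what the proxy check in #13 and the HOSTS file replacement in #15 are aimed at. The following is an added Python example, not part of this thread and not one of the MVPS or Malwarebytes tools, that audits both hijack points from text collected on the affected machine: the contents of the hosts file (%SystemRoot%\System32\drivers\etc\hosts on Windows) and a regedit export (File > Export) of the Internet Settings key that holds Internet Explorer's ProxyEnable, ProxyServer and AutoConfigURL values. The sample hosts text, the sample .reg text and the 203.0.113.x addresses are constructed for the example; the PROTECTED domain list is an assumption to be tailored to the sites you cannot reach.

```python
"""Audit two places malware commonly edits to block or redirect web traffic:
the hosts file and Internet Explorer's proxy settings (HKCU ... \Internet Settings).

Added example. All sample inputs below are constructed, not taken from a real machine.
"""
import re

# Addresses that make a hosts entry *block* a site rather than redirect it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: domains the user must be able to reach; tailor this list.
PROTECTED = ("google.com", "hotmail.com", "live.com", "malwarebytes.org")

# Constructed hosts file: one legitimate line plus three hijack entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.5     mail.google.com       # constructed: redirect to third party
203.0.113.5     www.hotmail.com
127.0.0.1       www.malwarebytes.org  # constructed: vendor site blocked
0.0.0.0         ads.example.com       # ad-blocking entry, not flagged
"""

# Constructed regedit export of the IE proxy settings key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="203.0.113.9:8080"
"AutoConfigURL"="http://203.0.113.9/proxy.pac"
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        entries.extend((ip, h.lower()) for h in hosts)
    return entries


def suspicious_hosts_entries(text, protected=PROTECTED):
    """Flag any hosts entry for a protected domain or its subdomains.

    A loopback mapping blocks the site (the symptom in this thread); a routable
    address silently redirects it to whoever controls that address.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if any(host == d or host.endswith("." + d) for d in protected):
            kind = "blocked" if ip in LOOPBACK else "redirected"
            findings.append((host, ip, kind))
    return findings


def parse_reg_values(text, key_suffix="Internet Settings"):
    """Collect the dword and string values under the key ending in key_suffix."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.rstrip("]").endswith(key_suffix)
            continue
        if not in_key:
            continue
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]+)|"(.*)")$', line)
        if m:
            name, _, dword, string = m.groups()
            values[name] = int(dword, 16) if dword is not None else string
    return values


def proxy_findings(values):
    """Report an enabled manual proxy or an auto-config (PAC) URL.

    Either setting is worth a look on a machine whose owner never configured
    a proxy: a PAC script can route only selected sites through an attacker.
    """
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append(("ProxyServer", values["ProxyServer"]))
    if values.get("AutoConfigURL"):
        findings.append(("AutoConfigURL", values["AutoConfigURL"]))
    return findings


if __name__ == "__main__":
    for host, ip, kind in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {host} -> {ip} ({kind})")
    for name, value in proxy_findings(parse_reg_values(SAMPLE_REG)):
        print(f"proxy: {name} = {value}")
```

On a real machine you would read the hosts file into `SAMPLE_HOSTS` and paste the regedit export into `SAMPLE_REG`; an empty result from both checks is what a clean XP system looks like, and matches what yass reported in #14 for the proxy side.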
