Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Being attacked from IP I think...


  • Please log in to reply
7 replies to this topic

#1 edwardj7337

edwardj7337

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 05 May 2010 - 10:38 PM

Well for the pas few days I have been getting Malware alerts that an IP is trying to infect me. I hate it so much it slows my computer down and when I play games I get less FPS which makes me lag. I saw another thread that had a similar problem but I wanted to get help from someone who knows a bit more. I have scanned my computer with a couple programs but nothing. I need some help asap, I will listen to your guys feedback to get my problem resolved.

Here is the log I got:

17:29:24	(null)	MESSAGE	Protection started successfully
17:33:46	(null)	MESSAGE	Protection started successfully
17:35:45	Compaq_Administrator	MESSAGE	IP Protection started successfully
17:35:57	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:36:15	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:39:14	Compaq_Administrator	DETECTION	C:\WINDOWS\Fonts\pUp1xg6x.exe	Worm.Archive	ALLOW
17:39:14	Compaq_Administrator	DETECTION	C:\WINDOWS\Fonts\pUp1xg6x.exe	Worm.Archive	ALLOW
17:40:30	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:31	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:32	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:34	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:38	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:55	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:56	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:57	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:40:59	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:03	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:20	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:21	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:22	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:24	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:28	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:45	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:46	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:47	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:49	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:41:53	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:42:10	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:42:11	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:42:12	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:42:14	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:42:18	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:42:46	Compaq_Administrator	IP-BLOCK	213.163.89.104
17:42:49	Compaq_Administrator	IP-BLOCK	213.163.89.104
17:42:55	Compaq_Administrator	IP-BLOCK	213.163.89.104
17:45:35	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:45:36	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:45:37	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:45:39	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:45:43	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:00	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:01	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:02	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:04	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:08	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:26	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:27	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:28	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:30	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:34	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:51	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:52	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:53	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:55	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:46:59	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:47:16	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:47:17	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:47:18	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:47:20	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:47:24	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:50:41	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:50:42	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:50:43	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:50:45	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:50:49	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:50:56	Compaq_Administrator	IP-BLOCK	213.163.89.106
17:51:00	Compaq_Administrator	IP-BLOCK	213.163.89.106
17:51:05	Compaq_Administrator	IP-BLOCK	213.163.89.106
17:51:06	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:07	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:08	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:10	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:14	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:18	Compaq_Administrator	IP-BLOCK	213.163.89.106
17:51:21	Compaq_Administrator	IP-BLOCK	213.163.89.106
17:51:26	Compaq_Administrator	IP-BLOCK	213.163.89.106
17:51:31	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:32	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:33	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:35	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:39	Compaq_Administrator	IP-BLOCK	213.163.89.107
17:51:39	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:42	Compaq_Administrator	IP-BLOCK	213.163.89.107
17:51:48	Compaq_Administrator	IP-BLOCK	213.163.89.107
17:51:56	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:57	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:51:58	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:00	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:00	Compaq_Administrator	IP-BLOCK	213.163.89.107
17:52:03	Compaq_Administrator	IP-BLOCK	213.163.89.107
17:52:04	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:09	Compaq_Administrator	IP-BLOCK	213.163.89.107
17:52:21	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:21	Compaq_Administrator	IP-BLOCK	213.163.89.105
17:52:22	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:23	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:24	Compaq_Administrator	IP-BLOCK	213.163.89.105
17:52:25	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:29	Compaq_Administrator	IP-BLOCK	83.133.119.139
17:52:30	Compaq_Administrator	IP-BLOCK	213.163.89.105



Also I get these IP alerts when I join the internet and a WORM alert which I can't find.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 AM

Posted 05 May 2010 - 11:05 PM

Hello and welcome please run these next. If you have Spybot installed temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by boopme, 05 May 2010 - 11:06 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 edwardj7337

edwardj7337
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 06 May 2010 - 12:13 AM

Okay Thank You for responding here is my log. It actually found something this time but weird I did a Full Scan and it found nothing last time.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4060

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/5/2010 10:09:59 PM
mbam-log-2010-05-05 (22-09-59).txt

Scan type: Quick scan
Objects scanned: 135266
Time elapsed: 28 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Compaq_Administrator\Start Menu\Total PC Defender 2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\SystemDefender2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Compaq_Administrator\Start Menu\Total PC Defender 2010\Total PC Defender 2010.lnk (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\SystemDefender2010\Total PC Defender 2010 .exe (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 AM

Posted 06 May 2010 - 02:30 PM

These were good finds tho,so next we should get an SAS log.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

How is it running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 edwardj7337

edwardj7337
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 07 May 2010 - 10:41 PM

Dang computer it keeps freezing!

Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2010 at 08:07 PM

Application Version : 4.36.1006

Core Rules Database Version : 4904
Trace Rules Database Version: 2716

Scan type	   : Complete Scan
Total Scan Time : 02:51:26

Memory items scanned	  : 340
Memory threats detected   : 1
Registry items scanned	: 8102
Registry threats detected : 2
File items scanned		: 207485
File threats detected	 : 46

System.BrokenFileAssociation
	HKCR\.exe

Trojan.Agent/Gen-FakeAlert
	C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SUJWKRLC.EXE
	C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SUJWKRLC.EXE
	C:\WINDOWS\Prefetch\SUJWKRLC.EXE-047AE209.pf

Adware.Tracking Cookie
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@burstbeacon[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ads.undertone[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@serving-sys[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ad.yieldmanager[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@media6degrees[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@burstnet[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@revsci[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@bannertgt[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ad1.clickhype[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@tacoda[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@advertising[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@adbrite[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@content.yieldmanager[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@invitemedia[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@rotator.adjuggler[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@questionmarket[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@cdn4.specificclick[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@doubleclick[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@bluestreak[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@bs.serving-sys[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ads.bcserving[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@oasn04.247realmedia[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@www.burstnet[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@adserver.adtechus[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@statcounter[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@apmebf[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@at.atwola[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@lucidmedia[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@specificmedia[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@mediaplex[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@adlegend[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@yieldmanager[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@atdmt[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@fastclick[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@content.yieldmanager[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@adtech[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@www.burstbeacon[1].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@media.adfrontiers[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@zedo[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@specificclick[2].txt
	C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@collective-media[1].txt
	C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
	C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt

Registry Cleaner Trial
	HKU\S-1-5-21-2953103640-2315459261-606963321-1008\Software\SoftwareOnline.com

Rogue.Agent/Gen-Nullo[EXE]
	C:\WINDOWS\SYSTEM32\18467.EXE


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 AM

Posted 08 May 2010 - 10:45 AM

We are getting there.
Go here to Doug KNox's Windows® XP File Association Fixes
Run 9th down on left... EXE File Association Fix ... the EXE not EML one.

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select FULL scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 edwardj7337

edwardj7337
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 08 May 2010 - 02:26 PM

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org



Database version: 4078



Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702



5/8/2010 12:24:02 PM

mbam-log-2010-05-08 (12-24-02).txt



Scan type: Full scan (C:\|D:\|)

Objects scanned: 85608

Time elapsed: 2 hour(s), 33 minute(s), 50 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

(No malicious items detected)



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

(No malicious items detected)



Files Infected:

C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\CW-2\KG.exe (Malware.Tool) -> Quarantined and deleted successfully.

Edited by edwardj7337, 08 May 2010 - 02:27 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 AM

Posted 08 May 2010 - 09:02 PM

Things should be much better now.
We will do an online scan and see if there is anything left.

About the KG.exe found: it is a keylogger and is a network-aware worm that spreads itself through shared network drives. It can receive instructions from an IRC channel on a specific IRC server.
If there are other machines connected to this or you have a flash drive they will also need cleaning.

This malware can allow an attacker to
gain control of the system, log keystrokes, steal passwords, access personal
data, send malevolent outgoing traffic, and close the security warning
messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.



Please perform a scan with Eset Online Antiivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
  • A new window will appear asking "Do you want to install this software?"".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Posted Image > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


How is it running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users