My PC is infected with Trojan Virus!


This topic is locked. 42 replies to this topic.

#1 phoenix85

Posted 15 June 2010 - 10:58 PM

Hi members!

I was browsing the web earlier today when I noticed that some of the webpages were downloading slowly. Upon further observation, I noticed that the Windows Security Center had been switched off. The anti-virus program (running Kaspersky Anti-Virus 6.0) was not to be found on the Windows taskbar. I couldn't start either the anti-virus program or MalwareBytes manually.

Tried to restart Windows in safe mode, but the PC gave a blue screen with a STOP error message. The message went like this:

xxx STOP:0X0000007B (0XF78A2528, 0XC0000034, 0X00000000,0X00000000)

Luckily, I had the SUPERAntiSpyware installer and ran the application, upon which I received the following results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2010 at 09:51 PM

Application Version : 4.34.1000

Core Rules Database Version : 5070
Trace Rules Database Version: 2882

Scan type : Complete Scan
Total Scan Time : 00:21:12

Memory items scanned : 391
Memory threats detected : 0
Registry items scanned : 4949
Registry threats detected : 5
File items scanned : 17515
File threats detected : 58

Trojan.Dropper/Malevo-NV
[games] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\GAMES.EXE
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\GAMES.EXE
C:\WINDOWS\Prefetch\GAMES.EXE-2D21ACC6.pf

Adware.Tracking Cookie
Adware.Flash Tracking Cookie
C:\Documents and Settings\Twinkle\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\QDTY72BK\CARD.CRICKET.TIMESOFINDIA.INDIATIMES.COM
C:\Documents and Settings\Twinkle\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\QDTY72BK\IA.MEDIA-IMDB.COM
C:\Documents and Settings\Twinkle\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\QDTY72BK\MSNBCMEDIA.MSN.COM

Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman [ C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe ]
HKU\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY


Please note that the application automatically chose the entries to be removed, except for the ones that had Malware.Trace and Disabled.SecurityCenterOption as headers, since they contained registry key entries. I'm not entirely sure if I can delete these safely.
Also to be noted: the following file, C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\GAMES.EXE, is listed under startup programs when running the msconfig utility, and I have it disabled. The threats have been quarantined but not removed.

After running the scan, I restarted the computer to see if it runs normally, but in vain. I still can't access the anti-virus program or MalwareBytes. Can't presently access Windows XP in safe mode. However, I can still run SUPERAntiSpyware and update it without any issues.
I have also tried to run the ESET online scan, but without any luck.

PC Info:

Windows XP Pro Ver. 2002 SP3
AMD Athlon Processor 2650se
1.6 GHz, 896 MB RAM.
Using Mozilla Firefox as default browser.

Need assistance asap. Thanks

Edit: Talked to my fellow user, who apparently visited some random MySpace page and downloaded some animation file (a .gif file), and had it all deleted from the system, I think.
In addition, I'm aware of the Adobe Reader critical flaw (I have Adobe Reader 9.0) and hadn't deleted authplay.dll before discovering the virus. I have it deleted at the moment, and have also updated Flash to the latest version, Adobe Flash 10.1.

Edited by phoenix85, 15 June 2010 - 11:34 PM.



#2 phoenix85 (Topic Starter)

Posted 24 June 2010 - 10:42 PM

Hello..

I would like to inform the respective moderators/team members that the virus problem on my desktop PC is very much active.
I am using a public PC to post messages online. Eagerly awaiting the much-needed assistance.

Thank you.

#3 Budapest (Moderator)

Posted 24 June 2010 - 10:46 PM

You can remove everything found by SUPERAntiSpyware.

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Copy it over to the problem computer on a CD or pen drive if you need to.

Double-click the file to run it. A command window will open briefly. Then run another SUPERAntiSpyware scan.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 phoenix85 (Topic Starter)

Posted 25 June 2010 - 06:56 AM

Thank you for your response Budapest.

I deleted all the files quarantined in SUPERAntiSpyware as per your instructions. Tried to repair the anti-virus software (Kaspersky Anti-Virus 6.0 for Windows Workstations) and failed. It's listed in Add/Remove Programs, but the program is disabled.

I should note that I ran SUPERAntiSpyware twice, once before rkill.scr. Although not requested, I am posting the logs for your reference.



SUPERAntiSpyware Scan Log (Before running rkill.scr)
http://www.superantispyware.com

Generated 06/25/2010 at 06:14 AM

Application Version : 4.34.1000

Core Rules Database Version : 5117
Trace Rules Database Version: 2929

Scan type : Complete Scan
Total Scan Time : 00:40:38

Memory items scanned : 373
Memory threats detected : 0
Registry items scanned : 4939
Registry threats detected : 7
File items scanned : 46269
File threats detected : 6

Trojan.Dropper/Malevo-NV
[games] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\GAMES.EXE
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\GAMES.EXE

Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman [ C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe ]
HKU\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

Security.HiJack[ImageFileExecutionOptions]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONIME.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONIME.EXE#Debugger

Adware.Tracking Cookie
C:\Documents and Settings\John\Cookies\john@ad.wsod[2].txt
C:\Documents and Settings\John\Cookies\john@atdmt[2].txt
C:\Documents and Settings\John\Cookies\john@doubleclick[1].txt
C:\Documents and Settings\John\Cookies\john@msnportal.112.2o7[1].txt
C:\Documents and Settings\John\Cookies\john@questionmarket[2].txt




SUPERAntiSpyware Scan Log (Post rkill.scr application)
http://www.superantispyware.com

Generated 06/25/2010 at 07:24 AM

Application Version : 4.34.1000

Core Rules Database Version : 4596
Trace Rules Database Version: 2929

Scan type : Complete Scan
Total Scan Time : 00:39:12

Memory items scanned : 375
Memory threats detected : 0
Registry items scanned : 4927
Registry threats detected : 4
File items scanned : 46280
File threats detected : 0

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

Security.HiJack[ImageFileExecutionOptions]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONIME.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONIME.EXE#Debugger


By the way, I am not posting the rkill.log file from C:\. It just reports that the following file was terminated:

C:\WINDOWS\system32\imapi.exe

#5 Budapest (Moderator)

Posted 25 June 2010 - 04:04 PM

Are you now able to scan with Malwarebytes?

#6 phoenix85 (Topic Starter)

Posted 25 June 2010 - 05:27 PM

No. Just SUPER.

#7 Budapest (Moderator)

Posted 25 June 2010 - 05:39 PM

Please boot your computer into Safe Mode and then run another scan with SUPERAntiSpyware.

How to start Windows in Safe Mode

#8 phoenix85 (Topic Starter)

Posted 25 June 2010 - 06:09 PM

Hi mate..

I couldn't run Windows XP Pro in safe mode. It gave me a STOP error (see Post #1).
Now I cannot even start Windows XP in normal mode. I chose the /Safeboot option under msconfig.

Right after the initial process, I tapped the F8 key to view menu screen with these options..

1) 3 Safe Modes
2) Last known configuration..
3) Start Windows normally.

Now, how do I undo the /Safeboot option without logging into Windows XP?
The system did not come with a bootable CD. This system had Windows XP Pro.

I do have a Windows XP Home Edition installation CD with me, but I don't think I can fix the boot.ini file since they are two different versions.

Edited by phoenix85, 25 June 2010 - 06:46 PM.


#9 Budapest (Moderator)

Posted 25 June 2010 - 06:57 PM

You can use the XP Home CD to boot into the Recovery Console. See here:

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Scroll down to the section: Problems that can occur by forcing Safe Mode using the System Configuration Utility

#10 phoenix85 (Topic Starter)

Posted 25 June 2010 - 09:48 PM

I was able to load Windows XP by renaming the boot.ini file to boot.ini.bak as per the tutorial.
Now where exactly do I rename the .bak file back to .ini so as to uncheck the /safeboot flag?

Tried to do that like this: Start > Run > cmd > ren C:\Boot.ini.bak Boot.ini
It gave me an error that said "The system cannot find the file specified".

I'd like to mention that as soon as I logged in, the My Documents window started popping up. This happens every time I restart.
Other than that, I can load into Windows under normal mode.

Couldn't find boot.ini via the msconfig command. I did a search and found this file instead: boot.ini.backup in
C:\WINDOWS\pss

Edited by phoenix85, 25 June 2010 - 09:53 PM.


#11 Budapest (Moderator)

Posted 26 June 2010 - 12:15 AM

The boot.ini is in the root directory C:\. You have to have hidden and system files visible to be able to see it.

http://www.microsoft.com/windowsxp/using/h...iddenfiles.mspx

#12 phoenix85 (Topic Starter)

Posted 26 June 2010 - 12:39 AM

No luck mate..

I chose to view hidden files and couldn't find the boot.ini in the root directory C:\.
Found a system file named pagefile which is about 1.31 GB.

#13 Budapest (Moderator)

Posted 26 June 2010 - 12:46 AM

Try unchecking "Hide protected operating system files".

#14 phoenix85 (Topic Starter)

Posted 26 June 2010 - 02:52 AM

A couple of updates...

1) I still did not find the boot.ini file in the C:\ directory (after checking "show hidden files" and unchecking "hide protected operating system files").
Did a search for boot.ini and got these results:

C:\WINDOWS\Boot.ini.bak
C:\WINDOWS\pss\boot.ini.backup


2) Made another attempt to run a SUPER scan, and I got the threats quarantined and removed.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/26/2010 at 02:28 AM

Application Version : 4.34.1000

Core Rules Database Version : 5121
Trace Rules Database Version: 2933

Scan type : Complete Scan
Total Scan Time : 00:39:28

Memory items scanned : 396
Memory threats detected : 0
Registry items scanned : 4929
Registry threats detected : 7
File items scanned : 46444
File threats detected : 2

Trojan.Dropper/Malevo-NV
[games] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\GAMES.EXE
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\GAMES.EXE
C:\windows\Prefetch\GAMES.EXE-2D21ACC6.pf

Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman [ C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe ]
HKU\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

Security.HiJack[ImageFileExecutionOptions]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONIME.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONIME.EXE#Debugger




3) I then restarted the computer and ran the rkill.scr application.
Now I ran MalwareBytes and did a complete scan (after updating). Got all the threats quarantined and removed. Here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4242

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/26/2010 3:02:45 AM
mbam-log-2010-06-26 (03-02-45).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 193934
Time elapsed: 24 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-AwareAdmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsvchst.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ad-aware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prevx.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\John\Local Settings\Temp\tmp11.exe (Trojan.IRCBrute) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{544AABCA-D009-412C-8BDA-68B0E357C453}\RP128\A0017181.exe (Trojan.IRCBrute) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmpvs4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

4) Tried to reinstall Kaspersky Anti-Virus and failed.
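The two logs in this post show the same tamper pattern from different angles: Debugger values under Image File Execution Options for security executables (which is why Kaspersky and Malwarebytes would not start), Winlogon Taskman/Shell pointing at the RECYCLER executable, the Security Center notify flags set, and System Restore disabled by policy. As an added example (not part of the thread and not a tool any participant mentions), a read-only PowerShell audit of exactly those locations; the function name Get-TamperFindings is made up here, and it assumes PowerShell 2.0 or later running elevated on the affected machine.

```powershell
# Added example, not from the thread: read-only audit of the registry and file
# locations the SUPERAntiSpyware / Malwarebytes logs above reported as hijacked.
# Nothing is modified; review each finding before cleaning. Assumes PS 2.0+, elevated.
function Get-TamperFindings {
    $findings = New-Object System.Collections.ArrayList
    $note = {
        param($check, $location, $value)
        [void]$findings.Add((New-Object PSObject -Property @{
            Check = $check; Location = $location; Value = $value }))
    }

    # 1. IFEO: a Debugger value under IFEO\<name>.exe makes Windows launch the "debugger"
    #    instead of the program. Developer tools use this legitimately, so report, don't delete;
    #    values on AV executables (avp.exe, MsMpEng.exe, ...) are what blocked the tools here.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { & $note 'IFEO Debugger' $_.PSChildName $dbg }
    }

    # 2. Winlogon: Shell should be explorer.exe and Taskman is normally absent. The logs showed
    #    Taskman pointing at C:\RECYCLER\...\games.exe and a per-user Shell override.
    $wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $p = Get-ItemProperty "$hive\$wl" -ErrorAction SilentlyContinue
        if ($p.Shell -and $p.Shell -ne 'explorer.exe') { & $note 'Winlogon Shell' "$hive\$wl" $p.Shell }
        if ($p.Taskman) { & $note 'Winlogon Taskman' "$hive\$wl" $p.Taskman }
    }

    # 3. Security Center: these DWORDs set to 1 silence the "antivirus/firewall is off" alerts,
    #    matching the Disabled.SecurityCenterOption entries in the SUPERAntiSpyware log.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = (Get-ItemProperty $sc -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { & $note 'SecurityCenter notify suppressed' $sc $name }
    }

    # 4. System Restore turned off by policy (MBAM reported DisableConfig = 1; default is absent).
    $sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $srp = Get-ItemProperty $sr -ErrorAction SilentlyContinue
    foreach ($name in 'DisableConfig', 'DisableSR') {
        if ($srp.$name -eq 1) { & $note 'SystemRestore policy' $sr $name }
    }

    # 5. Executables inside Recycle Bin SID folders: nothing legitimate runs from there.
    Get-ChildItem 'C:\RECYCLER' -Recurse -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object { & $note 'Executable in RECYCLER' $_.FullName $_.Length }

    return $findings
}

Get-TamperFindings | Format-Table Check, Location, Value -AutoSize
```

An empty table means none of the five locations carries the reported state; an IFEO finding on a program you do not debug, or any Winlogon Taskman value at all, is worth investigating before the next scan.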

#15 Budapest (Moderator)

Posted 26 June 2010 - 02:59 AM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller