First of all, I am a Windows XP Home User and my primary browser is Mozilla Firefox.
Over the past day or so I have been getting warning messages from AVG about an "HTML-Framer". I have clicked to remove it as a power user and it has gone away. Then today things escalated and I started getting Trojan warnings. I stopped everything I was doing, turned off System Restore and ran Malwarebytes. Here's the log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4333
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/20/2010 5:34:11 PM
mbam-log-2010-07-20 (17-34-11).txt
Scan type: Quick scan
Objects scanned: 147432
Time elapsed: 18 minute(s), 13 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
C:\Documents and Settings\Chrissy\Local Settings\Temp\qdliolqr.exe (Rootkit.Dropper) -> Unloaded process successfully.
C:\Documents and Settings\Chrissy\Application Data\svchost.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\Documents and Settings\Chrissy\Local Settings\Temp\4.tmp (Rootkit.Dropper) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows services (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Chrissy\Local Settings\Temp\4.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\Documents and Settings\Chrissy\Local Settings\Temp\qdliolqr.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chrissy\Local Settings\Temp\6.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chrissy\Local Settings\Temp\9.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chrissy\Local Settings\Temporary Internet Files\Content.IE5\C1CO0ITV\PPI[1].exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chrissy\Application Data\chrtmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chrissy\Application Data\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
---
OK, so I rebooted and started up AVG. That's still scanning, but it already came up with two items that it says are blocked from removal:
Phoenix Exploit Kit (type 1112)
Rogue Scanner (type 871)
What do I do to remove them if AVG is blocked from doing so? I'm really frustrated because I'm the one that friends and family go to when THEIR computers get infected! I'd appreciate your assistance ASAP. I am posting this from my desktop; it is only my laptop that has the infection (but only the bedroom has AC, not where the desktop is so...)
I'd appreciate any help you could give!
Chrissy