xp antivirus 2011


This topic is locked
20 replies to this topic

#1 hipfan

Posted 23 April 2011 - 12:49 PM

I had this virus two days ago and after a lot of reading and using an uninfected laptop and USB stick I was able to use fixexe and then start malaware.
I'm not exactly sure if I didn't get it all or my daughter reinfected us from YouTube.
The same fix did not work and I have spent hours combing the internet and trying all sorts of things that may have made things worse for all I know.
So I am running XP Service Pack 3, and I am stuck in safe mode.
I can't access the internet from the infected computer. System restore is a dream. No control panel either.
Everything brings up "which program do you want to open this with?"
I thought I had it when one of the three rkills (MS-DOS version) allowed me to open and start SAS 12378, but it only gets to 2 files checked, 2 problems found, and then that's it.
The time counter continues (the first time I let it go 2 hours), but it never gets past systembrokenfileassociation.
Any suggestions?
I have managed to get malaware running using a fixexe and rkill combo, but malaware says it was 123 days out of date and it could not connect to update.
I'm afraid to stop the scan, but should I download a newer version to my USB stick and start over?

Edited by hipfan, 23 April 2011 - 01:00 PM.



#2 hipfan

Posted 24 April 2011 - 02:48 PM

I have managed to get out of safe mode, run malaware with the latest definitions and also run antispyware with the latest definitions.
The "windows antivirus 2011" windows seem to be gone.
Now I can't update Windows Defender (is it because of the resident malaware I have already?) or get automatic updates.
AND I am being redirected in both Firefox and Explorer when I click on Google links. Why is neither scan picking these up?

#3 boopme

Posted 24 April 2011 - 02:52 PM

Hello please run...


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#4 hipfan


Posted 24 April 2011 - 06:46 PM

2011/04/24 19:14:46.0890 3932 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/24 19:14:47.0406 3932 ================================================================================
2011/04/24 19:14:47.0406 3932 SystemInfo:
2011/04/24 19:14:47.0406 3932
2011/04/24 19:14:47.0406 3932 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/24 19:14:47.0406 3932 Product type: Workstation
2011/04/24 19:14:47.0406 3932 ComputerName: KELCO
2011/04/24 19:14:47.0406 3932 UserName: User
2011/04/24 19:14:47.0406 3932 Windows directory: C:\WINDOWS
2011/04/24 19:14:47.0406 3932 System windows directory: C:\WINDOWS
2011/04/24 19:14:47.0406 3932 Processor architecture: Intel x86
2011/04/24 19:14:47.0406 3932 Number of processors: 1
2011/04/24 19:14:47.0406 3932 Page size: 0x1000
2011/04/24 19:14:47.0406 3932 Boot type: Normal boot
2011/04/24 19:14:47.0406 3932 ================================================================================
2011/04/24 19:14:47.0734 3932 Initialize success
2011/04/24 19:14:51.0281 0576 ================================================================================
2011/04/24 19:14:51.0281 0576 Scan started
2011/04/24 19:14:51.0281 0576 Mode: Manual;
2011/04/24 19:14:51.0281 0576 ================================================================================
2011/04/24 19:15:03.0265 0576 ================================================================================
2011/04/24 19:15:03.0265 0576 Scan finished
2011/04/24 19:15:03.0265 0576 ================================================================================



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6435

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2011 7:39:05 PM
mbam-log-2011-04-24 (19-39-05).txt

Scan type: Quick scan
Objects scanned: 195847
Time elapsed: 20 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Nothing found that I had to remove, but I restarted anyway.

#5 chromebuster

Posted 24 April 2011 - 06:58 PM

You don't get malware from surfing on YouTube if no one clicked on an ad. That's a different story, as malware authors are trying to find as many vectors as they can to infect in turn as many computers as they can. There is a fix for every broken file association. I would highly recommend you look for an XP-specific fix since, number one, editing and trying to fix it manually can seriously damage things, and two, each version of Windows is very different. What has happened here is that your .EXE file extension has been edited by the rogue to point to itself rather than to Windows where it should be. Until you fix that, you're not going to be able to run MBAM, but when you do find the appropriate file association file, simply follow its instructions, and then your .exe files should be pointing where they should be again. Then post the logs from MBAM and SAS for us to see.


#6 boopme

Posted 24 April 2011 - 07:20 PM

Hello

I cant access the internet from the infected computer.

For the connection try these...

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Now check if the internet is working again.


OR
Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.

Everything brings up "which program do you want to open this with?"

Go here to Doug Knox's Windows® XP File Association Fixes.
Run the 9th one down on the left... EXE File Association Fix ... the EXE one, not the EML one.


System restore is a dream. No control panel either.

I take it a dream means NOT?

Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users..The command needs to be run from an Elevated Command Prompt.Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.

#7 chromebuster


Posted 24 April 2011 - 07:23 PM

Silly me. I didn't even think of that. I tend to forget those things. Sorry, guys.


#8 hipfan


Posted 25 April 2011 - 06:00 AM

Sorry guys, guess I wasn't specific enough. I managed to fix all those problems. I am back online, I updated, ran and disposed of a bunch of crap, but didn't save the log. I can restart in normal mode now and I'm not getting any of those popups anymore. However, I still can't use system restore and now have this redirect problem along with not being able to update Windows Defender or automatic update. I just checked and yes, .exe is missing from my file types. I can't wrap my head around this. When I run malaware and superantispy, what is it doing? Running a fake program? Because neither is finding anything but something is obviously still wrong. I will read up on the exe problem. Are there any magic bullet fixes that have come out recently?

#9 hipfan


Posted 25 April 2011 - 06:31 AM

I ran sfc and it took a while but never asked for my disc (didn't have Service Pack 2 on it anyway) and when I came back from coffee, it was gone, no log, no nothing... just gone.
I just reread the earlier response and will try the Doug exe fix right after another malaware scan finishes. Right away a broken file association came up.

Edited by hipfan, 25 April 2011 - 07:40 AM.


#10 hipfan


Posted 25 April 2011 - 11:20 AM

This was the last scan done this morning. I left the computer on for the night with firefox running and there were multiple pages open to adult friend finder and the like in the morning.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/25/2011 at 08:44 AM

Application Version : 4.51.1000

Core Rules Database Version : 6912
Trace Rules Database Version: 4724

Scan type : Quick Scan
Total Scan Time : 00:25:40

Memory items scanned : 397
Memory threats detected : 0
Registry items scanned : 2181
Registry threats detected : 1
File items scanned : 7736
File threats detected : 85

System.BrokenFileAssociation
HKCR\.exe

Adware.Tracking Cookie

#11 boopme

Posted 25 April 2011 - 11:23 AM

Ok, we still can do 2 things here, one at a time.

Let's run an online scan.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#12 hipfan


Posted 25 April 2011 - 11:24 AM

This is the last scan that picked up anything. Since then I have run this one three more times and it hasn't found anything.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6433

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2011 9:28:36 AM
mbam-log-2011-04-24 (09-28-36).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 278663
Time elapsed: 2 hour(s), 27 minute(s), 33 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\documents and settings\User\local settings\application data\gdq.exe (Trojan.FakeAlert) -> 2108 -> Unloaded process successfully.
c:\documents and settings\User\local settings\application data\gdq.exe (Trojan.FakeAlert) -> 2820 -> Unloaded process successfully.
c:\documents and settings\User\local settings\application data\gdq.exe (Trojan.FakeAlert) -> 4016 -> Unloaded process successfully.
c:\documents and settings\User\local settings\application data\gdq.exe (Trojan.FakeAlert) -> 304 -> Unloaded process successfully.
c:\documents and settings\User\local settings\application data\gdq.exe (Trojan.FakeAlert) -> 1472 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\gdq.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\gdq.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\gdq.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\gdq.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\User\local settings\application data\gdq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\Sun\Java\deployment\cache\6.0\51\12bcd073-31034725 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\C360j.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.8471175528183142.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
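As an added example (not code from the thread or from Malwarebytes), here is a read-only PowerShell audit of the registry values the MBAM log above reports as hijacked by gdq.exe, compared against the known-good values MBAM printed and the stock Windows handler for .exe. The key names and expected values come from the log; the script and its helper names are my own and assume an elevated PowerShell session on the affected machine.

```powershell
# Added example, not from the thread. Read-only audit of the registry values that
# the MBAM log reported hijacked by gdq.exe (Hijack.ExeFile, Hijack.StartMenuInternet,
# Broken.OpenCommand, PUM.Disabled.SecurityCenter). Nothing is changed here;
# the fix is done separately (e.g. the EXE file association fix linked in the thread).
# Assumes: run as Administrator; PowerShell 2.0 or later.

function Get-DefaultValue {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

# First token of a shell command: the quoted path, or the first whitespace-delimited word.
function Get-CommandExecutable {
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return '' }
    if ($Command -match '^\s*"([^"]*)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

$findings = @()

# 1. Stock Windows: .exe maps to the ProgID "exefile" and has no open command of its own.
$exeProgId = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe'
if ($exeProgId -ne 'exefile') {
    $findings += "HKCR\.exe default is '$exeProgId' (expected 'exefile')"
}
$exeCmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
if ($exeCmd) {
    $findings += "HKCR\.exe\shell\open\command is '$exeCmd' (Hijack.ExeFile pattern; should not exist)"
}

# 2. The real handler must launch the file itself: "%1" %*  (the Good value in the log).
$openCmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($openCmd -ne '"%1" %*') {
    $findings += "HKCR\exefile\shell\open\command is '$openCmd' (expected '`"%1`" %*')"
}

# 3. Start Menu browser entries: the launched executable must be the browser, not a wrapper.
$browserKeys = @{
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command'     = 'firefox.exe'
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command' = 'firefox.exe'
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'    = 'iexplore.exe'
}
foreach ($key in $browserKeys.Keys) {
    $cmd = Get-DefaultValue $key
    if ($null -eq $cmd) { continue }   # browser not registered; nothing to check
    $first = Get-CommandExecutable $cmd
    $exe = if ($first) { Split-Path -Leaf $first } else { '' }
    if ($exe -ne $browserKeys[$key]) {
        $findings += "$key launches '$exe' instead of $($browserKeys[$key]) (Hijack.StartMenuInternet pattern)"
    }
}

# 4. Security Center notifications: 1 silences the warnings, which is how the rogue hid its changes.
$sc = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc -and $sc.$name -eq 1) {
        $findings += "Security Center\$name = 1 (PUM.Disabled.SecurityCenter; expected 0)"
    }
}

if ($findings.Count -eq 0) {
    'No gdq.exe-style hijacks found in the checked keys.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

On the log above, the script would have flagged every item MBAM listed under Registry Values and Registry Data Items; a clean run after the fix is a quick way to confirm the .exe association really is repaired before trusting further scan results.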

#13 boopme


Posted 25 April 2011 - 11:31 AM

That was good. Do the ESET, as you say you still have those pop-up pages.

#14 hipfan


Posted 25 April 2011 - 11:39 AM

I have started the ESET. ESET said I had Windows Defender on, but when I went to shut it off, Defender said it was already off. So I started the scan anyway.
I downloaded Defender after all this stuff started.

#15 hipfan


Posted 25 April 2011 - 02:17 PM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=cc1229934fd6844fb36777ca5f9537af
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-25 06:58:31
# local_time=2011-04-25 02:58:32 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777191 100 0 36866948 36866948 0 0
# compatibility_mode=5889 16768382 100 100 0 143573760 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=117235
# found=8
# cleaned=0
# scan_time=8497
C:\Documents and Settings\User\My Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\pss\syuwo.exeStartup a variant of Win32/Kryptik.MXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\jar_cache5351969366586591083.tmp a variant of Win32/Kryptik.MXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\jar_cache9037596083551009114.tmp a variant of Win32/Kryptik.MWI trojan (unable to clean) 00000000000000000000000000000000 I
G:\downloads\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
G:\downloads\QuickTime Pro v7.60.92 for Windows XPVista.rar a variant of Win32/Keygen.AR application (unable to clean) 00000000000000000000000000000000 I
G:\My Music\eat my brain.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
G:\My Music\Tom Petty - a woman in love.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
