
Windows XP Recovery issue


2 replies to this topic

#1 gpence
Posted 03 June 2011 - 02:51 PM

One of my users got the Windows XP Recovery "virus" last evening. He was RDCed into his desktop from home. I looked this morning and recognized it was not really a hard drive failure. I looked at the guide which suggested removing the Hidden attribute and running Anti-MalwareBytes (which I did). I ran it twice which returned diseased files. I cleaned it. I still can't get IE to work, etc. Where do I go from here?

Thanks,
Glenn

Edited by Budapest, 03 June 2011 - 04:09 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest



#2 gpence (Topic Starter)

Posted 03 June 2011 - 03:13 PM

Sorry, meant to include the log files from MBAM:

First Run ==============================================

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/3/2011 11:01:47 AM
mbam-log-2011-06-03 (11-01-47).txt

Scan type: Quick scan
Objects scanned: 152544
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\documents and settings\all users\application data\ooyecuncneni.exe (Trojan.FakeMS) -> 708 -> Unloaded process successfully.
c:\documents and settings\all users\application data\18145060.exe (Trojan.FakeMS) -> 2148 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OoyECuNcnEni (Trojan.FakeMS) -> Value: OoyECuNcnEni -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ooyecuncneni.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\18145060.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

==============================================================================================

Second run: ==============================

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/3/2011 12:30:09 PM
mbam-log-2011-06-03 (12-30-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 224021
Time elapsed: 34 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\symantec\srtsp\quarantine\apq6.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

===============================================================================================

Third run: ========================================

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/3/2011 12:40:57 PM
mbam-log-2011-06-03 (12-40-57).txt

Scan type: Quick scan
Objects scanned: 152367
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

============== end of third scan log =====================================

Thanks,
Glenn
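The logs above follow a fixed layout: a "<Section> Infected:" header, then one line per detection in the form "item (Threat.Name) -> ... -> action". The following triage helper is an added example, not part of the original post and not a Malwarebytes tool. It parses that layout, sorts each finding into a bucket (process that was live at scan time, autorun persistence, policy values that hide the desktop and block Task Manager, a file already sitting in another product's quarantine folder, a dropped file), and builds reg.exe queries to re-check the registry findings after a reboot, since fake-AV droppers commonly re-add them. The bucket rules are heuristics chosen for this example; SAMPLE_LOG is constructed from the detections in the posted logs and CLEAN_LOG mirrors the all-clear third run.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example,
not a Malwarebytes tool). Parses "<Section> Infected:" headers and
"item (Threat.Name) -> ... -> action" lines, buckets each finding, and builds
reg.exe queries to re-check registry findings after a reboot. Bucket rules are
heuristics chosen for this example; SAMPLE_LOG is constructed from the posted
detections and CLEAN_LOG mirrors the all-clear third run."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Scan type: Quick scan
Files Infected: 3
Memory Processes Infected:
c:\documents and settings\all users\application data\ooyecuncneni.exe (Trojan.FakeMS) -> 708 -> Unloaded process successfully.
c:\documents and settings\all users\application data\18145060.exe (Trojan.FakeMS) -> 2148 -> Unloaded process successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OoyECuNcnEni (Trojan.FakeMS) -> Value: OoyECuNcnEni -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\ooyecuncneni.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\18145060.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\symantec\srtsp\quarantine\apq6.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

CLEAN_LOG = """
Memory Processes Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:\s*$")
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, threat, detail, action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        hit = FINDING_RE.match(line) if section else None
        if not hit:
            continue  # summary counts, separators, "(No malicious items detected)"
        parts = [p.strip() for p in hit.group("rest").split("->")]
        findings.append({"section": section, "item": hit.group("item"),
                         "threat": hit.group("threat"),
                         "detail": " -> ".join(parts[:-1]), "action": parts[-1]})
    return findings


def classify(f):
    """Heuristic bucket: what the finding tells you about the infection."""
    item = f["item"].upper()
    if f["section"] == "Memory Processes":
        return "running_at_scan"      # malware was live, not just on disk
    if "\\CURRENTVERSION\\RUN" in item:
        return "persistence"          # autorun entry that relaunches it at logon
    if "\\POLICIES\\" in item:
        return "lockdown"             # policy values hiding the desktop / blocking Task Manager
    if "\\QUARANTINE\\" in item:
        return "quarantined_remnant"  # already isolated by another product
    if f["section"] == "Files":
        return "dropped_file"
    return "other"


def triage(findings):
    buckets = defaultdict(list)
    for f in findings:
        buckets[classify(f)].append(f["item"])
    return dict(buckets)


def verification_commands(findings):
    """reg.exe queries to confirm each registry finding is still gone after a reboot."""
    cmds = []
    for f in findings:
        if not f["section"].startswith("Registry"):
            continue
        if f["section"] == "Registry Keys":
            key, value = f["item"], None
        else:
            key, _, value = f["item"].rpartition("\\")
        hive, _, subkey = key.partition("\\")
        cmd = 'reg query "%s\\%s"' % (HIVES.get(hive, hive), subkey)
        cmds.append(cmd + (' /v "%s"' % value if value else ""))
    return cmds


def is_clean(text):
    return not parse_mbam_log(text)


if __name__ == "__main__":
    for bucket, items in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(bucket, len(items))
    print("\n".join(verification_commands(parse_mbam_log(SAMPLE_LOG))))
```

Run it against a saved mbam-log-*.txt instead of SAMPLE_LOG to get the same summary for a real scan. Each emitted `reg query` line can be pasted into cmd.exe on the cleaned machine after a reboot; an error saying the key or value cannot be found is the result you want, while a value that is back means something on the box is still re-creating it.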

#3 gpence (Topic Starter)

Posted 06 June 2011 - 08:13 AM

I think we've gotten this one fixed.



