Windows Security 2012 virus

Solved/Closed
Screwed - Jan 27, 2012 at 05:48 PM
 scrwed - Feb 11, 2012 at 04:49 PM
Hello,

I am getting prompts to update my Windows security to 2012 and asking for my credit card. After some research I have found this virus is a nasty one. But it seems to me I am the only one who cannot run Rkill even through .com, .scr, .pif.... It downloads, then right when it is done the file is gone. Disappears.... I need help... bad. THANK YOU!!


66 responses

Anonymous User
Jan 27, 2012 at 09:42 PM
Download exeHelper and Malwarebytes from a clean PC to the infected PC:

http://www.raktor.net/exeHelper/exeHelper.com

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/



Boot the PC into Safe Mode with Networking.


Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Now install Malwarebytes, update it and run a FULL SCAN.



Download

https://support.kaspersky.com/downloads/utils/tdsskiller.exe

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the log report.



Please download GMER from here (does not work on a 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
1
Anonymous User
Jan 28, 2012 at 08:01 PM
I can get back all your programs, but before that I need logs.

Please follow the instructions.

Run Malwarebytes, TDSSKiller and GMER and post the logs.


Press Windows+R key and type

%temp% and click ok

If you find a folder called SMTMP, back it up to a safe location.

Please post the logs in your next reply
1
I can't run Malwarebytes. I am in safe mode. Ran exeHelper - OK, then tried to install Malwarebytes and got runtime error 5, access denied. I apologize for my ignorance. Thank you so much for taking your time and helping me; I really appreciate it. I had Malwarebytes running a full scan. I walked away while it ran, which was about an hour, and when it finished it disappeared and now I can't get it to run.
0
OK, changed the file name during download. Next reply will be logs, I hope.
0
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912012902

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

1/29/2012 3:21:19 PM
mbam-log-2012-01-29 (15-20-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 312002
Time elapsed: 1 hour(s), 1 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LJBJnRHnXfQaR.exe (Trojan.FakeMS) -> Value: LJBJnRHnXfQaR.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger (Security.Hijack) -> Value: Debugger -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matthew Mitchell\Local Settings\Application Data\utq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ljbjnrhnxfqar.exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\all users\application data\b2c9j9obvnp8fi.exe (Rogue.FakeHDD) -> No action taken.
c:\documents and settings\all users\application data\hnqivklguoudnp.exe (Rogue.FakeHDD) -> No action taken.
c:\documents and settings\all users\application data\mrsahbvtphnii.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\all users\application data\o2damvcrztzqor.exe (Rogue.FakeHDD) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\00017768.exe (Trojan.FakeAV.Gen) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\la8e4i9z.exe.part (Trojan.FakeAV) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\qxsjy8oy.exe.part (Trojan.FakeAV) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\icreinstall\videotomp3setup.exe (Adware.Agent) -> No action taken.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\fpishzgukueugzgsyok[1].exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\scandsk1007c_8051[1].exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(10).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(11).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(2).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(3).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(4).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(6).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(7).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(8).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\MOM\application data\auditpol.dll (Trojan.Downloader) -> No action taken.
c:\documents and settings\MOM\local settings\application data\jsc.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\MOM\local settings\application data\nmv.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\MOM\local settings\Temp\msimg32.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\Nick\local settings\application data\syssvc.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\Nick\local settings\temporary internet files\Content.IE5\CB0PUT8N\video[1].exe (Trojan.FakeAV) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc15.exe (Adware.Hotbar) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc2.exe (Trojan.FakeAlert) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc20.exe (Adware.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc21.exe (Adware.Hotbar) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069897.DLL (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069898.DLL (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069899.DLL (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069902.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP590\A0069945.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP593\A0070743.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP610\A0074933.exe (Trojan.FakeMS) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP629\A0076310.exe (Trojan.FakeMS) -> No action taken.
0
After the 'Run' page comes up for TDSSKiller and I click Run, it does not run. Can I delete the viruses from Malwarebytes??
0
So I am stuck on that step, and I ran GMER and I cannot see where you want me to hit Scan, other than the CMD tab...
0
Anonymous User
Jan 29, 2012 at 07:50 PM
Hi

> No action taken.

You have not removed infections.

Run the Malwarebytes scan again. Right-click on the infection results and select all.

Now click on REMOVE infections.

I want you to run Malwarebytes in normal mode (full scan) and post the clean log.

Download

https://www.broadcom.com/support/security-center

Launch it; it should ask for a restart. Let me know what it finds.

Try to run GMER after removing the infections found by FixTDSS.

Download

http://public.avast.com/~gmerek/aswMBR.exe


Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.
1
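The log posted above lists every finding as "No action taken", which is the point the reply makes: until the items are actually quarantined, the rogue's Run value (persistence), its Image File Execution Options Debugger value (the mechanism that stops programs such as install.exe from launching normally) and the Security Center "DisableNotify" switches are all still in place. As an added example, not code from this thread or from Malwarebytes, the following Python script parses lines in the format of the posted logs, separates what was quarantined from what was only reported, and labels the registry findings by their effect on the victim. The technique labels and the sample log (built from paths in the posted logs, with the profile name replaced by "User") are this example's own.

```python
"""Triage a Malwarebytes 1.x scan log: parse every finding, flag what is still
marked "No action taken", and label the registry changes by what they do to the
victim's defences.  Added example for this thread, not code from the posts or
from Malwarebytes; the technique labels are this example's own naming."""
import re
from collections import Counter

# Constructed sample in the format Malwarebytes 1.51 prints in the posted logs.
# Paths are taken from those logs; the profile name is replaced with "User".
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LJBJnRHnXfQaR.exe (Trojan.FakeMS) -> Value: LJBJnRHnXfQaR.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger (Security.Hijack) -> Value: Debugger -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 (Security.Hijack) -> Value: 0 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\utq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ljbjnrhnxfqar.exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\MOM\local settings\Temp\msimg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One finding per line: <item> (<Detection.Name>) [-> <detail>] -> <action>.
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9.]+)\)"
    r"(?: -> (?P<detail>.+?))?"
    r" -> (?P<action>[^>]+?)\.$"
)

# Registry locations the rogue touched (lower-cased substrings) and this
# example's label for the effect of each; first match wins.
REGISTRY_TECHNIQUES = [
    (r"\image file execution options", "ifeo_debugger"),   # named EXE is started via a "debugger" the rogue picks
    (r"\policies\explorer\disallowrun", "disallowrun"),    # Explorer refuses to launch listed programs
    (r"\security center", "security_center_notify"),       # AV / firewall / update warnings silenced
    (r"\currentversion\run", "run_key_persistence"),       # rogue restarts at logon
    (r"\startmenuinternet", "browser_launch_hijack"),      # browser shortcut runs the rogue first
    ("disabletaskmgr", "taskmgr_disabled"),
    (r"\regfile\shell\open\command", "reg_handler_altered"),
    ("start_show", "start_menu_hidden"),
    ("nodesktop", "desktop_hidden"),
]

# Labels that mean the user's own tools are still being blocked or silenced.
DEFENCE_EVASION = frozenset({"ifeo_debugger", "disallowrun", "security_center_notify",
                             "taskmgr_disabled", "browser_launch_hijack"})


def classify(item):
    """Map a registry item path to this example's technique label."""
    low = item.lower()
    for needle, label in REGISTRY_TECHNIQUES:
        if needle in low:
            return label
    return "other"


def parse_log(text):
    """Return one dict per finding, with the section it was listed under."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank, or "(No malicious items detected)"
            continue
        if line.endswith(" Infected:"):            # "Registry Values Infected:" etc.
            section = line[:-len(" Infected:")]
            continue
        match = LINE_RE.match(line)
        if match is None or section is None:       # scan header lines, not findings
            continue
        finding = match.groupdict()
        finding["section"] = section
        finding["technique"] = (classify(finding["item"])
                                if section.startswith("Registry") else "filesystem")
        findings.append(finding)
    return findings


def unremediated(findings):
    """Findings the scanner only reported: these are still live on the box."""
    return [f for f in findings if f["action"] == "No action taken"]


def triage(text):
    """What a helper wants to know before telling the user to rescan."""
    findings = parse_log(text)
    live = unremediated(findings)
    return {
        "total": len(findings),
        "unremediated": len(live),
        "defence_evasion_live": sorted({f["technique"] for f in live} & DEFENCE_EVASION),
        "by_action": dict(Counter(f["action"] for f in findings)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log saved from the scanner, a non-empty `defence_evasion_live` list is the signal that the user has only scanned and has not yet removed anything, which is exactly the state the first posted log is in.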
Thank You So Much!!!
0
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912012902

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/30/2012 7:19:27 PM
mbam-log-2012-01-30 (19-19-27).txt

Scan type: Quick scan
Objects scanned: 252435
Time elapsed: 1 hour(s), 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 69
Registry Values Infected: 18
Registry Data Items Infected: 15
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LJBJnRHnXfQaR.exe (Trojan.FakeMS) -> Value: LJBJnRHnXfQaR.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 (Security.Hijack) -> Value: 0 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 (Security.Hijack) -> Value: 1 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 (Security.Hijack) -> Value: 2 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 (Security.Hijack) -> Value: 3 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 (Security.Hijack) -> Value: 4 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 (Security.Hijack) -> Value: 5 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 (Security.Hijack) -> Value: 6 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 (Security.Hijack) -> Value: 7 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 (Security.Hijack) -> Value: 8 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 (Security.Hijack) -> Value: 9 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 (Security.Hijack) -> Value: 10 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 (Security.Hijack) -> Value: 11 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 (Security.Hijack) -> Value: 12 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 (Security.Hijack) -> Value: 13 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 (Security.Hijack) -> Value: 14 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 (Security.Hijack) -> Value: 15 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=8051&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matthew Mitchell\Local Settings\Application Data\utq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ljbjnrhnxfqar.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\mrsahbvtphnii.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\o2damvcrztzqor.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\b2c9j9obvnp8fi.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\hnqivklguoudnp.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\isecurity.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\application data\auditpol.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc15.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc20.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc21.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\rstrui.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\00017768.exe (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\la8e4i9z.exe.part (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\qxsjy8oy.exe.part (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\icreinstall\videotomp3setup.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\local settings\Temp\msimg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\local settings\application data\jsc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\local settings\application data\nmv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Nick\local settings\application data\syssvc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\scandsk1007c_8051[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\fpishzgukueugzgsyok[1].exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\Nick\local settings\temporary internet files\Content.IE5\CB0PUT8N\video[1].exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
0
So you wanted me to post the clean log; well, I ran it again and there were still 22 infections on the 2nd scan... so I will keep scanning and removing until it is clean...
0
Anonymous User
Jan 30, 2012 at 06:43 PM
Download

https://download.bleepingcomputer.com/grinler/unhide.exe

Boot into safemode with networking,

Launch it and allow it to run; it should restore all your hidden files.

Please follow the instructions.

Run Malwarebytes once in normal mode (full scan) and post the clean log alone.

Run TDSSKiller and GMER as instructed in my first reply and post the logs.


Press the Windows+R key and type

%temp% and click OK

If you find a folder called SMTMP, back it up to a safe location.

Let me know how it went.

Please follow my instructions. Do not post the exeHelper.com log every time.

Thanks
1
Anonymous User
Jan 30, 2012 at 06:48 PM
If you can't run TDSSKiller

Download

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Launch it; it should ask for a restart. Let me know what it finds.

Try to run GMER after removing the infections found by FixTDSS.
0
So you wanted me to post the clean log; well, I ran it again and there were still 22 infections on the 2nd scan... so I will keep scanning and removing until it is clean... unless otherwise directed.
0
I'm posting this here because it will be hidden after restart. 2nd scan log:
Objects scanned: 315178
Time elapsed: 4 hour(s), 45 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP593\A0070743.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP610\A0074933.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP629\A0076310.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078354.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078355.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078356.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078357.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069902.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069897.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069898.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069899.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP590\A0069945.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\application data\Sun\Java\deployment\cache\6.0\41\776bf8a9-4faf98ad (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(10).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(11).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(2).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(3).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(4).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(6).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(7).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(8).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
0
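A triage helper for logs like the one above, added here as a worked example (it is not the poster's code and not part of Malwarebytes). It parses the detection lines of a Malwarebytes' Anti-Malware 1.x log, buckets them by what they say about the infection, and raises the two points that matter before calling a machine clean: a value under ...\CurrentVersion\Run is logon persistence, so the binary it names (in this thread, under All Users\Application Data) has to be gone as well; and hits inside System Volume Information\_restore{...} are copies kept by System Restore, not live malware, so purging the restore points is the reliable way to be rid of them. The SAMPLE_LOG lines are copied from the logs posted in this thread; the bucket names and the wording of the notes are this example's own.

```python
import re
from collections import Counter

# Malwarebytes' Anti-Malware 1.x logs one detection per line:
#   <file or registry path> [(<family>)] [-> <detail>]... -> <action>.
# Everything else (headers, counters, "(No malicious items detected)") lacks " -> ".
HEAD_RE = re.compile(r"^(?P<object>.+?)(?: \((?P<family>[^()]+)\))?$")

RUN_KEY = "\\currentversion\\run\\"
RESTORE_DIR = "\\system volume information\\_restore{"


def classify(obj: str) -> str:
    """Bucket a detected object by what it says about the infection."""
    u = obj.lower()
    if u.startswith("hkey_"):
        if RUN_KEY in u:
            return "persistence-run-key"      # the rogue relaunches at logon
        if "\\policies\\" in u or "\\explorer\\advanced\\" in u:
            return "ui-policy-tamper"         # hidden desktop, stripped Start menu
        return "registry"
    if RESTORE_DIR in u:
        return "restore-point-copy"           # System Restore snapshot, not a live file
    if "\\temp\\" in u or "\\temporary internet files\\" in u or u.endswith(".part"):
        return "temp-dropper"                 # download / installer residue
    return "file"


def parse_detection(line: str):
    """Return a dict for one detection line, or None for anything else."""
    line = line.strip()
    if " -> " not in line:
        return None
    head, *details, action = line.split(" -> ")
    m = HEAD_RE.match(head)
    return {
        "object": m.group("object"),
        "family": m.group("family"),          # None when MBAM printed no name
        "details": details,                   # e.g. "Value: X" or "Bad: (0) Good: (1)"
        "action": action.rstrip("."),
        "class": classify(m.group("object")),
    }


def summarize(log_text: str) -> dict:
    dets = [d for d in map(parse_detection, log_text.splitlines()) if d]
    by_class = Counter(d["class"] for d in dets)
    by_family = Counter(d["family"] or "(unnamed)" for d in dets)
    # Basenames of every file detection, to pair Run values with their targets.
    file_names = {d["object"].rsplit("\\", 1)[-1].lower()
                  for d in dets if not d["object"].lower().startswith("hkey_")}
    notes = []
    for d in dets:
        if d["class"] == "persistence-run-key":
            value = d["object"].rsplit("\\", 1)[-1].lower()
            if value in file_names:
                notes.append(f"Run value {value} and its binary both removed")
            else:
                notes.append(f"Run value {value} removed but its binary was not in this scan; confirm it is gone")
    live = len(dets) - by_class["restore-point-copy"]
    if by_class["restore-point-copy"] and live == 0:
        notes.append("only System Restore snapshots hit: purge the restore points instead of rescanning")
    return {"total": len(dets), "live": live, "by_class": dict(by_class),
            "by_family": dict(by_family), "notes": notes}


# Lines copied from the logs posted in this thread (one of each kind).
SAMPLE_LOG = r"""
Files Infected:
c:\documents and settings\all users\application data\hnqivklguoudnp.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\rstrui.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP593\A0070743.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\Temp\278524.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KndCLIWLJesl.exe (Rogue.Agent.SA) -> Value: KndCLIWLJesl.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
(No malicious items detected)
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["by_class"])
    for note in result["notes"]:
        print("-", note)
```

Feed it the whole mbam-log-*.txt and read the notes first: a Run value without its paired binary, or a scan whose only hits are restore-point copies, tells you what to do next far better than the raw infection count.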
I am sorry for not posting the clean log, but I have run the scan over 6 times and I cannot get my system clean... So that is why there is no clean log... Don't delete this thread; I am continuing to run scans and delete infections...
0
Unhide fix won't run
TDSSKiller won't run
FixTDSS did work and says Backdoor.Tidserv has NOT been found
GMER said no system modifications have been found
0

Ambucias (Moderator)
Feb 1, 2012 at 04:01 PM
Hello,

Nobody has replied to you since January 31st. How is your system behaving? Do you need further help?
1
Yes, I still need help... I am still having the same issues: 10 to 15 messages saying system32 failed to write messages; "System Check" comes up and tells me I have a few errors and then wants me to update and give my CC info... I know this is a virus. I am using Malwarebytes in safe mode because I have no programs or documents shown; I have to download it every time I restart. I use it to scan and delete infections but I cannot get it to get the PC completely clean. I ran TDSSKiller and it told me some virus called Backdoor was found but I don't know what to do after that... I also tried the GMER app but I have no idea what it is for... I would like to find out how to delete this System Check virus and get back my files...
0
I'm sorry, I can't run TDSSKiller. I ran the other one the wonderful person that was helping me, sundar7701, told me to use: FixTDSS. After my malware scan today I will run FixTDSS again, write down the infection it finds and await further instruction... unless I should do something else...
0
GMER says it found no system modification.
0
Anonymous User
Feb 2, 2012 at 02:13 PM
Hi

You're not following any of the instructions as suggested.

I'm still waiting for you to post the Malwarebytes clean log.

Did you run the UNHIDE fix which I gave?

You said TDSSKiller is not working, but now you say that TDSSKiller found a backdoor.

You're not interested in running GMER and aswMBR.

You're still waiting for instructions when you did not post the logs and you are not following my instructions.

I'm sorry, but how can I help you?
0
3rd time I ran this and still getting infections... As far as I know, (Backdoor.Bot) is what FixTDSS found... Running Malwarebytes until I get a clean system...

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912020206

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/2/2012 3:11:41 PM
mbam-log-2012-02-02 (15-11-41).txt

Scan type: Quick scan
Objects scanned: 252408
Time elapsed: 46 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KndCLIWLJesl.exe (Rogue.Agent.SA) -> Value: KndCLIWLJesl.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAwhgCLyHSr.exe (Rogue.Agent.SA) -> Value: PAwhgCLyHSr.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\matthew mitchell\local settings\Temp\131068.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\Temp\278524.exe -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\Temp\wpbt0.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\setup[1].exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\kndcliwljesl.exe (Rogue.Agent.SA) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\pawhgclyhsr.exe (Rogue.Agent.SA) -> Quarantined and deleted successfully.
0
Anonymous User
Feb 2, 2012 at 04:22 PM
Press the Windows+R key and type

cmd and click OK

Now run these commands


cd\

cd Windows\System32

attrib -h c:\*.* /s /d


Allow it to run until it unhides your files.

I will wait for the Malwarebytes and aswMBR logs

Do not click on ADD COMMENTS; I want you to click on the REPLY option at the bottom of the page and post the LOGS


Thanks
1
Anonymous User
Feb 2, 2012 at 05:41 PM
Go ahead and run the commands as instructed in previous post
1
Anonymous User
Feb 2, 2012 at 08:45 PM
Download

http://www.geekstogo.com/forum/files/file/441-mbrcheck/

Double-click MBRCheck.exe

It will show a black screen with some information that will contain either the line below if no problem is found:

Press ENTER to exit...

or

you will see more information like the below if a problem is found:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Just choose to exit the program at this point, since we want to see only the scan results to begin with.
MBRCheck will create a log on the desktop; post the log result.
1
Anonymous User
Feb 2, 2012 at 10:15 PM
Did you restart your computer?

Did you face any issues?

I want you to run aswMBR and TDSSKiller now

Launch MBRCheck.exe and press N to exit. Post the latest MBRCheck log from the desktop.
1
Anonymous User
Feb 2, 2012 at 10:46 PM
You can't run them because you still have an infected MBR

37 GB \\.\PhysicalDrive0 MBR Code Faked!

I want you to follow the instructions again


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel


Press 1 at this stage, type YES and press ENTER

Delete the MBRCheck logs present on the desktop

Restart the PC and rerun MBRCheck to generate a log; post it here
1
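What "MBR Code Faked!" is saying, as an added example (this is not MBRCheck's code and not from this thread): the first sector of \\.\PhysicalDrive0 holds 440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries and the 0x55AA marker. MBRCheck compares the bootstrap against the stock Windows loaders; the script below does the same against a hash you take from a known-clean disk, and also sanity-checks the partition table, which a replaced loader usually leaves intact so the machine still boots. The "clean" boot code, the baseline hash set, the partition geometry and the disk signature are constructed fixtures, not values from the poster's machine; the "faked" variant only overwrites the first two bytes of the bootstrap, which is enough to change the hash the way a bootkit's own loader does.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8          # bytes 0x000-0x1B7: bootstrap code
DISK_SIG_OFF = 0x1B8           # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE         # four 16-byte partition entries
SIG_OFF = 0x1FE                # 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Split one 512-byte sector into boot-code hash, disk signature and partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue                                  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "valid_signature": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good: set) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good:
        findings.append("boot code does not match any known-good loader (MBR code faked?)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected exactly 1")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (a_start, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            findings.append("partition entries overlap")
            break
    return findings


def build_mbr(boot_code: bytes, partitions, disk_signature: int = 0x12345678) -> bytes:
    """Assemble a 512-byte MBR from its parts (test fixture, not a real loader)."""
    buf = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        buf[off] = 0x80 if bootable else 0x00
        buf[off + 4] = ptype
        struct.pack_into("<II", buf, off + 8, lba_start, sectors)
    buf[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


# Constructed fixture: a stub with the usual xor ax,ax / mov ss,ax / mov sp,0x7C00
# prologue padded with NOPs stands in for the stock loader, and its hash plays the
# role of the baseline you would take from a clean disk of the same Windows version.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}
ONE_NTFS_DISK = [(True, 0x07, 63, 78140097)]       # one bootable NTFS partition (assumed geometry)

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, ONE_NTFS_DISK)
# Same layout, but the start of the bootstrap was overwritten, as a bootkit does
# when it installs its own loader and chains to the original later.
FAKED_MBR = build_mbr(b"\xEB\xFE" + CLEAN_BOOT_CODE[2:], ONE_NTFS_DISK)


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR (Windows only, needs an elevated prompt)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR)


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("faked", FAKED_MBR)):
        print(name, parse_mbr(mbr)["boot_code_sha256"][:16], check_mbr(mbr, KNOWN_GOOD) or "OK")
```

On a real machine, dump the sector with read_physical_mbr() before letting any tool rewrite it, so you keep the evidence and can put it back if the restore breaks booting; the baseline set should hold hashes taken from clean installs of the same Windows version, since the Vista/7 loader hashes differ from XP's.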
Anonymous User
Feb 2, 2012 at 11:01 PM
That's OK, let's try another way

Run MBRCheck again, press 2

Enter your choice:
Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel


Press 0 (NOT 1) at this stage, type YES and press ENTER

Restart the PC and let me know IF you can run TDSSKiller and aswMBR
1
Anonymous User
Feb 3, 2012 at 05:57 PM
I want you to run TDSSKiller using this method

http://ccm.net/faq/18862-rootkit-boot-sst

Follow the procedures given there

You should be able to run TDSSKiller

Delete the unknown modules alone, as described in the pictures; let me know how it went
1
Anonymous User
Feb 4, 2012 at 10:21 AM
That's a great improvement. I want you to restart the PC, run TDSSKiller again, run aswMBR again and post the new logs

The TDSSKiller log is present in the C drive. Make sure you get the latest one.
1
You're awesome to help me like this; I appreciate it sooo much. Anywhere you go for help it is either half-assed help or super, super expensive. THANK You
0
Anonymous User
Feb 4, 2012 at 08:32 PM
That looks good

Download

https://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close any open browsers or any other programs that are open.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.



In your next post I need the following

* Log from Combofix
* How is the computer doing now?
1
So I only have the trial version of Malwarebytes, as you gave me, and it won't give me an option to disable protection since I don't have the full version. So I just uninstalled it, rebooted and then ran ComboFix. It went all the way through and got stuck on the "creating a log" step for 35 min... I am trying again and it still says ComboFix has detected the following antivirus realtime protection: *** "Malware Protection Center" ***... I have no idea how to disable this as I don't even know what it is; I was assuming it was Malwarebytes... SORRY!!!
0
Anonymous User
Feb 5, 2012 at 12:26 AM
I want you to run ComboFix once again (you need not post the log)

Restart your PC twice

Press Windows+R key and type

combofix /uninstall

click ok

This should uninstall your combofix

Download

http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Launch it; it will close all running programs

Click on START; it should ask for a reboot

Download

https://download.bleepingcomputer.com/farbar/MiniToolBox.exe

Check the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Make sure to post the logs by clicking on REPLY
1
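Of the MiniToolBox items above, the hosts file is the one worth reading by hand, because rogue AV families blackhole security vendors' update and download hosts, or redirect them, so the victim cannot fetch a real scanner. As an added example (not MiniToolBox's code and not from this thread), this audit parses a hosts file and flags watched domains mapped to loopback or 0.0.0.0 (blocked) and any name mapped to a non-local address (redirected), while leaving ordinary ad-blocking entries alone. The SAMPLE_HOSTS text and the WATCHED_SUFFIXES list are constructed for the example; adapt the list to the vendors you rely on.

```python
import ipaddress

# Vendor and update domains a rogue AV typically blackholes or redirects.
# Illustrative list (assumption), extend it with whatever your scanners fetch from.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "kaspersky.com", "symantec.com", "bleepingcomputer.com",
)


def is_local_address(ip: str) -> bool:
    """Loopback (127.x / ::1) or the unspecified address (0.0.0.0) count as blackholing."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text: str):
    """Yield (line_number, ip, [names]) for each effective entry; comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        yield lineno, ip, names


def is_watched(name: str) -> bool:
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> list:
    """Return findings as dicts: kind is 'blackholed', 'redirected' or 'unparseable'."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            local = is_local_address(ip)
        except ValueError:
            findings.append({"line": lineno, "kind": "unparseable", "name": ip, "ip": ip})
            continue
        for name in names:
            if name.lower() == "localhost" and local:
                continue                     # the one entry every hosts file has
            if local and is_watched(name):
                findings.append({"line": lineno, "kind": "blackholed", "name": name, "ip": ip})
            elif not local:
                findings.append({"line": lineno, "kind": "redirected", "name": name, "ip": ip})
    return findings


# Constructed sample, not the poster's hosts file. 198.51.100.0/24 is a
# documentation range standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       downloads.malwarebytes.org   # blocked: no way to install MBAM
198.51.100.23   www.google.com               # searches go to the attacker
0.0.0.0         ads.example.net              # plain ad-blocking entry, not flagged
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['kind']:<11} {f['name']} -> {f['ip']}")
```

On XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; paste the "List content of Hosts" section of the MiniToolBox report into this script or point it at the file directly. A "redirected" finding for a name you never added is the one to act on first, since it means the machine's view of that site is under someone else's control.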
Anonymous User
Feb 6, 2012 at 09:41 PM
I'm sorry, I did not see it.

Uninstall ESET Online Scanner and Norton Online Scan.

You do not have an antivirus.

I would recommend installing the AVG or Avira free versions.

Your RAM size is low. It is better to upgrade it to 1 GB.

What are the issues you face now?
1
Anonymous User
Feb 8, 2012 at 10:20 AM
You're most welcome

I want you to do this

Turn off System Restore, restart the PC, turn on System Restore and create a new restore point.

https://support.microsoft.com/en-us/help/310405

good luck
1
Ambucias (Moderator)
Feb 8, 2012 at 04:06 PM
@Sundar, that was a lot of hard work! Fantastic, noble achievement! Congratulations! You are a winner!

Ambucias

P.S. Your last advice is also right on!

(I was following, as some of the logs got filtered and I restored them)
1
I am so glad I found this website and got such awesome advice... Recommended to everyone.
0
I don't have any options in my start menu; everything is blank. How do I run safe mode through a command line?
0
Sorry, I mean when I try to hit F2 during boot it won't let me. Gotta try F8 now.
0
Trying to get the comp to give me the safe mode screen after just killing it without shutdown.
0
So no programs in safe mode appear either...
0
Cannot get any logs either because Admin Tools is also empty.
0
exeHelper by Raktor
Build 20100414
Run at 14:20:09 on 01/28/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
0
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912020206

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/2/2012 6:14:05 PM
mbam-log-2012-02-02 (18-14-05).txt

Scan type: Quick scan
Objects scanned: 252420
Time elapsed: 16 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
0