PC Infected Full of TROJANS......Can’t Delete & Keep Coming Back!!
Associate
Posts: 186 Forumite
in Techie Stuff
Hi, I’m going to have to give a fair bit of info so that you can get as clear a picture as possible, so please bear with me.
I’ve got Windows XP with Kaspersky Internet Security Suite 2010. I was on a couple of Football streaming sites yesterday and soon after my PC and Kaspersky were all over the place.
I get a couple of Kaspersky Alarm messages that say:
1) Object: C:\WINDOWS\system32\msbyylfy.dll
   Trojan program: Trojan-GameThief.Win32.OnLineGames.wjk
2) Object: C:Windows\system\User.dll
   Trojan program: Trojan.Win32.patched.gq
I keep on getting prompts from Kaspersky about Trojans in the system, the PC has really slowed down, Internet browsing (which may not be recommended) is very slow, programs like Microsoft Word freeze.
Kaspersky isn’t scanning properly either; when I try to, it just stops. Its automatic Threat Detection feature that is supposed to Delete & Disinfect Viruses and Threats isn't working, and whatever it does do, the Trojans keep on coming back even though Kaspersky says that after Restarting PC Threats will be Removed!
Here is Kaspersky's Threat Detection Log:
Status: Detected (events: 1)
31/03/2010 01:15:59 Detected Trojan program Trojan-Downloader.Win32.Delf.zyx http://download.xwche.com/setup.exe...0785//2//ASPack
Status: Detected (events: 2)
31/03/2010 00:15:02 Detected malicious URL http://pozeml.com/oc/box.txt
31/03/2010 01:16:03 Detected malicious URL http://img.ub8.net/banner.exe?t=0.9174008
Status: Detected (events: 3)
31/03/2010 05:09:52 Detected Trojan program Trojan.Win32.Patched.gq C:\WINDOWS\system32\user32.DLL
31/03/2010 00:16:02 Detected Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT17.tmp//PE_Patch.UPX
31/03/2010 01:29:43 Detected Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT75.tmp//PE_Patch.UPX
Status: Deleted (events: 12)
31/03/2010 00:15:46 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT17.tmp
31/03/2010 00:15:46 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT17.tmp//PE_Patch.UPX//UPX
31/03/2010 00:33:13 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT270.tmp
31/03/2010 00:33:13 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT270.tmp//PE_Patch.UPX
31/03/2010 00:33:13 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT270.tmp//PE_Patch.UPX//UPX
31/03/2010 01:17:37 Deleted Trojan program Trojan-Dropper.Win32.Agent.buvq C:\WINDOWS\system32\660436.exe
31/03/2010 01:29:25 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT75.tmp
31/03/2010 01:29:25 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT75.tmp//PE_Patch.UPX//UPX
31/03/2010 04:12:57 Deleted Trojan program Trojan.Win32.Patched.gq C:\WINDOWS\system32\user32.DLL
31/03/2010 04:19:00 Deleted Trojan program Trojan-GameThief.Win32.OnLineGames.wjik C:\WINDOWS\system32\msbyylfy.dll
31/03/2010 04:44:21 Deleted Trojan program Trojan-Clicker.Win32.Refpron.jy C:\WINDOWS\system32\3298914.exe
31/03/2010 04:44:21 Deleted Trojan program Trojan-Clicker.Win32.Refpron.jy C:\WINDOWS\system32\3298914.exe//#
Status: Will be disinfected when the computer is restarted (events: 1)
31/03/2010 05:09:52 Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.gq C:\WINDOWS\system32\USER32.dll
For Trojan.Win32.Patched.gq Kaspersky doesn't even attempt to do anything.
I've also got Malwarebytes Anti-Malware on my PC, so I did a quick scan with it several times because Kaspersky didn't seem to be able to remove anything. Anyway, the last scan I ran with Malwarebytes resulted in it detecting 33 infected objects, probably also due to the fact that my internet connection was still On!
Here is the log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3935
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
31/03/2010 04:09:35
mbam-log-2010-03-31 (04-09-35).txt
Scan type: Quick scan
Objects scanned: 107392
Time elapsed: 46 minute(s), 54 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 7
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> No action taken.
Memory Modules Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Trojan.Agent) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.
Files Infected:
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\1018167.exe (Trojan.Agent.Gen) -> No action taken.
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\ms.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
C:\WINDOWS\system32\8308054.exe (Trojan.Agent.Gen) -> No action taken.
C:\WINDOWS\Temp\VRT18.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> No action taken.
Even after Malwarebytes found infected objects and required the PC to be Restarted for the Infected objects to be deleted, when I did so I kept on getting the same messages from Kaspersky and it was back to square one with the Trojans still there!
Out of panic and ignorance, I installed SuperAntiSpyware on the PC to see if I got any joy, obviously not, but it detected 11 Infected objects when I ran a quick scan, here is the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/31/2010 at 04:46 AM
Application Version : 4.35.1000
Core Rules Database Version : 4744
Trace Rules Database Version: 1978
Scan type : Quick Scan
Total Scan Time : 00:14:45
Memory items scanned : 352
Memory threats detected : 1
Registry items scanned : 391
Registry threats detected : 8
File items scanned : 6153
File threats detected : 2
Trojan.Agent/Gen-Virut[WinLogo]
C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\SCRIPTS\LOGON\WINLOGO.EXE
C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\SCRIPTS\LOGON\WINLOGO.EXE
C:\WINDOWS\Prefetch\WINLOGO.EXE-184FCAAF.pf
Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5
I don't know how these Trojans got in but they seem to have some sort of "backup" and can't be Deleted or just keep coming back.
Kaspersky seems pretty obsolete, whereas a program like Malwarebytes Anti-Malware seems to detect quite a lot of the Infected objects but they still remain, and when Malwarebytes wrongly gives the all CLEAR, Kaspersky is still giving the same prompts.........I'm sorry if I'm not making much sense but none of this is making sense to me!
Sorry for going on and if I haven't managed to be cohesive.....but I'm sure there are people out there who have come across this......please kindly give me Clear, Step by Step instructions on how to rid my PC of these Trojans.
Probably a bit late, but I don't know if its best not to connect to the internet in the meantime?
SORRY if some of the info was all over the place, the PC really is playing up!
I'm really stressed out about this......
THANK YOU!!
Kind regards,
Jay
Comments
Download and run HijackThis http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
Post results here and someone can advise you on what needs doing.
Every day when I wake up I thank the Lord I'm WELSH. .
PC & Internet very slow......just about managed to download......Trend Micro suggested to Scan & Log, after doing so in a matter of seconds this is what it showed:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:38:29, on 31/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\Desktop\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\4440226.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [rmosnq] RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\Desktop\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236393556446
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\Desktop\SASWINLO.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5064 bytes
Any ideas please?
Hi
The problem is once the liar is IN your system you cannot trust ANYTHING in your system!!! Therefore you need to scan the hard drive outside of your system (NOT booting from the hard drive).
The best known ways to get rid of a hosed PC are:
1. Burn it :eek:
2. TOTALLY reformat and reinstall :(
3. Take your hard drive out and put it in another PC as a SLAVE drive and then do a scan of the slave drive :)
4. Use a "live" Linux CD that contains a virus scanner and boot from the CD IN your OWN PC and then scan your hard drive :j ... Google = linux live cd with virus scanner
IT is for every one not just those that can see, know how or have a lot of money...
First off DON'T PANIC!
Your first post is a bit confusing, you said......Out of panic and ignorance, I installed SuperAntiSpyware.....nothing wrong at all with SAS.
Try SAS again but update it first before running a full scan and delete anything it finds.
When you have done that run a full scan with Malwarebytes but update it first before running a full scan, delete anything it finds and then post the log file in your next message.
PS. Make sure you are disconnected from the internet when scanning.
Lots of people I am sure will give you advice on how to clean up your computer, but there is only one 100% safe solution. Back up all of your data files (docs, photos, emails etc) to a USB stick or drive, then get out your Windows CD and format the drive and re-install. It is a pain, because you have to install all of your programs again and set everything up, but it is still quicker than "disinfecting" your computer over and over again. As soon as you get Windows up and running, get all the Windows updates immediately, install your anti-virus software (Microsoft Security essentials is a good choice if you want a free one). Apart from anything else, you will be amazed at how quickly your computer will run again - like the day you bought it.
Good luck!
Yes, this is right; however, there is particularly nasty stuff that will not go away with a normal format. It is rare but it does exist, called "root kits". But that aside...
1. If you back up your data, make sure you use a few AV systems to check your backups, as these will most probably contain viruses too.
2. Before the fresh install, disconnect your PC from any network and router.
3. After the fresh install, FIRST make sure you are behind a NAT firewall router that is set to factory standards (some viruses CAN change your router settings and open holes to get in again!!). Most modern broadband routers are so-called NAT firewalls.
Maybe you need to download these from a clean PC.
4. Immediately install an AV system BEFORE you connect to the network or INTERNET.
5. Then install the Firefox internet browser, or IE7 as a minimum.
6. If you are on XP or Vista look at installing Microsoft Steady State or Comodo Time Machine.
7. Then only go on the Internet and do Windows update.
IT is for every one not just those that can see, know how or have a lot of money...
Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/
Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM FULL SCAN then click SCAN.
Post the COMPLETE log here AFTER you've deleted everything it finds :idea:
TICK and FIX these in hijack ~
C:\WINDOWS\system32\w.exe
C:\WINDOWS\System32\4440226.exe
O4 - HKLM\..\Run: [rmosnq] RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w
:idea:
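The two findings this thread keeps circling back to are auto-start entries: the Run key in the HijackThis log that launches msyblkya.dll through RUNDLL32 (the line the reply above says to tick and fix), and the Malwarebytes "Registry Data Items" line in the first post showing sdra64.exe appended to Winlogon\Userinit, which winlogon runs at every logon. The script below is an added example, not code from this forum, from HijackThis, or from Malwarebytes: it parses those two log line formats and flags the persistence points a defender would review first. The sample lines are copied from the logs in this thread, except the numeric-name Run entry, which is constructed for illustration; the three flagging rules (rundll32 from a Run key, numerically named executables, anything other than userinit.exe in Userinit) are my own review heuristics, not either tool's detection logic.

```python
"""Audit auto-start entries in HijackThis O4 lines and Malwarebytes registry-data lines.

Added example for this thread; the heuristics below are review aids, not a
vendor's detection rules.
"""
import re
from dataclasses import dataclass

# HijackThis O4 line, e.g.
#   O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Malwarebytes "Registry Data Items Infected" line that carries a Bad/Good pair
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<tag>[^)]+)\) -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>[^)]*)\)"
)


@dataclass
class Finding:
    source: str   # the log line that triggered the finding
    reason: str   # why it deserves a look


def first_program(cmd: str) -> str:
    """Return the file name of the program a Run-key command line starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        prog = cmd[1:].split('"', 1)[0]        # quoted path with spaces
    else:
        prog = cmd.split()[0] if cmd else ""
    return prog.replace("/", "\\").rsplit("\\", 1)[-1]


def userinit_extras(value: str) -> list:
    """Entries in a Winlogon\\Userinit value other than userinit.exe.

    winlogon starts every comma-separated program listed here at logon, so an
    appended path is a persistence point (the thread's log shows sdra64.exe there).
    """
    extras = []
    for part in value.split(","):
        part = part.strip()
        if part and part.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(part)
    return extras


def audit_lines(lines) -> list:
    """Scan log lines and return the Findings worth reviewing, in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            prog = first_program(m.group("cmd"))
            if prog.lower().startswith("rundll32"):
                findings.append(Finding(line, "Run key launches a DLL through rundll32; identify that DLL"))
            elif re.fullmatch(r"\d+\.exe", prog, re.IGNORECASE):
                findings.append(Finding(line, "Run key starts an executable with a purely numeric name"))
            continue
        m = MBAM_DATA_RE.match(line)
        if m and m.group("key").lower().endswith(r"\winlogon\userinit"):
            for extra in userinit_extras(m.group("bad")):
                findings.append(Finding(line, f"Userinit runs an extra program at logon: {extra}"))
    return findings


# Sample input: lines copied from the logs posted in this thread, plus one
# constructed Run entry (the numeric-name one) to exercise the third rule.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"',
    r"O4 - HKLM\..\Run: [rmosnq] RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w",
    r"O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\System32\4440226.exe",   # constructed
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) "
    r"-> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.",
]

if __name__ == "__main__":
    for f in audit_lines(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.source}")
```

Run against the sample it reports three entries: the rundll32 Run key, the numeric-name executable, and sdra64.exe in Userinit. The Kaspersky and Intel entries pass because a legitimate program name in a Run key is exactly what these heuristics leave alone; the point is to shorten the list a person has to read, not to decide on its own what is malicious.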
Unable to update SuperAntiSpyware before Scan, just wouldn't do it,
did Full scan and Deleted infected objects, here is the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/31/2010 at 01:47 PM
Application Version : 4.35.1000
Core Rules Database Version : 4744
Trace Rules Database Version: 1978
Scan type : Complete Scan
Total Scan Time : 01:30:29
Memory items scanned : 514
Memory threats detected : 2
Registry items scanned : 5011
Registry threats detected : 25
File items scanned : 16468
File threats detected : 10
Adware.Vundo/Variant-MSE
C:\WINDOWS\SYSTEM32\MSYBLKYA.DLL
C:\WINDOWS\SYSTEM32\MSYBLKYA.DLL
Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\BTWSVC.DLL
C:\WINDOWS\SYSTEM32\BTWSVC.DLL
Adware.Tracking Cookie
C:\Documents and Settings\Firdus\Cookies\firdus@tribalfusion[2].txt
Trojan.Agent/Gen-RefPron
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#Type
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#Start
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Security
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum#NextInstance
Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE30BE9F-7FF9-45B5-A1EA-9D3A35EC3062}\RP2\A0000552.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE30BE9F-7FF9-45B5-A1EA-9D3A35EC3062}\RP2\A0000553.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE30BE9F-7FF9-45B5-A1EA-9D3A35EC3062}\RP2\A0000554.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE30BE9F-7FF9-45B5-A1EA-9D3A35EC3062}\RP2\A0000555.OCX
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE30BE9F-7FF9-45B5-A1EA-9D3A35EC3062}\RP2\A0000556.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE30BE9F-7FF9-45B5-A1EA-9D3A35EC3062}\RP2\A0000558.EXE
Trojan.Agent/Gen-FakeAV
C:\WINDOWS\TEMP\VRT17.TMP
I was able to update Malwarebytes; however, I could not do a Full Scan as it just stops or the PC stops running. I was able to do a Quick Scan and removed the infected objects. Here is the log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3938
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
31/03/2010 20:00:48
mbam-log-2010-03-31 (20-00-48).txt
Scan type: Quick scan
Objects scanned: 107188
Time elapsed: 5 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ms.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\t1p0_66367433367.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\t1p2_108145452171.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Firdus\Local Settings\Temp\Ct0.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\Ct0.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT14A1.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT14B.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT945.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRTA30.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Cmojaa.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
*Every time I restart the PC, I get the following message in a box when it loads to the Windows XP Desktop:
RUNDLL
Error loading C:Windows\System32\msyblkya.dll
The specified module could not be found
*I have ticked & fixed the following in HijackThis:
O4 - HKLM\..\Run: [rmosnq] RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w
I haven't restarted the PC to see if the above message still shows.
I couldn't find the following, as stated by alieEnRIK, when I scanned with HijackThis again in order to tick & fix:
C:\WINDOWS\system32\w.exe
C:\WINDOWS\System32\4440226.exe
Thank you for all your suggestions so far. If I can run programs to get rid of this, great, and please keep on advising. If anyone knows whether I could fix it manually by going into the Registry or DOS mode (don't know if I'm making sense actually), I'm open to that. I guess if I have to, wiping the system may have to be the way to go.
Thank you!
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti-virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download