
Windows Security 2012 virus [Solved/Closed]

Screwed - Last answer on Feb 11, 2012 9:49pm GMT
Hello,
I am getting prompts to update my Windows Security to 2012 and asking for my credit card. After some research I have found this virus is a nasty one. But it seems to me I am the only one who cannot run Rkill, even through .com, .scr, .pif .... It downloads, then right when it is done the file is gone. Disappears.... I need help... bad. THANK YOU!!

104 replies
Answer
Download exeHelper and Malwarebytes from a clean PC to the infected PC

http://www.raktor.net/exeHelper/exeHelper.com

http://en.kioskea.net/download/download-105-malwarebytes-anti-malware

Boot the PC into safe mode with networking

Double-click on exeHelper.com to run the fix.

A black window should pop up; press any key to close it once the fix is completed.

Now install Malwarebytes, update it and run a FULL SCAN

Download

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Launch it. Click on Change parameters and select TDLFS file system

Click on "Scan". Please post the LOG report

Please download GMER from here (does not work on 64-bit OS)

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (Do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Answer
I can get back all your programs, but before that I need logs.

Please follow the instructions.

Run Malwarebytes, TDSSKiller and GMER and post the logs

Press Windows+R key and type

%temp% and click OK

If you find a folder called SMTMP, back it up to a safe location

Please post the logs in your next reply

screwed - Jan 29, 2012 7:24pm GMT
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912012902

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

1/29/2012 3:21:19 PM
mbam-log-2012-01-29 (15-20-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 312002
Time elapsed: 1 hour(s), 1 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LJBJnRHnXfQaR.exe (Trojan.FakeMS) -> Value: LJBJnRHnXfQaR.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger (Security.Hijack) -> Value: Debugger -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matthew Mitchell\Local Settings\Application Data\utq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ljbjnrhnxfqar.exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\all users\application data\b2c9j9obvnp8fi.exe (Rogue.FakeHDD) -> No action taken.
c:\documents and settings\all users\application data\hnqivklguoudnp.exe (Rogue.FakeHDD) -> No action taken.
c:\documents and settings\all users\application data\mrsahbvtphnii.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\all users\application data\o2damvcrztzqor.exe (Rogue.FakeHDD) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\00017768.exe (Trojan.FakeAV.Gen) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\la8e4i9z.exe.part (Trojan.FakeAV) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\qxsjy8oy.exe.part (Trojan.FakeAV) -> No action taken.
c:\documents and settings\Guest\local settings\Temp\icreinstall\videotomp3setup.exe (Adware.Agent) -> No action taken.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\fpishzgukueugzgsyok[1].exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\scandsk1007c_8051[1].exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(10).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(11).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(2).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(3).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(4).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(6).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(7).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(8).exe (Rogue.MSRemovalTool) -> No action taken.
c:\documents and settings\MOM\application data\auditpol.dll (Trojan.Downloader) -> No action taken.
c:\documents and settings\MOM\local settings\application data\jsc.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\MOM\local settings\application data\nmv.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\MOM\local settings\Temp\msimg32.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\Nick\local settings\application data\syssvc.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\Nick\local settings\temporary internet files\Content.IE5\CB0PUT8N\video[1].exe (Trojan.FakeAV) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc15.exe (Adware.Hotbar) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc2.exe (Trojan.FakeAlert) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc20.exe (Adware.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc21.exe (Adware.Hotbar) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069897.DLL (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069898.DLL (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069899.DLL (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069902.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP590\A0069945.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP593\A0070743.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP610\A0074933.exe (Trojan.FakeMS) -> No action taken.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP629\A0076310.exe (Trojan.FakeMS) -> No action taken.
screwed - Jan 29, 2012 7:26pm GMT
After the 'RUN' page comes up for TDSSKiller and I click Run, it does not run.. Can I delete the viruses from Malwarebytes??
screwed - Jan 29, 2012 7:34pm GMT
So I am stuck on that step, and I ran GMER and I cannot see where you want me to hit Scan. Other than the CMD tab...
Answer
Hi

> No action taken.

You have not removed infections.

Run the Malwarebytes scan again. Right click on the infection results and select all

Now click on REMOVE infections

I want you to run Malwarebytes in normal mode (full scan) and post the clean log

Download

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Launch it; it should ask for a restart. Let me know what it finds

Try to run GMER after removing the infections found by FixTDSS

Download

http://public.avast.com/~gmerek/aswMBR.exe

Launch it, allow it to download the latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here
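The helper's point above is that a Malwarebytes log full of "No action taken" means the scan found infections but removed nothing. As an added example (not code from the thread or from Malwarebytes), this Python parser reads the MBAM 1.x text log format seen in this thread, lists the detections still pending, cross-checks the header counts against the entries actually listed, and flags the registry changes in these logs that blunt the user's ability to respond (IFEO Debugger redirection, Security Center notifications, DisallowRun, Task Manager). The log format is inferred from the logs posted in the thread, and the sample log is a constructed excerpt in that format.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and report what still needs action.

Added example for this thread; not the original post's code and not Malwarebytes code.
Format assumed from the logs posted in the thread: a header of "<Category> Infected: N"
counts, then one section per category whose entries end in "-> <action>."
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the format of the first log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912012902

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Scan type: Full scan (C:\|)
Objects scanned: 312002

Memory Processes Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LJBJnRHnXfQaR.exe (Trojan.FakeMS) -> Value: LJBJnRHnXfQaR.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger (Security.Hijack) -> Value: Debugger -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\ljbjnrhnxfqar.exe (Trojan.FakeMS) -> No action taken.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # header count line
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # section start line
ITEM_RE = re.compile(r"^(.*) \(([^()]+)\)$")                # "<path> (<detection name>)"


@dataclass
class Entry:
    section: str
    item: str        # registry path or file path
    detection: str   # e.g. Trojan.FakeMS, Security.Hijack
    detail: str      # "Value: X" or "Bad: (1) Good: (0)"; empty for plain file entries
    action: str      # "No action taken" or "Quarantined and deleted successfully"


def parse_mbam_log(text):
    header_counts, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = COUNT_RE.match(line)
        if m:
            header_counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or " -> " not in line:
            continue  # scanner/OS banner lines before the first section
        parts = line.split(" -> ")
        m = ITEM_RE.match(parts[0])
        if not m:
            continue
        entries.append(Entry(section, m.group(1), m.group(2),
                             " ".join(parts[1:-1]), parts[-1].rstrip(".")))
    return {"header_counts": header_counts, "entries": entries}


def pending_entries(report):
    """Detections the scan listed but did not remove."""
    return [e for e in report["entries"] if e.action == "No action taken"]


def count_mismatches(report):
    """Sections whose header count disagrees with the entries actually listed."""
    actual = Counter(e.section for e in report["entries"])
    return {s: (n, actual[s]) for s, n in report["header_counts"].items() if n != actual[s]}


# Registry locations whose modification hampers the user's own response.
# Patterns are matched case-insensitively against the item path.
DEFENCE_IMPACT = [
    (r"\\image file execution options\\.*\\debugger$", "IFEO Debugger: named program is redirected to another executable"),
    (r"\\security center\\\w+disablenotify$", "Security Center warning silenced"),
    (r"\\policies\\explorer\\disallowrun\\", "DisallowRun: listed programs blocked from launching"),
    (r"\\policies\\system\\disabletaskmgr$", "Task Manager disabled"),
]


def defence_impact(report):
    hits = []
    for e in report["entries"]:
        for pattern, meaning in DEFENCE_IMPACT:
            if re.search(pattern, e.item, re.IGNORECASE):
                hits.append((e.item, meaning, e.action))
    return hits


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for e in pending_entries(rep):
        print(f"NOT REMOVED [{e.section}] {e.detection}: {e.item}")
    for item, meaning, action in defence_impact(rep):
        print(f"DEFENCE IMPACT: {meaning}: {item} ({action})")
    print("count mismatches:", count_mismatches(rep) or "none")
```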

screwed - Jan 30, 2012 11:17pm GMT
Thank You So Much!!!
screwed - Jan 30, 2012 11:22pm GMT
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912012902

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/30/2012 7:19:27 PM
mbam-log-2012-01-30 (19-19-27).txt

Scan type: Quick scan
Objects scanned: 252435
Time elapsed: 1 hour(s), 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 69
Registry Values Infected: 18
Registry Data Items Infected: 15
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LJBJnRHnXfQaR.exe (Trojan.FakeMS) -> Value: LJBJnRHnXfQaR.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 (Security.Hijack) -> Value: 0 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 (Security.Hijack) -> Value: 1 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 (Security.Hijack) -> Value: 2 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 (Security.Hijack) -> Value: 3 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 (Security.Hijack) -> Value: 4 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 (Security.Hijack) -> Value: 5 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 (Security.Hijack) -> Value: 6 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 (Security.Hijack) -> Value: 7 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 (Security.Hijack) -> Value: 8 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 (Security.Hijack) -> Value: 9 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 (Security.Hijack) -> Value: 10 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 (Security.Hijack) -> Value: 11 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 (Security.Hijack) -> Value: 12 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 (Security.Hijack) -> Value: 13 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 (Security.Hijack) -> Value: 14 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 (Security.Hijack) -> Value: 15 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=8051&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matthew Mitchell\Local Settings\Application Data\utq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ljbjnrhnxfqar.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\mrsahbvtphnii.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\o2damvcrztzqor.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\b2c9j9obvnp8fi.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\hnqivklguoudnp.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\isecurity.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\application data\auditpol.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc15.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc20.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-789336058-1604221776-1801674531-501\Dc21.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\rstrui.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\00017768.exe (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\la8e4i9z.exe.part (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\qxsjy8oy.exe.part (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\local settings\Temp\icreinstall\videotomp3setup.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\local settings\Temp\msimg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\local settings\application data\jsc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\MOM\local settings\application data\nmv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Nick\local settings\application data\syssvc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\scandsk1007c_8051[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\fpishzgukueugzgsyok[1].exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\Nick\local settings\temporary internet files\Content.IE5\CB0PUT8N\video[1].exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
screwed - Jan 31, 2012 4:53am GMT
So you wanted me to post the clean log; well, I ran it again and there were still 22 infections on the 2nd scan.... So I will keep scanning and removing until it is clean.....
Answer
Download

http://download.bleepingcomputer.com/grinler/unhide.exe

Boot into safemode with networking,

Launch it, allow it to run, it should restore all your hidden files

Please follow the instructions.

Run Malwarebytes once in normal mode (full scan), post the clean log alone

Run TDSSkiller and GMER as instructed in my first reply and post the logs


Press Windows+R key and type

%temp% and click ok

If you find a folder called SMTMP, back it up to a safe location

Let me know how it went.

Please follow my instructions. Do not post the EXEHELPER.COM log every time

Thanks

screwed - Jan 31, 2012 4:56am GMT
I'm posting this here because it will be hidden after restart. 2nd scan log -
Objects scanned: 315178
Time elapsed: 4 hour(s), 45 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP593\A0070743.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP610\A0074933.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP629\A0076310.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078354.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078355.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078356.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP630\A0078357.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069902.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069897.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069898.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP589\A0069899.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3983c03a-f7a8-4e74-8111-8b150eae382e}\RP590\A0069945.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\application data\Sun\Java\deployment\cache\6.0\41\776bf8a9-4faf98ad (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(10).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(11).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(2).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(3).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(4).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(6).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(7).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\my documents\my videos\FlexView\new folder\clean(8).exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
Screwed - Feb 2, 2012 9:01pm GMT
I am sorry for not posting the clean log, but I have run the scan over 6 times and I cannot get my system clean..... So that is why there is no clean log.... Don't delete this thread; I am continuing to run scans and delete infections...
Screwed - Feb 2, 2012 9:02pm GMT
Unhide fix won't run
TDSSKiller won't run
TDSS Fix did work and says Backdoor.Tidserv has NOT been found
GMER said no system modifications have been found
Answer
Hello,

Nobody has replied to you since January 31st. How is your system behaving? Do you need further help?

Screwed - Feb 2, 2012 7:11pm GMT
Gmer says it found No System Modification
sundar7701- Feb 2, 2012 7:13pm GMT
Hi

You're not following any instructions as suggested.

I'm still waiting for you to post the Malwarebytes clean log

Did you run the UNHIDE fix which I gave?

You said TDSSKiller is not working but now you say that TDSSKiller found a backdoor

You're not interested in running GMER and aswMBR

You're still waiting for instructions when you did not post the logs and you are not following my instructions

I'm sorry, but how can I help you?
Screwed - Feb 2, 2012 7:14pm GMT
3rd time I ran this and still getting infections... As far as I know (Backdoor.Bot) is what TDSS Fix found... Running Malwarebytes until I get a clean system...

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912020206

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/2/2012 3:11:41 PM
mbam-log-2012-02-02 (15-11-41).txt

Scan type: Quick scan
Objects scanned: 252408
Time elapsed: 46 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KndCLIWLJesl.exe (Rogue.Agent.SA) -> Value: KndCLIWLJesl.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAwhgCLyHSr.exe (Rogue.Agent.SA) -> Value: PAwhgCLyHSr.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\matthew mitchell\local settings\Temp\131068.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\Temp\278524.exe -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\Temp\wpbt0.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\temporary internet files\Content.IE5\6P820VR1\setup[1].exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\kndcliwljesl.exe (Rogue.Agent.SA) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\pawhgclyhsr.exe (Rogue.Agent.SA) -> Quarantined and deleted successfully.
Answer
Press Windows+R key and type

cmd and click ok

Now run these commands


cd\

cd Windows\System32

attrib -h c:\*.* /s /d


Allow it to run till it unhides your files.

I will wait for the MALWAREBYTES and ASWMBR logs

Do not click on ADD COMMENTS, I want you to click on the REPLY option at the bottom of the page and post the LOGS


Thanks

Answer
Go ahead and run the commands as instructed in previous post

Answer
Download

http://ad13.geekstogo.com/MBRCheck.exe

Double click MBRCheck.exe

It will show a black screen with some information that will contain either the line below if no problem is found:

Press ENTER to exit...

Or

you will see more information like below if a problem is found:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Just choose to exit the program at this point since we want to see only the scan results to begin with.
MBRCheck will create a log on the desktop, post the log result

Answer
Did you restart your computer?

Did you face any issues?

I want you to run aswmbr and TDSSkiller now

Launch mbrcheck.exe, press N to exit. Post the latest MBRCheck log from the desktop

Answer
You can't run them because you still have an infected MBR

37 GB \\.\PhysicalDrive0 MBR Code Faked!

I want you to follow the instructions again


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel


Press 1 at this stage, type YES and press ENTER

Delete the MBRCheck logs present on the desktop

Restart the PC and rerun MBRCheck to generate a log, post it here

Answer
That's ok, let's try another way

Run MBRCheck again, press 2

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel


Press 0 (NOT 1) at this stage, type YES and press ENTER

Restart the PC and let me know IF you can run TDSSkiller and aswmbr

Answer
I want you to run TDSSkiller using this method

http://en.kioskea.net/faq/18862-rootkit-boot-sst

Follow the procedures given there

You should be able to run TDSSkiller

Delete the unknown modules alone as described in the pictures, let me know how it went

Answer
That's a great improvement, I want you to restart the PC, run TDSSKiller again, run aswMBR again and post the new logs

The TDSSKiller log is present in the C drive. Make sure you get the latest one

Screwed - Feb 4, 2012 3:33pm GMT
You're awesome to help me like this, I appreciate it sooo much. Anywhere you go for help it is either half-assed help or super super expensive. THANK You
Answer
That looks good

Download

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close any open browsers or any other programs that are open.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.



In your next post I need the following

* Log from Combofix
* How is the computer doing now?

Screwed - Feb 5, 2012 4:11am GMT
So I only have the trial version of Malwarebytes as you gave me, and it won't give me an option to disable protection since I don't have the full version. So I just uninstalled it and rebooted and then ran ComboFix. It went all the way through and got stuck on the "creating a log" step for 35 min.... I am trying again and it still says ComboFix has detected the following antivirus realtime protection: *** "Malware Protection Center" ***..... I have no idea how to disable this as I don't even know what it is; I was assuming it was Malwarebytes.... SORRY!!!
Answer
I want you to run ComboFix once again (no need to post the log)

Restart your PC twice

Press Windows+R key and type

combofix /uninstall

click ok

This should uninstall your combofix

Download

http://oldtimer.geekstogo.com/TFC.exe

Launch it, it will close all running programs

Click on START, it should ask for a reboot

Download

http://download.bleepingcomputer.com/farbar/MiniToolBox.exe

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Make sure to post the logs by clicking on REPLY

Answer
I'm sorry, I did not see it

Uninstall ESET Online Scanner, Norton Online Scan

You do not have an antivirus.

I would recommend installing the AVG or Avira free versions

Your RAM size is low. It is better to upgrade it to 1 GB

What are the issues you face now?

Answer
You're most welcome

I want you to do this

Turn off System Restore, restart the PC, turn on System Restore and create a new restore point

http://support.microsoft.com/kb/310405

good luck

Answer
@Sundar, That was a lot of hard work! Fantastic noble achievement! Congratulations! You are a winner!

Ambucias

P.S. Your last advice is also right on!

(I was following as some of the logs got filtered and I restored them)

scrwed - Feb 11, 2012 9:49pm GMT
I am so glad I found this website and got such awesome advice.... Recommended to everyone..
Answer
I don't have any options in my start menu; everything is blank. How do I run safe mode through a command line?

Screwed - Jan 28, 2012 6:07pm GMT
Cannot get any logs either because admin tools is also empty
screwed - Jan 28, 2012 6:21pm GMT
exeHelper by Raktor
Build 20100414
Run at 14:20:09 on 01/28/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
screwed - Jan 28, 2012 6:23pm GMT
exeHelper by Raktor
Build 20100414
Run at 14:22:13 on 01/28/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
Answer
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 912020206

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/2/2012 6:14:05 PM
mbam-log-2012-02-02 (18-14-05).txt

Scan type: Quick scan
Objects scanned: 252420
Time elapsed: 16 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
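The helper keeps asking for a "clean log": a Malwarebytes log whose summary counters are all zero, from a full scan run in normal mode rather than Safe Mode. As an added example (not from the thread and not Malwarebytes code), the parser below reads an MBAM 1.x text log like the ones above and lists why it would not be accepted; the sample log is constructed from fields seen in this thread, and the "Full scan" label is an assumption about how MBAM writes it.

```python
"""Check whether a Malwarebytes' Anti-Malware 1.x text log is the "clean log"
asked for in this thread: every "... Infected:" counter is zero and the scan was
a full scan run in normal (not Safe) mode.  Added example for this thread, not
code from the original posts or from Malwarebytes."""
import re

COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Detail line: "<path or key> (<Detection.Name>) -> <action>".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {"counts", "detections", "scan_type", "safe_mode"} for one log;
    detections is a list of (section, item, detection name, action)."""
    rep = {"counts": {}, "detections": [], "scan_type": None, "safe_mode": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Windows ") and "(Safe Mode)" in line:
            rep["safe_mode"] = True
        elif line.startswith("Scan type: "):
            rep["scan_type"] = line[len("Scan type: "):]
        elif (m := COUNTER_RE.match(line)):
            rep["counts"][m["name"]] = int(m["n"])
        elif line.endswith(" Infected:"):
            section = line[:-1]  # start of a detail section
        elif section:
            d = DETECTION_RE.match(line)
            if d:
                rep["detections"].append((section, d["item"], d["name"], d["action"]))
            else:  # a few lines carry no detection name (see 278524.exe above)
                item, _, action = line.partition(" -> ")
                rep["detections"].append((section, item, "", action))
    return rep


def is_clean(rep):
    """True when the summary block reports zero for every counter."""
    return bool(rep["counts"]) and all(n == 0 for n in rep["counts"].values())


def problems(rep):
    """Reasons the log does not satisfy "run in normal mode, full scan, post
    the clean log"; an empty list means the helper would accept it.
    Assumption: a full scan is labelled "Scan type: Full scan"."""
    out = []
    if not is_clean(rep):
        out.append("%d infected items" % sum(rep["counts"].values()))
    if rep["safe_mode"]:
        out.append("run in Safe Mode")
    if rep["scan_type"] != "Full scan":
        out.append("scan type %r is not a full scan" % rep["scan_type"])
    return out


# Constructed sample, assembled from fields of the logs posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.0.1200
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Quick scan
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\kndcliwljesl.exe (Rogue.Agent.SA) -> Quarantined and deleted successfully.
c:\documents and settings\matthew mitchell\local settings\Temp\278524.exe -> Quarantined and deleted successfully.
"""
```

Running `problems(parse_mbam_log(SAMPLE_LOG))` on the constructed log returns three reasons (infected items, Safe Mode, quick scan), which is exactly why the logs posted above were not accepted as clean.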

This document entitled « Windows Securty 2012 virus » from Kioskea.net (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.