Avast WEBforum

Other => Viruses and worms => Topic started by: Myles45 on March 03, 2010, 01:39:42 PM

Title: Windows XP 2010 says PC infected
Post by: Myles45 on March 03, 2010, 01:39:42 PM
Hi all, need some advice please.
I have Avast 4.8 Pro. It detected Win32:FakeAlert-IH [Drp] today in an email attachment
& I sent it to the virus chest.
I now have Windows telling me 25 infections found, system integrity threat, stealth intrusion & various other things, constantly, & that I need to activate my copy now!! & also that my firewall is off.

Should I activate Antivirus XP 2010? As I understand it, it's not right to run more than one antivirus program at once. & should I activate the firewall?

How can I tell if the 25 "serious issues" it detected are actually on my system or not? & why has Avast not detected them?

Thanks in advance
regards
myles
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 03, 2010, 01:48:10 PM
Hi Myles45

Antivirus XP 2010 is a ROGUE.

Download Malwarebytes from http://www.malwarebytes.org/, update it and run a quick scan. Remove whatever it finds. After you have used Malwarebytes, use SUPERAntiSpyware from http://www.superantispyware.com/, also updated, and run a full scan.
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 03, 2010, 02:09:30 PM
Thanks Harman,
I just read a previous thread about the UPS email, and that's actually what happened to me (stupidly opened the attachment innocently, as we'd had deliveries from them over Xmas).
Is there anything else I should do with this in mind?

Also, I just went to Windows Security Centre in Control Panel to check the firewall status & it says in there that "antivirus XP 2010 reports firewall turned off". Is it possible that this ROGUE has got in there? & if so, is Windows Security Centre compromised also?

I have currently disconnected my PC from the Internet. Obviously I need to reconnect to download the antimalware software. Is there anything I should be doing to protect the PC whilst I'm back online, i.e. with regards to the firewall etc.?

Thanks
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 03, 2010, 02:17:12 PM
Well, usually a rogue displays fake alert messages and hijacks your Security Center in order to get an unsuspecting person to purchase it. From what I understand, you can download both SUPERAntiSpyware and Malwarebytes.

XP Antivirus 2010 removal guide:

http://forums.techarena.in/networking-security/1111989.htm
Title: Re: Windows XP 2010 says PC infected
Post by: Pondus on March 03, 2010, 03:29:55 PM
Quote
Is there anything I should be doing to protect the PC whilst I'm back online, i.e. with regards to the firewall etc.?
Malwarebytes Anti-Malware PRO will stop it, a one-time fee for a lifetime license: www.malwarebytes.org

Automated Removal Instructions for XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 using Malwarebytes' Anti-Malware: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 03, 2010, 06:20:05 PM
Thanks for the replies & links. Have downloaded both programs & SUPERAntiSpyware is scanning as we speak. I could not run Malwarebytes for some reason; I presume the virus is stopping it.
When I do get everything sorted, is it ok to run both of the above alongside Avast?

Also, is it safe to have any other programs open on my computer whilst doing these scans?

I have a sign writing business & could do with getting a bit of work done!!

Title: Re: Windows XP 2010 says PC infected
Post by: Pondus on March 03, 2010, 06:24:48 PM
Quote
When I do get everything sorted, is it ok to run both of the above alongside Avast?
Yes, see my signature.

Quote
I could not run Malwarebytes for some reason; I presume the virus is stopping it.
The first 5 steps in the guide I sent are about how to fix that.
If that does not work you can try the manual removal guide harman123 sent.

Quote
Also, is it safe to have any other programs open on my computer whilst doing these scans?
Not sure, but I would not do it.
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 03, 2010, 06:28:21 PM
If you have trouble installing or running Malwarebytes: if you have it downloaded, rename the setup file, then try installing it again.

Right-click the mbam-setup.exe file > click Rename > rename it something.exe, then try to run it. If it installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename the mbam.exe file, then try to run it again. If still no luck, rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.
Title: Re: Windows XP 2010 says PC infected
Post by: scythe944 on March 03, 2010, 07:55:11 PM
Quote
If you have trouble installing or running Malwarebytes: if you have it downloaded, rename the setup file, then try installing it again.

Right-click the mbam-setup.exe file > click Rename > rename it something.exe, then try to run it. If it installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename the mbam.exe file, then try to run it again. If still no luck, rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Or download this: http://download.bleepingcomputer.com/grinler/rkill.com first and run it. This will shut the Rogue down and allow you to install and run MBAM (usually).

If you're running SAS though, that should do it. Just wait until it removes the rogue, and reboot, then MBAM should be able to install afterwards.
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 03, 2010, 08:20:37 PM


Quote
Or download this: http://download.bleepingcomputer.com/grinler/rkill.com first and run it. This will shut the Rogue down and allow you to install and run MBAM (usually).

If you're running SAS though, that should do it. Just wait until it removes the rogue, and reboot, then MBAM should be able to install afterwards.

Thanks for that, just did it & it seems to have stopped the Rogue, but when I try to run MBAM a box opens asking me what program I want to use to open the .exe file. What do I use to open it?
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 03, 2010, 08:24:31 PM
Looks like your malwarebytes download is corrupt. Try to download fresh copy again.
Title: Re: Windows XP 2010 says PC infected
Post by: scythe944 on March 03, 2010, 08:30:31 PM
Yeah, it's an .exe.  You don't need anything to open it, it should open by itself.

Wait, harman123 told you to try renaming the .exe earlier in this thread. If you did, make sure the file extension is correct (.exe). It's probably better to just download MBAM again anyway, just to be safe.
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 12:20:41 AM
OK,
Now I think I have a problem!! :'(

Avast found several more viruses after the SAS scan & advised a shutdown & boot scan, which I did, & now that the computer has restarted... no .exe files will open when I click them & none have opened in the system tray, including Avast & SAS. What do I do now please?
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 12:27:45 AM
This is what avast found in boot scan:

11/06/2008 21:50
Scan of all local drives

Number of searched folders: 7031
Number of tested files: 102098
Number of infected files: 0

----------------------------------------
03/03/2010 20:34
Scan of all local drives

File C:\Documents and Settings\Administrator\Local Settings\Application Data\trz17B.tmp is infected by Win32:Malware-gen, Moved to chest
File C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP818\A0142120.exe is infected by Win32:Malware-gen, Moved to chest
Number of searched folders: 12766
Number of tested files: 196252
Number of infected files: 2
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 04, 2010, 12:30:11 AM
First disable System Restore, and after you have cleaned up your system, re-enable it.
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 12:37:13 AM
Quote
First disable System Restore, and after you have cleaned up your system, re-enable it.

Hi Harman,

Thanks for the reply. How do I do that? Also, whilst I'm here, this is what was also found by Avast & put in the chest:

* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on 03 March 2010 08:14:34
* VPS: 100302-1, 02/03/2010
*

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3F.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\41.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\102.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11E.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\174.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\176.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\178.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{ACFA268F-DEB7-4194-BC40-51C6AA35E441} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{876E24D7-C2C8-435F-BD5A-1E269A5C41C9} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{D0120B1C-340F-4B65-87C0-4FA470DE0207} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{4E855F6F-B60F-492B-BF70-384AC0C0015E} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\180.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\182.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\19E.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1A0.tmp [L] Win32:FakeAlert-IH [Drp] (0)
File was successfully moved to chest...

*
* Task stopped: 03 March 2010 20:30:46
* Run-time was 12 hour(s), 16 minute(s), 12 second(s)
*

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on 03 March 2010 22:42:50
* VPS: 100303-0, 03/03/2010
*
Do I take it from these results that Avast has now quarantined Superantispyware??
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 04, 2010, 12:42:55 AM
Quote
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{ACFA268F-DEB7-4194-BC40-51C6AA35E441} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{876E24D7-C2C8-435F-BD5A-1E269A5C41C9} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{D0120B1C-340F-4B65-87C0-4FA470DE0207} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-03-2010 - 17-45-50\{4E855F6F-B60F-492B-BF70-384AC0C0015E} [L] Win32:Rootkit-gen [Rtk] (0)
File was successfully moved to chest...

Looks like a false positive above.

Enable or disable System Restore:
http://support.microsoft.com/kb/310405
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 12:48:28 AM
So what does that mean? A false positive?

& where do I go from here?

A couple of times now I have had a window come up saying something like "sys32 dll not found". What does this mean?


Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 04, 2010, 12:50:30 AM
False alarm on SUPERAntiSpyware. Are you able to run any .exe, and what about Malwarebytes? Did you scan it?

The system32 folder does not contain a .dll file called system32.dll, so if you had it, you had something you should not have had.

Or in other words, Windows XP Home & Professional do not contain any such .dll in their registry. I would suggest you reboot your system to safe mode and scan with Malwarebytes, SUPERAntiSpyware, and Avast.

SYS32.DLL
http://www.prevx.com/filenames/2081204388492639399-X1/SYS32.DLL.html
Title: Re: Windows XP 2010 says PC infected
Post by: Pondus on March 04, 2010, 12:58:31 AM
Malwarebytes safe mode info: http://forums.malwarebytes.org/index.php?showtopic=5590

Hitman Pro 3 - Second Opinion Malware Scanner  http://www.surfright.nl/en/hitmanpro
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 01:05:00 AM
No, can't open any .exe files it seems.

Never managed to open Malwarebytes after it downloaded. I still have the setup application file but it won't open.

If I go into control panel & double click anything in there a box comes up saying C:\Windows\system32\rundll32.exe  Application not found.

Similarly if I go to Start - All programs & click any of the programs it either says application not found or "Open with" box  opens.

You said to disable restore, but would it not be better to try to restore to a previous point if possible?

Thanks
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 04, 2010, 01:11:30 AM
Do NOT restore your computer; it will restore all the malware you just cleaned up.

Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double-click fix.reg and click Yes to confirm.
Reboot your computer.

http://myantispyware.com/forum/rundll32-exe-application-not-found-t1761.html
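As an added example (not code from this thread or from Microsoft), a small Python helper that builds the fix.reg above and checks the points of regedit's documented .reg syntax that a hand-typed copy most often gets wrong: the header must be the first line exactly as written, followed by a blank line, and every value line must sit under a [key] line. It also shows how a value such as "%1" %* has to be escaped inside the file.

```python
"""Build and sanity-check a Regedit 5.00 .reg script such as the exefile
association fix posted above. Added example for this thread, not code from
the thread or from Microsoft; the checks follow regedit's documented .reg
syntax (header line, blank line, [key] sections, @="data" or "name"="data"
lines, with backslash and double quote escaped by a backslash in string data)."""
from typing import Dict, List, Optional

# Header for 2000/XP-style files, plus the older Win9x/NT4 header regedit still accepts.
REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")


def reg_escape(text: str) -> str:
    """Escape string data for a .reg file: backslash first, then the double quote."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_script(entries: Dict[str, Dict[Optional[str], str]]) -> str:
    """entries maps a key path to {value name: string data}; a None name is the
    (Default) value, which .reg files write as @."""
    lines = [REG_HEADERS[0], ""]              # header, then the blank line the format requires
    for key, values in entries.items():
        lines.append(f"[{key}]")
        for name, data in values.items():
            lhs = "@" if name is None else f'"{reg_escape(name)}"'
            lines.append(f'{lhs}="{reg_escape(data)}"')
        lines.append("")
    return "\r\n".join(lines)                 # Windows line endings


def check_reg_script(text: str) -> List[str]:
    """Return the problems that make regedit reject or misread a hand-typed script;
    an empty list means it looks sound."""
    problems: List[str] = []
    lines = text.lstrip("\ufeff").splitlines()   # a BOM from a Unicode save is harmless
    if not lines:
        return ["empty file"]
    if lines[0] not in REG_HEADERS:
        if lines[0].strip() in REG_HEADERS:
            problems.append("header has leading/trailing whitespace (copied with indentation?)")
        else:
            problems.append(f"first line is not a registry header: {lines[0]!r}")
    if len(lines) < 2 or lines[1].strip():
        problems.append("header must be followed by a blank line")
    in_key = False
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if not s or s.startswith(";"):        # blank lines and comments
            continue
        if s.startswith("["):
            if not s.endswith("]"):
                problems.append(f"line {n}: key path not closed with ]")
            in_key = True
        elif not in_key:
            problems.append(f"line {n}: value line before any [key] section")
        elif not (s.startswith("@=") or (s.startswith('"') and '"=' in s[1:])):
            problems.append(f"line {n}: not a value line: {s!r}")
    return problems


# The fix harman123 posted: make double-clicking an .exe run it with its arguments again.
EXEFILE_FIX = build_reg_script({
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {None: '"%1" %*'},
})

if __name__ == "__main__":
    print(EXEFILE_FIX)
    print("problems:", check_reg_script(EXEFILE_FIX))
    print("indented copy:", check_reg_script("    " + EXEFILE_FIX))
```

Saved from Notepad as ANSI with the .reg extension, the generated text is what the post above asks the reader to type by hand.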
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 04, 2010, 01:19:54 AM
Go to http://www.dougknox.com/xp/file_assoc.htm and download and run the EXE file association fix.

Are you able to run programs ending in EXE now?
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 01:29:18 AM
Quote
Do NOT restore your computer; it will restore all the malware you just cleaned up.

Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double-click fix.reg and click Yes to confirm.
Reboot your computer.

http://myantispyware.com/forum/rundll32-exe-application-not-found-t1761.html

OK, just did all that, & when I got to double-click fix.reg on the desktop, a Registry Editor box came up saying:
Cannot import C:Documents & settings\Administrator\Desktop\fix.reg:The specified file is not a registry script.
You can only import binary registry files from within the registry editor
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 01:35:28 AM
Quote
Go to http://www.dougknox.com/xp/file_assoc.htm and download and run the EXE file association fix.

Are you able to run programs ending in EXE now?

BINGO!!! Downloaded it & have now just opened the Malwarebytes setup wizard.

I presume I should continue to set this up & run a full scan straight away, should I, or should I reboot first?

Thanks again

Regards
Myles :)
Title: Re: Windows XP 2010 says PC infected
Post by: harman123 on March 04, 2010, 01:39:21 AM
Install Malwarebytes and update it, then run a full scan. If Malwarebytes asks to reboot in order to complete removal of the malware, then you click "Yes".
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 02:31:22 AM
Just running a full scan now with Malwarebytes. When that's finished, should I also do full scans with Avast & SUPERAntiSpyware before I do anything else? (Will post results shortly.)

Will I also still need to go through the procedure to remove the original problem of Antivirus XP 2010?

Just out of interest, after I rebooted last time had a box come up:
RUNDLL: error loading nynw.wmo. The specified module could not be found. 

What does this mean?
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 03:59:53 AM
OK, So, finished scan with Malwarebytes, Here's the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3823
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/03/2010 02:21:42
mbam-log-2010-03-04 (02-21-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 326435
Time elapsed: 1 hour(s), 13 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\My Documents\Application files\freezip.exe (Trojan.Agent) -> No action taken.

Now here is the log file from SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/03/2010 at 05:36 PM

Application Version : 4.34.1000

Core Rules Database Version : 4634
Trace Rules Database Version: 2446

Scan type       : Complete Scan
Total Scan Time : 02:32:14

Memory items scanned      : 652
Memory threats detected   : 2
Registry items scanned    : 6990
Registry threats detected : 16
File items scanned        : 122780
File threats detected     : 5

Trojan.Agent/Gen-Frauder
   C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\3E.TMP
   C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\3E.TMP
   C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\3E.TMP
   C:\WINDOWS\SYSTEM32\NYNW.WMO

Trojan.Agent/Gen-Rogue[AV]
   C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\AV.EXE
   C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\AV.EXE
   C:\WINDOWS\Prefetch\AV.EXE-09240382.pf

Adware.MyWebSearch
   HKU\S-1-5-21-2158612188-1835295398-4226529277-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
   HKU\S-1-5-21-2158612188-1835295398-4226529277-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

Trojan.Agent/Gen
   HKCR\idid
   HKCR\idid#url1
   HKCR\idid#url2

Adware.MyWebSearch/FunWebProducts
   HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
   HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
   HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
   HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
   HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
   HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version


Would it be safe to restore any of these files?

Thanks
Title: Re: Windows XP 2010 says PC infected
Post by: Pondus on March 04, 2010, 08:27:47 AM
Your Malwarebytes log says "No action taken." You have to click the "REMOVE SELECTED" button after the scan to quarantine the infections.
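As an added example (not Malwarebytes' or the thread's own code), a Python parser for the MBAM 1.x log layout posted above: it lists the findings whose action is still "No action taken.", pulls the Bad/Good pair out of the "Registry Data Items" lines, names the extra components the hijacked Winlogon Shell value launched alongside Explorer.exe (which is what a "RUNDLL: error loading" message at logon points to once the file itself is gone but the value still names it), and reports which Security Center notifications were switched off. The sample log is an excerpt constructed from the logs in this thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log in the layout posted in this
thread and report what is still pending. Added example, not Malwarebytes' own
code; SAMPLE_LOG is an excerpt constructed from the logs posted above."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3823

Registry Keys Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\My Documents\Application files\freezip.exe (Trojan.Agent) -> No action taken.
"""

# A line such as "Registry Keys Infected:" (nothing after the colon) opens a detail
# section; the summary lines near the top ("Registry Keys Infected: 1") do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# <path> (<detection>) -> <rest>; the path itself may contain parentheses, e.g. (default).
FINDING_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
# Registry Data Items also carry the value found and the value MBAM would restore.
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
PENDING = "No action taken."


@dataclass
class Finding:
    section: str
    path: str
    detection: str
    action: str
    bad: Optional[str] = None   # Registry Data Items only
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        hit = FINDING_RE.match(line) if section else None
        if not hit:          # blank line, header, or "(No malicious items detected)"
            continue
        rest = hit.group("rest")
        data = DATA_RE.match(rest)
        if data:
            findings.append(Finding(section, hit.group("path"), hit.group("detection"),
                                    data.group("action"), data.group("bad"), data.group("good")))
        else:
            findings.append(Finding(section, hit.group("path"), hit.group("detection"), rest))
    return findings


def pending(findings: List[Finding]) -> List[Finding]:
    """Findings the user still has to act on: MBAM logged them but removed nothing."""
    return [f for f in findings if f.action == PENDING]


def shell_hijack_extras(findings: List[Finding]) -> List[str]:
    """Programs the hijacked Winlogon Shell value starts besides the legitimate shell.
    If their files are deleted but the value is left, logon shows 'RUNDLL: error loading <name>'."""
    extras: List[str] = []
    for f in findings:
        if f.bad and f.path.lower().endswith(r"\winlogon\shell"):
            good = {t.lower() for t in (f.good or "").split()}
            extras += [t for t in f.bad.split() if t.lower() not in good]
    return extras


def security_center_notifications_off(findings: List[Finding]) -> List[str]:
    """Security Center *DisableNotify values set to 1: the alerts the rogue switched off."""
    return [f.path.rsplit("\\", 1)[-1] for f in findings
            if "\\security center\\" in f.path.lower() and f.bad == "1"]
```

Running `pending(parse_mbam_log(SAMPLE_LOG))` on the constructed excerpt lists four items, matching the "No action taken." lines Pondus points at above.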
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 10:42:16 AM
Quote
Your Malwarebytes log says "No action taken." You have to click the "REMOVE SELECTED" button after the scan to quarantine the infections.

Hi Pondus,

Yes, I see that now. Not sure why it said that actually, as I did remove them. Here's the log now:

Malwarebytes' Anti-Malware 1.44
Database version: 3823
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/03/2010 02:23:17
mbam-log-2010-03-04 (02-23-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 326435
Time elapsed: 1 hour(s), 13 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\My Documents\Application files\freezip.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Is it safe to delete all these files from quarantine? Or do I need to find replacements for any of them first?
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 10:55:25 AM
Also, it seems that XP Antivirus has been uninstalled, but according to the manual removal link I was sent earlier in this topic, on opening Task Manager & the Processes tab, it says to delete image names svchost.exe. Do I still need to do this, as it crops up in the process list 8 times?

It also said to delete the following REG keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014

Which are still in the registry. I just want to be certain it's safe or necessary to do so first.

And finally, here is the scan result from Avast. There are a few items that it says it could not scan; are these potential threats?

avast! Virus Cleaner Tool - version 1.0.211 Ansi

Creating log file: C:\Program Files\Alwil Software\Avast4\DATA\log\cleaner.log

3/4/2010, 8:48:27 AM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (28.1s).
----------
Files scanning started...
C:\Documents and Settings\Administrator\Application Data\Skype\myles.brewer\dc.db-journal... file could not be scanned!
C:\Documents and Settings\Administrator\Application Data\Skype\myles.brewer\main.db-journal... file could not be scanned!
C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_bgMwdycJRxpWO7raO0v5... file could not be scanned!
C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_ijPApoaMpx4LgT99fUET... file could not be scanned!
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.tmp... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb... file could not be scanned!
No virus body found.
Files scanning finished  (193816 files, 0 infected, 3315.3s).
Drives scanned: C: D:
----------


Thanks very much
regards
Myles

Title: Re: Windows XP 2010 says PC infected
Post by: Pondus on March 04, 2010, 11:02:16 AM
If you follow this guide from Essexboy and post the OTL log HERE,
he is the malware expert and can then see if there is more that needs to be done.

http://forum.avast.com/index.php?topic=53253.0
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 11:53:48 AM
Hi Pondus,

OK did that & have attached files as requested.

Thanks
Title: Re: Windows XP 2010 says PC infected
Post by: Pondus on March 04, 2010, 12:53:59 PM
I usually see him in here after 20:00 Norwegian time, so be patient; he works in several forums.
Title: Re: Windows XP 2010 says PC infected
Post by: essexboy on March 04, 2010, 12:59:12 PM
Hi, I have a day off ;D That does not look too bad now - what other problems do you have?

Run OTL
Code:
:OTL
O33 - MountPoints2\{9fa89f00-8950-11dd-8614-001d920d4861}\Shell\AutoRun\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\stcvhost.exe -- File not found
O33 - MountPoints2\{9fa89f00-8950-11dd-8614-001d920d4861}\Shell\open\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\stcvhost.exe -- File not found
:Files
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.tmp

:Commands
[purity]
[emptytemp]
[Reboot]
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 03:20:29 PM
OK Essexboy,

Here's the log now after scan:
Title: Re: Windows XP 2010 says PC infected
Post by: essexboy on March 04, 2010, 04:30:50 PM
That was corrupted - you probably had Notepad set to Unicode as opposed to ANSI.

How is the computer now are you experiencing any problems ?
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 04:40:23 PM
You're spot on, try this now, let me know if it looks ok.

Computer seems (I'm not saying this really) fine  ssshhhh!!!  :)

Thanks everyone for your help on this, very much appreciated.
Title: Re: Windows XP 2010 says PC infected
Post by: essexboy on March 04, 2010, 04:52:55 PM
OK, that looked good. At some stage you had connected an infected USB drive to your system; I would recommend that you always scan USB drives before running them.
You have several out of date Java versions on your system.

Please download JavaRa (http://www.softpedia.com/get/System/System-Miscellaneous/JavaRa.shtml) to your desktop and unzip it to its own folder.

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

SPRING CLEAN

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

THEN

Download Flush Flash from Here (http://www.xs4all.nl/~fstaal01/flushflash-us.html) and follow the easy to use instructions on the same page.

NEXT

Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 08:15:50 PM
Thanks Essexboy,

Think that must be about it now, Just one final question, I have an external hard drive which I unplugged when I realised I was under attack!!

Haven't plugged it back in since, so it's had none of the scans etc, is it sufficient to just plug it in now & scan with SAS MBAM & avast before accessing it?

Thanks
Title: Re: Windows XP 2010 says PC infected
Post by: essexboy on March 04, 2010, 08:18:03 PM
Yep - although this one does not appear to migrate to other partitions - so far
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 04, 2010, 08:25:56 PM
Also, incidentally, one issue I have been having for a while now & that still seems to be occurring is with my mouse.

It seems to go through phases of working ok, then double-clicking when I only click once, & other times I have to click on buttons twice to make it work.

It's a Microsoft Standard wireless optical mouse, batteries are good etc. Any ideas?

Thanks
Title: Re: Windows XP 2010 says PC infected
Post by: essexboy on March 04, 2010, 08:34:31 PM
Could be a sticky switch under one of the buttons.  I have no idea how to cure that though 
Title: Re: Windows XP 2010 says PC infected
Post by: scythe944 on March 04, 2010, 08:37:21 PM
Time to newegg up another mouse. Or you could take it apart and clean it if you were mechanically inclined enough.
Title: Re: Windows XP 2010 says PC infected
Post by: Myles45 on March 05, 2010, 01:11:38 AM
Think you're right, Scythe. Might give it a shot at cleaning it first. They're basic enough, & if it doesn't work, it's about time I upgraded anyway as I've had it a couple of years now.

Thanks for your help also

regards
myles
Title: Re: Windows XP 2010 says PC infected
Post by: scythe944 on March 08, 2010, 05:05:05 PM
Sure no problem.

If it helps you in any way, I've taken apart keyboards that have the same issue and placed them in the top rack of the dishwasher.  Let it go through a cycle and dry out.  Usually, they come out as good as new!

A mouse might work the same way, but I haven't tried yet.  Just make sure you don't put the actual control board in there, only the plastic parts!  ;D