C:\WINDOWS\windows.ext (Trojan.Agent)


Hi There,

My first post, so excuse me if I break any rules of etiquette!

I have been trying to save a friend's computer infected with multiple Trojans, using a combination of NOD32 and MalwareBytes. I have had partial success, but one Trojan.Agent keeps coming back despite being cleaned multiple times by MalwareBytes.

I have posted the first, middle (after update to the latest MalwareBytes and database) and last logs from MalwareBytes. The issue that keeps coming back is in the last log: it can't seem to get rid of the Trojan.Agent in windows.ext. I realise that the full list of Trojans below is pretty serious, along with Backdoor.Bot, but she doesn't have any system discs or the option to reformat/reinstall.

My friend has Turkish Windows. System Restore is turned off. The wireless network connection no longer works and cannot repair itself. I can connect to the internet using the Ethernet cable connection.

Please help!

thanks,

Dylan

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

10.03.2009 14:55:03
mbam-log-2009-03-10 (14-55-03).txt

Scan type: Quick Scan
Objects scanned: 47914
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 49

Memory Processes Infected:
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\winlogon.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\algs.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Nvchost (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nl2plwrk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nl2plwrk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c1d8b78 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\application layer gateway service (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hfwudpnr.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svsccs.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\winlogon.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\SysFile.brk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN30.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN36.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN3A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN5E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN83.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BNAE.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BNBC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BNE4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eemaq.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\Isass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcYrSMD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlIaxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msrstart.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\algs.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN13.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN14.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN16.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN22.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN25.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN49.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN72.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN98.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.34
Database version: 1835
Windows 5.1.2600 Service Pack 3

11.03.2009 13:13:26
mbam-log-2009-03-11 (13-13-26).txt

Scan type: Quick Scan
Objects scanned: 60528
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.

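What the final log is actually saying, worked through as an added example (this is not code from the post or from Malwarebytes; the two sample logs embedded in it are constructed subsets of the logs above, and the file-to-autostart name matching is a heuristic of this script, not anything MBAM does): parse the `<object> (<detection>) -> <action>` lines, bucket each object by where it lives (Run value, service, BHO CLSID, scheduled task, other registry key, file), and list the files that were deleted without any autostart entry of the same name being deleted alongside them. In the first scan windows.ext is already on that list; in the last scan it is the only thing found at all. A file that keeps returning while no Run value, service or task for it is ever detected points at something the scan is not catching (a dropper, an undetected service or scheduled task, or a process re-writing the file), and quarantining the file one more time will not change that.

```python
"""Parse Malwarebytes' Anti-Malware 1.x logs and flag removed files with no
matching autostart entry. Added example, not code from the post or from
Malwarebytes; FIRST_LOG and LAST_LOG are constructed subsets of the post's logs."""
import re
from collections import Counter

# One detection per line:  <object> (<detection name>) -> <action>
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Section headers end with "Infected:"; summary counts ("Files Infected: 49") do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Autostart locations as they appear in MBAM object paths; first match wins.
AUTOSTART_RULES = [
    ("run_key",    re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("service",    re.compile(r"\\Services\\", re.I)),
    ("bho",        re.compile(r"\\Browser Helper Objects\\|^HKEY_CLASSES_ROOT\\CLSID\\", re.I)),
    ("sched_task", re.compile(r"\\WINDOWS\\Tasks\\", re.I)),
]
AUTOSTART_KINDS = {kind for kind, _ in AUTOSTART_RULES}

def parse_log(text):
    """Return one dict per detection line: section, obj, name, action."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items

def classify(obj):
    """Autostart kind, 'other_registry' for any other key, else 'file'."""
    for kind, rx in AUTOSTART_RULES:
        if rx.search(obj):
            return kind
    return "other_registry" if obj.startswith("HKEY_") else "file"

def count_by_kind(items):
    return dict(Counter(classify(it["obj"]) for it in items))

def stem(path):
    """Last path component without extension, lower-cased ('winlogon')."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def unanchored_files(items):
    """Deleted files for which no autostart entry of the same name was deleted.
    Name matching is this script's heuristic (Run value 'winlogon' anchors
    winlogon.exe). Such a file was removed, but whatever starts or re-creates
    it was not, so if it returns on the next scan that is what to look for."""
    anchors = {stem(it["obj"]) for it in items if classify(it["obj"]) in AUTOSTART_KINDS}
    return sorted({it["obj"] for it in items
                   if it["section"] == "Files Infected"
                   and classify(it["obj"]) == "file"
                   and stem(it["obj"]) not in anchors})

# Constructed subset of the 10.03.2009 log from the post.
FIRST_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\application layer gateway service (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\winlogon.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\SysFile.brk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\algs.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Constructed subset of the 11.03.2009 log from the post: one file, no autostart entries.
LAST_LOG = r"""
Files Infected: 1

Files Infected:
C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for label, log in (("first scan", FIRST_LOG), ("last scan", LAST_LOG)):
        items = parse_log(log)
        print(f"{label}: {count_by_kind(items)}")
        for path in unanchored_files(items):
            print(f"  deleted, but nothing that starts it was found: {path}")
```

Run it as a script to print both reports, or point `parse_log` at the text of a full mbam-log file. The name match is deliberately simple: algs.exe is reported as unanchored even though its Run value (named "application layer gateway service") was removed, because the value name and the file name differ, so treat the list as a starting point for checking the autostart locations by hand, not as a verdict.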

Oops, sorry, I posted this in the wrong forum; mods, please delete the original in the General forum! :D


C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN13.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN14.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN16.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN22.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN25.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN49.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN4A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN72.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN98.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.34

Database version: 1835

Windows 5.1.2600 Service Pack 3

11.03.2009 13:13:26

mbam-log-2009-03-11 (13-13-26).txt

Scan type: Quick Scan

Objects scanned: 60528

Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.


Hijack This file for good measure . . .

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:34:27, on 11.03.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20772)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\VistaDrive\VistaDrive.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PERFECT XP SP3

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba


  • Root Admin

STEP 01

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup217.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 02

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Thanks for the reply AdvancedSetup. Great handle! :P

I ran both the tools (had previously run CCleaner but not with those particular options unchecked). Forgot to disconnect from the internet when running DDS; hopefully this makes no difference. I also didn't get any prompt for an Optional Scan from DDS, it just produced the two files you mentioned without any extra scanning. Please find below the copies of the two logs; I assume you meant to post the Attach.txt log here in my reply, excuse me if not. What's next?

thanks and regards,

Dylan

DDS (Ver_09-02-01.01) - NTFSx86

Run by Administrator at 12:57:56,37 on 12.03.2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Professional 5.1.2600.3.1254.90.1055.18.1023.612 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\VistaDrive\VistaDrive.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = PERFECT XP SP3

uInternet Settings,ProxyOverride = *.local

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Windows Live Oturum A


  • Root Admin

Please uninstall LimeWire 4.18.8 if you would like us to continue to help you. These Peer2Peer programs can infect you faster than we can clean you so it's a waste of our time to do so unless you remove it.

Then you need to update MBAM and run again.

YOUR VERSION

Malwarebytes' Anti-Malware 1.30

Database version: 1306

CURRENT VERSION

Malwarebytes' Anti-Malware 1.34

Database version: 1842

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


Hi again A-S,

I have uninstalled LimeWire and told my friend to keep away from P2P in the future!

Sorry, there must be a bit of confusion here. I had an older version of MBAM that I STARTED using, but once I got her computer connected to the internet I downloaded the latest version, and have been using 1.34 to scan and clean. I had done multiple scans with this version, and only posted the last one from 1.34, as you can see at the BOTTOM of my original post:

<snip>

Malwarebytes' Anti-Malware 1.34

Database version: 1835

Windows 5.1.2600 Service Pack 3

11.03.2009 13:13:26

mbam-log-2009-03-11 (13-13-26).txt

Anyway, I have updated the database now to version 1844, and run the Quick Scan again.

As before, it found the same one infection at the end of the scan. As per instructions I have Removed Selected with MBAM.

However, as I have done this now a total of four times I am pretty sure it will come back as soon as I reboot. I don't think just uninstalling LimeWire will have done the trick; it will help to avoid future infections, sure. Anyway, here is the latest log from today; as you can see it looks pretty much the same as the third and last log I pasted into my original post at the bottom (28 seconds faster though, MBAM is getting quicker on this machine!):

Malwarebytes' Anti-Malware 1.34

Database version: 1844

Windows 5.1.2600 Service Pack 3

13.03.2009 10:21:52

mbam-log-2009-03-13 (10-21-52).txt

Scan type: Quick Scan

Objects scanned: 60656

Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.

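The pattern Dylan describes above, the same file reported as "Quarantined and deleted successfully" on scan after scan, is easiest to see when several logs are compared side by side. As an added example (not code from this thread or from Malwarebytes), here is a small hypothetical Python parser for the MBAM 1.x log layout quoted in this thread that reads several logs and flags the detections that recur; the sample logs are constructed from the ones posted here.

```python
import re
from collections import defaultdict

# Patterns for the MBAM 1.x log layout quoted in this thread. This parser is a
# hypothetical helper written for this example; it is not a Malwarebytes tool.
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed):\s*(.+)$")
DATE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) \d{2}:\d{2}:\d{2}$")
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split one MBAM log into header fields and a list of detections."""
    report = {"header": {}, "detections": []}
    section = None  # which "... Infected:" block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report["header"]["version"] = line.rsplit(" ", 1)[1]
            continue
        m = HEADER_RE.match(line)
        if m:
            report["header"][m.group(1)] = m.group(2)
            continue
        m = DATE_RE.match(line)
        if m:
            report["header"]["date"] = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line) if section else None
        if m:  # e.g. "C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully."
            report["detections"].append({"section": section, "item": m.group("item"),
                                         "family": m.group("family"), "action": m.group("action")})
    return report


def recurring_detections(logs, min_scans=2):
    """Map (case-folded item, family) to the dates of the scans that reported it,
    keeping only detections seen in at least min_scans distinct scans. Paths are
    case-folded because the thread's tools print the same file as both
    windows.ext and Windows.ext."""
    seen = defaultdict(list)
    for log in logs:
        report = parse_mbam_log(log)
        date = report["header"].get("date", "unknown")
        for d in report["detections"]:
            key = (d["item"].lower(), d["family"])
            if date not in seen[key]:
                seen[key].append(date)
    return {k: v for k, v in seen.items() if len(v) >= min_scans}


def describe_recurrences(logs, min_scans=2):
    """One line per recurring detection. A file reported as deleted on every scan
    yet present again at the next one is being recreated between scans by
    something the scan did not remove (an autostart entry, service or driver)."""
    lines = []
    for (item, family), dates in sorted(recurring_detections(logs, min_scans).items()):
        lines.append(f"{item} ({family}): reported in {len(dates)} scans "
                     f"({', '.join(dates)}); it is being recreated between scans")
    return lines


# Constructed sample logs modelled on the ones posted in this thread, trimmed to
# the lines the parser uses (the full logs parse the same way).
SAMPLE_LOGS = [
    r"""Malwarebytes' Anti-Malware 1.34
Database version: 1835
11.03.2009 13:13:26
Scan type: Quick Scan
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eemaq.exe (Trojan.Downloader) -> Delete on reboot.
""",
    r"""Malwarebytes' Anti-Malware 1.34
Database version: 1844
13.03.2009 10:21:52
Files Infected:
C:\WINDOWS\Windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.
""",
    r"""Malwarebytes' Anti-Malware 1.34
Database version: 1854
17.03.2009 10:22:05
Files Infected:
C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.
""",
]

if __name__ == "__main__":
    print("\n".join(describe_recurrences(SAMPLE_LOGS)))
```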

  • Root Admin

Sorry, my fault. I thought I saw it, but then looked back and missed it.

Okay. Let's run the following and we'll see if we can get it cleaned up.

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 02

    Please create a BOOTLOG
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
    If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • Note: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Administrator
  • The tab is called BOOT on Vista. Then choose Boot log

STEP 03

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

STEP 04

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


Thanks for your latest reply! OK, I've run ComboFix now as per your instructions, disabling NOD and the Windows Firewall first. However I never got any prompt to install the Windows Recovery Console, is this important? I will run the other things you have suggested; in the meantime I thought I'd quickly post this due to the Recovery Console issue. Below are the logs from ComboFix and HijackThis (ComboFix also deleted the same C:\WINDOWS\windows.ext (Trojan.Agent) as MBAM, along with other related things):

ComboFix 09-03-12.01 - Administrator 2009-03-13 12:33:44.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1254.1.1055.18.1023.645 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Install.txt

c:\windows\system32\bdNTCccf.ini

c:\windows\system32\bdNTCccf.ini2

c:\windows\system32\fybrsglv.ini

c:\windows\system32\m.txt

c:\windows\system32\pdauasef.ini

c:\windows\system32\WFLTuvut.ini

c:\windows\system32\WFLTuvut.ini2

c:\windows\system32\windows.txt

c:\windows\system32\ylkmomxs.ini

c:\windows\system32\yybhwrxg.ini

c:\windows\Windows.ext

d:\recycler\Desktop_.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AFISICX

-------\Legacy_CRYPTSVCMNMSRVC

-------\Legacy_HELPSVCNETDDE

-------\Legacy_HKMSVCRPCSS

-------\Legacy_MABIDWE

-------\Legacy_SECLOGONCRYPTSVC

-------\Legacy_SOPIDKC

-------\Legacy_WMDMPMSNDHCP

-------\Legacy_WUAUSERVIMAPISERVICE

-------\Service_CryptSvcmnmsrvc

-------\Service_helpsvcNetDDE

-------\Service_hkmsvcRpcSs

-------\Service_seclogonCryptSvc

-------\Service_WmdmPmSNDhcp

-------\Service_wuauservImapiService

((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))

.

2009-03-13 12:35 . 2009-03-13 12:35 <DIR> d-------- c:\windows\system32\xircom

2009-03-13 12:35 . 2009-03-13 12:35 <DIR> d-------- c:\program files\microsoft frontpage

2009-03-11 15:23 . 2009-03-11 15:23 <DIR> d-------- c:\program files\Trend Micro

2009-03-11 11:42 . 2009-03-11 11:42 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-10 18:20 . 2009-03-10 18:20 5,632 --ahs---- c:\windows\system32\Thumbs.db

2009-03-10 18:18 . 2009-03-11 11:42 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-10 17:19 . 2009-03-10 17:18 228 -ra------ c:\windows\w


Thanks for the latest instructions Advanced Setup. Do you mind if I call you Bob?

I ran all of the tweaks and programs, a few challenges in Turkish with the Microsoft update in particular but I got it done. And I'm happy to report that MBAM didn't find anything after the last scan, so it appears that the laptop is finally clean. Thanks again for your help! Hopefully you can confirm that after inspecting these three logs:

ComboFix 09-03-15.01 - Administrator 2009-03-16 15:50:53.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1254.1.1055.18.1023.646 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\docume~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys

C:\p8.exe

c:\windows\inf\syssbck.dll

c:\windows\system32\2946904642.dat

c:\windows\system32\adptifu.sys

c:\windows\system32\adsntw.dll

c:\windows\system32\advpackr.exe

c:\windows\system32\ALSndMgrv.sys

c:\windows\system32\drivers\ati64si.sys

c:\windows\system32\drivers\ksi32sk.sys

c:\windows\system32\drivers\netsik.sys

c:\windows\system32\drivers\nicsk32.sys

c:\windows\system32\drivers\port135sik.sys

c:\windows\system32\drivers\securentm.sys

c:\windows\system32\drivers\ws2_32sik.sys

c:\windows\system32\new20090226new.exe

c:\windows\WLXPGSS.SCR

C:\wip.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\p8.exe

c:\windows\inf\syssbck.dll

c:\windows\system32\2946904642.dat

c:\windows\system32\adptifu.sys

c:\windows\system32\adsntw.dll

c:\windows\system32\ALSndMgrv.sys

c:\windows\system32\new20090226new.exe

c:\windows\VistaDrive

c:\windows\VistaDrive\0.ico

c:\windows\VistaDrive\100.ico

c:\windows\VistaDrive\16.ico

c:\windows\VistaDrive\17.ico

c:\windows\VistaDrive\25.ico

c:\windows\VistaDrive\33.ico

c:\windows\VistaDrive\41.ico

c:\windows\VistaDrive\42.ico

c:\windows\VistaDrive\50.ico

c:\windows\VistaDrive\58.ico

c:\windows\VistaDrive\67.ico

c:\windows\VistaDrive\75.ico

c:\windows\VistaDrive\8.ico

c:\windows\VistaDrive\83.ico

c:\windows\VistaDrive\92.ico

c:\windows\VistaDrive\99.ico

c:\windows\VistaDrive\s100.ico

c:\windows\VistaDrive\s16.ico

c:\windows\VistaDrive\s17.ico

c:\windows\VistaDrive\s25.ico

c:\windows\VistaDrive\s33.ico

c:\windows\VistaDrive\s41.ico

c:\windows\VistaDrive\s42.ico

c:\windows\VistaDrive\s50.ico

c:\windows\VistaDrive\s58.ico

c:\windows\VistaDrive\s67.ico

c:\windows\VistaDrive\s75.ico

c:\windows\VistaDrive\s8.ico

c:\windows\VistaDrive\s83.ico

c:\windows\VistaDrive\s92.ico

c:\windows\VistaDrive\s99.ico

c:\windows\VistaDrive\Thumbs.db

c:\windows\VistaDrive\VistaDrive.exe

c:\windows\Windows.ext

c:\windows\WLXPGSS.SCR

C:\wip.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSDTCEVENTLOG

-------\Service_ati64si

-------\Service_ksi32sk

-------\Service_MSDTCEventlog

-------\Service_netsik

-------\Service_nicsk32

-------\Service_port135sik

-------\Service_securentm

-------\Service_ws2_32sik

((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))

.

2009-03-16 15:04 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe

2009-03-16 15:04 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf

2009-03-16 14:54 . 2009-03-16 14:54 <DIR> d--h----- c:\windows\$hf_mig$

2009-03-16 14:54 . 2008-06-17 20:01 8,466,944 --------- c:\windows\system32\dllcache\shell32.dll

2009-03-13 16:26 . 2009-03-13 16:32 <DIR> d-------- C:\RootRepeal

2009-03-13 16:21 . 2009-03-13 16:21 <DIR> d-------- c:\program files\DIFX

2009-03-13 16:20 . 2007-06-01 10:33 2,772,992 --a------ c:\windows\system32\NETw4r32.dll

2009-03-13 16:20 . 2007-06-21 04:43 2,208,512 --a------ c:\windows\system32\drivers\NETw4x32.sys

2009-03-13 16:20 . 2007-06-01 10:33 684,032 --a------ c:\windows\system32\NETw4c32.dll

2009-03-13 16:09 . 2009-03-13 16:09 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Intel

2009-03-13 16:09 . 2009-03-13 16:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Intel

2009-03-13 16:09 . 2009-03-13 16:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel

2009-03-13 16:08 . 2009-03-13 16:08 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Intel

2009-03-13 16:08 . 2009-03-13 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intel

2009-03-13 14:35 . 2009-03-13 14:35 417 --a------ c:\windows\msconfig.lnk

2009-03-13 12:35 . 2009-03-13 12:35 <DIR> d-------- c:\windows\system32\xircom

2009-03-13 12:35 . 2009-03-13 12:35 <DIR> d-------- c:\program files\microsoft frontpage

2009-03-11 15:23 . 2009-03-11 15:23 <DIR> d-------- c:\program files\Trend Micro

2009-03-11 11:42 . 2009-03-11 11:42 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-10 18:20 . 2009-03-10 18:20 5,632 --ahs---- c:\windows\system32\Thumbs.db

2009-03-10 18:18 . 2009-03-11 11:42 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-10 17:54 . 2009-03-10 17:55 1,917 --a------ c:\windows\imsins.BAK

2009-03-10 14:45 . 2009-03-10 15:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-10 14:45 . 2009-03-10 14:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-10 14:45 . 2009-03-10 14:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-03-10 14:45 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-10 14:45 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-07 13:09 . 2009-03-07 13:09 131,072 --a------ c:\windows\system32\lohy.exe

2009-03-05 20:58 . 2009-03-08 17:54 <DIR> d--h----- c:\temp\Yeni Klas


  • Staff

Hi,

Since AdvancedSetup is busy with other stuff, I'm taking over this thread :(

I see you didn't install the recovery console through Combofix. This is really important, since Combofix won't be able to disinfect files properly if the Recovery Console is not installed.

That's why I suggest running Combofix once again, but allowing it to install the recovery console. I cannot stress enough how important this is.

Then post the new Combofix log in your next reply together with a new log from MBAM (update the program via the update button and perform a scan).

Also let me know in your next reply what problems you're currently still having :)


Hi Miekiemoes,

Thanks a lot for taking over this thread, good to get a reply. :(

Whenever I have run ComboFix, it has never prompted me to install the Recovery Console. I have read through the instructions thoroughly, and understood that this should happen automatically when running ComboFix. The first time I ran ComboFix I pointed this out to Advanced Setup in my reply but that information seemed to have been overlooked:

<snip>

Posted Mar 13 2009, 01:10 PM

Thanks for your latest reply! OK, I've run ComboFix now as per your instructions, disabling NOD and the Windows Firewall first. However I never got any prompt to install the Windows Recovery Console, is this important?

<>

And on the second time running ComboFix, same thing, no prompt for installing the recovery console, only the warning notice appearing in the log that the Recovery Console is not installed. I have since noticed the manual instructions for doing this . . . however my friend has taken her laptop as she needed it as she was travelling to Turkey. She'll be back Monday so I can do this step then. Can you advise me what I will need to do after installing the Recovery Console, do I simply run ComboFix again?

Regarding your question about problems, in fact this Trojan is not actually doing anything at all as far as I can work out. Before MBAM cleaned up the myriad infections the computer couldn't connect to the internet and there were issues with the audio (this may have been user error!), but since then there have been no issues with day to day use of the computer. I am just concerned about the potential for damage from this Trojan.Agent.

In the meantime, after looking like it may have been cleaned after the last advice and steps from Advanced Setup, the Trojan.Agent is back. Here is the latest log from MBAM after a scan on Tuesday with the usual "Quarantined and deleted successfully" message:

Malwarebytes' Anti-Malware 1.34

Database version: 1854

Windows 5.1.2600 Service Pack 3

17.03.2009 10:22:05

mbam-log-2009-03-17 (10-22-05).txt

Scan type: Quick Scan

Objects scanned: 61005

Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\windows.ext (Trojan.Agent) -> Quarantined and deleted successfully.

Thanks for your further assistance with this . . . have a good one! :)

Dylan


  • Staff

Hi,

Can you advise me what I will need to do after installing the Recovery Console, do I simply run ComboFix again?
You can install the recovery console easily with the use of Combofix.

See this link below under the part: "If you use Windows XP and do not have the Windows CD". There it is explained how to install the Recovery console with Combofix.

Once the recovery is installed, just run Combofix again and post the logs.

Also, please update MalwareBytes database (update tab > check for updates), because it's outdated.

Then post the new results in your next reply as well :(


  • Staff

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
