antivirus.lnk and other malware not being removed by malwarebytes


spicers

Recommended Posts

So, I'm home for the holidays and of course my family wants me to help them with their computer. After figuring out what the deal is, and reading up on Malwarebytes I decided to come to the forums for help because the software doesn't seem to be working as expected. I'll give a brief run-down of the situation.

Inside the All Users\Desktop\ folder there are 61 files that Malwarebytes finds as viruses. This is using the quick-scan. I selected "Remove" and then rebooted the computer when prompted to do so. However, upon reboot the same 61 files were found again. I'm sure this issue has been resolved before, but I couldn't find the relevant topic after about an hour of searching these forums. If someone could please direct me to the relevant thread I would be very grateful.

Here's the list of files Malwarebytes found:

Files Infected:
C:\Documents and Settings\All Users\Desktop\Antivirus.lnk (Rogue.Antivirus) -> No action taken.
C:\Documents and Settings\All Users\Desktop\AMS_FreeSetup.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Adobe PDF Money Guide.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Crack Money Maker Checker.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Money Maker Checker Help Guide.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Money Maker Checker.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Quick Money Guide.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\metro.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\UPS_letter.doc.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\VRM_Free.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Remove Spyware.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's BufferThis Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's FunFunPages Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's Funnies Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's GoodCleanVideos Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's NewFunPages Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's PositiveThoughts Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's ThisSiteRocks Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\XPProtectorInstaller.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Uncensored porn.url (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\BDSM galleries.url (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\fwebd.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\updatedd.pif (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\codec.lnk (Dialer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\iexplor.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Desktop\WinSock.exe (Backdoor.IRCBot) -> No action taken.
C:\Documents and Settings\All Users\Desktop\ieupdr2.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SMS TRAP.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\FullBSCodecz.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\AV2010Installer.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\TotalSecure2009.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\VideoTube.com.avi.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\AdobeFlashPlayerHD.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\c-setup.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\VideoAccessCodecInstall.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SpywareSoftStop.lnk (Rogue.SpywareSoftStop) -> No action taken.
C:\Documents and Settings\All Users\Desktop\ignoredomainsbase.bin (Rogue.DioCleaner) -> No action taken.
C:\Documents and Settings\All Users\Desktop\urlbase.bin (Rogue.DioCleaner) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Instant Access.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\NoCreditCard.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Join The Orgy.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\GoRecord.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\InternetGameBox.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SudoPlanet.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\WebMediaPlayer.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\msdos.pif (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Lhoroscope.com (Rogue.App) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Optimize Internet (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\PC SpeedScan Pro (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Performance Center (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Spam Blocking Update (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SudoPlanet (Rogue.SudoPlanet) -> No action taken.
C:\Documents and Settings\All Users\Desktop\WebMediaPlayer (Rogue.WebMediaPlayer) -> No action taken.

Please post the FULL log of that scan so that we can review it in order to provide further information.

Thank you.

This is the log from the quick-scan performed after rebooting from the first scan. I didn't bother to try and remove them a second time since my family confirmed the exact same situation has happened to them multiple times.

Malwarebytes' Anti-Malware 1.31
Database version: 1506
Windows 5.1.2600 Service Pack 2

12/24/2009 3:48:21 PM
mbam-log-2009-12-24 (15-48-08).txt

Scan type: Quick Scan
Objects scanned: 86510
Time elapsed: 1 hour(s), 22 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 61

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Desktop\Antivirus.lnk (Rogue.Antivirus) -> No action taken.
C:\Documents and Settings\All Users\Desktop\AMS_FreeSetup.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Adobe PDF Money Guide.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Crack Money Maker Checker.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Money Maker Checker Help Guide.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Money Maker Checker.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Quick Money Guide.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\metro.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\UPS_letter.doc.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\VRM_Free.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Remove Spyware.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's BufferThis Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's FunFunPages Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's Funnies Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's GoodCleanVideos Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's NewFunPages Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's PositiveThoughts Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's ThisSiteRocks Newsletter.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\XPProtectorInstaller.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Uncensored porn.url (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\BDSM galleries.url (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\fwebd.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\All Users\Desktop\updatedd.pif (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\codec.lnk (Dialer) -> No action taken.
C:\Documents and Settings\All Users\Desktop\iexplor.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Desktop\WinSock.exe (Backdoor.IRCBot) -> No action taken.
C:\Documents and Settings\All Users\Desktop\ieupdr2.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SMS TRAP.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\FullBSCodecz.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\AV2010Installer.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\TotalSecure2009.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\VideoTube.com.avi.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\AdobeFlashPlayerHD.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\c-setup.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\VideoAccessCodecInstall.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SpywareSoftStop.lnk (Rogue.SpywareSoftStop) -> No action taken.
C:\Documents and Settings\All Users\Desktop\ignoredomainsbase.bin (Rogue.DioCleaner) -> No action taken.
C:\Documents and Settings\All Users\Desktop\urlbase.bin (Rogue.DioCleaner) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Instant Access.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\NoCreditCard.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Join The Orgy.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\GoRecord.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\InternetGameBox.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SudoPlanet.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\WebMediaPlayer.lnk (Adware.EGDAccess) -> No action taken.
C:\Documents and Settings\All Users\Desktop\msdos.pif (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Lhoroscope.com (Rogue.App) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Optimize Internet (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\PC SpeedScan Pro (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Performance Center (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Spam Blocking Update (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Desktop\SudoPlanet (Rogue.SudoPlanet) -> No action taken.
C:\Documents and Settings\All Users\Desktop\WebMediaPlayer (Rogue.WebMediaPlayer) -> No action taken.

Your copy of Malwarebytes is eleven versions and over 1900 database updates behind. The latest Malwarebytes version is 1.42 and, at the time of writing, the latest database is 3425.

Details of how to update Malwarebytes can be found at the beginning of the instructions here.

That instructions page also tells you how to proceed if you need expert help to remove the malware.

Also, your Windows XP installation has only been updated to Service Pack 2. After all malware has been removed from your computer you should consider upgrading to Service Pack 3 in order to minimise security vulnerabilities on your system.

Your copy of Malwarebytes is eleven versions and over 1900 database updates behind. The latest Malwarebytes version is 1.42 and, at the time of writing, the latest database is 3425.

Details of how to update Malwarebytes can be found at the beginning of the instructions here.

Heh, yeah I can figure out how to upgrade my software. Thanks for noticing!

  • Root Admin

Your Version:

Malwarebytes' Anti-Malware 1.31

Database version: 1506

Current Version:

Malwarebytes' Anti-Malware 1.42

Database version: 3425

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

So, after updating to the latest version, and running a new quick-scan, the initial 61 infected files weren't found, just a single one. Here's the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/24/2009 11:25:19 PM
mbam-log-2009-12-24 (23-25-19).txt

Scan type: Quick Scan
Objects scanned: 157314
Time elapsed: 2 hour(s), 22 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

So now that I've run the third quick-scan (with the most recent version/database), my question is what happened to the initial 61 infected files that were found on the first 2 quick-scans? I don't think the first removal attempt was successful because they were found with the second quick-scan.

Another piece of information and quirk, when I attempt to open the folder (C:\Documents and Settings\All Users\Desktop) it pops up a window wanting me to format drive C. I'm not computer illiterate so I know how odd it is that trying to open that folder leads to a format yes/no window. This seems suspicious, especially since the original 61 infected files were found in that folder.

Thanks for all of your help so far and for the quick responses. It is much appreciated (the family says thanks too!) Happy Holidays btw.

  • Root Admin

Due to the age and version of the one you were running I would guess they were false positives.

In order to verify that your system is really clean you should follow the directions below. Please be aware though that it will probably take a few days as the site is very busy and it is also the Holiday Season.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org
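The question of what became of the 61 detections comes down to comparing the scans posted above: same machine, same folder, but a different program and database version. The following script is an added example written for this thread, not Malwarebytes' own code. It parses the MBAM 1.x text log layout shown in the posts (version header, "Database version:", the summary count lines, then per-section item lines of the form `item (Threat.Name) -> action`), checks that each section's summary count matches the items listed, flags a program or database that is behind a stated current version, and diffs two logs to show which detections disappeared and which appeared. The two embedded logs are constructed, abridged versions of the logs in this thread, not the full originals.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM 1.x) text logs and compare two scans.

Added example for this thread; not Malwarebytes code. The log layout follows the
logs posted above. The sample logs at the bottom are constructed and abridged.
"""
import re

# "Files Infected: 61" (summary block) or "Files Infected:" (detail section header)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "C:\...\foo.exe (Trojan.Agent) -> No action taken."  (threat names hold no parentheses)
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
VERSION_RE = re.compile(r"^Malwarebytes' Anti-Malware (?P<ver>\d+(?:\.\d+)*)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return a dict with version, database, summary counts, detections per section,
    and any in-section lines the item pattern did not recognise."""
    info = {"version": None, "database": None, "summary": {}, "detections": {}, "unparsed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:
            info["version"] = m.group("ver")
            continue
        if line.startswith("Database version:"):
            info["database"] = int(line.split(":", 1)[1])
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group("name")
            if m.group("count") is not None:   # summary block: "X Infected: N"
                info["summary"][name] = int(m.group("count"))
                section = None
            else:                               # detail block: "X Infected:"
                section = name
                info["detections"][name] = []
            continue
        if section is not None and line != NO_ITEMS:
            m = ITEM_RE.match(line)
            if m:
                info["detections"][section].append(
                    (m.group("item"), m.group("threat"), m.group("action")))
            else:
                info["unparsed"].append(line)
    return info


def count_mismatches(info):
    """Sections whose summary count disagrees with the number of items listed."""
    return [(name, info["summary"].get(name), len(items))
            for name, items in info["detections"].items()
            if info["summary"].get(name) != len(items)]


def _version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def staleness(info, current_version, current_database):
    """Reasons the scanning software was out of date relative to the stated current release."""
    reasons = []
    if _version_tuple(info["version"]) < _version_tuple(current_version):
        reasons.append(f"program {info['version']} behind {current_version}")
    if info["database"] < current_database:
        behind = current_database - info["database"]
        reasons.append(f"database {info['database']} is {behind} updates behind")
    return reasons


def diff_detections(before, after):
    """Return (gone, new) lists of (section, item, threat) keys between two parsed logs."""
    def keys(info):
        return {(sec, item, threat)
                for sec, items in info["detections"].items()
                for item, threat, _ in items}
    b, a = keys(before), keys(after)
    return sorted(b - a), sorted(a - b)


# Constructed, abridged sample logs modelled on the two scans in this thread.
OLD_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1506
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 86510

Memory Processes Infected: 0
Registry Data Items Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Desktop\Antivirus.lnk (Rogue.Antivirus) -> No action taken.
C:\Documents and Settings\All Users\Desktop\UPS_letter.doc.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Today's BufferThis Newsletter.lnk (Malware.Trace) -> No action taken.
"""

NEW_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 157314

Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    old, new = parse_mbam_log(OLD_LOG), parse_mbam_log(NEW_LOG)
    print("old scan staleness:", staleness(old, "1.42", 3425))
    print("new scan staleness:", staleness(new, "1.42", 3425))
    gone, fresh = diff_detections(old, new)
    print(f"{len(gone)} detections gone after update, {len(fresh)} new")
    for key in gone + fresh:
        print("  ", key)
```

Run as a script it reports the old scan as both program and database behind, the new scan as still 136 database updates behind the 3425 quoted in the thread, and lists the three file detections that no longer appear alongside the one new registry data item. The mismatch check is the thing to look at when a "Remove" run seems to have done nothing: a summary count that disagrees with the listed items, or lines the parser cannot recognise, means the log is not telling you what you think it is.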
