
Rogue (fake) malware



FIRST LOG

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

5/8/2010 8:32:26 AM

mbam-log-2010-05-08 (08-32-26).txt

Scan type: Full scan (C:\|)

Objects scanned: 187146

Time elapsed: 26 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 3

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ce72eac4-b826-0dd2-a0a0-b919b62dd763} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ce72eac4-b826-0dd2-a0a0-b919b62dd763} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce72eac4-b826-0dd2-a0a0-b919b62dd763} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xjfpkocc (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xjfpkocc (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.164,93.188.161.250 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{006e102f-14f3-4c4c-9d19-baa11cd693eb}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.164,93.188.161.250 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a68c3e3d-8ad0-49cc-a3aa-412d5a4b4643}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.164,93.188.161.250 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d8b3e128-008e-44e9-8b91-6bff9b8773f7}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.164,93.188.161.250 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\pdijhtecbxbqu.dll (Adware.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\b0000183e.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\b00005c3a.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\ajlondo\Local Settings\Temp\Ftg.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\Documents and Settings\ajlondo\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\ajlondo\Local Settings\Application Data\bbbfhpfph\vaipqiptssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\ajlondo\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\ajlondo\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

SECOND LOG

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

5/8/2010 11:52:01 AM

mbam-log-2010-05-08 (11-52-01).txt

Scan type: Full scan (C:\|)

Objects scanned: 187127

Time elapsed: 27 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

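As an added example (not code from the original post, and not a Malwarebytes tool), the script below parses MBAM 1.x detection lines like the two logs above and pulls out what a responder actually wants from them: the resolver addresses the Trojan.DNSChanger entry had written into Tcpip\Parameters, the items that gave the infection a foothold across reboots and logons (Run values, the Startup folder shortcut, the scheduled task, the BHO), anything left as "Delete on reboot", and which paths the second scan reported that the first scan never touched. The sample input is a subset of the detection lines quoted in the post; the section headers, marker strings and function names are this example's own choices.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example, not part of the original post or of Malwarebytes' tooling.
The sample input is a subset of the detection lines quoted in the post.
"""
import re
from collections import namedtuple
from ipaddress import ip_address

Detection = namedtuple("Detection", "section path family data action")

# Detection lines copied from the first log in the post (subset).
FIRST_SCAN = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce72eac4-b826-0dd2-a0a0-b919b62dd763} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xjfpkocc (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.164,93.188.161.250 -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\b0000183e.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ajlondo\Local Settings\Temp\Ftg.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\ajlondo\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
"""

# Detection lines copied from the second log in the post.
SECOND_SCAN = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# "<path> (<family>) -> [Data: <data> -> ]<action>."  (MBAM 1.x line layout)
DETECTION = re.compile(
    r"^(?P<path>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$"
)

# Substrings (this example's choice) that mark autostart / persistence locations.
PERSISTENCE_MARKERS = (
    r"\CurrentVersion\Run",
    r"\Start Menu\Programs\Startup",
    r"\WINDOWS\Tasks",
    r"\Browser Helper Objects",
)


def parse_mbam_log(text):
    """Return every detection line in an MBAM 1.x log, tagged with its section."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):          # e.g. "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = DETECTION.match(line)
        if m:
            found.append(Detection(section, m["path"], m["family"], m["data"], m["action"]))
    return found


def hijacked_dns(detections):
    """Resolver IPs the DNSChanger entries wrote under Tcpip\\Parameters (empty set if none)."""
    servers = set()
    for d in detections:
        if d.path.lower().endswith(r"\nameserver") and d.data:
            servers.update(str(ip_address(t.strip())) for t in d.data.split(","))
    return servers


def persistence(detections):
    """Detections sitting in an autostart location (survive a reboot or logon)."""
    return [d for d in detections
            if any(m.lower() in d.path.lower() for m in PERSISTENCE_MARKERS)]


def pending_reboot(detections):
    """Items MBAM could not remove while running: reboot and rescan before trusting the box."""
    return [d for d in detections if d.action == "Delete on reboot"]


def left_behind(first, second):
    """Paths the second scan reported that the first scan never touched."""
    seen = {d.path.lower() for d in first}
    return [d for d in second if d.path.lower() not in seen]


if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_SCAN), parse_mbam_log(SECOND_SCAN)
    print("hijacked DNS servers:", sorted(hijacked_dns(first)))
    for d in persistence(first):
        print("persistence:", d.family, d.path)
    for d in pending_reboot(first):
        print("needs reboot + rescan:", d.path)
    for d in left_behind(first, second):
        print("second pass still found:", d.family, d.path)
```

Two things the output makes obvious that the raw logs bury: the first scan ended with Ftg.exe still marked "Delete on reboot", so the machine was not clean until it had been restarted and rescanned, and the second scan found only the Uninstall and vendor keys, none of the autostart entries. The two resolver addresses are worth checking on the router and on any other host on the same network, because the first log shows the same pair written into every interface's NameServer value, not just the global one.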

Hello Hilary,

Disable the options "Automatically detect settings" and "Use automatic configuration script."

To do this:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Apply the changes.

Step 2

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 3

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 4

Please print out, read and follow the directions here, skipping any steps you are unable to complete.

Please reply here with the DDS logs and the GMER log.

