
Hello,

I have repeatedly searched the forums for this specific bug and have not found anything specific about it, so I am posting my problem here. I don't know how to do the log thing, but I have read a lot about how to eradicate this bug from my system on the internet, but no one seems to really have a concise way to kill it. I cannot open MBAM on my system, nor can I copy over the setup file to my infected machine. I cannot kill it in safe mode, and renaming mbam doesn't work. I cannot find it with Process Explorer. I cannot find any of the files on my HD that are supposed to identify it. Please, oh please... help. :)

Joey


OK,

Before getting your reply, I tried running MBAM using "Run as administrator" from a right-click. That allowed me to run MBAM, and it found the offending malware:

Malwarebytes' Anti-Malware 1.39

Database version: 2519

Windows 6.0.6001 Service Pack 1

7/28/2009 7:55:29 PM

mbam-log-2009-07-28 (19-55-29).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)

Objects scanned: 206260

Time elapsed: 17 minute(s), 28 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 8

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 6

Memory Processes Infected:

C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.

Memory Modules Infected:

C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{014c4232-6904-47b9-9144-7e0fb7277444} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{0ab02d6c-f605-425f-b7cb-b9e96c9faf1e} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{32864a05-9d09-472c-abd0-081818ec713b} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Files Infected:

c:\program files\gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.

c:\program files\gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.

c:\program files\gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

c:\program files\gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

c:\program files\gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.

c:\program files\gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.

I then ran rkill:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 03/27/2011 at 21:20:30.

Operating System: Windows Vista Ultimate

Processes terminated by Rkill or while it was running:

Rkill completed on 03/27/2011 at 21:20:32.

This is where I currently stand. Let me know what more I should do. Thanks.

Joey


I beg your pardon. I just posted the wrong MBAM log. Sheesh, sorry man. Here is the correct log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6182

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.6001.19019

3/27/2011 9:04:36 PM

mbam-log-2011-03-27 (21-04-36).txt

Scan type: Quick scan

Objects scanned: 194649

Time elapsed: 6 minute(s), 39 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

c:\Users\sid\AppData\Local\sun.exe (Trojan.FakeAlert) -> 1076 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\sid\AppData\Local\sun.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\sid\AppData\Local\sun.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\sid\local settings\sun.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\sid\local settings\application data\sun.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

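Added example (not from the thread or from Malwarebytes): the Broken.OpenCommand entry in the log above shows the classic .exe file-association hijack, where the `exefile\shell\open\command` default value is rewritten so every program launch runs the rogue sun.exe first. The helper below parses that log line as it appears in this thread (the sample line is copied from the post), checks a command value against the known-good `"%1" %*`, and pulls out the interposed program's path; `read_live_exefile_command` is an optional extra that reads the real value on Windows and is an assumption not used offline.

```python
import re

# Known-good default value for HKEY_CLASSES_ROOT\exefile\shell\open\command
GOOD_EXEFILE_COMMAND = '"%1" %*'

# Sample input: the "Registry Data Items Infected" line from the second MBAM log in this thread.
SAMPLE_LOG_LINE = (
    'HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command\\(default) (Broken.OpenCommand) '
    '-> Bad: ("C:\\Users\\sid\\AppData\\Local\\sun.exe" -a "%1" %*) Good: ("%1" %*) '
    '-> Quarantined and deleted successfully.'
)

# MBAM writes the observed value and the value it restores as "Bad: (...) Good: (...)".
_BAD_GOOD_RE = re.compile(r'Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) ->')


def parse_open_command_finding(line):
    """Return (registry_key, bad_value, good_value) for a Broken.OpenCommand log line, else None."""
    if '(Broken.OpenCommand)' not in line:
        return None
    key = line.split(' (Broken.OpenCommand)')[0]
    match = _BAD_GOOD_RE.search(line)
    if not match:
        return None
    return key, match.group('bad'), match.group('good')


def is_canonical_exefile_command(value):
    """True when the open command launches the requested program directly with its arguments."""
    return value.strip() == GOOD_EXEFILE_COMMAND


def hijacker_path(value):
    """Return the path of the program wrapped around "%1" when the value is hijacked, else None."""
    if is_canonical_exefile_command(value):
        return None
    match = re.match(r'\s*"?([^"]+?\.exe)"?', value, re.IGNORECASE)
    return match.group(1) if match else None


def read_live_exefile_command():
    """Read the live exefile open command on Windows; returns None on other platforms (assumed helper)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r'exefile\shell\open\command') as key:
        return winreg.QueryValueEx(key, '')[0]
```

Feeding the live value into `is_canonical_exefile_command` after cleanup is a quick way to confirm the association was actually restored before rebooting.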

That's good news, let's see if you got it all:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

It's late... be back tomorrow AM, MrC


Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
