Can this post be deleted? I re-posted it in the appropriate topic...

Post by roseytaos on Mon 25 Oct 2010, 1:28 am

Hi - Hoping you can help. My Dell Vostro was very infected -- I removed a bunch of threats with Microsoft Security Essentials and Malwarebytes scans - over 20 threats were identified and removed or disinfected - I will post the logs below. Since then I've run Malwarebytes twice and a full MSE scan once that have come up clean. But the computer is still acting weird.
For example, I've gotten a "Generic Host Process for Win32 has encountered a problem and needs to close" notice, I get pop-up ads in Firefox, and other times the whole system seems to just freeze.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4914

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/22/2010 11:45:45 AM
mbam-log-2010-10-22 (11-45-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 174128
Time elapsed: 1 hour(s), 37 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\Documents and Settings\Andy\Application Data\B28FEADB06C1B8984E847A259FEB2960\badoversion707001000lux.exe (Rogue.AntimalwareDoctor) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\badoversion707001000lux.exe (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gmorphcl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*upd_debug.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Andy\Start Menu\Programs\Antimalware Doctor (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Andy\Application Data\B28FEADB06C1B8984E847A259FEB2960\badoversion707001000lux.exe (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\PXSYF9Y1\badoversion707001000lux[3].exe (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taskcgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Application Data\B28FEADB06C1B8984E847A259FEB2960\upd_debug.exe (Trojan.FakeAlert) -> Delete on reboot.



Microsoft Security Essentials

Trojan:Win32/Jpgiframe.A
Exploit:Java/CVE-2008-5353.LR
also that same prefix plus .JH, .GG, .EQ, .MW, .CG
Exploit:Java/CVE-2009-3867.DN
same with .CA, .EQ, .EH
Rogue:Win32/FakeYak
Trojan:Win32/Bamital
Virus:Win32/Bamital.G

and on previous scan:
Trojan:Win32/Adclicker.BB (two of these)
Virus:Win32/Bamital.G (two of these)
Another Virus:Win32/Bamital.G

Last edited by roseytaos on Mon 25 Oct 2010, 5:05 am; edited 1 time in total

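The Malwarebytes log above is easier to act on once it is reduced to three questions: which families were hit, which entries were autostart persistence (Run/RunOnce keys, the Startup folder), and what was only scheduled for "Delete on reboot". Below is an added example, not code from the original post or from Malwarebytes, that parses the MBAM 1.x log format and answers those questions. SAMPLE_LOG is a constructed subset of the log lines above, with the summary counts adjusted to match the subset; the AUTOSTART_MARKERS list is an assumption of this example, not an exhaustive inventory of Windows autostart locations.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and pull out what matters.

Added example, not code from the original post or from Malwarebytes.
SAMPLE_LOG is a constructed subset of the posted log (summary counts adjusted
to match the subset) so the script runs offline.
"""
import re
from collections import Counter

# One detection per line:  <item> (<Family>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section header, e.g. "Files Infected:"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Summary line near the top, e.g. "Files Infected: 12"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")

# Locations that launch code at logon/boot. A hit here means the malware had
# persistence, not just a dropped file. Assumption: this short list is ours.
AUTOSTART_MARKERS = (
    "\\CurrentVersion\\Run\\",
    "\\CurrentVersion\\RunOnce\\",
    "\\Start Menu\\Programs\\Startup\\",
)

# Constructed sample: a subset of the posted log, counts adjusted to match.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4914

Memory Processes Infected: 1
Registry Values Infected: 3
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\Andy\Application Data\B28FEADB06C1B8984E847A259FEB2960\badoversion707001000lux.exe (Rogue.AntimalwareDoctor) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\badoversion707001000lux.exe (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gmorphcl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*upd_debug.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Andy\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taskcgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Application Data\B28FEADB06C1B8984E847A259FEB2960\upd_debug.exe (Trojan.FakeAlert) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return (findings, claimed): one dict per detection line, plus the
    per-section counts the log's summary block claims."""
    findings, claimed, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            claimed[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings, claimed


def summarize(findings):
    """Detections per family. MBAM spells the same family inconsistently
    (AntimalwareDoctor / AntiMalwareDoctor), so merge case-insensitively."""
    counts, canonical = Counter(), {}
    for f in findings:
        key = f["family"].lower()
        canonical.setdefault(key, f["family"])
        counts[canonical[key]] += 1
    return dict(counts)


def autostart_entries(findings):
    """Items sitting in a logon/boot autostart location."""
    return [f["item"] for f in findings
            if any(m.lower() in f["item"].lower() for m in AUTOSTART_MARKERS)]


def pending_reboot(findings):
    """Files MBAM could not remove until the next reboot; still on disk if
    the machine was not restarted."""
    return [f["item"] for f in findings if f["action"].lower().startswith("delete on reboot")]


def count_mismatches(findings, claimed):
    """Sections whose claimed count differs from the lines actually present,
    which flags a truncated or hand-edited log paste."""
    parsed = Counter(f["section"] for f in findings)
    return {s: (n, parsed.get(s, 0)) for s, n in claimed.items() if parsed.get(s, 0) != n}


if __name__ == "__main__":
    found, claimed = parse_mbam_log(SAMPLE_LOG)
    print("families:", summarize(found))
    print("autostart:", autostart_entries(found))
    print("pending reboot:", pending_reboot(found))
    print("count mismatches:", count_mismatches(found, claimed))
```

On the posted log this separates the four persistence entries (two Run values, one RunOnce value and a Startup-folder shortcut) from the plain dropped files, and flags upd_debug.exe as not yet removed at the time the log was written. The mismatch check matters for forum pastes like this one: a "Files Infected: 12" header with fewer than twelve file lines below it means part of the log is missing.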

Re: Can this post be deleted? I re-posted it in the appropriate topic...

Post by roseytaos on Mon 25 Oct 2010, 4:50 am

Definitely still infected --- just got that "Generic Host Process for Win32" notice again. Soon after that, my Firefox tabs closed and were replaced with a scary virus alert window, at which point the bar on the bottom of the screen changed to a graphic style that I associate with Safe Mode. I had to shut the machine down manually. Yikes!

