can't get rid of iamfamous.dll

Computing.Net > Forums > Security and Virus > can't get rid of iamfamous.dll

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

can't get rid of iamfamous.dll

Name: jake100
Date: December 29, 2008 at 13:28:58 Pacific
OS: Windows XP sp2
CPU/Ram: 3.0/512
Product: Ibm / THINKCENTRE

Comment:

Hi,
The problem started with unable to browse internet via firefox (address not found) or IE(page not found). First move was to do system restore which does nothing after clicking next on last page. I can ping my router and the other local computers and websites via their IP address but not their www.*.com address
SO I did the following:
-Full scan Spybot S&D found only few tracking cookies
-full scan adaware -- nothing
-avg 8.0 scan - nothing
-Malwarebytes scan (found iamfamous.dll log below)
Now system restore seemed to work but on reboot it said restore was unsuccesful and still no internet.
-repeated malwarebytes scan came all clean
-system restore back to square one
-uninstalled avg 8.0
-Followed with ComboFix scan attached below.
-and Hijack this scan.
Still no system restore or internet
By the way I did multiple repairs on the local area connection to no avail. All other computers connects well via router to the internet. All the above mentioned logs are below. Any help would be appreciated.
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2
12/29/2008 11:14:30 AM
mbam-log-2008-12-29 (11-14-30).txt
Scan type: Quick Scan
Objects scanned: 55535
Time elapsed: 4 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Tasleema\Local Settings\Temp\tmp2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tasleema\Local Settings\Temp\tmp4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tasleema\Local Settings\Temp\tmp45.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tasleema\Local Settings\Temp\tmp6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tasleema\Local Settings\Temp\tmp8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tasleema\Local Settings\Temp\tmpA.tmp (Trojan.FakeAlert) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-0A5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-609.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-68F.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-C13.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-C7D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-E45.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
==========================================
ComboFix 08-12-28.04 - Tasleema 2008-12-29 14:50:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.302 [GMT -5:00]
Running from: c:\documents and settings\Tasleema\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Tasleema\LOCALS~1\Temp\tmp1.tmp
c:\windows\system32\Cache
c:\windows\Temp\tmp3.tmp
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.
2008-12-29 13:09 . 2008-12-29 13:29 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-29 11:09 . 2008-12-29 11:09 <DIR> d-------- c:\documents and settings\Tasleema\Application Data\Malwarebytes
2008-12-29 11:08 . 2008-12-29 11:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 11:08 . 2008-12-29 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-29 11:08 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 11:08 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-29 10:02 . 2008-12-29 10:02 <DIR> d-------- c:\documents and settings\Jibu
2008-12-29 09:47 . 2008-12-29 09:47 <DIR> d-------- C:\Tipstir
2008-12-27 18:35 . 2008-12-27 18:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-27 16:58 . 2008-12-27 16:58 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-27 13:51 . 2008-12-27 13:51 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-27 13:51 . 2008-12-27 13:51 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-27 13:51 . 2008-12-27 13:51 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-27 13:51 . 2008-12-27 13:51 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-27 13:44 . 2008-12-27 13:51 <DIR> d-------- c:\documents and settings\Administrator
2008-12-27 12:18 . 2008-12-27 12:18 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 12:18 . 2008-12-27 12:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 11:37 . 2008-12-27 11:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-27 09:08 . 2006-06-22 13:44 2,201,224 --a------ c:\windows\system32\Flash.ocx
2008-12-27 09:08 . 1998-06-24 00:00 203,576 --a------ c:\windows\system32\Richtx32.ocx
2008-12-27 09:08 . 2001-02-18 21:17 140,288 --a------ c:\windows\system32\Comdlg32.ocx
2008-12-12 16:59 . 2008-12-12 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2008-12-12 16:58 . 2008-12-12 16:58 <DIR> d-------- c:\program files\Vuze
2008-12-12 16:58 . 2008-12-15 10:12 <DIR> d-------- c:\documents and settings\Tasleema\Application Data\Azureus
2008-12-12 11:13 . 2008-12-29 14:08 <DIR> d-------- C:\C SHARP
2008-12-08 18:55 . 2004-08-04 00:56 2,134,528 --a--c--- c:\windows\system32\dllcache\smtpsnap.dll
2008-12-08 18:54 . 2008-12-08 19:23 <DIR> d-------- c:\windows\system32\Logfiles
2008-12-08 18:54 . 2008-12-08 18:56 <DIR> d-------- C:\Inetpub
2008-12-08 18:43 . 2008-12-08 18:43 <DIR> d-------- c:\windows\system32\js
2008-12-08 18:43 . 2008-12-08 18:43 <DIR> d-------- c:\windows\system32\images
2008-12-08 18:43 . 2008-12-08 18:43 <DIR> d-------- c:\windows\system32\html
2008-12-08 18:43 . 2008-12-08 18:43 <DIR> d-------- c:\windows\system32\css
2008-12-08 18:43 . 2008-12-08 18:43 <DIR> d-------- c:\program files\Business Objects
2008-12-08 18:37 . 2008-12-08 18:42 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-12-08 18:37 . 2008-12-08 18:37 <DIR> d-------- c:\program files\Microsoft Device Emulator
2008-12-08 18:36 . 2008-12-08 18:36 <DIR> d-------- c:\program files\Windows Mobile 5.0 SDK R2
2008-12-08 18:35 . 2008-12-08 18:35 <DIR> d-------- c:\program files\Microsoft Synchronization Services
2008-12-08 18:35 . 2008-12-08 18:35 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-12-08 18:29 . 2008-12-08 18:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2008-12-08 18:25 . 2008-12-08 18:25 <DIR> d-------- c:\windows\symbols
2008-12-08 18:23 . 2008-12-08 18:40 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-08 18:23 . 2008-12-08 18:43 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2008-12-08 18:23 . 2008-12-08 18:23 <DIR> d-------- c:\program files\Microsoft SDKs
2008-12-08 18:23 . 2008-12-08 18:26 <DIR> d-------- c:\program files\HTML Help Workshop
2008-12-08 18:23 . 2008-12-08 18:29 <DIR> d-------- c:\program files\Common Files\Merge Modules
2008-12-08 18:23 . 2008-12-08 18:23 <DIR> d-------- c:\program files\CE Remote Tools
2008-12-08 18:22 . 2008-12-08 18:22 <DIR> d-------- c:\program files\Microsoft Web Designer Tools
2008-12-08 18:21 . 2008-12-08 18:21 <DIR> dr-h----- C:\MSOCache
2008-12-08 18:20 . 2008-12-08 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-08 18:19 . 2008-12-08 18:19 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-08 18:19 . 2008-12-08 18:19 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-08 18:19 . 2008-12-08 18:25 <DIR> d-------- c:\program files\MSBuild
2008-12-08 18:18 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-08 18:16 . 2008-12-08 18:16 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-08 18:16 . 2006-10-16 16:10 23,856 --a------ c:\windows\system32\spupdsvc.exe
2008-12-08 15:31 . 2008-12-08 15:31 <DIR> d-------- c:\program files\XP Codec Pack
2008-12-08 15:31 . 2008-12-08 15:31 <DIR> d-------- c:\documents and settings\Tasleema\Application Data\Media Player Classic
2008-12-08 15:31 . 2008-07-09 04:05 421,888 --a------ c:\windows\system32\ac3filter.acm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-15 15:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 20:58 --------- d-----w c:\program files\Java
2008-11-27 01:47 --------- d-----w c:\program files\Yahoo!
2008-11-21 14:30 --------- d-----w c:\documents and settings\Tasleema\Application Data\Yahoo!
2008-11-17 16:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 16:54 --------- d-----w c:\program files\AVG
2008-11-17 15:09 --------- d-----w c:\program files\NOS
2008-11-17 15:09 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-17 12:50 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-17 12:49 --------- d-----w c:\program files\Common Files\Adobe
2008-11-15 14:12 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-12 22:06 --------- d-----w c:\program files\Motherboard Monitor 5
2008-11-11 18:10 --------- d-----w c:\program files\DiskInternals
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-08 14:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-08 14:06 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-08 14:06 --------- d-----w c:\program files\Analog Devices
2008-11-06 02:14 --------- d-----w c:\program files\Alwil Software
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-27 1234712]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-27 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-27 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-27 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-27 231704]
S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-17 33752]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
\Shell\Open\command - c:\resycled\boot.com c:
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tasleema\Application Data\Mozilla\Firefox\Profiles\rp4i4pot.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\Tasleema\Application Data\Mozilla\Firefox\Profiles\rp4i4pot.default\extensions\OpenXMLViewer@Codeplex.com\plugins\npDocX.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 14:51:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxdoyovkjk.sys"
.
Completion time: 2008-12-29 14:52:20
ComboFix-quarantined-files.txt 2008-12-29 19:52:18
Pre-Run: 7,439,757,312 bytes free
Post-Run: 7,569,362,944 bytes free
154
=========================================
Thanks

Sponsored Link

Ads by Google

Response Number 1

Name: amvinfe
Date: December 29, 2008 at 14:10:07 Pacific

Reply:

Start> Run, type cmd.exe and the OK

write (attention to space between the two names) and the OK
ipconfig /renew
restart your PC (very important)
reference ;)
http://forum.html.it/forum/showthre...

Response Number 2

Name: jake100
Date: December 29, 2008 at 14:42:07 Pacific

Reply:

I did that just now.
Still no internet. Local area connection is connected @ 100 Mbps and I can ping to ip addresses. Looks like a DNS problem associated with iamfamous.dll. Any other thoughts??

Response Number 3

Name: amvinfe
Date: December 29, 2008 at 14:46:28 Pacific

Reply:

hi,
download to your desktop
http://www.suspectfile.com/systemscan
open it and make sure that all options are checked, click on "Scan Now" at the end of the scan will be released (always on your desktop inside the folder suspectfile) two files.
Go to office http://www.freefilehosting.net the zip file and write in your next reply URL where I can get it.
Remember the scan with no connection with the antivirus disabled unless then resume scanning finished.
NB
the duration of the scan may be long, it might even seem that the program is not working, do not worry is not so;)
SystemScan is recognized, mistake, by some antivirus as infected.
--
Ciao,
Marco

Response Number 4

Name: jake100
Date: December 29, 2008 at 15:23:39 Pacific

Reply:

Hi,
Did the scan File @
http://freefilehosting.net/download...
Thanks for the help

Response Number 5

Name: amvinfe
Date: December 29, 2008 at 16:02:36 Pacific

Reply:

I'm checking the report, now put the procedure:)

richtx32.ocx getplus r ocx c:\resycled\boot.com	an attempt was made to write to read only memory can't get rid of message error loading C:\PROGRA~1\MYWEBS~1\bar\1.bin/MWSBA i have a virus i can't get rid of
See More

Response Number 6

Name: jake100
Date: December 29, 2008 at 16:14:04 Pacific

Reply:

Hi Marco,
I don't get it ..."now put the procedure".
DO I need to do anything or just wait for your response.
Thanks

Response Number 7

Name: amvinfe
Date: December 29, 2008 at 16:44:06 Pacific

Reply:

Open SystemScan> Click on "Removal Script".
Within the white box copy and paste the values listed below
Files to delete:
C:\WINDOWS\system32\drivers\msqpdxdoyovkjk.sys
C:\windows\system32\dll.dll
c:\Program Files\Mozilla Firefox\components\iamfamous.dll
C:\DOCUME~1\Tasleema\LOCALS~1\Temp\ FR243532.tmp
C:\DOCUME~1\Tasleema\LOCALS~1\Temp\FR14357.tmp
registry keys to delete:
HKLM\system\currentcontrolset\services\msqpdxserv.sys

click on "Proceed with removal" and then click OK.
The PC should reboot itself, then start it manually otherwise
Brought in C:\ put the contents of the log generated by Avenger (avenger.txt)
If still unable to connect proceed as follows:
1) Click start - Control Panel - Network Connections
click the right mouse button on your connection - select property - double click on "Internet Protocol (TCP / IP)" - go to "get DNS server address automatically" - from the ok - restart your PC
2) Click on Start - Run - type "cmd" - from the ok
at the command promt type ipconfig /flushdns and sending
Restart your computer

Ciao

Response Number 8

Name: amvinfe
Date: December 29, 2008 at 16:45:18 Pacific

Reply:

forgot that the problem is due to a pen drive or an external drive that has infected PC
PS
sorry for my English, is not correct: (

Response Number 9

Name: jake100
Date: December 29, 2008 at 17:31:04 Pacific

Reply:

I ran the removal script. PC rebooted and gave error window " There is no disk in the drive please insert drive into drive a:" . Iput in a floppy and pressed retry it went through.
In the meantime an empty avenger.txt opened and window with cannot find avenger.txt create one. I said yes. Anyways an avenger.txt was written to floppy which is:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gegjpegi
*******************
Script file located at: \??\C:\ywpbdjff.txt
Script file opened successfully.
Script file read successfully
Could not create backup directory! Status: 0xc000007f Abort!
======================================
I also tried the other two methods you mentioned above. No luck. No internet . I cam still ping only by IP

Response Number 10

Name: jake100
Date: December 29, 2008 at 17:33:03 Pacific

Reply:

I did not plug in any pen drive or external drive. I got it through internet I believe

Response Number 11

Name: amvinfe
Date: December 29, 2008 at 17:44:24 Pacific

Reply:

when you're
start> run> cmd.exe
ipconfig /flushdns
OK, came out some mistakes?

Response Number 12

Name: jake100
Date: December 29, 2008 at 17:51:32 Pacific

Reply:

no mistakes as follows:
c:\ipconfig /flushdns
Windows IP configuration
Successfully flused the DNS Resolver cache
c:\
=============
NO errors. Then I rebooted still the same

Response Number 13

Name: amvinfe
Date: December 29, 2008 at 18:21:27 Pacific

Reply:

Please try directly with Avenger:
download
http://swandog46.geekstogo.com/aven...
do it in the box and white paste this script:
Files to delete:
C:\WINDOWS\system32\drivers\msqpdxdoyovkjk.sys
C:\windows\system32\dll.dll
c:\Program Files\Mozilla Firefox\components\iamfamous.dll
C:\DOCUME~1\Tasleema\LOCALS~1\Temp\ FR243532.tmp
C:\DOCUME~1\Tasleema\LOCALS~1\Temp\FR14357.tmp
registry keys to delete:
HKLM\system\currentcontrolset\services\msqpdxserv.sys
Check "Automatically disable any rootkits found" and click on "execute".
The PC should reboot alone, otherwise you restart.
if this time does the report are in the C:\ (avenger.txt)

Now I'm going to sleep in Italy now is 3 at night you will soon go to dinner I'm going to work :D
I hope you can solve
ciao Marco

Response Number 14

Name: jake100
Date: December 29, 2008 at 18:43:55 Pacific

Reply:

Thanks Marco That worked. USed avenger and I can connect to internet & restore works as well
If it helps others..
C:\avenger.txt as below :
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Mon Dec 29 21:31:44 2008
21:31:28: Error: can't seek on file descriptor 3 (error 131: an attempt was made to move the file pointer before the beginning of the file.)
21:31:39: Warning: Skipping potentially dangerous line:
"HKLM\system\currentcontrolset\services\msqpdxserv.sys" (Registry key deletion mode)
21:31:44: Error: Execution aborted by user!

//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Mon Dec 29 21:32:08 2008
21:32:08: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
Hidden driver "msqpdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\msqpdxdoyovkjk.sys
Driver disabled successfully.
Rootkit scan completed.
File "C:\WINDOWS\system32\drivers\msqpdxdoyovkjk.sys" deleted successfully.
Error: file "C:\windows\system32\dll.dll" not found!
Deletion of file "C:\windows\system32\dll.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\Program Files\Mozilla Firefox\components\iamfamous.dll" not found!
Deletion of file "c:\Program Files\Mozilla Firefox\components\iamfamous.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\DOCUME~1\Tasleema\LOCALS~1\Temp\ FR243532.tmp" not found!
Deletion of file "C:\DOCUME~1\Tasleema\LOCALS~1\Temp\ FR243532.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\DOCUME~1\Tasleema\LOCALS~1\Temp\FR14357.tmp" not found!
Deletion of file "C:\DOCUME~1\Tasleema\LOCALS~1\Temp\FR14357.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKLM\system\currentcontrolset\services\msqpdxserv.sys" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
=============================
Sleep Tight Marco!!

Response Number 15

Name: amvinfe
Date: December 30, 2008 at 09:09:53 Pacific

Reply:

Wonderful jake100
a good day
Ciao :)
Marco

Response Number 16

Name: amvinfe
Date: December 30, 2008 at 10:09:21 Pacific

Reply:

Please send me the file backup.zip, it's in C:\Avenger
Thank you
amvinfe at suspectfile dot com

Response Number 17

Name: jake100
Date: January 6, 2009 at 07:22:49 Pacific

Reply:

Hi,
Sorry I did not check earlier your response.
I can't find any backup.zip file. There is only the avenger.txt which I posted above.
I did a search too could not find one.

Response Number 18

Name: kwantlen
Date: January 6, 2009 at 10:08:22 Pacific

Reply:

Looked for 2 days to get rid of this naughty rootkit. Followed your script and avenger: it worked! Thank you very much.
The only nuisance I still have not solved is whenever I boot I am getting BuzzingBee.wav and LoopyMusic.wav into my \system32\ folder copied.
Any idea where this could be coming from?
Great work jake100
Wolf

Response Number 19

Name: simple63
Date: February 9, 2009 at 14:02:31 Pacific

Reply:

This really works, however be aware that the virus calls itself something different,in our case it was gpewtosemgjs.sys but the clever avenger software found the hidden driver and destroyed it.
We have Vista and it automatically tried to repair some aspects and asked if we wanted to use System Restore - we said NO.
It worked after the auto repair did its bit.
Great piece of software.
Thanks
Simple63

Sponsored Link

Ads by Google

Can't get rid of winupgro...

annoying virus

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: can't get rid of iamfamous.dll

Can't get rid of RUN entry/Service

Summary

www.computing.net/answers/security/cant-get-rid-of-run-entryservice/17409.html

Can't get rid of cws.searchx

Summary

www.computing.net/answers/security/cant-get-rid-of-cwssearchx/12067.html

Can't get rid of onemoresearch.net

Summary

www.computing.net/answers/security/cant-get-rid-of-onemoresearchnet/14181.html

From the Geek Dictionary
USB - Universal Serial Bus - A port on most modern computers that allows for the ...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 7 Days.
Discuss in The Lounge
Poll History

Recent Posts
Button to place date

reboots during isntallation

I need a driver for use with PowerMac

Clie Peg - TJ37

Issues installing Vista please help

All Awaiting Reply

Tom's News
Woman Tracks Down Club Attacker on Facebook

Geolocation Functions Come to Twitter

New Craigslist Trend: Trade Sex for Rent?

Law Firm Investigates MS Over Xbox Live Bans

Amazon Charges $25 for Palm Pixi and $80 for Pre

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE