# My system was attacked

Dell / Dell dv051...
July 7, 2009 at 21:37:03
Specs: Microsoft Windows XP Professional, 2.793 GHz / 2038 MB
Hi, My wife recently went to forward an email to me and my computer was attacked by a virus with a fake antivirus program called Antivirus System Pro. I found a forum which had me download Malwarebytes, SuperAntiSpyware, and Norman Malware Cleaner. I ran each of these in safe mode and followed all instructions and "I believe" got rid of the virus. Now I am still getting tons of tracking cookies and back-door trojans that are being caught each time I run my AVG scan. I also have a system error every time I start my computer saying that C:\WINDOWS\system32\msbjow.exe cannot be found, and then another error right after saying that it could not load that same file name. I am by far no computer genius but have some technical computer knowledge. PLEASE HELP!! Thanks.



#2
July 8, 2009 at 08:09:30
This was the first one I ran while I still had the virus and the 2nd one was last night. This is from mbam:

```
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/4/2009 1:09:59 PM
mbam-log-2009-07-04 (13-09-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143413
Time elapsed: 38 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\Fonts\services.exe (Worm.Archive) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Jason\local settings\Temp\installb[2].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Jason\local settings\Temp\jdethtt22jysty234rjwg34g4346.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy49.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ld12.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpsaxyd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Fonts\services.exe (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\strt_1246713565.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
```

This was last night...

```
Malwarebytes' Anti-Malware 1.38
Database version: 2374
Windows 5.1.2600 Service Pack 3

7/7/2009 9:50:49 PM
mbam-log-2009-07-07 (21-50-49).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 147097
Time elapsed: 38 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
```

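A Malwarebytes log of the shape posted above is the evidence the helpers in this thread work from. As an added example (not from the original post and not Malwarebytes' own code), this Python parser reads a log in that format, checks that each section's declared count matches the entries actually pasted (a mismatch means the paste was truncated or mangled), pulls out the restored data-item hijacks (the `.exe`/`.com`/`.bat` handler entries that routed every program launch through the malware), and lists anything the pass only unloaded rather than quarantined. The sample log is constructed in the same format and is a shortened subset, not the poster's full log.

```python
import re
from collections import Counter

# Constructed, shortened sample in the shape of the Malwarebytes log posted above (not the poster's log).
SAMPLE_LOG = r"""Registry Data Items Infected: 2
Files Infected: 3

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tpsaxyd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\services.exe (Worm.Archive) -> Unloaded process successfully.
"""

ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
HIJACK = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")

def parse_mbam_log(text):
    """Return (declared per-section counts, parsed entries as dicts) from an MBAM log."""
    declared, entries, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if (m := SUMMARY.match(line)):            # "Files Infected: 13" in the summary block
            declared[m["section"]] = int(m["n"])
        elif line.endswith("Infected:"):          # "Files Infected:" opens a detail section
            section = line[:-1]
        elif section and (m := ENTRY.match(line)):
            e = {"section": section, "item": m["item"], "family": m["family"],
                 "action": m["rest"], "bad": None, "good": None}
            if (h := HIJACK.match(m["rest"])):    # data items carry the hijacked and restored values
                e.update(bad=h["bad"], good=h["good"], action=h["action"])
            entries.append(e)
    return declared, entries

def count_mismatches(declared, entries):
    """Sections whose declared count differs from the parsed entries: a truncated or mangled paste."""
    found = Counter(e["section"] for e in entries)
    return {s: (n, found[s]) for s, n in declared.items() if n != found[s]}

def shell_hijacks(entries):
    """Restored data items; a changed .exe/.com/.bat handler meant every program launch ran the malware first."""
    return [(e["item"], e["bad"], e["good"]) for e in entries if e["bad"] is not None]

def not_removed(entries):
    """Items this pass only unloaded or left alone rather than quarantined: rescan after reboot."""
    return [e["item"] for e in entries if "Quarantined" not in e["action"]]
```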

#3
July 8, 2009 at 08:12:50
Update your Malwarebytes and scan again.

If I'm helping you and I don't reply within 24 hours send me a PM.




#5
July 8, 2009 at 08:17:22
 I just updated my mbam. Should I run the complete scan or the quick scan? Thanks again for all your help!!


#6
July 8, 2009 at 08:21:55
Leave MBAM for now.

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

First Track this topic. Then follow:

1) Can you please post your AVZ log:

Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.
ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.
iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.

Note: If you are running Windows Vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

```
begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.
```

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Upload the logs to rapidshare.com and paste the download link in your next reply.

Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.


#7
July 8, 2009 at 08:42:53
I have 1 suggestion: find the version of Avast Pro antivirus and another software named Glary Utilities on the internet. First uninstall AVG and all other malware or spyware protecting software. Install Glary Utilities and open it, click on Maintenance and press Scan for Issues; there are many great features. Also install Avast Antivirus after uninstalling the present one, update Avast, select the option Schedule Boot-time Scan, select all the drives for the scan and restart the system. It will clear your PC and remove the virus. Glary Utilities will help you to repair the registry.


#8
July 8, 2009 at 08:57:43
Here are the three links to rapidshare like you asked.
http://rapidshare.com/files/2534449...
http://rapidshare.com/files/2534484...
http://rapidshare.com/files/2534492...

Now I am going to uninstall all my protecting software and download the others you recommended. Thanks again!! You have no idea how much I appreciate this!!


#9
July 8, 2009 at 09:03:01
I recommended? I didn't recommend anything unless I get to see what you have :). It was someone else.

If I'm helping you and I don't reply within 24 hours send me a PM.


#10
July 8, 2009 at 09:09:14
net ankit recommended??? Who is this? Should I not listen to him? Thanks for catching that because I was getting ready to uninstall my protection software!


#11
July 8, 2009 at 09:16:13
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before; your computer will reboot:

```
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\msrduam.exe','');
QuarantineFile('C:\WINDOWS\system32\msbjow.exe','');
DeleteFile('C:\WINDOWS\system32\msbjow.exe');
DeleteFile('C:\WINDOWS\system32\msrduam.exe');
ExecuteRepair(13);
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.
```

2) After reboot execute the following script in AVZ:

```
begin
CreateQurantineArchive('C:\quarantine1.zip');
end.
```

A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and private message me the download link.

3) Download, install and run ccleaner.

If I'm helping you and I don't reply within 24 hours send me a PM.


#12
July 8, 2009 at 10:18:31
 I have tried three times to upload this file to rapidshare. It uploads but doesn't give me a link like before. It will only give me the option to send the link via email. I try to send it to myself but it says there is no file...?


#13
July 8, 2009 at 10:49:58
What is the size of the file? Continue with the next steps.

If I'm helping you and I don't reply within 24 hours send me a PM.


#14
July 8, 2009 at 10:56:43
I am currently running the ccleaner. The file size says 1 KB. When I click on the properties it says size on disk is 4 KB.


#15
July 8, 2009 at 10:57:53
No need to send it; continue with steps 2 and 3.

If I'm helping you and I don't reply within 24 hours send me a PM.


#16
July 8, 2009 at 11:00:20
 The ccleaner is done. Anything next?


#17
July 8, 2009 at 11:05:06
Original problem fixed? Just to be sure, scan with:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...

Once you download and start the tool:
1. Check the below options:
   * Select all the objects/places to be scanned.
   * Settings > Customize > Heuristic analyzer > Enable deep rootkit search
2. Click Scan
3. Fix what it detects
4. Zip/Rar the scan log/summary and upload it to rapidshare.com. Post the download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.


#18
July 8, 2009 at 14:32:12
The scan with Kaspersky is at 99% and has detected:

Trojan program Exploit.JS.Pdfka.mq
File: C:\Documents and Settings\Jason\Local Settings\Temp\plugtmp-23\plugin-pfqe.php

It is saying the file cannot be disinfected. It is asking me to click delete or skip. Not sure what to do.


#19
July 8, 2009 at 14:39:52
Delete it. Original problem fixed?

If I'm helping you and I don't reply within 24 hours send me a PM.


#20
July 8, 2009 at 14:56:04
http://rapidshare.com/files/2535672...

Here is the link to the report from Kaspersky. I am going to restart my computer now and see if the error is gone. If it is gone, can I assume that it is safe to use my computer again as far as bank info and stuff? Also, what would you recommend over AVG Free as far as free virus, spyware, malware, and adware and whatever else kind of protection for my computer?


#21
July 8, 2009 at 15:06:18
Did you clean the registry with ccleaner? For free try:
avira
antispyware: malwarebytes/superantispyware.

If I'm helping you and I don't reply within 24 hours send me a PM.
