Trojan or Malware problem

Dell / DIMENSION 3000
July 28, 2009 at 04:43:43
Specs: Microsoft Windows XP Home Edition, 2.394 GHz / 1277 MB
Computer sometimes shuts down due to virus, plus I've had my home page reset and porn links added to the desktop. Please help!

July 28, 2009 at 06:53:54
1) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach Malwarebytes full scan log, fix anything detected.

2) Run full scan with SUPERAntiSpyware. Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 29, 2009 at 03:36:37
Tried to post response - but IE closed when I hit preview?
Couldn't download these programs from my IE - had to go through my work account - then zip and send to my hotmail account. Couldn't access the web sites either for an update (error).
I have tried these two programs and ATF cleaner last week with no success.
Here are my logs:
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

28/07/2009 10:14:55 PM
mbam-log-2009-07-28 (22-14-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150007
Time elapsed: 1 hour(s), 8 minute(s), 10 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 21

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Family\reader_s.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pridl (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> No action taken.
C:\Documents and Settings\Family\Application Data\pridl (Trojan.Downloader) -> No action taken.

Files Infected:
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> No action taken.
C:\Documents and Settings\Family\Application Data\pridl\pridl.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP3\A0002105.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP3\A0002124.sys (Rootkit.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\DRIVERS\protect.sys (Rootkit.Agent) -> No action taken.
c:\WINDOWS\Temp\VRT3.tmp (Malware.Tool) -> No action taken.
C:\WINDOWS\SYSTEM32\reader_s.exe (Malware.Trace) -> No action taken.
c:\WINDOWS\SYSTEM32\4.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\5.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\6.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\7.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\9.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\A.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\B.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\C.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\D.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\E.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\F.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Family\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Family\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> No action taken.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> No action taken.

SUPERAntiSpyware Scan Log

Generated 07/29/2009 at 00:21 AM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1894

Scan type : Complete Scan
Total Scan Time : 02:03:24

Memory items scanned : 404
Memory threats detected : 1
Registry items scanned : 6488
Registry threats detected : 0
File items scanned : 70846
File threats detected : 9


C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\fbk.sts


Adware.Tracking Cookie

July 29, 2009 at 04:45:23
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First, track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to game.pif and try to run it again. Pause/stop your antivirus and firewall software (if any), close games, text editors and all other programs; leave Internet Explorer/Firefox running, before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility.

--> Please navigate to "File" => "Custom Scripts". Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script.

--> Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box. Click on the "Execute selected scripts" button.
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as Upload to and paste the link here.
* It is necessary now to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan. All applications will work properly after the system restart.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to HijackThis: Here

In your next reply, please include download links to the following:
* HijackThis log

July 29, 2009 at 18:16:04
Couldn't access site via IE - had to go through my work account again then hotmail to get it.

Will run scans again and try to upload to rapidshare (never done this before).
Sorry Eric

July 29, 2009 at 18:19:56
Edit and delete your last post. Please read Response Number 3 carefully.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 30, 2009 at 04:23:33

July 30, 2009 at 06:30:50
Seems like you already ran combofix... Who told you to run it?

Download and run Kaspersky AVP tool in safe mode:
Once you download and start the tool in safe mode:

1) Check below options:
    * Select all the objects/places to be scanned.
2) Click Scan
3) Fix what it detects
4) Zip/Rar Scan log/Summary and upload it to Post download link in your next message.

Illustrated tutorial:

If I'm helping you and I don't reply within 24 hours send me a PM.

July 30, 2009 at 14:10:47
I tried to do a number of "fixes" before posting here....

I can't open the site to download file. Do I have to be in safe mode in order to download?

July 30, 2009 at 14:20:06
Just a piece of advice: don't perform fixes without knowing the problem. Manual removal tools are specialized tools; they can complicate the problem more if they're not used in the proper way.

Try this link for download:

If I'm helping you and I don't reply within 24 hours send me a PM.
