Virus Problem

Sony / Vgn-fz290
May 23, 2009 at 23:03:46
Specs: Windows Vista
Hi, yesterday I got a virus on my computer, I think from a sketchy website that I happened to land on by mistake. Anyway, right away I had a bad feeling, so I went to run Malwarebytes and it wouldn't open. I realized today that if I renamed the application from mbam.exe to somethingelse.exe, it would open. So I ran Malwarebytes and it was able to remove about 30 things.

Here is the log before I removed everything.

Malwarebytes' Anti-Malware 1.36
Database version: 2146
Windows 6.0.6001 Service Pack 1

5/23/2009 2:04:34 PM
mbam-log-2009-05-23 (14-04-15).txt

Scan type: Quick Scan
Objects scanned: 85020
Time elapsed: 12 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 24
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coldware (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22d1d831-cd2c-4eee-97c3-eb171b2abcfc}\DhcpNameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22d1d831-cd2c-4eee-97c3-eb171b2abcfc}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{50244b75-b9d9-4346-80b2-babdbda0758c}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e1ec2a0c-3b6d-493c-8eab-9ff4d40a7a3a}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f3190096-33e1-494f-8233-2fe9ece13e18}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fb0c5311-c2b6-4939-9f93-bf0e36ae809b}\DhcpNameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fb0c5311-c2b6-4939-9f93-bf0e36ae809b}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22d1d831-cd2c-4eee-97c3-eb171b2abcfc}\DhcpNameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22d1d831-cd2c-4eee-97c3-eb171b2abcfc}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{50244b75-b9d9-4346-80b2-babdbda0758c}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e1ec2a0c-3b6d-493c-8eab-9ff4d40a7a3a}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f3190096-33e1-494f-8233-2fe9ece13e18}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{fb0c5311-c2b6-4939-9f93-bf0e36ae809b}\DhcpNameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{fb0c5311-c2b6-4939-9f93-bf0e36ae809b}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{22d1d831-cd2c-4eee-97c3-eb171b2abcfc}\DhcpNameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{22d1d831-cd2c-4eee-97c3-eb171b2abcfc}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{50244b75-b9d9-4346-80b2-babdbda0758c}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e1ec2a0c-3b6d-493c-8eab-9ff4d40a7a3a}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f3190096-33e1-494f-8233-2fe9ece13e18}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{fb0c5311-c2b6-4939-9f93-bf0e36ae809b}\DhcpNameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{fb0c5311-c2b6-4939-9f93-bf0e36ae809b}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Temp\13653909.tmp.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\ (Trojan.Agent) -> No action taken.
C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.

But the problem is that I can still only run Malwarebytes when I change the .exe file name. I tried running other programs like AVG or Trend Micro, and they will run, but when I try to update them they are somehow being prevented from reaching their hosts to download updates. Also, is blocked for me, surprisingly not only on my computer but on all computers in my home network.

So basically, if I run scans with Malwarebytes it will show no infections, but my computer is still messed up. Do you guys think that there are still infections on my computer, or are these just lingering effects? What would you recommend that I do?




May 24, 2009 at 02:10:15
... well at a glance "Trojan.DNSChanger"

... "DNSChanger" ... says a lot to me!

... why don't you try "regedit" from Start, "Run"

... follow all the paths "No action taken"

.. and "zap" them!

... "delete them" !!!

(1) Click on the Vista Start Orb (button)

(2) Click in the Start Search Dialog Box

(3) Type regedit

(4) Press enter (or double click Program: regedit)

"...pentathol makes you sing like a canary"
... got brain freeze
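The log in the first post and the regedit walk-through in this reply both come down to the same question: after deletion, is anything the scanner flagged still in place on the live system? The script below is an added example for this thread, not code posted by anyone in it. It re-reads the locations the Malwarebytes log named (NameServer and DhcpNameServer under every control set and interface, the HKCU Run key, .job files in %windir%\Tasks) and adds two checks the thread does not name but that fit the remaining symptoms: Image File Execution Options "Debugger" entries, one known way a program can be blocked by its file name, and hosts-file overrides, one way an updater can be kept from reaching its servers. The `$KnownGoodDns` list is an assumption; fill it with the resolvers you actually expect on your network.

```powershell
# Added example for this thread (not code posted by anyone in it).
# Re-checks, on the live system, the places the Malwarebytes log pointed at,
# plus IFEO Debugger entries and hosts-file overrides for the remaining symptoms.
# Requires PowerShell 2.0 or later, run from an elevated prompt.
# $KnownGoodDns is an assumption: put the resolvers you really expect in it.

$KnownGoodDns = @('192.168.1.1')   # assumed value; your router or ISP resolvers here
$findings = New-Object System.Collections.ArrayList

function Add-Finding($Check, $Location, $Value) {
    [void]$findings.Add((New-Object PSObject -Property @{
        Check = $Check; Location = $Location; Value = $Value
    }))
}

# 1. Resolver settings. The log shows the same hijack replicated in
#    CurrentControlSet, ControlSet001 and ControlSet003, so walk every
#    ControlSetNNN key (CurrentControlSet is a link to one of them): a fix
#    applied only to the current set can be undone by a "Last Known Good" boot.
$controlSets = @(Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    ForEach-Object { $_.PSChildName })
foreach ($cs in $controlSets) {
    $base = "HKLM:\SYSTEM\$cs\Services\Tcpip\Parameters"
    $keys = @($base)                          # global value, then each interface
    if (Test-Path "$base\Interfaces") {
        $keys += @(Get-ChildItem "$base\Interfaces" | ForEach-Object { $_.PSPath })
    }
    foreach ($key in $keys) {
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($item -eq $null) { continue }
            # The value is a list of IPv4 addresses separated by commas or spaces.
            foreach ($server in ([string]$item.$name) -split '[ ,]+') {
                if ($server -ne '' -and $KnownGoodDns -notcontains $server) {
                    Add-Finding 'DNS' "$key\$name" $server
                }
            }
        }
    }
}

# 2. Autostart values. The log's persistence was HKCU\...\Run\coldware; list
#    every Run/RunOnce value in both hives so a renamed copy is not missed.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        Add-Finding 'Run' "$key\$name" $regKey.GetValue($name)
    }
}

# 3. Legacy task files. The Trojan.FakeAlert item was a .job in %windir%\Tasks.
Get-ChildItem "$env:windir\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Task' $_.FullName $_.LastWriteTime }

# 4. "mbam.exe only runs when renamed": an IFEO Debugger value redirects any
#    launch of that file name. The thread does not say this is what happened,
#    so a hit here is something to inspect (debuggers also create them), not proof.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO' $_.PSChildName $dbg }
}

# 5. hosts file: any active entry besides localhost can point an update server
#    at the wrong address on this machine alone.
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
Get-Content $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()      # strip comments; skip blank lines
    if ($line -eq '') { return }
    $fields = $line -split '\s+'
    if ($fields[1] -ne 'localhost') { Add-Finding 'Hosts' $hostsPath $line }
}

if ($findings.Count -eq 0) {
    'No unexpected DNS, autostart, task, IFEO or hosts entries found on this host.'
} else {
    $findings | Format-Table Check, Location, Value -AutoSize -Wrap
}
```

The script only sees this one host. The first post says the block affects every computer on the home network, which points past the PC to the path they all share, so the router's own DNS settings (the resolvers it uses upstream and the ones it hands out over DHCP) deserve the same comparison against the known-good list by hand; from the host side, a `DhcpNameServer` value holding an unexpected address is what that looks like. Note also that the posted log shows empty data fields (`Data:,`), so the thread itself gives no addresses to compare against.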


May 24, 2009 at 15:17:10
All of the objects on the Malwarebytes log were deleted. I was able to run HijackThis in safe mode. I deleted a few things, but I am still being blocked from certain websites, and programs like Ad-Aware aren't being allowed to update via the internet. Any ideas on how to solve this?


May 24, 2009 at 15:30:45
Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.


Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called inside. Upload that file to and paste the link here.

Image Tutorial

PS: Post the names of things you deleted.


