Bck/Tdss.BC Help!

Gigabyte ?
July 13, 2009 at 22:49:31
Specs: XP Professional, AMD Athlon 1.53 GHz/ 1 GB
Hi everyone!

I got hit by a serious virus just yesterday.
Performed multiple scans w/ AVG which found
a host of viruses and it stated that it
successfully cleaned them. But, my
Malwarebytes won't run and every once in
awhile...get this...Michael Jackson's "Heal the
World" comes on out of nowhere!!! What
kinda sicko would create such a thing?!

And, every once in awhile, a Google installer
error message would pop-up telling me that it
encountered a problem and needs to close.

I ran Panda's online scan and found
out that I still have the "Bck/Tdss.BC" virus,
"trj/qhost.gen" and "application/altnet" on
my system and it was deemed as "Not
disinfectable".

Any ideas? I'd really appreciate it! Thank you!




#1
July 14, 2009 at 04:47:32
Download and run Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool in safe mode:

1) Check below options:
   * Select all the objects/places to be scanned.
2) Click Scan
3) Fix what it detects
4) Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#2
July 15, 2009 at 17:03:48
Hi, JDK!

Thanks for your assistance. It found about 8 infected objects and successfully cleaned them all. But, the scanner hit a snag the first run, so I had to re-install and do it over again. The scan log summary only shows this:

Scan
----
Scanned: 1085931
Detected: 8
Untreated: 0
Start time: 7/14/2009 11:53:13 PM
Duration: 18:04:20
Finish time: 7/15/2009 5:57:33 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Java.ClassLoader.as File: C:\Documents and Settings\Andy Nguyen\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-47f127e-3c0e9a18.zip/BnnnnBaa.class
deleted: Trojan program Trojan.Java.ClassLoader.as File: C:\Documents and Settings\Andy Nguyen\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-47f127e-3c0e9a18.zip/VaannnaaBaa.class
deleted: Trojan program Trojan.Java.ClassLoader.as File: C:\Documents and Settings\Andy Nguyen\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-47f127e-3c0e9a18.zip/Bnnnnn.class
disinfected: Trojan program Trojan.Java.ClassLoader.as File: C:\Documents and Settings\Andy Nguyen\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-52764dc0-683e4e07.zip
deleted: virus Net-Worm.Win32.Koobface.aqm File: C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\2.tmp
deleted: Trojan program Trojan.Win32.Agent2.kwl File: C:\Documents and Settings\Andy Nguyen\Local Settings\Temp\~TM7.tmp
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.eyw File: C:\WINDOWS\system32\wisdstr.exe
deleted: Trojan program Trojan.Win32.Agent2.kwl File: C:\WINDOWS\system32\wbem\proquota.exe


Events
------
Time Name Status Reason
---- ---- ------ ------
7/14/2009 11:54:07 PM Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Custom
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search Yes
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----


Is that good enough? Or, do you need me to do it over again? Let me know. Thank you!!!



#3
July 15, 2009 at 17:08:01
Good enough. Follow:

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

3) Follow these steps in the order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
July 15, 2009 at 22:09:10
Hi, jdk!

I think I may have screwed up! I followed your directions and everything worked as planned until I got to GMER. It would scan for a bit, then would kick me to a blue screen stating "A problem has been detected and Windows has been shut down, etc...", "DRIVER_IRQL_NOT_LESS_OR_EQUAL", "Technical Info: Stop: 0X000000D1", etc...

So, I thought that Kaspersky might be interfering and against your wishes, I unwisely uninstalled it. Stupid, I know...I'm very sorry.

I rebooted and tried scanning GMER again, but, got the same thing. Then, I guess a virus reloaded itself, I heard a voice congratulating me for something (spooky!), my computer stalled, rebooted on its own and now I have a red circle with an "X" in my taskbar.

I also forgot to mention that I have some type of icon on my desktop named "delself".

I'm gonna click submit before it happens again...and, I have to type all this over again.



#5
July 15, 2009 at 22:12:01
AVZ:
(downloaded file: avz4)
http://rapidshare.com/files/2563393...
ml

DDS:
http://rapidshare.com/files/2563395...

Attach:
http://rapidshare.com/files/2563396...

Note: These were all performed before the virus reinstalled itself (Congratulations! and Red circle w/ "X")



#6
July 16, 2009 at 06:45:31
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DelBHO('-{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}');
DelBHO('-{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}');
QuarantineFile('C:\WINDOWS\winstart.bat','');
QuarantineFile('C:\WINDOWS\System32\browseui.dll','');
QuarantineFile('C:\DOCUME~1\ANDYNG~1\LOCALS~1\Temp\b.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\UACclrpifmlwfiktrnoa.dll','');
DeleteFile('\\?\globalroot\systemroot\system32\UACclrpifmlwfiktrnoa.dll');
DeleteFile('C:\DOCUME~1\ANDYNG~1\LOCALS~1\Temp\b.exe');
DeleteFile('C:\windows\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and private message me the download link.

3) Redo Response Number 3, step 3 (GMER); if it doesn't work, redo it in safe mode.

If I'm helping you and I don't reply within 24 hours send me a PM.



#7
July 16, 2009 at 16:47:51
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

2) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.



#8
July 16, 2009 at 16:53:01
Also: Please download MBR.exe from here ->
http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double click on it.

A new text file will appear on your desktop, created by the tool. Copy and paste that file here, please.

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
July 16, 2009 at 18:05:33
MBR text:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer,
http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
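
The four lines above are the whole of the check the tool performs: sector 0 is read once from user mode and once from kernel mode (the "user:" and "kernel:" lines), and the verdict is OK only when both copies are identical, since a stealth MBR rootkit that filters ordinary reads of the boot sector shows up as a difference between the two views. As an added illustration for this thread (not Gmer's code, and using a constructed 512-byte sector rather than a real disk), here is a Python version of that comparison alongside a parser for the MBR partition table. It shows why a tampered boot sector whose partition table is untouched still parses cleanly and is only caught by the comparison:

```python
"""Parse a 512-byte MBR and compare two reads of it.

Added example for this thread; not Gmer's code. The sector contents are
constructed here, not read from a disk.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
PT_OFFSET = 446         # the four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"  # bytes 510-511 of a valid MBR


@dataclass
class Partition:
    bootable: bool
    type_id: int      # 0x07 = NTFS, 0x0B/0x0C = FAT32, 0 = unused slot
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> List[Partition]:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, type_id = e[0], e[4]
        lba_start, sectors = struct.unpack("<II", e[8:16])  # little-endian LBA fields
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def compare_reads(user_view: bytes, kernel_view: bytes) -> Tuple[str, List[int]]:
    """Same verdict style as the tool: identical copies are OK; otherwise report
    how many bytes differ and in which region the first difference lies."""
    if user_view == kernel_view:
        return "user & kernel MBR OK", []
    diffs = [i for i in range(SECTOR) if user_view[i] != kernel_view[i]]
    first = diffs[0]
    region = ("boot code" if first < PT_OFFSET
              else "partition table" if first < 510 else "boot signature")
    return f"MBR mismatch: {len(diffs)} byte(s) differ, first in {region} at offset {first}", diffs


def build_clean_mbr() -> bytes:
    """Constructed clean MBR: placeholder boot code (a jump-to-self stub padded
    with zeros), one bootable NTFS partition at LBA 63, and the signature."""
    boot_code = b"\xEB\xFE" + b"\x00" * 444
    # status 0x80 (bootable), dummy CHS bytes, type 0x07, dummy CHS end, LBA start, size
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2097152)
    table = entry + b"\x00" * 16 * 3
    mbr = boot_code + table + BOOT_SIG
    assert len(mbr) == SECTOR
    return mbr


def build_tampered_mbr() -> bytes:
    """Same sector with its first 16 bytes of boot code overwritten by a constructed
    stand-in (NOPs). Partition table and signature are untouched, so table parsing
    alone cannot tell the two apart."""
    clean = build_clean_mbr()
    return b"\x90" * 16 + clean[16:]


if __name__ == "__main__":
    clean, tampered = build_clean_mbr(), build_tampered_mbr()
    print(parse_mbr(clean))
    print(compare_reads(clean, clean)[0])     # what a clean machine reports
    print(compare_reads(clean, tampered)[0])  # filtered user-mode view vs. real sector
```

The second compare_reads call models the rootkit case: the user-mode read hands back the original sector while the kernel read sees the modified one, and the report points at the boot-code region where the two disagree.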



#10
July 16, 2009 at 18:09:45
----------------------------

If I'm helping you and I don't reply within 24 hours send me a PM.



#11
July 16, 2009 at 18:44:01
Follow:
1) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, fix anything detected.

2) Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#12
July 16, 2009 at 20:31:57
Per Response #10 -

Please confirm: You want me to do the entire "Response #7" all over again?

Thank you!



#13
July 16, 2009 at 20:36:14
No need to. Continue with Response Number 11. Is your original problem fixed?

If I'm helping you and I don't reply within 24 hours send me a PM.



#14
July 16, 2009 at 20:46:07
Well, Michael Jackson isn't coming on anymore and it seems to be acting a bit less squirrelly. The red circle with the white "X" is gone from my tray.

Although, I still get a SpywareGuard warning that something is still trying to change my homepage and whether I want to change it back to the original.

Also, that "delself" thing is still on my desktop.

Shall I continue to #11? If so, shall I do it in "safe mode"? Please advise. Thank you!



#15
July 16, 2009 at 21:25:33
In normal mode continue #11. What delself? Post a screenshot of it.

If I'm helping you and I don't reply within 24 hours send me a PM.



#16
July 17, 2009 at 00:04:18
Per your request:

Malwarebytes log:

Malwarebytes' Anti-Malware 1.39
Database version: 2447
Windows 5.1.2600 Service Pack 3

7/17/2009 12:43:07 AM
mbam-log-2009-07-17 (00-43-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 218441
Time elapsed: 1 hour(s), 1 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\andy nguyen\local settings\application data\Google\Chrome\user data\Default\Cache\f_00a588 (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACclrpifmlwfiktrnoa.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACohrtqttlxgwyhobeg.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACrbfppjqwsqilqdulq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACturrwablhrqutqfqd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACvkkixnantokvkootp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{aa9a5ba1-9577-4c32-aa8e-7c3969a983ef}\RP0\A0000002.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\benfuse.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

SuperAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/17/2009 at 01:52 AM

Application Version : 4.26.1006

Core Rules Database Version : 4001
Trace Rules Database Version: 1941

Scan type : Complete Scan
Total Scan Time : 00:54:09

Memory items scanned : 437
Memory threats detected : 0
Registry items scanned : 6309
Registry threats detected : 1
File items scanned : 22979
File threats detected : 67

Adware.Tracking Cookie
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@trafficmp[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@adsrevenue[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@www.toseeka[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@go[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@adprotraffic[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@zedo[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@mediaplex[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@ads.vidsense[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@serw.clicksor[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@cdn4.specificclick[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@advertising[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@ads.teleint[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@fastclick[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@hypertracker[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@tracking.realtor[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@doubleclick[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@enhance[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@adultadworld[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@ads.clicksor[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@cgi-bin[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@c5.zedo[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@myroitracking[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@specificmedia[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@questionmarket[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@tns-counter[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@network.realmedia[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@ad.zanox[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@ads.pointroll[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@toseeka[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@247realmedia[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@homestore.122.2o7[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@revsci[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@houston_640_450k_30sec[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@admarketplace[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@banner_js[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@optimize.indieclick[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@apmebf[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@ads.mail[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@specificclick[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@media6degrees[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@banner_js[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@shopica[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@autophoto.oddcast[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@statcounter[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@adserver.adtechus[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@casalemedia[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@bs.serving-sys[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@clicksor[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@rotator.adjuggler[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@serving-sys[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@ad.yieldmanager[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@atdmt[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@iacas.adbureau[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@pro-market[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@bridge2.admarketplace[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@collective-media[1].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@adbrite[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@dc.tremormedia[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@media[2].txt
C:\Documents and Settings\Andy Nguyen\Cookies\andy nguyen@realmedia[2].txt
C:\Documents and Settings\Visitor\Cookies\visitor@server.cpmstar[2].txt
C:\Documents and Settings\Visitor\Cookies\visitor@accounts[2].txt

Rogue.XP AntiSpyware2009-Trace
C:\Documents and Settings\Andy Nguyen\Desktop\delself.bat

Rogue.Component/Trace
HKU\S-1-5-21-1078081533-764733703-725345543-1004\Software\Microsoft\FIAS4057

Trojan.Agent/Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9A5BA1-9577-4C32-AA8E-7C3969A983EF}\RP0\A0000004.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9A5BA1-9577-4C32-AA8E-7C3969A983EF}\RP0\A0000006.DLL

Trojan.Agent/Gen-Dropper[Multi]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9A5BA1-9577-4C32-AA8E-7C3969A983EF}\RP0\A0000144.EXE

Thank you!
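
The Malwarebytes log in the post above is a fixed-format text report: a block of per-section counts, then one "<object> (<family>) -> <action>" line per finding under each section header, with registry data items carrying an extra "Bad: (..) Good: (..)" pair showing the value the malware set and the value that was restored. As an added example for this thread (not Malwarebytes' code and not from the thread's participants), here is a small parser that turns such a log into structured findings, cross-checks the listed entries against the summary counts, and pulls out the Security Center *DisableNotify values that had been flipped to 1, which is how the infection silenced the antivirus, firewall and update warnings. The embedded sample is a trimmed excerpt of the log above: the summary still says 10 files but only 3 are listed, so the cross-check flags that section.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into structured findings.

Added example for this thread; not Malwarebytes' code. SAMPLE_LOG is a trimmed
excerpt of the log posted in the thread (summary counts kept, most file lines
dropped), so the count cross-check below reports the "Files Infected" section.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Section headers ("Files Infected:") and summary counts ("Files Infected: 10").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# One finding; the "Bad: (..) Good: (..)" part only appears for registry data items.
ENTRY_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+)$"
)

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2447
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 218441

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Data Items Infected: 4
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACclrpifmlwfiktrnoa.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str
    obj: str
    family: str
    action: str
    bad: Optional[str] = None   # value the malware had set (registry data items only)
    good: Optional[str] = None  # value MBAM restored


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'findings': [Finding, ...]}."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:   # a line of the summary block
                summary[m.group("name")] = int(m.group("count"))
                section = None
            else:                               # start of a detail section
                section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        e = ENTRY_RE.match(line)
        if e:
            findings.append(Finding(section, e["obj"], e["family"],
                                    e["action"].rstrip("."), e["bad"], e["good"]))
    return {"summary": summary, "findings": findings}


def count_mismatches(report):
    """Sections whose summary count differs from the entries actually listed,
    a sign the log was truncated or edited before it was posted."""
    listed = Counter(f.section for f in report["findings"])
    return {name: (n, listed.get(name, 0))
            for name, n in report["summary"].items() if n != listed.get(name, 0)}


def security_center_tampering(report):
    """Security Center *DisableNotify value names the malware had set to 1."""
    return sorted({f.obj.rsplit("\\", 1)[-1] for f in report["findings"]
                   if f.family == "Disabled.SecurityCenter" and f.bad == "1"})


def family_counts(report):
    """How many findings each detection family accounts for."""
    return Counter(f.family for f in report["findings"])


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(family_counts(rep))
    print("notifications disabled:", security_center_tampering(rep))
    print("count mismatches:", count_mismatches(rep))
```

Run against the full log as posted, count_mismatches would come back empty; on the excerpt it reports the 10-versus-3 gap in the Files section, which is the check to run before trusting any log that arrives by copy and paste.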



#17
July 17, 2009 at 05:41:49
Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

Is the problem solved or still there?

If I'm helping you and I don't reply within 24 hours send me a PM.



#18
July 17, 2009 at 19:04:04
Everything looks good, my friend. Thank you!

Should I just delete/uninstall all the programs that I downloaded? Combofix stated that it was deleted, but, I still see the icon on my desktop. Can I just trash it?



#19
July 17, 2009 at 19:19:55
Yes, you can delete all the tools. Also download CCleaner and run the temp and registry cleaner with it.

If I'm helping you and I don't reply within 24 hours send me a PM.



#20
July 17, 2009 at 19:33:31
Is the registry part necessary? It's asking me to back up the registry and I get a little gun-shy when anything has to do w/ the registry. Please advise.


#21
July 17, 2009 at 19:36:36
Yes, it's advisable. You can back up your registry with http://www.snapfiles.com/opinions/E... or CCleaner.

If I'm helping you and I don't reply within 24 hours send me a PM.



#22
July 17, 2009 at 22:52:48
Done deal, my friend! You're a genius!

Thank you so much for all your help!

