[Closed] antispywareupdates.net Infection.


This topic is locked. 2 replies to this topic.

#1 inf-pc
New Member, 1 post
Posted 03 April 2008 - 12:08 PM

Hi,
My PC is infected. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:30, on 03.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winlast.exe
C:\WINDOWS\system32\wnslogan.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\Администратор\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Администратор\Local Settings\Application Data\cftmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ru/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: NETWORK SERVICE - {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A} - C:\WINDOWS\system32\msupdate.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: C:\WINDOWS\system32\H4dj24g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\H4dj24g.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\Kf9467g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Kf9467g.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {F2F2A4CB-DAAD-4D0C-BDFC-E945647202C2} - c:\autoex.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [advap32] "C:\WINDOWS\system32\bskl387.exe"/r
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Администратор\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [windll] windll.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\wind32.exe
O4 - HKLM\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Администратор\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{41E9DEB3-F8ED-4564-900F-2E5895CEC111}: NameServer = 139.7.30.125,139.7.30.126
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Документы\Settings\partnership.dll
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\H4dj24g.dll (file missing)
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Kf9467g.dll (file missing)
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: Google Online Search Service - 2nd - Unknown owner - C:\WINDOWS\system32\winlast.exe
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\WINDOWS\system32\wnslogan.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\system32\imapi.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7106 bytes


For more info, here is the log from McAfee (AccessProtectionLog):

03.04.2008 18:49:07 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:08 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:09 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:10 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:11 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:12 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:14 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:15 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:15 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:16 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:17 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:18 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:19 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:20 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:21 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:22 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:33 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:34 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:35 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:36 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:37 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:38 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:39 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:40 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:41 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:42 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:43 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:43 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:43 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:43 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:44 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:44 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:44 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:44 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:44 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:45 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:45 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:45 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:45 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:45 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:46 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:46 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:46 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\USER\S-1-5-21-57989841-484763869-854245398-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create


I have copied the log files from the infected PC using a USB disk. After inserting the USB disk into the infected PC, I noticed that the *Trojan* has created two new files on the USB disk:

First file: autorun.inf, which contains the following:

Ycwvmpwl_

QjgnnGzgawvg?cwvmpwl,gzg


Second file: autorun.exe, size 77.1 KB (79,039 bytes)

Can you please help me disinfect the PC?

Thanks in advance.
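The HijackThis and Access Protection logs above can be triaged mechanically, and the two logs confirm each other: the fifteen `O2` entries that HijackThis reports as `(no file)` are exactly the fifteen CLSIDs McAfee logged `mgmrwmrv.exe` trying to write under `Browser Helper Objects`, and `mgmrwmrv.exe` is the extra executable chained into `UserInit`. The script below is an added example, not code from the original post, from HijackThis or from McAfee. The lookalike table, the "bad directory" patterns and the line-format regexes are this editor's assumptions, and the sample input is a constructed subset of the two logs as posted.

```python
"""Triage a HijackThis log and correlate it with McAfee Access Protection
events (added example; the heuristics are ours, not HijackThis's)."""
import re

# Constructed sample: a subset of the two logs posted above, embedded so the
# script runs offline. Point the functions at the full files for real use.
HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: NETWORK SERVICE - {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A} - C:\WINDOWS\system32\msupdate.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Администратор\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [windll] windll.exe
O4 - HKLM\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Документы\Settings\partnership.dll
O23 - Service: Google Online Search Service - 2nd - Unknown owner - C:\WINDOWS\system32\winlast.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
"""
MCAFEE_LOG = r"""
03.04.2008 18:49:07 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr Anti-virus Standard Protection:Prevent registry editor and Task Manager from being disabled Action blocked : Create
03.04.2008 18:49:43 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
03.04.2008 18:49:45 Blocked by Access Protection rule GGGPC\Администратор C:\WINDOWS\system32\mgmrwmrv.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}\@ Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions Action blocked : Create
"""

# Filenames one typo away from real Windows binaries (our table; extend as needed).
LOOKALIKES = {"cftmon.exe": "ctfmon.exe", "spools.exe": "spoolsv.exe",
              "winlogan.exe": "winlogon.exe", "csrssc.exe": "csrss.exe"}
# Directories where a legitimate autostart executable has no business living.
BAD_DIR = re.compile(r"\\temp\\|\\local settings\\application data\\|"
                     r"\\system32\\drivers\\[^\\]+\.exe$", re.I)
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.+)$")
BLOCKED_BHO = re.compile(r"rule \S+ (?P<proc>\S+) .*Browser Helper Objects\\\{(?P<clsid>[0-9A-Fa-f-]+)\}")


def triage_hjt(text):
    """Return (findings, orphan_bhos): findings is a list of
    (section, reason, detail); orphan_bhos the CLSIDs with no backing DLL."""
    findings, orphans = [], set()
    for line in text.strip().splitlines():
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Anything chained after userinit.exe runs at every logon.
            for exe in line.split("UserInit=", 1)[1].split(","):
                if exe and not exe.lower().endswith("\\userinit.exe"):
                    findings.append(("F2", "extra UserInit executable", exe))
        elif m := O4_RE.match(line):
            p = EXE_PATH.match(m["cmd"])
            path = p["path"] if p else m["cmd"]
            base = path.rsplit("\\", 1)[-1].lower()
            reasons = []
            if base in LOOKALIKES:
                reasons.append(f"lookalike of {LOOKALIKES[base]}")
            if BAD_DIR.search(path):
                reasons.append("runs from temp/profile/driver dir")
            if "\\" not in path:
                reasons.append("bare filename, resolved via search path")
            if reasons:
                findings.append(("O4", "; ".join(reasons), path))
        elif m := O2_RE.match(line):
            if m["file"] == "(no file)" or "(file missing)" in m["file"]:
                orphans.add(m["clsid"].lower())
            elif not m["file"].lower().startswith("c:\\program files\\"):
                findings.append(("O2", "BHO DLL outside Program Files", m["file"]))
        elif line.startswith("O20 - Winlogon Notify:"):
            dll = line.rsplit(" - ", 1)[-1]
            if "\\windows\\system32\\" not in dll.lower():
                findings.append(("O20", "Winlogon Notify DLL outside system32", dll))
        elif line.startswith("O23 - Service:"):
            parts = line.split(" - ")  # display names may themselves contain " - "
            if parts[-2] == "Unknown owner":
                findings.append(("O23", "service with unknown owner", parts[-1]))
    return findings, orphans


def blocked_bhos(text):
    """Map each BHO CLSID McAfee refused to register to the process that tried."""
    return {m["clsid"].lower(): m["proc"] for m in BLOCKED_BHO.finditer(text)}


def correlate(hjt_text, mcafee_text):
    """Tie orphan BHO entries in HJT to the process McAfee caught writing them."""
    findings, orphans = triage_hjt(hjt_text)
    blocked = blocked_bhos(mcafee_text)
    return findings, {c: blocked[c] for c in orphans if c in blocked}


if __name__ == "__main__":
    findings, linked = correlate(HJT_LOG, MCAFEE_LOG)
    for section, why, what in findings:
        print(f"{section:4} {why:45} {what}")
    for clsid, proc in linked.items():
        print(f"BHO {{{clsid}}} has no DLL; registration was attempted by {proc}")
```

The rules are deliberately simple, and the log shows their limit: `C:\WINDOWS\system32\wind32.exe` sits in the right directory under a plausible name and is flagged by none of them, so name and location heuristics only narrow the list; confirming the remaining system32 entries still needs hashes or signatures checked against a known-good set.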


#2 Rorschach112
Teacher Emeritus, Authentic Member, 3,651 posts
Posted 04 April 2008 - 07:47 AM

Hello

Please don't put the logs in quotes.


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 Rorschach112
Teacher Emeritus, Authentic Member, 3,651 posts
Posted 08 April 2008 - 06:47 PM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.
