Trojans mdelk.exe & wintems.exe, please need help!

Hello

You should delete this folder

C:\Deckard

The viruses have been removed, so you have nothing to worry about with that folder.


And the programs HijackThis and ERUNT, should I uninstall them too?
Yes, it is best if you remove these for your own safety.


Any other questions for me ?
 
Hi,

Sorry for the delay, but I had to run SpyBot 3 times and it showed 5 spyware items: :oops:

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.E: [SBI $FC4E0548] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\DateTime4

Win32.Banker.ekn: [SBI $2636392B] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv

Win32.Banker.ekn: [SBI $899F74E1] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv

Win32.Banker.ekn: [SBI $D3EF9AE2] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv

The first two have been fixed, but the other 3 (Win32.Banker.ekn) still remain. I've run AVG and it detected nothing.

First, I was thinking that they were SpywareGuard's entries, so I uninstalled it and ran Spybot 2 times, but nothing. Actually, SpywareGuard has made my PC much slower, including the boot. Is it normal? It seems to be some incompatibility with SpyBot or AVG or SpywareBlaster.

Why did IceSword not detect these entries?
Well, these entries make me worry. What should we do?

Thanks again.
 
Hello

I wouldn't worry about them, they are orphaned registry entries. Let's nuke them anyway though.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Code:
Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\FirstRRRun]

[-HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\DateTime4]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv]


Then double click on the fix.reg file, when it prompts to merge click "Yes".




Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Let me know how that goes.
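The procedure above (back the registry up, then delete the three GbpSv service keys) can be made safer by checking, before each delete, that the key really is orphaned: its ImagePath should point to a binary that no longer exists and no service of that name should be loaded. The script below is an added editorial example, not code from the original thread or from the helper; it assumes PowerShell 3 or later and reg.exe, run from an elevated prompt, and uses a per-key reg.exe export as the backup instead of the ERUNT step.

```powershell
# Added editorial example, not from the original thread.
# Assumes Windows with PowerShell 3+ and reg.exe, run elevated.
# For each Spybot-reported GbpSv key: confirm it is orphaned (no loaded
# service, ImagePath binary missing), export a backup, then delete it.

$ServiceName = 'GbpSv'
$BackupDir   = Join-Path $env:USERPROFILE 'Desktop\regbackup'
$Keys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\GbpSv',
    'HKLM:\SYSTEM\ControlSet002\Services\GbpSv',
    'HKLM:\SYSTEM\CurrentControlSet\Services\GbpSv'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# If the Service Control Manager knows a service of that name, it is not orphaned.
$live = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($live) {
    Write-Warning "Service '$ServiceName' is registered (status: $($live.Status)); not orphaned. Stop it and identify its binary before touching the keys."
    return
}

foreach ($key in $Keys) {
    if (-not (Test-Path $key)) {
        Write-Host "$key : not present"
        continue
    }
    $props     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $imagePath = $props.ImagePath

    # ImagePath may be quoted, carry arguments, or use \??\ / \SystemRoot\ / System32\ prefixes.
    $binary = $null
    if ($imagePath) {
        $p = $imagePath.Trim()
        if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] }
        else                    { $p = ($p -split ' ')[0] }
        $p = $p -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        $p = $p -replace '^System32\\',     ($env:SystemRoot + '\System32\')
        $binary = $p
    }
    $binaryExists = $binary -and (Test-Path -LiteralPath $binary)

    Write-Host "$key"
    Write-Host "  ImagePath      : $imagePath"
    Write-Host "  Binary on disk : $binaryExists"

    if ($binaryExists) {
        Write-Warning "  Binary still exists; treat this as live, not orphaned. Quarantine $binary before removing the key."
        continue
    }

    # Per-key backup with reg.exe (same idea as the ERUNT step, but only for this key).
    $regPath    = $key -replace '^HKLM:\\', 'HKLM\'
    $backupFile = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "  Backup failed for $regPath; skipping delete."
        continue
    }

    Remove-Item -Path $key -Recurse -Force
    Write-Host "  Deleted (backup: $backupFile)"
}
```

CurrentControlSet is a link to whichever ControlSet00N is listed under HKLM\SYSTEM\Select\Current, so removing the key under one name also removes it under the other; the Test-Path check at the top of the loop is what keeps the script from reporting an error on the second pass.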
 
Hi,

I've done what you told me, but SpyBot still detects the 3 entries for 'Win32.Banker.ekn'. :sad:

I've run SUPERAntiSpyware and it detected some threats, but not the 'Win32.Banker.ekn' entries. They are in quarantine. Should I delete them from there?

Then I ran Kaspersky and it detected some other threats too.

The logs follow:



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/21/2008 at 10:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 02:48:20

Memory items scanned : 389
Memory threats detected : 0
Registry items scanned : 8642
Registry threats detected : 0
File items scanned : 135508
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\ROBERIO\Cookies\roberio@ads.abril.com[1].txt
C:\Documents and Settings\ROBERIO\Cookies\roberio@ad.adnetwork.com[2].txt

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\STU.DLL

Unclassified.Unknown Origin
D:\MEUS DOCUMENTOS\PROGRAMAS\PESSOAIS\PC\DRIVES\P4P800E-DELUXE\378RAID_100137\378RAID\WINXP\FASTTX2K.SYS



The Kaspersky log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 22, 2008 9:53:51 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/01/2008
Kaspersky Anti-Virus database records: 526268
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 235839
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 03:22:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dados de aplicativos\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\.housecall6.6\Quarantine\mdelk.exe.bac_a01456 Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\MSHist012008012220080123\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\UserData\index.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP170\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8925.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Meus Documentos C\Programas\Diversos\DAP 5.3.9.8 & Language\dap53lang.exe/WISE0021.BIN/dapiebar.dll Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\Meus Documentos C\Programas\Diversos\DAP 5.3.9.8 & Language\dap53lang.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\Meus Documentos C\Programas\Diversos\DAP 5.3.9.8 & Language\dap53lang.exe WiseSFX: infected - 2 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP89\A0012905.exe Object is locked skipped
E:\System Volume Information\_restore{ED8B2F9C-2807-476C-9B80-AF4C801C46F9}\RP354\A0053864.exe/WISE0021.BIN/dapiebar.dll Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\System Volume Information\_restore{ED8B2F9C-2807-476C-9B80-AF4C801C46F9}\RP354\A0053864.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\System Volume Information\_restore{ED8B2F9C-2807-476C-9B80-AF4C801C46F9}\RP354\A0053864.exe WiseSFX: infected - 2 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 
I wouldn't worry about those entries.

Run Spybot in Safe Mode and see if that removes them.

Neither Kaspersky nor SUPERAntiSpyware detected anything, so that's good. They are just orphaned registry keys.

How is your PC running? Any problems?
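Reading the Kaspersky report posted above takes some filtering: most lines are "Object is locked skipped" (files the online scanner could not open, not detections), and of the real hits, the Bagle detection sits in the HouseCall quarantine folder, while the DAP adware hits are inside an installer archive and inside System Restore points. The script below is an added editorial example, not code from the original thread; it assumes PowerShell 3 or later, and the sample lines are copied from the posted report except for the last one, which is a constructed "live file" line added for illustration.

```powershell
# Added editorial example, not from the original thread. Assumes PowerShell 3+.
# Triage of Kaspersky Online Scanner report lines: drop the "Object is locked"
# noise, keep the "Infected:" lines, and say where each detection lives,
# because a hit in a quarantine folder, a System Restore point or an
# installer archive is not a running infection.

$ReportLines = @(
    # copied from the report posted in the thread
    'C:\WINDOWS\system32\config\SAM Object is locked skipped',
    'C:\Documents and Settings\ROBERIO\.housecall6.6\Quarantine\mdelk.exe.bac_a01456 Infected: Email-Worm.Win32.Bagle.of skipped',
    'E:\Meus Documentos C\Programas\Diversos\DAP 5.3.9.8 & Language\dap53lang.exe/WISE0021.BIN/dapiebar.dll Infected: not-a-virus:AdWare.Win32.Dap.c skipped',
    'E:\System Volume Information\_restore{ED8B2F9C-2807-476C-9B80-AF4C801C46F9}\RP354\A0053864.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Dap.c skipped',
    # constructed line (not in the posted report) to show the live-file branch
    'C:\WINDOWS\SYSTEM32\STU.DLL Infected: Trojan.Downloader-Gen skipped'
)

function Get-KavDetections {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Only lines of the form "<path> Infected: <name> <action>" are detections.
        if ($line -match '^(?<path>.+?) Infected: (?<name>\S+) (?<action>\w+)$') {
            $path = $Matches['path']
            $name = $Matches['name']
            $location =
                if     ($path -match '\\Quarantine\\|\.bac_')            { 'quarantine' }
                elseif ($path -match '\\System Volume Information\\')   { 'system-restore' }
                elseif ($path -match '\.(exe|zip|cab|rar)/')            { 'inside-archive' }
                else                                                    { 'live-file' }
            [pscustomobject]@{
                Path     = $path
                Threat   = $name
                Location = $location
                Adware   = ($name -like 'not-a-virus:*')
                Action   = $Matches['action']
            }
        }
    }
}

$detections = Get-KavDetections -Lines $ReportLines
$detections | Format-Table Location, Threat, Adware, Path -AutoSize

# Anything classed live-file is what actually needs removal; the rest is
# cleaned by emptying quarantine, turning System Restore off and on, or
# deleting the installer.
$detections | Group-Object Location | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
```

Run against the real report with `Get-KavDetections -Lines (Get-Content .\report.txt)`; the "WiseSFX: infected - 2" summary lines use a lowercase "infected" and are intentionally not matched, since they only repeat the archive hits listed just above them.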
 
Hi,

Sorry again for the delay. Now I have hardware problems. First, I couldn't enter Safe Mode to run SpyBot as you said: my motherboard simply uses the F8 key to select between boot devices, and I do not know another way to enter Safe Mode. Second, I've just realized the CPU's fan is not working properly and the chip is becoming a sun inside the box. :sick: Of course my PC is off now and I'm writing this letter from another one.

But I think the software side of it is as well as ever. If you say that I should not concern myself with those entries, I believe you.

I should say 'THANK YOU' many times, but it would be boring for both of us. Let us say we need more guys like you on the planet. God bless you, man. That's it.

Robério, the Kankiz.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
 