Jump to content

Change Mode

Fake System Defragmenter

Recommended Posts

Okay I've got a virus problem that AVG and MABM wont remove, they find it they say they remove it i restart the computer and its back!

System Defragmenter seems to be the main thing but there is a windows secruity aleart icon in taskbar that I know is fake.

AVG and maleware are both uptodate in their viruses. I read a few guides online on how to delete the regkeys and what not apparently the creator has worked around that by this point. System Defragmenter 2.0? Sigh I need some help dunno what to try from here. I had kaspersky trial ran out for that.



Link to post
Share on other sites

I tried that at the very beginning when i realized the computer was infected i cut off the wifi went into safemode and ran maleware, same thing it said it removed it but after the restart it poped back up.


I see why it wont be deleted, part of it is in c:\System Volume Information\Restore blah blah blah

I guess thats why it wont delete =/


Occasional avg will pop up a message and ask me to ignore, move to vault. I click move to vault it seems the virus shuts avg down. but avg starts itself back up a few minutes later. The struggle for the computer

Edited by micha3l87
Link to post
Share on other sites

Sure, I'm not sure how to post AVG, I click history, view scan results and click command line scan and it just shows the 11 files in the avg window not a notepad. No way to copy them but it seems to be the same as the ones below.


Malwarebytes' Anti-Malware 1.46



Database version: 4944


Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702


10/25/2010 3:47:43 PM

mbam-log-2010-10-25 (15-47-43).txt


Scan type: Full scan (C:\|)

Objects scanned: 264511

Time elapsed: 1 hour(s), 41 minute(s), 48 second(s)


Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11


Memory Processes Infected:

(No malicious items detected)


Memory Modules Infected:

(No malicious items detected)


Registry Keys Infected:

(No malicious items detected)


Registry Values Infected:

(No malicious items detected)


Registry Data Items Infected:

(No malicious items detected)


Folders Infected:

(No malicious items detected)


Files Infected:

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059851.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059848.exe (Email.Flooder) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059849.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059850.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059852.exe (Worm.Palevo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059853.exe (Worm.Palevo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059854.exe (Worm.Palevo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059855.exe (Worm.Palevo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059856.exe (Worm.Palevo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059857.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP167\A0059858.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Disable System Restore then re-enable it the run another full scan. That should take care of it.


If you have the time and are willing to see it there's anything else "hiding", I'd run this scanner. All it does is detect, not clean, but it will give us some idea if further work is needed in our HJT Forum.


The below scan can take up to an hour or longer, please be patient.



It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Please do a scan with Kaspersky Online Scanner or from here



Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial



(Note.. for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin



In your next reply post:

  • Kaspersky log
Link to post
Share on other sites

No, here's how.

Click Start>Right Click My Computer>Left Click Properties>Left Click System Restore>then place a check in the box(click the box) for Turn Off System Restore>Left Click Apply>Left Click Yes.


To turn it back on, uncheck the box>click apply>click OK.

Link to post
Share on other sites



D/l and run Revo Uninstaller so it can get rid of any files, folders and registry entries left behind after the uninstall. Use the "Hunter Mode" and move the croshairs over the desktop icon the run it.


http://techdows.com/2010/08/uses-of-hunter-mode-in-revo-uninstaller.html <---how to use Hunter Mode

Edited by Tx Redneck
Link to post
Share on other sites

Still trying to run kaspersky. 4 hours and it only had 20% done. I left it on all night so maybe it would be done and apparently windows decided it was going to do some downloading of its own and restart my computer >.>

It did find 1 infection last i seen - starting the scan over now just wanted to let you know where i was.

Link to post
Share on other sites

Look for this file Anti_Bsod_Installer.exeand delete it in safe mode .... empty the recycle bin.


Since you are infected with a Backdoor.Bot, please see this:


hese are the most dangerous, and most widespread, type of Trojan.


Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.


If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.

You should consider them to be compromised.

They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.


Banking and credit card institutions should be notified of the possible security breech.


More info can be found below:


How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?



When should I re-format? How should I reinstall?



If you choose to format and reinstall see this link for instructions:



Now, flush your DNS Cache

Open a command prompt....from the Start menu, select Run > In the box/"open field", enter cmd.exe


copy/paste ipconfig /flushdns press 'enter'


Next, restore MS's Hosts file:

Download the HostsXpert 4.3 - Hosts File Manager.

  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Reboot your computer.


I'd like you to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Link to post
Share on other sites
  • 1 year later...

You should be able to eliminate the pest by starting in Safe mode and deleting the contents of the TEMP folders. Open Search and browse to the Documents and Settings folder (for XP) or the Users folder (Vista and 7). In the filename box type "TEMP" (including the quotes). Enable searching for hidden files and folders, then start the search.


The TEMP folders of interest are all located in Local Settings folders (XP) or Local folders (Vista and 7). Ignore any that do not have a user name in the path, i.e., don't touch NetworkService, Public,Default, etc. For the TEMP folders that are associated with user accounts (that includes Administrator), open each one in turn and delete all the file and folders within. When done, restart the computer.


You may see one or more warnings about files not found; note the filenames, which will be used to find and remove the startup entries.

Edited by TomGL2
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...