Redirects and Suspicious Facebook Activity


34 replies to this topic

#1 Alucinor


Posted 18 September 2010 - 07:52 PM

Symptoms:
  • Facebook started requiring me to use captchas, and it has odd errors
  • Some hotlinks (Google search results, hyperlinks, etc.) will redirect me to a random search engine site for commercial purposes
  • Pop-ups occasionally occur
  • This seems to be contained to Firefox; I haven't touched IE
I've run passive/active avast!, active Advanced SystemCare and active Malwarebytes' Anti-Malware. They've ironed out several viruses and such, but there are many more that seem to be hidden. While typing this, I got a pop-up in a new tab as well. I can provide the link for the pop-up if necessary.

I have the attach file zipped and ready if necessary.

EDIT
[logs no longer relevant, has gotten worse in past day]

Edited by Alucinor, 19 September 2010 - 05:39 PM.




#2 Alucinor


Posted 19 September 2010 - 05:38 PM

I now have Antivirus 2010 on my computer. It's getting worse very, very quickly.

Edited by Budapest, 19 September 2010 - 05:52 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP


#3 boopme


Posted 19 September 2010 - 09:09 PM

Hello, let's try it this way....
Reboot into Safe Mode with Networking
How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
Do not reboot your computer after running RKill, as the malware programs will start again; if rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next, run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (e.g. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode, click the Update tab and select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#4 Alucinor


Posted 20 September 2010 - 12:00 AM

Nothing happened.

Log for SUPERAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/20/2010 at 00:46 AM

Application Version : 4.43.1000

Core Rules Database Version : 5535
Trace Rules Database Version: 3347

Scan type : Complete Scan
Total Scan Time : 02:23:09

Memory items scanned : 281
Memory threats detected : 0
Registry items scanned : 8443
Registry threats detected : 6
File items scanned : 112026
File threats detected : 133

Adware.ShopAtHomeSelect
HKU\S-1-5-21-351953409-1454491506-409785693-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Adware.MediaMotor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#{5526B4C6-63D6-41A1-9783-0FABF529859A}
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\mm06y.ini

Adware.Elite Media
C:\WINDOWS\em06y.ini

Trojan.DNSChanger-Codec
HKU\S-1-5-21-351953409-1454491506-409785693-1003\Software\uninstall

Adware.DoubleD
C:\Documents and Settings\Owner\Local Settings\Application Data\HANDYGAMEZ TOOLBAR

Rogue.AntiMalwareDoctor
C:\Documents and Settings\Owner\Application Data\CAFFA322B8C95B84EE0A14DC699E0849

Adware.Tracking Cookie

Trojan.Agent/Gen-Dropper
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\JJ5OOSQJ\FIREFOX%20SETUP%203.6.10[1].EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\RDWHZKY7\FIREFOX%20SETUP%203.6.10[1].EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\RSTWA.BAK1

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SYSTEM32\S02WOWNT.DLL
C:\WINDOWS\SYSTEM32\SYSTEM32DLL.DLL

Malwarebytes cannot update. Error code 732 (0,0). Did not run scan.

I still have the Anti Virus 2010 problem, and my wallpaper is replaced with something telling me to run an anti-spyware. As in, nothing has changed it seems... (I am loving all the weird porn tracking cookies though. Gotta wonder just wtf my brother did on here. That IS one way to get your site noticed, I guess, though I didn't get any pop-ups of that variety...)

(As an added bonus, my internet no longer seems to want to work on my main computer. I am posting this from my laptop. The modem itself doesn't seem to be the problem, as that's what's supplying my laptop now. Very easily could just be a hardware problem.)

(Ended up being a hardware problem. During booting however, something weird happened. Avast auto-protect was flooded with Hubak trojans, and suddenly I couldn't open Task Manager, Firefox, etc. because the illegitimate "Windows Security" would stop the process. I used Malwarebytes' File Assassin in order to kill hotfix.exe so I could connect to the internet.)

Edited by Alucinor, 20 September 2010 - 08:44 AM.
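The scan log posted above has a regular shape: header lines with counts, then blank-line-separated blocks where one line names the detection family and the following lines list its locations (registry keys, file paths, or Flash shared-object "cookies" written as `domain [ directory ]`). As an added example, not SUPERAntiSpyware's code and not anything the posters ran, here is a Python triage script that parses a constructed, trimmed copy of that log, checks the listed items against the header counts, and pulls out the flagged files inside System32; `SAMPLE_LOG`, the function names and the `flash_cookie` label are my own constructs.

```python
"""Triage a SUPERAntiSpyware scan log like the one posted in this thread.

Added example, not SUPERAntiSpyware's code nor anything the posters ran.
Parses detection blocks into (family, kind, location) records, cross-checks
them against the header counts, and lists the System32 drops to revisit."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the post #4 log, counts adjusted to fit.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Scan type : Complete Scan
Memory items scanned : 281
Memory threats detected : 0
Registry items scanned : 8443
Registry threats detected : 6
File items scanned : 112026
File threats detected : 8

Adware.ShopAtHomeSelect
HKU\S-1-5-21-351953409-1454491506-409785693-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Adware.MediaMotor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#{5526B4C6-63D6-41A1-9783-0FABF529859A}
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\mm06y.ini

Trojan.DNSChanger-Codec
HKU\S-1-5-21-351953409-1454491506-409785693-1003\Software\uninstall

Adware.Tracking Cookie
core.insightexpressai.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\KVBS96VX ]
C:\Documents and Settings\NetworkService\Cookies\system@clicksor[2].txt

Trojan.Agent/Gen-Dropper
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\JJ5OOSQJ\FIREFOX%20SETUP%203.6.10[1].EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\RSTWA.BAK1

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SYSTEM32\S02WOWNT.DLL
C:\WINDOWS\SYSTEM32\SYSTEM32DLL.DLL
"""

REG_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)\s*$")
LSO_RE = re.compile(r"^\S+ \[ .+ \]$")  # "domain [ Flash #SharedObjects dir ]"


def classify(location):
    """Registry key, Flash shared-object (LSO) cookie, or file-system path."""
    if location.upper().startswith(REG_HIVES):
        return "registry"
    if LSO_RE.match(location):
        return "flash_cookie"
    return "file"


def parse_sas_log(text):
    """Return (reported_counts, records); each record is (family, kind, location)."""
    reported, records, family, in_body = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            reported[m.group(1).lower()] = int(m.group(2))
            in_body = m.group(1) == "File"  # detection blocks follow the last count
        elif not in_body:
            continue  # still in the header
        elif not line:
            family = None  # a blank line closes the current detection block
        elif family is None:
            family = line  # first line of a block names the detection family
        else:
            records.append((family, classify(line), line))
    return reported, records


def summarize(text):
    """Per-family and per-kind counts plus a check that the header agrees."""
    reported, records = parse_sas_log(text)
    by_family = Counter(f for f, _, _ in records)
    by_kind = Counter(k for _, k, _ in records)
    # SAS reports cookie/LSO traces under "File threats", so fold them in.
    found = {"registry": by_kind["registry"],
             "file": by_kind["file"] + by_kind["flash_cookie"]}
    consistent = all(reported.get(k) == v for k, v in found.items())
    return {"by_family": dict(by_family), "by_kind": dict(by_kind),
            "reported": reported, "consistent": consistent}


def system32_drops(records):
    """Flagged files inside System32: the drops to re-check after a reboot."""
    return sorted(loc for _, kind, loc in records
                  if kind == "file" and "\\WINDOWS\\SYSTEM32\\" in loc.upper())
```

Run `summarize(open("SUPERAntiSpyware Scan Log.txt").read())` on a real log to get the same breakdown; a `consistent` value of False means the pasted log was truncated or edited and should be re-exported from the Statistics/Logs tab.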


#5 boopme


Posted 20 September 2010 - 10:42 AM

Try this to update MBAM..
1. Click the 'Start' button.
2. Click on "Control Panel".
3. Double-click on "Internet Options" (you may have to switch the Control Panel to 'Classic' view to find it).
4. Click on the 'Connections' tab (step 1 in the screenshot below).
5. Click on the "LAN settings" button (step 2 in the screenshot below).
6. Put a check mark in the box labeled "Automatically detect settings" (step 3 in the screenshot below).
7. Click OK.
8. Click OK.
9. Try the update again (you may need to close any open Internet Explorer windows before trying).

After that, or even if it still doesn't work, do an online scan.
ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use" box
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.

#6 Alucinor


Posted 20 September 2010 - 10:44 AM

Before I can do that, I will need a bit of help. For some reason, my start button will not work, nor will anything involving the task bar. This is being posted from my laptop. I can still access anything on my computer by going to My Computer, but the start button refuses to work, along with Task Manager. I'll still do what you suggested momentarily.

#7 boopme


Posted 20 September 2010 - 10:53 AM

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start > Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File > Export.
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click Save and then go to File > Exit.

Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.

#8 Alucinor


Posted 20 September 2010 - 10:56 AM

I cannot use command prompt, as the start button is entirely disabled. I did however back up my registry, and run script 275. Rebooting my computer now, and I'll edit this post with an update momentarily.

EDIT:
I ran it and rebooted. It worked for about forty seconds, then the taskbar went back to being unusable. I ran the script and tried to reboot again, but the taskbar no longer works for any period of time.

Edited by Alucinor, 20 September 2010 - 11:06 AM.


#9 boopme


Posted 20 September 2010 - 11:20 AM

How about from safe mode, then also try to run SFC..
How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


SFC

Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.

#10 Alucinor


Posted 20 September 2010 - 11:29 AM

SFC.exe opens and instantly shuts itself off. Weird. At least the start menu works from safe mode. Can I run the Malwarebytes scans and whatnot from safe mode, or do I have to be in normal mode?

#11 boopme


Posted 20 September 2010 - 11:52 AM

Yes, select safe mode with networking so you can update MBAM.

#12 Alucinor


Posted 20 September 2010 - 11:53 AM

MBAM was unable to update, even after setting the control panel settings. Odd. I'm running and downloading an ESET scan now. I use Mozilla Firefox, so I had to download it, etc.

#13 boopme

Posted 20 September 2010 - 12:00 PM

OK, run ESET, then try MBAM again. If still no joy, run the version that comes up... post all logs, thanks.

#14 Alucinor


Posted 20 September 2010 - 05:21 PM

ESET scan.

C:\Documents and Settings\All Users\Application Data\BrowserZinc\browserzinc133.exe a variant of Win32/Adware.OneStep.J application cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\52667702-3e20f93f a variant of Java/Rowindal.A trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\60\fe8f3c-11b57482 multiple threats deleted - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\5\6bb3e8c5-3d83148a multiple threats deleted - quarantined
C:\Documents and Settings\Owner\Local Settings\Temp\ppwkvch.exe a variant of Win32/Kryptik.GVH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temp\yxxa.exe a variant of Win32/Adware.FakeAntiSpy.E application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JJ5OOSQJ\jjdlsnvtov[1].htm a variant of Win32/Kryptik.GVN trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JJ5OOSQJ\lpkez[1].htm a variant of Win32/Kryptik.GVH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JJ5OOSQJ\neipnvqx[1].htm a variant of Win32/Adware.FakeAntiSpy.E application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JJ5OOSQJ\vvqkfy[1].htm Win32/Agent.QNF trojan cleaned by deleting - quarantined
C:\Program Files\Advanced Entry Provider\4.4.0.2380\FF\components\AEPFFAddOn.dll a variant of Win32/Adware.DoubleD.AK application cleaned by deleting - quarantined
C:\Program Files\Common Files\Live Access Operator\4.4.0.5790\laopx.exe a variant of Win32/Adware.DoubleD.AG application cleaned by deleting - quarantined
C:\Program Files\Live Access Operator\4.4.0.5790\FF\components\LAOFFAddOn.dll a variant of Win32/Adware.DoubleD.AK application cleaned by deleting - quarantined
C:\Program Files\Mozilla Firefox 3.1 Beta 1\chrome\m3ffxtbr.jar Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\Real Search Enhancer\4.4.0.2520\FF\components\RSEFFAddOn.dll a variant of Win32/Adware.DoubleD.AK application cleaned by deleting - quarantined
C:\Program Files\Update Today Driver\1.4.0.2080\PixelLogExe.exe a variant of Win32/Adware.DoubleD.AG application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1692\A0377499.exe Win32/Adware.RegGenie application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1692\A0377567.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0380436.exe Win32/Sirefef.BN trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0381446.exe a variant of Win32/Adware.FakeAntiSpy.E application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0391464.exe a variant of Win32/Adware.OneStep.J application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0391465.dll a variant of Win32/Adware.DoubleD.AK application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0391466.exe a variant of Win32/Adware.DoubleD.AG application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0391467.dll a variant of Win32/Adware.DoubleD.AK application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0391468.dll a variant of Win32/Adware.DoubleD.AK application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0391469.exe a variant of Win32/Adware.DoubleD.AG application cleaned by deleting - quarantined
C:\WINDOWS\enavireb.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\WINDOWS\qtrmsdus.dll a variant of Win32/Kryptik.GVH trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\cefhk.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\cefhk.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\cefhk.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\cefhk.tmp Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\lnqru.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\rbtmsqor.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\rstwa.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\rstwa.tmp Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\rstwa.tmp2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\default[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\default[2] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\default[3] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\script[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\script[2] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\script[3] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\dialog_attack[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\INSTALL[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\uninstall[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined

Edited by Alucinor, 20 September 2010 - 05:22 PM.
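The ESET log above is a flat list of `<path> <detection> <action>` lines, and the useful triage information (how many hits sit in System Restore points, in the SYSTEM profile's IE cache, in the Java cache, or under Program Files) is easier to see once the lines are parsed. The following is an added example, not code from the thread or from ESET; the line pattern it matches is an assumption based on the format visible in the post, and the sample lines are a subset copied from the log above. Hits inside `System Volume Information\_restore` mean a System Restore could bring the files back, and hits under `config\systemprofile\...\Temporary Internet Files` indicate that something running as LocalSystem fetched those pages, which is why a cleanup should not stop at the user profile.

```python
"""Summarise an ESET Online Scanner log (added example, not from the thread).

The regular expression below is an assumption about the log format
"<path> <detection> <action>" seen in the post; real ESET output may
differ in other versions.
"""
import re
from collections import Counter

# Sample input: lines copied from the posted ESET log (a subset).
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\BrowserZinc\browserzinc133.exe a variant of Win32/Adware.OneStep.J application cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\52667702-3e20f93f a variant of Java/Rowindal.A trojan deleted - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\5\6bb3e8c5-3d83148a multiple threats deleted - quarantined
C:\Documents and Settings\Owner\Local Settings\Temp\ppwkvch.exe a variant of Win32/Kryptik.GVH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JJ5OOSQJ\vvqkfy[1].htm Win32/Agent.QNF trojan cleaned by deleting - quarantined
C:\Program Files\Mozilla Firefox 3.1 Beta 1\chrome\m3ffxtbr.jar Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1693\A0380436.exe Win32/Sirefef.BN trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\cefhk.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\default[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
"""

# Path is everything before the detection text; the detection is either
# "[a variant of ]<Platform>/<Name> application|trojan" or "multiple threats".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:a variant of )?(?:Win32|Java)/\S+ (?:application|trojan)|multiple threats)\s+"
    r"(?P<action>(?:cleaned by deleting|deleted) - quarantined)$"
)


def classify_location(path):
    """Bucket a path by what it tells a responder (order matters: most
    specific first, so the SYSTEM profile's IE cache is 'browser cache',
    not just 'windows')."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"
    if "\\temporary internet files\\" in p:
        return "browser cache"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java cache"
    if "\\local settings\\temp\\" in p:
        return "temp"
    if p.startswith("c:\\program files\\"):
        return "program files"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def detection_name(threat):
    """Strip 'a variant of' and the trailing category word."""
    if threat == "multiple threats":
        return threat
    prefix = "a variant of "
    if threat.startswith(prefix):
        threat = threat[len(prefix):]
    return threat.rsplit(" ", 1)[0]


def parse_log(text):
    """Return one record per non-empty line; unparsed lines are kept and flagged."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            records.append({"path": line, "name": None, "action": None,
                            "location": "unparsed"})
            continue
        path = m.group("path")
        records.append({
            "path": path,
            "name": detection_name(m.group("threat")),
            "action": m.group("action"),
            "location": classify_location(path),
        })
    return records


def summarize(records):
    """Counts a responder wants before deciding the next step."""
    return {
        "total": len(records),
        "by_location": dict(Counter(r["location"] for r in records)),
        "by_name": dict(Counter(r["name"] for r in records if r["name"])),
        "restore_point_hits": sum(r["location"] == "restore point" for r in records),
        "system_profile_cache_hits": sum(
            "\\config\\systemprofile\\" in r["path"].lower() for r in records),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a full saved log by replacing `SAMPLE_LOG` with the file contents; a non-zero `restore_point_hits` is the cue to purge restore points after the cleanup is finished, and `system_profile_cache_hits` is the cue to look for a service or driver component rather than only user-level startup entries.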


#15 boopme

Posted 20 September 2010 - 07:40 PM

I take it MBAM will not run? We will have to run a long scanner now then.



Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
