Superantispyware Scan Log


8 replies to this topic

#1 Msvasquez62

Msvasquez62

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:Texas
  • Local time:04:13 AM

Posted 13 February 2008 - 10:08 PM

Hello, I am running Windows XP and my computer is running a bit slow. Every time I attempt to Google something I am redirected to webcry. I downloaded SUPERAntiSpyware and here is the log. Thank you.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/13/2008 at 08:22 PM

Application Version : 3.9.1008

Core Rules Database Version : 3401
Trace Rules Database Version: 1393

Scan type : Complete Scan
Total Scan Time : 01:10:07

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 7008
Registry threats detected : 44
File items scanned : 39250
File threats detected : 32

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{747e1fbe-b70f-441d-bbca-6e536c04924a}
HKCR\CLSID\{747E1FBE-B70F-441D-BBCA-6E536C04924A}
HKCR\CLSID\{747E1FBE-B70F-441D-BBCA-6E536C04924A}\InProcServer32
HKCR\CLSID\{747E1FBE-B70F-441D-BBCA-6E536C04924A}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\WUUAWKZ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{747e1fbe-b70f-441d-bbca-6e536c04924a}

Adware.E404 Helper/Variant-A
HKLM\Software\Classes\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\InprocServer32
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\InprocServer32#ThreadingModel
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\ProgID
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\Programmable
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\TypeLib
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\VersionIndependentProgID
C:\PROGRAM FILES\HELPER\1202712139.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}

Adware.E404 Helper/Tracker
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C52A42-DB8B-4ade-AA4A-CED6A8282B67}
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}\InprocServer32
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}\InprocServer32#ThreadingModel
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}\ProgID
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}\Programmable
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}\TypeLib
HKCR\CLSID\{10C52A42-DB8B-4ADE-AA4A-CED6A8282B67}\VersionIndependentProgID
C:\PROGRAM FILES\SOTFONE\1202712142.DLL
HKCR\Tracker.TrackerObj
HKCR\Tracker.TrackerObj\CLSID
HKCR\Tracker.TrackerObj\CurVer
HKCR\Tracker.TrackerObj.1
HKCR\Tracker.TrackerObj.1\CLSID
HKCR\CLSID\Tracker.TrackerObj
HKCR\CLSID\Tracker.TrackerObj#UserId
HKCR\TypeLib\{499B8A53-5949-4625-A8BF-A4D934AFC9DA}
HKCR\TypeLib\{499B8A53-5949-4625-A8BF-A4D934AFC9DA}\1.0
HKCR\TypeLib\{499B8A53-5949-4625-A8BF-A4D934AFC9DA}\1.0\0
HKCR\TypeLib\{499B8A53-5949-4625-A8BF-A4D934AFC9DA}\1.0\0\win32
HKCR\TypeLib\{499B8A53-5949-4625-A8BF-A4D934AFC9DA}\1.0\FLAGS
HKCR\TypeLib\{499B8A53-5949-4625-A8BF-A4D934AFC9DA}\1.0\HELPDIR
HKCR\Interface\{E85F6AA5-7A0C-49A5-9E5E-936FED62347D}
HKCR\Interface\{E85F6AA5-7A0C-49A5-9E5E-936FED62347D}\ProxyStubClsid
HKCR\Interface\{E85F6AA5-7A0C-49A5-9E5E-936FED62347D}\ProxyStubClsid32
HKCR\Interface\{E85F6AA5-7A0C-49A5-9E5E-936FED62347D}\TypeLib
HKCR\Interface\{E85F6AA5-7A0C-49A5-9E5E-936FED62347D}\TypeLib#Version

Adware.Tracking Cookie
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@msnservices.112.2o7[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@ads.pointroll[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@anad.tacoda[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@adinterax[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@revsci[3].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle campbell@xiti[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@clickaider[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@tacoda[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@2o7[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@collective-media[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@antispykit[3].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@msnportal.112.2o7[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@secure.advancedcleaner[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle campbell@cgi-bin[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@questionmarket[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@ads.cnn[3].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@adbrite[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@ads.adbrite[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@bs.serving-sys[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@partner2profit[1].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@revsci[2].txt
C:\Documents and Settings\Michelle Campbell\Cookies\michelle_campbell@tribalfusion[2].txt

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url
C:\Documents and Settings\All Users\Desktop\Online Security Guide.url

Trojan.DNSChanger-Codec
HKCR\CLSID\E404.e404mgr
HKCR\CLSID\E404.e404mgr#UserId

Adware.E404 Helper
C:\Program Files\SOTFONE

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\MICHELLE CAMPBELL\FAVORITES\ONLINE SECURITY TEST.URL

I've been afraid to check my bank account, pay bills or even check my e-mail. Please help!
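Reading a log like the one above by hand means matching each CLSID to the DLL registered under its InProcServer32 key and to the autostart location (SharedTaskScheduler, Browser Helper Objects) that makes Explorer or Internet Explorer load it. The script below is an added example, not code from the original post or from SUPERAntiSpyware: it parses the log layout shown above (a threat name, then the registry and file lines under it) and reports, per threat, the dropped DLLs, the CLSIDs and the autostart keys hit. The sample input is a constructed excerpt of the log above, and the list of autostart keys is this example's own selection of common Windows/IE load points.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the layout of the SUPERAntiSpyware log above (a subset of
# its lines), embedded here so the script runs offline.
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/13/2008 at 08:22 PM

Registry threats detected : 44
File threats detected : 32

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{747e1fbe-b70f-441d-bbca-6e536c04924a}
HKCR\CLSID\{747E1FBE-B70F-441D-BBCA-6E536C04924A}\InProcServer32
C:\WINDOWS\SYSTEM32\WUUAWKZ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{747e1fbe-b70f-441d-bbca-6e536c04924a}

Adware.E404 Helper/Variant-A
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\InprocServer32
C:\PROGRAM FILES\HELPER\1202712139.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@2o7[2].txt
"""

# A detection line is a registry path or an absolute file path; any other non-empty
# line that directly precedes one is the threat name the detections belong to.
ITEM_RE = re.compile(r"^(HK(?:LM|CU|CR|U)\\|[A-Za-z]:\\)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Registry locations that make Explorer, Internet Explorer or Winlogon load a DLL
# without user action (this example's own list of common autostart points).
PERSISTENCE_KEYS = (
    r"\Explorer\SharedTaskScheduler",
    r"\Explorer\Browser Helper Objects",
    r"\CurrentVersion\ShellServiceObjectDelayLoad",
    r"\CurrentVersion\Run",
    r"\Winlogon\Notify",
    r"\Windows\AppInit_DLLs",
)


def is_item(line):
    return bool(ITEM_RE.match(line))


def parse_sas_log(text):
    """Return an ordered mapping: threat name -> list of registry/file lines."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    groups = OrderedDict()
    current = None
    for i, line in enumerate(lines):
        if not line:
            continue
        if is_item(line):
            groups.setdefault(current or "Uncategorized", []).append(line)
        else:
            following = next((ln for ln in lines[i + 1:] if ln), "")
            if is_item(following):          # a name line followed by detections
                current = line
                groups.setdefault(current, [])
    return groups


def triage(groups):
    """Per threat: dropped DLLs, CLSIDs (normalised to upper case) and autostart keys."""
    report = OrderedDict()
    for name, items in groups.items():
        clsids = sorted({m.group(0).upper() for it in items for m in CLSID_RE.finditer(it)})
        dlls = [it for it in items if it.lower().endswith(".dll")]
        persistence = [it for it in items
                       if any(key.lower() in it.lower() for key in PERSISTENCE_KEYS)]
        report[name] = {"count": len(items), "clsids": clsids,
                        "dlls": dlls, "persistence": persistence}
    return report


def needs_attention(report):
    """Threats with both a DLL on disk and an autostart hook: these reload at boot,
    so a follow-up scan must confirm both halves are gone, not just the file."""
    return [name for name, row in report.items() if row["dlls"] and row["persistence"]]


if __name__ == "__main__":
    report = triage(parse_sas_log(SAMPLE_LOG))
    for name, row in report.items():
        print(f"{name}: {row['count']} lines, dlls={row['dlls']}, autostart={row['persistence']}")
    print("reboot-persistent:", needs_attention(report))
```

On the log above this flags the Smitfraud variant (WUUAWKZ.DLL loaded through SharedTaskScheduler) and the E404 helper (a Browser Helper Object), which is why a second scan after a reboot, as the replies below ask for, is the check that matters: a cookie detection is gone when its file is gone, but a BHO is gone only when both the DLL and the registration are.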


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:13 AM

Posted 13 February 2008 - 10:23 PM

Hello my first question is are the symptoms gone now? Still slow and redirected?

Edited by boopme, 13 February 2008 - 10:24 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Msvasquez62


Posted 13 February 2008 - 10:36 PM

Wow, that was quick. Sorry, I didn't know you would get back so soon. Symptoms seem to be gone. How can I tell for sure if I'm "safe"? I've been so scared to really try to access my bank account and such. I read something about hidden files that reappear after start up. I'm a newbie and easily spooked.

#4 boopme


Posted 13 February 2008 - 10:53 PM

That's because I have been busy in this forum for a while now. There is a lot of nasty going on.
You ran the SAS scan from safe mode? You can run it again. Update it first of course.
Run these too.
Download Attribune's ATF Cleaner. Save to desktop.
Now reboot into Safe Mode:
Safe Mode Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or the Opera browser click on that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Next (you may want to print the instructions first), run Steps 1 & 2 of
SmitFraudFix

You can paste back this report in your next reply.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Edited by boopme, 13 February 2008 - 11:06 PM.


#5 Msvasquez62


Posted 13 February 2008 - 11:02 PM

I'll do it. Thanks!

#6 Msvasquez62


Posted 14 February 2008 - 04:48 PM

I ran the SASW again and there were no problems. I ran the ATF cleaner and it freed 1,680,676 MBS. I will now post the SmitFraud Fix log.

SmitFraudFix v2.288

Scan done at 15:12:23.35, Thu 02/14/2008
Run from C:\Documents and Settings\Michelle Campbell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com

I had to cut out the majority of the report because it was too long. I included the 1st and last entry.

127.0.0.1 zyban-zocor-levitra.com

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Program Files\Helper\ Deleted
C:\Program Files\NetProject\ Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EC859E5D-F625-44D1-B097-A65E49222B48}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EC859E5D-F625-44D1-B097-A65E49222B48}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EC859E5D-F625-44D1-B097-A65E49222B48}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
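What SmitFraudFix is checking in the hosts and DNS sections of the log above is resolver tampering: a hostname steered to an address other than loopback, or a name server that is not the router. Entries that map ad and malware domains to 127.0.0.1, like the ones shown, are a blocklist, not a hijack, and DhcpNameServer=192.168.1.254 is a private router address. The script below is an added example, not part of the post or of SmitFraudFix; it classifies hosts entries and name-server values from log text in that layout. SUSPICIOUS_SAMPLE contains two invented lines (10.0.0.5 for www.google.com, and a static NameServer=1.2.3.4,1.2.3.5) to exercise the failure mode; they are constructed and not from the poster's log. CLEAN_SAMPLE is the poster's own entries.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the SmitFraudFix "hosts" and "DNS" sections
# above. The 10.0.0.5 line and the NameServer=1.2.3.4,1.2.3.5 line are invented to
# exercise the suspicious cases; they are NOT from the poster's log.
SUSPICIOUS_SAMPLE = r"""
hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 zyban-zocor-levitra.com
10.0.0.5 www.google.com

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EC859E5D-F625-44D1-B097-A65E49222B48}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=1.2.3.4,1.2.3.5
"""

# The entries actually shown in the poster's log; these should come out clean.
CLEAN_SAMPLE = r"""
hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 zyban-zocor-levitra.com

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
"""

HOSTS_RE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+([^\s#]+)")   # "<ip> <hostname>"
NS_RE = re.compile(r"\b(DhcpNameServer|NameServer)=([0-9.,; ]+)")


def _ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def classify_hosts(text):
    """Split hosts entries into the localhost baseline, sinkholed names (domain ->
    loopback/0.0.0.0, i.e. a blocklist) and redirected names (domain -> some other
    address, the DNSChanger/hijack pattern)."""
    baseline, sinkholed, redirected = [], [], []
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        ip = _ip(m.group(1)) if m else None
        if ip is None:
            continue
        host = m.group(2).lower()
        if host in ("localhost", "localhost.localdomain") and ip.is_loopback:
            baseline.append(host)
        elif ip.is_loopback or ip.is_unspecified:
            sinkholed.append(host)
        else:
            redirected.append((host, str(ip)))
    return {"baseline": baseline, "sinkholed": sinkholed, "redirected": redirected}


def check_dns(text, expected=None):
    """Flag name servers that are not private addresses, or, when `expected` (a set of
    address strings such as the router) is given, anything outside that set."""
    findings = []
    for m in NS_RE.finditer(text):
        for token in re.split(r"[,; ]+", m.group(2).strip()):
            ip = _ip(token)
            if ip is None:
                continue
            bad = str(ip) not in expected if expected is not None else not ip.is_private
            findings.append({"source": m.group(1), "server": str(ip), "suspicious": bad})
    return findings


def resolver_triage(text, expected_dns=None):
    hosts = classify_hosts(text)
    dns = check_dns(text, expected_dns)
    hijacked = bool(hosts["redirected"]) or any(d["suspicious"] for d in dns)
    return {"hosts": hosts, "dns": dns, "verdict": "suspicious" if hijacked else "clean"}


if __name__ == "__main__":
    for label, sample in (("poster", CLEAN_SAMPLE), ("constructed", SUSPICIOUS_SAMPLE)):
        result = resolver_triage(sample, expected_dns={"192.168.1.254"})
        print(label, result["verdict"], result["hosts"]["redirected"],
              [d["server"] for d in result["dns"] if d["suspicious"]])
```

Passing the router's address as `expected_dns` is the stricter check: a private address that is not the router (a neighbour's box, a rogue DHCP server) would otherwise pass the is_private test.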

#7 boopme


Posted 14 February 2008 - 05:01 PM

You look very clean to me. I would like to know only, if you have Sun Java installed, is it up to date? An old version can be exploited. In the Smit-log, in the early section, it usually posts your Java version. Or Control Panel > Add/Remove Programs has the Java Runtime Environment entry and the version after that.

#8 Msvasquez62


Posted 14 February 2008 - 05:15 PM

Thank you so much for helping me get rid of those nasty viruses. I couldn't have done it alone!
I am running Java 2 Runtime Environment, SE v1.4.2_05. There were 3 other entries: J2SE Runtime Environment 5.0 Update 3, Java™ 6 Update 2, and Java™ 6 Update 3. What is this program used for?

#9 boopme


Posted 14 February 2008 - 09:48 PM

Excellent, 2 more steps. Here's the first: clean up and install the latest Java.

Java SE Runtime Environment (JRE)
Version Number: 6.0 Update 4
internal version: 1.6.0_04-b12
Supported System Configurations: Windows 2000/XP/2003/Vista (Java SE 6 does not provide support for Windows 98 or Windows ME)
Vendor's site can be found HERE.
Windows Online Installation and Java Update FAQ
Troubleshooting the Installation


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

What is this program used for?

Simply put, it makes many applications you use on the PC and web work well.

Why Software Developers Choose Java Technology

The Java programming language has been thoroughly refined, extended, tested, and proven by an active community of over five million software developers.

Mature, extremely robust, and surprisingly versatile, Java technology has become invaluable in allowing developers to:
Write software on one platform and run it on practically any other platform
Create programs to run within a web browser and web services
Develop server-side applications for online forums, stores, polls, HTML forms processing, and more
Combine Java technology-based applications or services to create highly customized applications or services
Write powerful and efficient applications for mobile phones, remote processors, low-cost consumer products, and practically any device with a digital heartbeat
http://java.com/en/about/

Edited by boopme, 14 February 2008 - 09:54 PM.

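The Add/Remove Programs list quoted above names the installed runtimes in three styles (SE v1.4.2_05, 5.0 Update 3, 6 Update 2) while the target is given as internal version 1.6.0_04, so deciding what to remove means putting them on one scale. The script below is an added example, not from the post or from Sun; it normalises those product strings to a comparable (family, minor, update) tuple and lists which entries the steps above say to remove. The entry names are the ones from the thread; the mapping follows Sun's numbering of the time (J2SE 5.0 is internal 1.5, Java 6 is 1.6).

```python
import re

# Installed-program names as listed in the post above (Add/Remove Programs wording).
INSTALLED = [
    "Java 2 Runtime Environment, SE v1.4.2_05",
    "J2SE Runtime Environment 5.0 Update 3",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
]
LATEST = "1.6.0_04-b12"   # the target build named above

# Three naming styles, all mapped to (family, minor, update). Sun's numbering puts
# "5.0 Update N" at 1.5.0_N and "6 Update N" at 1.6.0_N.
PATTERNS = (
    (re.compile(r"(?<!\d)1\.(\d+)\.(\d+)_(\d+)"), lambda g: (g[0], g[1], g[2])),    # 1.6.0_04
    (re.compile(r"\b(\d+)\.(\d+)\s+Update\s+(\d+)"), lambda g: (g[0], g[1], g[2])),  # 5.0 Update 3
    (re.compile(r"\b(\d+)\s+Update\s+(\d+)"), lambda g: (g[0], 0, g[1])),            # 6 Update 2
)


def java_version(entry):
    """Normalise a JRE product string to a comparable tuple, or None if it is not one."""
    for pattern, shape in PATTERNS:
        m = pattern.search(entry)
        if m:
            return shape(tuple(int(x) for x in m.groups()))
    return None


def audit(entries, latest=LATEST):
    """Partition installed entries into those older than `latest` (to remove),
    those at or above it (keep) and strings that are not a JRE version at all."""
    target = java_version(latest)
    result = {"target": target, "remove": [], "keep": [], "unknown": []}
    for entry in entries:
        version = java_version(entry)
        if version is None:
            result["unknown"].append(entry)
        elif version < target:
            result["remove"].append((entry, version))
        else:
            result["keep"].append((entry, version))
    return result


if __name__ == "__main__":
    report = audit(INSTALLED)
    print("target:", report["target"])
    for entry, version in report["remove"]:
        print("remove:", entry, "->", version)
    for entry, version in report["keep"]:
        print("keep:  ", entry, "->", version)
```

All four entries from the thread come out as older than 1.6.0_04. Installing the new runtime on top of them is not enough: an old JRE left on disk is still an installed, exploitable component, which is why the steps above remove every older entry before running the 6 Update 4 installer.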



