
Spybot S&d Teatimer Blocking Something


14 replies to this topic

#1 wthrwthoutyu (Members, 8 posts)

Posted 02 March 2008 - 02:54 PM

My nephew did a bad thing to my computer (attempted to download what he thought would be an illegal registration key for a program). He also attempted to run it. He did have the sense to deny change when Spybot S&D Resident asked to allow or deny a change.

Now Spybot S&D Resident is giving me a constant string of second-by-second notifications (all the way up the right edge of the screen) that say:

Resident denied the change of pmnligf (category Winlogon Notifiers) based on your black list.

I've also got a couple that say:

Resident denied the change of {DE6916E9-3298-4251-BBEA-6B0656DA0A0C6A} (category Browser Helper Object) based on your blacklist.

On the Spybot Blocked registry changes list are these items:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnligf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{223F140E-EF54-4D4B-B154-6B14152795E6}=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE6916E9-3298-4251-BBAE-6B0656DA0C6A}-

I did a virus scan with Avast, which found no infected files.

ZoneAlarm (firewall) shows a blank entry. There's an icon (the plain sort of icon Windows shows for a '.bat' file), but there is no text identifying the program. I have blocked internet access for this blank entry.

What do I do? When I've had a problem before, I've at least had a program, file or virus name that I could research. This time, I don't even know where to start. Right now, I'd be afraid to turn off the computer or even switch accounts for fear that whatever this is would have a chance to do damage before Spybot Resident got loaded and running.

OS: Windows XP Media SP2
Avast Antivirus
ZoneAlarm Firewall (free version)

Edited by wthrwthoutyu, 02 March 2008 - 03:20 PM.



#2 Orange Blossom (OBleepin Investigator, Moderator, Bloomington, IN, 36,702 posts)

Posted 02 March 2008 - 06:38 PM

Hello and welcome to BC wthrwthoutyu :flowers:

Let's see what SUPERAntiSpyware will find. I'd like you to run a scan in Safe Mode. You will, of course, install it in Normal Mode. You may wish to print out these directions or paste them to Notepad as you won't have access to the internet during part of this.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 wthrwthoutyu (Topic Starter)

Posted 02 March 2008 - 08:18 PM

Thanks for the welcome, Orange Blossom!

And for the guidance on dealing with this. Right now, Spybot S&D is blocking these changes constantly. I have had eight to ten Spybot denial announcement pop-ups flickering on the right edge of my screen all the time since my nephew fessed up. If they didn't stay underneath other program windows, they'd make me dizzy with the flicker. :thumbsup: Still, I'm glad for Spybot.

After making this post, but before your reply, I downloaded SUPERAntiSpyware, but didn't have time to update definitions or scan before real life called. As soon as I have updated SUPER, I'll go to Safe Mode and run the scan.

I did have a chance to run Kaspersky File Scanner on the suspect download (which I found still sitting in the recycle bin where the nephew left it) and that scan identified not-a-virus:AdWare.Win32.Virtumonde.jad. I haven't had a chance to dig up more info on it yet. I'm going to run the SUPER scan before researching, though.

#4 wthrwthoutyu (Topic Starter)

Posted 02 March 2008 - 11:50 PM

48 threats scanned and quarantined.

Scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/02/2008 at 11:29 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 02:54:00

Memory items scanned : 170
Memory threats detected : 2
Registry items scanned : 5973
Registry threats detected : 11
File items scanned : 197110
File threats detected : 35

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\PMNLIGF.DLL
C:\WINDOWS\SYSTEM32\PMNLIGF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}\InprocServer32
HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnligf

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\MLLJJ.DLL
C:\WINDOWS\SYSTEM32\MLLJJ.DLL

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEE1F6D2-CDC4-443B-9A51-C417831AA8C3}
HKCR\CLSID\{AEE1F6D2-CDC4-443B-9A51-C417831AA8C3}
HKCR\CLSID\{AEE1F6D2-CDC4-443B-9A51-C417831AA8C3}\InprocServer32
HKCR\CLSID\{AEE1F6D2-CDC4-443B-9A51-C417831AA8C3}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@nextag[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@adopt.euroclick[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@icc.intellisrv[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@media6degrees[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@burstnet[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@advertising[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@adknowledge[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ads.addynamix[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ad.yieldx[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@questionmarket[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@doubleclick[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@html[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@belnk[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@trafficmp[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@adopt.specificclick[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@www.burstnet[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@media.adrevolver[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@partner2profit[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@qnsr[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ads.pointroll[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@2o7[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@atwola[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@atdmt[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@specificclick[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ad[2].txt
C:\Documents and Settings\Carol\Cookies\carol@2o7[1].txt
C:\Documents and Settings\Carol\Cookies\carol@ads.addynamix[1].txt
C:\Documents and Settings\Carol\Cookies\carol@advertising[1].txt
C:\Documents and Settings\Carol\Cookies\carol@atdmt[1].txt
C:\Documents and Settings\Carol\Cookies\carol@doubleclick[1].txt
C:\Documents and Settings\MMC\Cookies\mmc@2o7[2].txt

Trojan.Media-Codec
HKU\S-1-5-21-2172494595-1785603034-663165828-1008\Software\Internet Security
C:\Program Files\VIDEO ACTIVEX OBJECT

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\JJLLM.INI

#5 Orange Blossom (Moderator)

Posted 03 March 2008 - 12:12 AM

Hello wthrwthoutyu,

Among other things, you have a Vundo infection. Please follow the directions in this guide. If you have any questions as you are going through it, please post them as a reply in this thread. When you have finished the guide, please post the Vundofix log as a reply.

You will find the Vundofix log here: C:\vundofix.txt To get there, go to My Computer. Open it, then open Local Disk. You will find the file listed in there. Open the file. It will open in notepad. Select all --> Copy then paste into the text screen in your reply.

Orange Blossom :thumbsup:

#6 wthrwthoutyu (Topic Starter)

Posted 03 March 2008 - 01:37 AM

Hi Orange Blossom,

Thanks for all your help (which I may say again and again. I really am glad there are people willing to take the time to help out the pathetically unskilled, like me.)

I ran VundoFix.exe.

Log:

VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 12:47:48 AM 3/3/2008

Listing files found while scanning....

No infected files were found.

Beginning removal...

Should I try VirtumundoBegone now?

(To save you all that typing, I do know how to follow a file path, open a .txt and select all-copy-paste. You don't have to type those bits out over and over. Just the part about which log you need and where it is... :flowers: :thumbsup: )

#7 Orange Blossom (Moderator)

Posted 03 March 2008 - 01:52 AM

Hello wthrwthoutyu,

Based on what you wrote here: that scan identified not-a-virus:AdWare.Win32.Virtumonde.jad

I'd go ahead and run the VirtumondeBegone scan.

Let us know if it finds anything. There are a few other things we will do after you finish with the VirtumondeBegone.

Orange Blossom :thumbsup:

#8 wthrwthoutyu (Topic Starter)

Posted 03 March 2008 - 02:15 AM

Hi again, Orange Blossom,

Ran VirtumundoBegone and it didn't find a target, either.

You didn't ask specifically, but here is the log:

[03/03/2008, 2:00:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Compaq_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/03/2008, 2:00:13] - Detected System Information:
[03/03/2008, 2:00:13] - Windows Version: 5.1.2600, Service Pack 2
[03/03/2008, 2:00:13] - Current Username: Compaq_Administrator (Admin)
[03/03/2008, 2:00:13] - Windows is in SAFE mode.
[03/03/2008, 2:00:13] - Searching for Browser Helper Objects:
[03/03/2008, 2:00:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/03/2008, 2:00:13] - BHO 2: {52706EF7-D7A2-49AD-A615-E903858CF284} (Popup-Blocker Class)
[03/03/2008, 2:00:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/03/2008, 2:00:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2008, 2:00:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/03/2008, 2:00:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/03/2008, 2:00:13] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/03/2008, 2:00:13] - BHO 5: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} ()
[03/03/2008, 2:00:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2008, 2:00:13] - No filename found. Continuing.
[03/03/2008, 2:00:13] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/03/2008, 2:00:13] - BHO 7: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} (hpWebHelper Class)
[03/03/2008, 2:00:13] - Finished Searching Browser Helper Objects
[03/03/2008, 2:00:13] - Finishing up...
[03/03/2008, 2:00:13] - Nothing found! Exiting...

That's it, for what it's worth. 'Course, I'm not sure what it means that it didn't find anything...is that good or bad? *bites lip*
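The two registry locations TeaTimer kept blocking in post #1 (Winlogon\Notify packages and Browser Helper Object CLSIDs) and the CLSID-to-name resolution that the VirtumundoBeGone log above performs can both be checked offline from a registry export, without running a third-party scanner. The script below is an added example in Python, not code from this thread or from Spybot, SUPERAntiSpyware or VirtumundoBeGone. It assumes the three keys were exported with reg.exe (REGEDIT5 format, UTF-16) and concatenated into one file; the XP SP2 Notify baseline it carries is an assumption that should be rebuilt from a known-clean machine; and the sample export embedded in it is constructed to mirror the entries in this thread (the Google Toolbar DLL path in it is invented).

```python
# Added example, not code from the thread or from any tool named in it.
# Triage Winlogon\Notify packages and Browser Helper Objects (BHOs) offline from
# a REGEDIT5 (.reg) export, the two persistence points Vundo used on this machine.
# Assumes exports made with reg.exe and concatenated, e.g.
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg
#   reg export HKCR\CLSID clsid.reg
import sys

NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_KEY = r"hkey_classes_root\clsid"

# Assumption: Notify packages present on a clean XP SP2 install, plus Spybot's
# SDHelper (the package VirtumundoBeGone looks for). Rebuild this baseline from
# a known-clean machine rather than trusting the list as written.
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon", "sdhelper"}

# Constructed sample mirroring the entries in this thread (not a real export;
# the Google Toolbar DLL path is invented).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDHelper]
"DllName"="C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnligf]
"DllName"="C:\\WINDOWS\\system32\\pmnligf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}]

[HKEY_CLASSES_ROOT\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
@="Google Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
@="C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar1.dll"

[HKEY_CLASSES_ROOT\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}]

[HKEY_CLASSES_ROOT\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}\InprocServer32]
@="C:\\WINDOWS\\system32\\pmnligf.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}, both lower-cased.

    Only REG_SZ values are unescaped; hex()/dword values stay as raw text.
    A bare [key] line with no values still creates an (empty) entry.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@"):
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def children(keys, parent):
    """Sorted immediate subkey names under `parent` (parent already lower-cased)."""
    prefix = parent + "\\"
    return sorted({k[len(prefix):].split("\\", 1)[0] for k in keys if k.startswith(prefix)})


def triage(reg_text):
    """Return (kind, name, dll, reason) tuples for autostart entries worth a closer look."""
    keys = parse_reg(reg_text)
    findings = []
    for pkg in children(keys, NOTIFY_KEY):
        dll = keys.get(NOTIFY_KEY + "\\" + pkg, {}).get("dllname", "")
        if pkg not in NOTIFY_BASELINE:
            findings.append(("winlogon-notify", pkg, dll, "package not in baseline"))
    for clsid in children(keys, BHO_KEY):
        clsid_key = CLSID_KEY + "\\" + clsid
        friendly = keys.get(clsid_key, {}).get("(default)", "")
        dll = keys.get(clsid_key + "\\inprocserver32", {}).get("(default)", "")
        reasons = []
        if not friendly:
            reasons.append("no default name")  # the same warning VirtumundoBeGone prints
        if not dll:
            reasons.append("no InprocServer32")  # registered BHO with no server DLL
        elif "\\system32\\" in dll.lower():
            reasons.append("server DLL lives in system32")  # real BHOs sit under Program Files
        if reasons:
            findings.append(("bho", clsid.upper(), dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # reg.exe writes UTF-16 with a BOM; with no argument the embedded sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for kind, name, dll, reason in triage(text):
        print(f"[{kind}] {name} -> {dll or '<none>'}: {reason}")
```

On the sample this reports the pmnligf Notify package (not in the baseline) and the {45C2A50F-...} BHO (no default name, server DLL in system32), and stays silent on SDHelper and the Google Toolbar helper. A flagged entry is a lead, not a verdict: confirm by looking at the DLL itself (version resource, signature, what loads it) before removing anything, and keep in mind that the parser only understands string values, so a BHO registered through a hex() or expandable-string value would need the raw line inspected by hand.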

#9 Orange Blossom (Moderator)

Posted 03 March 2008 - 02:42 AM

Hello wthrwthoutyu,

There's one entry in that log that I'm not sure about, but I'll have to have someone more experienced than I take a look.

In the meantime, I notice that your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
Orange Blossom :thumbsup:

#10 wthrwthoutyu (Topic Starter)

Posted 03 March 2008 - 03:05 AM

Hi Orange Blossom,

I was wondering about that myself, and about how to remove the old versions, so that's very helpful.

I'm on dial-up, though, so it will take me quite a while to download the 15 MB Offline Installation and complete the rest of your instructions. Other problem solving will have to wait till tomorrow, so there isn't any rush at all on my end for someone else to look over that log. :thumbsup:

Thanks,
wthrwthoutyu

#11 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK, 4,146 posts)

Posted 03 March 2008 - 04:24 AM

It seems that SuperAntiSpyware has managed to clean the Vundo infection.
This entry:

Trojan.Media-Codec
HKU\S-1-5-21-2172494595-1785603034-663165828-1008\Software\Internet Security
C:\Program Files\VIDEO ACTIVEX OBJECT

is related to Smitfraud.

It would be worth running SmitfraudFix to see if there are any other entries lurking in there.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Warning : running option #2 on a non infected computer will remove your Desktop background.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#12 wthrwthoutyu (Topic Starter)

Posted 03 March 2008 - 05:14 AM

Hi Starbuck,

I have run SmitFraudFix.

File:

SmitFraudFix v2.300

Scan done at 5:00:29.87, Mon 03/03/2008
Run from C:\Documents and Settings\Compaq_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RamBooster 2.0\Rambooster.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Jarte\Jarte.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\IrfanView\i_view32.exe
C:\WINDOWS\system32\cmd.exe

hosts

C:\

C:\WINDOWS

C:\WINDOWS\system

C:\WINDOWS\Web

C:\WINDOWS\system32

C:\Documents and Settings\Compaq_Administrator

C:\Documents and Settings\Compaq_Administrator\Application Data

Start Menu

C:\DOCUME~1\COMPAQ~1\FAVORI~1

Desktop

C:\Program Files

Corrupted keys

Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

Rustock

DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 16.92.3.242
DNS Server Search Order: 16.92.3.243
DNS Server Search Order: 16.81.3.243
DNS Server Search Order: 16.118.3.243

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 64.136.52.73
DNS Server Search Order: 64.136.44.73

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DC2C286-6BBE-4FE8-91A0-CBBF5E9E42E5}: NameServer=64.136.52.73 64.136.44.73
HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DC2C286-6BBE-4FE8-91A0-CBBF5E9E42E5}: NameServer=64.136.52.73 64.136.44.73
HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243

Scanning for wininet.dll infection

End


Have also finished download of Offline Installer for JRE 6 and will take care of that now.
Thanks.
wthrwthoutyu

Edit: Old versions of JRE removed, 6 update 4 now installed.

Edited by wthrwthoutyu, 03 March 2008 - 05:41 AM.


#13 Starbuck (Malware Response Team)

Posted 03 March 2008 - 06:30 AM

Hi wthrwthoutyu
No problems there.
As these tools are constantly being updated, it is recommended that they be removed once you have finished with them.

It might also be a good idea to clean out all the temp files while you are at it.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

#14 wthrwthoutyu (Topic Starter)

Posted 03 March 2008 - 03:52 PM

Hello again,

Cleared caches, cookies and histories in both browsers.

I've set Firefox to clear cache, cookies and download history when I close Firefox. I never use IE for anything except loading my ISP home page, which my ISP requires. I wish I could get around that or that they'd gear their software to use Firefox, but I don't think either of those is going to happen.

Somehow Firefox was set to store history for 30 days. I've reset that to three days. That's as far back as I've ever referred to in History.

In Disk Cleanup, what is/are WebClient/Publisher Temporary Files? (Disk Cleanup showed Temporary Files and Temporary Internet Files at 0kb this time. WebClient/Publisher Files are at 32kb.)

I'll deal with the Recycle Bin on its own. I always like to take a look in there and make sure of what I'm dumping before it's gone forever.

Is there anything else I should do? Can I have SUPER remove the files it quarantined now?

Thank you for the help,
wthrwthoutyu

#15 Starbuck (Malware Response Team)

Posted 03 March 2008 - 05:09 PM

what is/are WebClient/Publisher Temporary Files? (Disk Cleanup showed Temporary Files and Temporary Internet Files at 0kb this time. WebClient/Publisher Files are at 32kb.)

This is nothing to worry about... apparently it always shows a size of 32kb.

Can I have SUPER remove the files it quarantined now?

Yes, no problem.
From the SuperantiSpyware main menu... click on Manage Quarantine.
You should be able to delete the files from there.
