And Again.....need Help.



#1 xtinctss

Members, 81 posts

Posted 03 April 2008 - 04:48 PM

Asking for help Again. Son got into something and now I'm back.

SYSTEM:
Acer L100 OEM config with added RAM
OP SYS:
Vista Ultimate Upgrade

General info:

System has worked flawlessly for over a year. Never a crash or other unknown compatibility issues. I am running Kaspersky Anti-virus and Adware Plus. Both have found and removed several trojans. Run in both standard and safe mode.

Symptoms:

Every time a window is opened in IE the task bar disappears for a second then reappears. I can not open a window for "Computer", "Windows Update" or anything else except IE and Programs. Before running a safe mode Kaspersky, I would get tab after tab opening up. I also get an Icon and warning screen about an infection. If clicked, an IE window opens and takes me to some spyware software site. Some key strokes seem to get mixed up too. I know it's not my typing even though I am not that good! (This may well be a HW problem)

I could use a little help cleaning this up and don't know where to begin in Vista.

So, where do I start?


#2 xtinctss

Topic Starter, Members, 81 posts

Posted 03 April 2008 - 06:55 PM

Okay, via superantispyware I have:

Adware Vundo Variant/Resident
Adware Vundo-Variant/Small-A
Troja.Downloader_NewJuan/VM
Trojan.Unclassified/Multi-Droper (Packed)
Adware.Tracking Cookie
Trojan.Downloader-Gen/Installer

3 in memory, 1 Registry Item, the rest in the Files items. Just in case you need to keep score!

#3 DaChew

Visiting Alien, BC Advisor, 10,317 posts, Location: millenium falcon and rockytop

Posted 03 April 2008 - 07:14 PM

You have run it from safe mode (no networking), F8 only?

Another thing to remember is often real time protection will interfere with another program trying to fix your computer

If you have any doubts at all that it's clean, it's best to have an expert fix it in the hijackthis forums


C:\Documents and Settings\XXXXXX\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs


Edited by DaChew, 03 April 2008 - 07:17 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#4 xtinctss

Topic Starter, Members, 81 posts

Posted 03 April 2008 - 08:14 PM

Will do. THX

#5 xtinctss

Topic Starter, Members, 81 posts

Posted 03 April 2008 - 08:20 PM

via superantispyware I have:

Adware Vundo Variant/Resident
Adware Vundo-Variant/Small-A
Troja.Downloader_NewJuan/VM
Trojan.Unclassified/Multi-Droper (Packed)
Adware.Tracking Cookie
Trojan.Downloader-Gen/Installer

3 in memory, 1 Registry Item, the rest in the Files items.

Against what I should have done, I had SAS "fix" these. I got a few missing dll warnings upon reboot. I am running Vista Ultimate on a stock Acer L100. I have running: Kaspersky AV, Adwatch/AdAware plus, SAS and windows firewall. I have no idea how to post any logs out of Vista or with Vista or even what PGMs to use to do this. It was suggested I come to this forum for help. Please advise.

#6 Orange Blossom

OBleepin Investigator, Moderator, 36,719 posts, Location: Bloomington, IN

Posted 03 April 2008 - 08:34 PM

Hello xtinctss,

I merged your topic that was in the HJT forum with this one because there was no HJT log. Let's hold off on posting there and see what else can be done here. The HJT team is EXTREMELY busy. If we determine that you need to post there, we will provide detailed instructions on what to do.

For now, please post the entire SUPERAntiSpyware log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 DaChew

Visiting Alien, BC Advisor, 10,317 posts, Location: millenium falcon and rockytop

Posted 03 April 2008 - 09:03 PM

here's a rather detailed double scan guide for super and vista

like orange blossom said don't post a hijackthis log

vista is a lot more bulletproof than xp and your infection will probably not be that bad or hard to clean

SUPERAntispyware Scan

Download and install SUPERAntiSpyware using the default settings


Right-click the SUPERAntiSpyware desktop icon and choose "Run as Administrator" to launch the program.
When you are asked to update the program definitions, click Yes.
Only if you are not prompted to update the definitions or already have SAS, select Check for Updates before scanning.


Program Setup


Select Preferences | Scanning Control

Check the following Scanner Options:
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the Close button to leave the control center screen.



Scan Setup


Select Check for Updates to verify that you are working with the most up-to-date definition database.
On the main SAS screen, under Scan for Harmful Software select Scan your Computer.
On the left, make sure your primary drive (normally C:\Fixed Drive) is selected, plus any other hard drives that are connected to your system.
Now, close SUPERAntispyware because you will be running the scan in safe mode.

Boot into safe mode


Restart your computer
Right after the PC manufacturer's splash screen appears, immediately tap the F8 function key
When the Advanced Options menu appears, select the safe mode option
You will see a list of drivers scroll by, after which a low resolution version of the Windows desktop appears


Scan with SUPERAntispyware


Relaunch SUPERAntispyware by right-clicking its desktop short-cut and choosing "Run as Administrator".
On the main SAS screen, under Scan for Harmful Software select Scan your Computer.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.
After the scan is complete, a Scan Summary box will appear listing potential threats that were detected. Click OK.
Check all detected threats, then click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click OK and then click the Finish to return to the main menu.
Reboot your computer


Retrieving the scan report

Relaunch SUPERAntispyware
Click Preferences | Statistics/Logs
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, select the most recent and press View log. The SAS scan log will be displayed in your default text editor.
If you are posting a HJT log, and any threats (excluding cookies) were found - copy and paste the SAS Scan Log results in your HJT topic - along with your HJT log.
Click Close to exit the program.


Edited by DaChew, 03 April 2008 - 09:03 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#8 xtinctss

Topic Starter, Members, 81 posts

Posted 04 April 2008 - 02:53 PM

This one was run yesterday:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2008 at 08:06 PM

Application Version : 4.0.1154

Core Rules Database Version : 3430
Trace Rules Database Version: 1422

Scan type : Complete Scan
Total Scan Time : 00:31:11

Memory items scanned : 779
Memory threats detected : 3
Registry items scanned : 7562
Registry threats detected : 1
File items scanned : 25886
File threats detected : 72

Adware.Vundo Variant/Resident
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\MLJCCDTS.DLL
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\MLJCCDTS.DLL

Adware.Vundo-Variant/Small-A
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\IWLRJUEC.DLL
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\IWLRJUEC.DLL
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\MJUMDMWA.DLL

Trojan.Downloader-NewJuan/VM
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\QRXUAHWN.DLL
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\QRXUAHWN.DLL

Trojan.Unclassified/Multi-Dropper (Packed)
[LTMJ0wj2na] C:\PROGRAMDATA\WBOPQVEP\WRUVSJUD.EXE
C:\PROGRAMDATA\WBOPQVEP\WRUVSJUD.EXE

Adware.Tracking Cookie
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\murray@msnportal.112.2o7[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\murray@doubleclick[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\abby@ar.atwola[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\abby@atwola[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@tribalfusion[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@ads.addynamix[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@apmebf[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@atwola[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@ads.pointroll[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@advertising[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@doubleclick[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@media.mtvnservices[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@ehg-oreilly.hitbox[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@2o7[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@2o7[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@adlegend[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@bizrate[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@atdmt[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@atdmt[3].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@casalemedia[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@e-2dj6wfmyeidpglo.stats.esomniture[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@e-2dj6wjkygiajkep.stats.esomniture[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@gamefinder.disney.go[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@imrworldwide[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@overture[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@partner2profit[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@perf.overture[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@primedia.us.intellitxt[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@questionmarket[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@questionmarket[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@serving-sys[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@sales.liveperson[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@www.googleadservices[2].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@www.googleadservices[3].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@www.googleadservices[5].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@www.googleadservices[8].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@zedo[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\Low\murray@ad.m5prod[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\Low\murray@2o7[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\Low\murray@ads.techguy[1].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@ads.pointroll[1].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@atdmt[1].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@bs.serving-sys[1].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@doubleclick[1].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@ehg-dig.hitbox[2].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@hitbox[2].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@msnportal.112.2o7[1].txt
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\Low\ryan@serving-sys[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@zedo[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@ads.as4x.tmcs[2].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@ads.as4x.tmcs[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@imrworldwide[2].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@trafficmp[2].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@www.googleadservices[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@partner2profit[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@media.hotels[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@hitbox[2].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@adopt.euroclick[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@footballfanatics.112.2o7[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@sales.liveperson[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@sales.liveperson[3].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@tribalfusion[2].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@ulta.122.2o7[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@specificclick[2].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@atwola[1].txt
C:\Users\Teresa\AppData\Roaming\Microsoft\Windows\Cookies\Low\teresa@ad.m5prod[1].txt

Trojan.Downloader-Gen/Installer
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\BX18DXV.DAT



This was today:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/04/2008 at 09:49 AM

Application Version : 4.0.1154

Core Rules Database Version : 3431
Trace Rules Database Version: 1423

Scan type : Complete Scan
Total Scan Time : 00:26:29

Memory items scanned : 236
Memory threats detected : 0
Registry items scanned : 7579
Registry threats detected : 0
File items scanned : 25924
File threats detected : 4

Adware.Tracking Cookie
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\murray@msnportal.112.2o7[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\murray@doubleclick[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\Low\murray@ad.m5prod[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\Low\murray@doubleclick[1].txt




I am still getting a "Spyware alert" pop up and when clicked it opens IE and goes to a website.

I also found a few files named *trojan.*.* . One was a desktop item, one was in a temp folder (I moved the whole folder) and 4 were in a folder named "Desktopvirii" (It too is in the bin). What do I do next?

Edited by xtinctss, 04 April 2008 - 02:55 PM.
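The two SAS logs above are the kind of before/after pair a helper reads by hand: the first scan lists Vundo DLLs in the user's Temp folder and a packed dropper under ProgramData, the second only tracking cookies, yet the fake "Spyware alert" pop-up is still there, so the scanner has not found whatever re-launches it. The following Python is an added example, not code from the thread or from SUPERAntiSpyware; it parses the SAS log layout shown in the post (a category line followed by its paths, categories separated by blank lines, memory items prefixed with a bracketed tag), drops tracking cookies as noise, and diffs two scans to show what was resolved, what persists and what is new. The log text is a trimmed, constructed copy of the two posted logs.

```python
import re

# Constructed sample: trimmed copies of the two SUPERAntiSpyware logs posted
# above (03 April and 04 April), embedded so the example runs offline.
SAS_LOG_DAY1 = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2008 at 08:06 PM

Memory threats detected : 3
Registry threats detected : 1
File threats detected : 72

Adware.Vundo Variant/Resident
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\MLJCCDTS.DLL

Adware.Vundo-Variant/Small-A
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\IWLRJUEC.DLL
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\MJUMDMWA.DLL

Trojan.Unclassified/Multi-Dropper (Packed)
[LTMJ0wj2na] C:\PROGRAMDATA\WBOPQVEP\WRUVSJUD.EXE
C:\PROGRAMDATA\WBOPQVEP\WRUVSJUD.EXE

Adware.Tracking Cookie
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\murray@doubleclick[1].txt
C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\Low\abby@atwola[1].txt

Trojan.Downloader-Gen/Installer
C:\USERS\MURRAY\APPDATA\LOCAL\TEMP\BX18DXV.DAT
"""

SAS_LOG_DAY2 = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/04/2008 at 09:49 AM

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 4

Adware.Tracking Cookie
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\murray@doubleclick[1].txt
C:\Users\Murray\AppData\Roaming\Microsoft\Windows\Cookies\Low\murray@ad.m5prod[1].txt
"""

COOKIE_CATEGORY = "Adware.Tracking Cookie"
_COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
_TAG_RE = re.compile(r"^\[[^\]]+\]\s+")   # memory-item tag such as "[LTMJ0wj2na] "


def parse_sas_log(text):
    """Return (counts, detections): counts maps Memory/Registry/File to the totals
    reported in the header, detections maps each category name to its item list."""
    counts = {}
    detections = {}
    category = None
    in_detections = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_detections:
            m = _COUNT_RE.match(line)
            if m:
                counts[m.group(1)] = int(m.group(2))
                if m.group(1) == "File":     # last header line; detections follow
                    in_detections = True
            continue
        if not line:                         # a blank line ends the current category
            category = None
            continue
        if category is None:                 # first line after a blank is the category
            category = line
            detections.setdefault(category, [])
            continue
        detections[category].append(_TAG_RE.sub("", line))
    return counts, detections


def real_detections(detections):
    """Set of (category, path) pairs with tracking cookies dropped as noise and the
    memory/file duplicate of the same path collapsed into one entry."""
    return {(cat, item) for cat, items in detections.items()
            if cat != COOKIE_CATEGORY for item in items}


def compare_scans(before_text, after_text):
    """Diff two SAS logs on their non-cookie detections."""
    before = real_detections(parse_sas_log(before_text)[1])
    after = real_detections(parse_sas_log(after_text)[1])
    return {
        "resolved": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    counts, detections = parse_sas_log(SAS_LOG_DAY1)
    print("reported by header:", counts)
    for cat, items in detections.items():
        print(f"{cat}: {len(items)} item(s)")
    print(compare_scans(SAS_LOG_DAY1, SAS_LOG_DAY2))
```

On these two logs every non-cookie detection is reported as resolved and nothing persists, which is exactly the situation the post describes: a clean second scan alongside a pop-up that keeps coming back. A scanner that reports nothing is evidence only about what its signatures cover, so a clean diff is a reason to bring in a second tool, as the next replies do, not a reason to stop.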


#9 DaChew

Visiting Alien, BC Advisor, 10,317 posts, Location: millenium falcon and rockytop

Posted 04 April 2008 - 03:52 PM

  • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
with vista you might have to right-click/run as administrator

looking better

I like MBAM also, seems to go well with SAS
Chewy

No. Try not. Do... or do not. There is no try.

#10 xtinctss

Topic Starter, Members, 81 posts

Posted 04 April 2008 - 07:42 PM

Malwarebytes' Anti-Malware 1.10
Database version: 592

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 223563
Time elapsed: 40 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
c:\program files\the weather channel fw\desktop weather\desktopweather.exe (Adware.Hotbar) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\the weather channel fw\framework\wxfw.dll (Adware.Hotbar) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DW4 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Juan (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\the weather channel fw\desktop weather\desktopweather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\program files\the weather channel fw\framework\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-2766986024-4046203671-2649777712-1000\$RPILHBS\alenqnuf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelQC.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelqx.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelUpdate.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\WiseInstallUtility.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Users\Murray\AppData\Local\Temp\28220ea1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Murray\AppData\Local\Temp\39dce4bc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Murray\AppData\Local\Temp\c03a2a7a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
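The MBAM log above is more informative than the SAS ones because every line says where the item lived and what was done with it. Two things in it matter to whoever is cleaning the machine: the entries marked "Delete on reboot" are not gone until the machine has actually been restarted, and the entries under Run keys, Browser Helper Objects and SharedTaskScheduler are autostart locations, which is how the fake-alert pop-up and the IE hijack kept coming back after each SAS pass. The following Python is an added example, not code from the thread or from Malwarebytes; it parses the `item (Threat) -> Action.` line format shown in the post, lists the items still pending a reboot, and flags the persistence points. The sample log is a constructed subset of the posted one.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the Malwarebytes' Anti-Malware
# log posted above, embedded so the example runs offline.
MBAM_LOG = r"""
Memory Processes Infected:
c:\program files\the weather channel fw\desktop weather\desktopweather.exe (Adware.Hotbar) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Juan (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Users\Murray\AppData\Local\Temp\28220ea1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<threat name>) -> <action>."
_ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Autostart locations that occur in the posted log. An entry under one of these
# is a persistence point: it is what relaunched the infection after each reboot.
AUTOSTART_MARKERS = {
    "\\currentversion\\run\\": "Run key (starts at logon)",
    "\\browser helper objects\\": "Browser Helper Object (loaded by Internet Explorer)",
    "\\sharedtaskscheduler\\": "SharedTaskScheduler (loaded by Explorer)",
}


def parse_mbam_log(text):
    """Return one dict per detection with keys section, item, threat, action."""
    records = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = _ENTRY_RE.match(line)
        if m:                             # "(No malicious items detected)" does not match
            records.append({"section": section, **m.groupdict()})
    return records


def pending_reboot(records):
    """Items MBAM could not remove while running; they are gone only after a restart."""
    return [r["item"] for r in records if r["action"] == "Delete on reboot"]


def persistence_points(records):
    """(description, item) for every entry that sits in a known autostart location."""
    found = []
    for r in records:
        lowered = r["item"].lower()
        for marker, label in AUTOSTART_MARKERS.items():
            if marker in lowered:
                found.append((label, r["item"]))
    return found


def threat_counts(records):
    """How many log entries each detection name accounts for."""
    return Counter(r["threat"] for r in records)


if __name__ == "__main__":
    recs = parse_mbam_log(MBAM_LOG)
    print(f"{len(recs)} detections:", dict(threat_counts(recs)))
    print("pending reboot:", pending_reboot(recs))
    for label, item in persistence_points(recs):
        print(f"persistence via {label}: {item}")
```

Run against the full posted log, the same functions would list the CLSID keys flagged "Delete on reboot" (hence DaChew's reminder to reboot) and the Run values for "MS Juan" and "cmds" plus the BHO entries, which together explain the symptoms from the first post.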

#11 xtinctss

Topic Starter, Members, 81 posts

Posted 04 April 2008 - 08:02 PM

FWIW, I like that PGM. It works well with vista, and has a good interface. It seems to have picked up a lot of stuff the others didn't.

#12 DaChew

Visiting Alien, BC Advisor, 10,317 posts, Location: millenium falcon and rockytop

Posted 04 April 2008 - 08:05 PM

MBAM seemed overly aggressive with the weather channel, but leave it in quarantine for now. Is your son still surfing, installing programs from another administrative login?

Is your login password protected?
Chewy

No. Try not. Do... or do not. There is no try.

#13 xtinctss

Topic Starter, Members, 81 posts

Posted 04 April 2008 - 08:23 PM

The Admin was not PW protected. It is now. I really would like to know what he got into that caused this. He is still surfing but is being more closely monitored. He got 1 hour on this thing today. If he is lucky, he might get another hour tomorrow. He claims he was trying to look at a video on youtube. He is also only allowed to use HIS login, not mine or anyone else's. (He was on mine apparently.) I know I could PW protect them, but it is a hassle. Come to think of it, this is too! I'll have to think on that one.

#14 Orange Blossom

OBleepin Investigator, Moderator, 36,719 posts, Location: Bloomington, IN

Posted 04 April 2008 - 08:32 PM

Hello xtinctss,

From the SUPERAntiSpyware log, it looks as though there are additional infections that need to be dealt with. Among these are Vundo.

Please go through the steps in this guide: Vundo Removal, but do not do anything with HiJack This. Instead, post the VundoFix log as a reply when you have completed the steps. You will find it here: C:\VundoFix.txt If you have any questions while you go through the guide, please post them as a reply to this thread.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#15 xtinctss

Topic Starter, Members, 81 posts

Posted 05 April 2008 - 07:55 PM

Well, I ran the removal tool. It did a scan and found nothing. There is no log to post. (I don't think) It showed no infections or anything. Now what?

I have the following in the recycle bin however:

DescktopTrojan.win32.blackbird (File)
Desktopvirii (Folder)
gywgduvs (folder)

Does that mean anything to you? Should I empty the recycle bin now?

Edited by xtinctss, 05 April 2008 - 07:58 PM.