I Think I Blocked Winlogon.exe


36 replies to this topic

#16 DaChew

Posted 06 June 2008 - 09:24 AM

It's important that you do not even try to connect to the internet

This disinfection will involve several steps if I am not mistaken and may well be beyond this subforum

It looks like you have made some progress though.


If you want to continue working on it here then I would suggest downloading one more program

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

but before running it I would try running ATF Cleaner and SAS from safe mode

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

you need the updates for SAS

I am sorry if all this seems complicated. You have an uphill battle on your hands with this infection.
Chewy

No. Try not. Do... or do not. There is no try.

#17 Waygook


Posted 06 June 2008 - 09:30 AM

Thanks for that. How can I get the updates for the SAS if I can't connect to the internet? If I update the one on the computer I am using now, and then transfer the folder, the updates won't transfer as well, will they?

Should I take this to another part of this website?

As for progress, the computer starts much faster than it used to. The 10 minute loads are taking just 2-3, so that's a plus.

I am running MBAM in safe mode now. I'll run the other two when this is finished.

#18 DaChew


Posted 06 June 2008 - 09:49 AM

If you look at my link for SAS, it shows the location of those extra files once SAS is installed; you simply copy them over the installed ones.

Most of the stuff we do here is less complicated than what you run into in the HJT forum

#19 Waygook


Posted 06 June 2008 - 09:02 PM

Excellent. Sorry - I read those initial posts quickly, having full intention of coming back to them when I was able to download the programs. I didn't read the part about the updates.

I was up late last night waiting for the MBAM scan to finish (it took about 2.5 hours) and it hadn't found anything. Then it very quickly found three threats, gave me some script error message and shut down. Annoyed.

I've run the ATF scan in safe mode (deleted 500 MB of crap). I'm now running SAS using the settings in that link you sent me. It's found 84 threats already in 38 minutes. Do you want me to post the log file when it's done?

Which program do I run after this one?

#20 DaChew


Posted 06 June 2008 - 11:03 PM

Post the SAS log and please run another MBAM quick scan from normal mode.

these infections are like layers of an onion

Edited by DaChew, 06 June 2008 - 11:03 PM.


#21 Waygook


Posted 06 June 2008 - 11:43 PM

This SAS scan is still going... 3 hours and 20 minutes.

It's found 161 threats; 26 registry & 1 file item.

#22 Waygook


Posted 07 June 2008 - 01:14 AM

It finished not long after that previous post.

Here is the Safe Mode log for SAS.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2008 at 12:59 PM

Application Version : 4.15.1000

Core Rules Database Version : 3476
Trace Rules Database Version: 1467

Scan type : Complete Scan
Total Scan Time : 03:36:25

Memory items scanned : 135
Memory threats detected : 0
Registry items scanned : 5135
Registry threats detected : 26
File items scanned : 102415
File threats detected : 7


Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{A93A4625-6216-499C-B360-BBD0A7C0D479}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A93A4625-6216-499C-B360-BBD0A7C0D479}
HKCR\CLSID\{A93A4625-6216-499C-B360-BBD0A7C0D479}
HKCR\CLSID\{A93A4625-6216-499C-B360-BBD0A7C0D479}\InProcServer32
HKCR\CLSID\{A93A4625-6216-499C-B360-BBD0A7C0D479}\InProcServer32#ThreadingModel

Rootkit.Protect/WinNT32
HKLM\System\ControlSet001\Services\Din40
C:\WINDOWS\SYSTEM32\DRIVERS\DIN40.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_Din40
HKLM\System\ControlSet002\Services\Din40
HKLM\System\ControlSet002\Enum\Root\LEGACY_Din40
HKLM\System\ControlSet003\Services\Din40
HKLM\System\ControlSet003\Enum\Root\LEGACY_Din40
HKLM\System\CurrentControlSet\Services\Din40
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Din40

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#{74CD40EA-EF77-4BAD-808A-B5982DA73F20}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx [  ]

Trojan.Homepage/Puper
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#wininet.dll



Adware.Tracking Cookie




Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP


Below is the log file for the MBAM Quick Scan in normal mode. I think this scan used the updates.

Malwarebytes' Anti-Malware 1.15
Database version: 836

1:51:12 PM 7/06/2008
mbam-log-6-7-2008 (13-50-42).txt

Scan type: Quick Scan
Objects scanned: 52966
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.


In case you were expecting something, there haven't been any noticeable changes to my system after these scans.
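As an added example that is not part of this thread, the following Python script parses the two log formats posted above (SUPERAntiSpyware's blank-line-separated family blocks and Malwarebytes' "<Section> Infected:" lists) and sorts the findings so the registry load points, such as the Winlogon\Notify entry pointing at WinNt32.dll, are reviewed before the tracking cookies. The sample logs embedded in it are constructed, shortened excerpts of the logs in this post.

```python
import re
from collections import namedtuple

# Constructed excerpts modelled on the SAS and MBAM logs posted above (shortened).
SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{A93A4625-6216-499C-B360-BBD0A7C0D479}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A93A4625-6216-499C-B360-BBD0A7C0D479}

Rootkit.Protect/WinNT32
HKLM\System\ControlSet001\Services\Din40
C:\WINDOWS\SYSTEM32\DRIVERS\DIN40.SYS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Din40

Trojan.Homepage/Puper
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#wininet.dll

Adware.Tracking Cookie
.zedo.com [ C:\Documents and Settings\Aidan\Application Data\Mozilla\Firefox\Profiles\zfitf9vn.default\cookies.txt ]
"""

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.15

Memory Modules Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.
"""

# item: registry path, file path or cookie domain; SAS logs no action, so "detected".
Detection = namedtuple("Detection", "tool category item action")

REG_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\", re.I)
FILE_RE = re.compile(r"^[A-Za-z]:\\")
COOKIE_RE = re.compile(r"^(\S+) \[ .+ \]$")
MBAM_ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")

# Registry load points that appear in the logs above, and why each one matters.
LOAD_POINTS = [
    (r"\\Winlogon\\Notify\\", "Winlogon notify package: DLL loaded into winlogon.exe at logon"),
    (r"\\Explorer\\ShellExecuteHooks", "ShellExecuteHook: COM object loaded whenever ShellExecute runs"),
    (r"\\policies\\explorer\\run", "Policies\\Explorer\\Run: started at every logon"),
    (r"\\(ControlSet\d+|CurrentControlSet)\\Services\\", "Service/driver: started by the SCM"),
]

def _is_entry(line):
    return bool(REG_RE.match(line) or FILE_RE.match(line) or COOKIE_RE.match(line))

def parse_sas(text):
    """SAS blocks are blank-line separated: a family name, then one item per line."""
    found = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 2 or _is_entry(lines[0]) or not all(map(_is_entry, lines[1:])):
            continue  # header or summary block, not a detection block
        for line in lines[1:]:
            m = COOKIE_RE.match(line)
            found.append(Detection("SAS", lines[0], m.group(1) if m else line, "detected"))
    return found

def parse_mbam(text):
    """MBAM lists '<Section> Infected:' then '<item> (<family>) -> <action>.' lines."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):  # summary lines end in a count, not in ':'
            in_section = True
        elif in_section and (m := MBAM_ENTRY_RE.match(line)):
            found.append(Detection("MBAM", m.group(2), m.group(1), m.group(3)))
    return found

def load_point(path):
    """Why a registry path is an autostart location, or None if it is not one."""
    return next((why for pat, why in LOAD_POINTS if re.search(pat, path, re.I)), None)

def triage(detections):
    """Group detections so active load points get reviewed before cookies."""
    report = {"load_points": [], "files": [], "cookies": [], "other": []}
    for d in detections:
        why = load_point(d.item)
        key = ("load_points" if why else "files" if FILE_RE.match(d.item)
               else "cookies" if d.category == "Adware.Tracking Cookie" else "other")
        report[key].append((d.item, d.category, why or d.action))
    return report

if __name__ == "__main__":
    print(triage(parse_sas(SAS_LOG) + parse_mbam(MBAM_LOG)))
```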

#23 DaChew


Posted 07 June 2008 - 03:13 AM

That's good progress. I see you applied the core and trace definitions updates; I can't stress how important something like that is. All these antimalware programs are being constantly updated, as is the malware, in a cat and mouse game. You snooze, you lose.

I would suggest SDFix next.

Be very thorough with ATF Cleaner. I don't think anyone really understands how all this malware works; it's best to give the antimalware programs an easier job and let ATF do some pre-cleaning.

Edited by DaChew, 07 June 2008 - 03:27 AM.


#24 Waygook


Posted 07 June 2008 - 06:09 AM

I followed the details from the BleepingComputer SDFix instruction guide. I installed it in normal mode and ran it in safe mode. But then it told me that I was missing the file c:/SDFix/apps/locate.com. I've tried searching for this file, but all I find is locate.com in other people's log files.


Is this a common problem - If so, is there a fix? I'll keep trying.

EDIT: I've just run a search on my computer and the locate.com file is there - in the apps folder. It's in a hidden folder, which I have now allowed to be shown. I ran the program again, but I am still getting the "cannot find" message.

Edited by Waygook, 07 June 2008 - 06:26 AM.


#25 DaChew


Posted 07 June 2008 - 08:25 AM

Goto Start Menu > Run > then copy and paste the following line:


%systemroot%\system32\cmd.exe /K %systemdrive%\SDFix\apps\FixPath.exe


Click OK, then type Y and press Enter when prompted, Reboot and start SDFix again


It's best, when carrying all this over, to save the web page instructions as a text file so you can copy and paste commands if needed.

#26 DaChew


Posted 07 June 2008 - 08:34 AM

In Quietman7's guide for MBAM there's a section

MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from
http://www.malwarebytes.org/mbam/database/mbam-rules.exe
and just double-click on mbam-rules.exe to install.


I hope you are using a USB jump drive for all this.

#27 Waygook


Posted 07 June 2008 - 09:19 AM

Righto - I did as you said above, though I wasn't clear whether I should do it in normal or safe mode. I did it in normal mode because when I installed the program, it said to do it in normal mode.

Unfortunately, I am still getting the same error message when I try to run SDFix (c:/SDFix/runthis.bat). It says it cannot find c:\sdfix\apps\locate.com.

This is the message that I get when I run the command you told me above in normal mode. Makes no sense to me!

Any leads?

> In Quietman7's guide for MBAM there's a section
>
> I hope you are using a usb jump drive for all this


I'm using my iPod. Good or bad?

#28 DaChew


Posted 07 June 2008 - 09:30 AM

> I'm using my iPod. Good or bad?

As long as it's immunized, I hope it's OK.

Let's see if we can get a real expert to look at the SDFix issue.

You might try that command in safe mode, logged onto your normal login.

#29 DaChew


Posted 07 June 2008 - 04:15 PM

Well, when I said real expert I didn't expect to see the SDFix author posting in this forum later. I asked him to look at and review this thread; he suspects that remnants of McAfee may still be interfering with fixes?

http://www.majorgeeks.com/McAfee_Consumer_...Tool_d5420.html

I would encourage you to run this tool

He also recommended tools that we don't use in this subforum.

You could run a scan with DSS and post a log and brief history in the HJT subforum

#30 Waygook


Posted 07 June 2008 - 08:00 PM

Thanks again. I was hoping to do this last night, but just as I was about to post, the website lost connection. I thought it was a problem with bleepingcomputer servers, but I ran it through a proxy this morning and it works fine. Weird.

I've run the McAfee Removal Program in both normal and safe mode. It seemed to do something (took about 3 minutes). I did get this error message though: ERROR OBTAINING FULL PERMISSIONS FOR CLEAN-UP. SOME PRODUCTS MAY NOT BE FULLY REMOVED.

I tried to run SDFix again, but am still getting the same error message as last night. I tried the FixPath.exe solution. Didn't help.

I've now run the DSS as suggested. I'll post the log here, as well as in the HJT forum.

Edited by quietman7, 08 June 2008 - 06:39 AM.




