Warning Spyware Detected, Adware.w32.spyshredder Popup


20 replies to this topic

#1 wormie

Posted 05 June 2008 - 04:46 AM

Hi,

I'm facing the same problem as the others. I tried the SmitFraud tool and somehow the warning did not reappear (as for now). However, a popup with a warning for adware.w32.spyshredder came out. I'll be posting the contents of my report after running Malwarebytes' Anti-Malware. Hope you guys can help me with this problem.

SmitFraudFix v2.323

Scan done at 15:14:01.56, Thu 06/05/2008
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\boqnrwdmdev.dll deleted.
C:\WINDOWS\atfxqogp.dll deleted.
C:\WINDOWS\vltdfabw.dll deleted.
C:\WINDOWS\vregfwlx.dll deleted.


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\xmpstean.exe Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8829F99B-A7FB-466C-B8B7-AA2B2AA9AD6C}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8829F99B-A7FB-466C-B8B7-AA2B2AA9AD6C}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8829F99B-A7FB-466C-B8B7-AA2B2AA9AD6C}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Malwarebytes' Anti-Malware 1.14
Database version: 826

5:50:38 PM 6/5/2008
mbam-log-6-5-2008 (17-50-38).txt

Scan type: Quick Scan
Objects scanned: 41366
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\WINDOWS\system32\lphccu0j0ejna.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\ehcpisbf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ljJCrRHX.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xxyvsTnL.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{10b5e5c2-8901-4e3c-bf61-ac6e11039292} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10b5e5c2-8901-4e3c-bf61-ac6e11039292} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjcrrhx (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{721c00eb-3642-4c25-a597-372b54e87b0f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{721c00eb-3642-4c25-a597-372b54e87b0f} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15691378 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{10b5e5c2-8901-4e3c-bf61-ac6e11039292} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphccu0j0ejna (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyvstnl -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ehcpisbf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ljJCrRHX.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxyvsTnL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lphccu0j0ejna.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\12D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphccu0j0ejna.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\esbq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt5.tmp (Rogue.AdvancedXPDefender) -> Delete on reboot.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SVCHOST.INI (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Edited by wormie, 05 June 2008 - 04:51 AM.



#2 DaChew

Posted 05 June 2008 - 11:23 AM

After the reboot, update MBAM again, run a quick scan/clean and post a log.

Make sure MBAM is run from normal mode.
Chewy

No. Try not. Do... or do not. There is no try.

#3 wormie

Posted 05 June 2008 - 09:23 PM

This is the latest log, after updating MBAM.

__________________________________________

Malwarebytes' Anti-Malware 1.15
Database version: 833

10:21:35 AM 6/6/2008
mbam-log-6-6-2008 (10-21-35).txt

Scan type: Quick Scan
Objects scanned: 41928
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ehcpisbf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fbsipche.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyvsTnL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LnTsvyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LnTsvyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJCrRHX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
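The two MBAM logs above (the first post and this rerun after the reboot) use the same text format, and the interesting questions are the ones the helper keeps asking: what did MBAM only manage to schedule as "Delete on reboot", which of those items came back in the next run, and which registry data entries were reported with a Bad/Good value pair (the hidden-files switch, Hijack.System.Hidden). The following Python script is an added example for this thread, not code from the forum, from Malwarebytes or from either poster. It parses that log format as seen in the pastes (the format itself is an assumption taken from them) and answers those three questions; the sample logs embedded in it are constructed excerpts modelled on the two logs in this thread.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM) text logs and compare two runs.

Added example for this thread: not code from the forum, from Malwarebytes or
from either poster. The format assumed is the one pasted in the thread: a
header, summary lines such as "Files Infected: 11", then one section per
category whose entries read "<item> (<detection>) -> [<detail> ->] <action>."
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+?)\.?$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # path, registry key or value exactly as MBAM printed it
    name: str      # MBAM detection name, e.g. "Trojan.Vundo"
    detail: str    # text between name and action: "Data: ..." or "Bad: (0) Good: (1)", else ""
    action: str    # final action, e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return the Detection entries of one log, in the order MBAM listed them."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if section is None or not entry:
            continue                     # header and summary lines
        parts = [p.strip() for p in entry.group("rest").split(" -> ")]
        found.append(Detection(section, entry.group("item"), entry.group("name"),
                               " ".join(parts[:-1]), parts[-1]))
    return found


def pending_reboot(detections):
    """Entries MBAM could only schedule for removal (locked DLLs, live BHO keys)."""
    return [d for d in detections if d.action == "Delete on reboot"]


def still_present(first, second):
    """Items from the first run that were detected again in the second run.
    Paths are compared case-insensitively, as Windows does."""
    earlier = {d.item.lower() for d in first}
    return sorted({d.item for d in second if d.item.lower() in earlier})


def hijacked_settings(detections):
    """Registry data items where MBAM printed a Bad/Good value pair, such as the
    Explorer 'show hidden files' switch being forced off (Hijack.System.Hidden)."""
    out = []
    for d in detections:
        m = BAD_GOOD_RE.search(d.detail)
        if m:
            out.append((d.item, d.name, m.group("bad"), m.group("good")))
    return out


# Constructed excerpts modelled on the two logs pasted in this thread.
FIRST_RUN = r"""Malwarebytes' Anti-Malware 1.14
Database version: 826

Scan type: Quick Scan
Files Infected: 11

Memory Modules Infected:
C:\WINDOWS\system32\ehcpisbf.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10b5e5c2-8901-4e3c-bf61-ac6e11039292} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyvstnl -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ehcpisbf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxyvsTnL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lphccu0j0ejna.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SECOND_RUN = r"""Malwarebytes' Anti-Malware 1.15
Database version: 833

Files Infected: 6

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ehcpisbf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fbsipche.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyvsTnL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_RUN), parse_mbam_log(SECOND_RUN)
    print("deferred to reboot in run 1:")
    for d in pending_reboot(first):
        print("  ", d.section, "|", d.item)
    print("back again in run 2:", still_present(first, second))
    print("tampered settings:", hijacked_settings(first))
```

Run it against two saved `mbam-log-*.txt` files by reading them into `FIRST_RUN` and `SECOND_RUN`; an item that is "Delete on reboot" in one run and detected again in the next (as the two Vundo DLLs are here) is the signal that the reboot did not finish the job and that the follow-up scans the helper asks for are needed.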

#4 DaChew

Posted 05 June 2008 - 09:36 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

Let's use ATF and SAS from safe mode to see if we can catch anything else.

#5 wormie

Posted 07 June 2008 - 09:35 PM

Sorry for the late response. Here is the scan log for SAS.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2008 at 06:39 AM

Application Version : 4.15.1000

Core Rules Database Version : 3476
Trace Rules Database Version: 1467

Scan type : Complete Scan
Total Scan Time : 01:15:19

Memory items scanned : 164
Memory threats detected : 0
Registry items scanned : 6985
Registry threats detected : 0
File items scanned : 25886
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@ar.atwola[1].txt
C:\Documents and Settings\User\Cookies\user@atwola[1].txt
C:\Documents and Settings\User\Cookies\user@revsci[1].txt
C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\User\Cookies\user@advertising[1].txt
.tribalfusion.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.sixapart.adbureau.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.adlegend.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.tradedoubler.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.advertlets.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.gostats.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.gostats.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.gostats.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.fortunecity.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.fortunecity.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.fortunecity.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.swissotel.112.2o7.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ads.adbrite.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
ads.adbrite.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
adserver.animea.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.millenniumhotels.122.2o7.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.perf.overture.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.dbs.112.2o7.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
gtp4.acecounter.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
gtp4.acecounter.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.cnetasiapacific.122.2o7.net [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\l5m26wdf.default\cookies.txt ]

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP532\A0242774.DLL

Adware.Vundo-Variant/J
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP532\A0242777.DLL

#6 DaChew

Posted 07 June 2008 - 10:19 PM

Take as much time as you need for this process, but please don't let the computer be online any more than absolutely necessary.

Malware doesn't take a break; it loves to update and reinstall.

Rerun the ATF Cleaner and clean both IE and Firefox.

Update MBAM, run a quick scan and post another log please.

#7 wormie

Posted 08 June 2008 - 07:41 AM

Malwarebytes' Anti-Malware 1.15
Database version: 839

8:39:15 PM 6/8/2008
mbam-log-6-8-2008 (20-39-15).txt

Scan type: Quick Scan
Objects scanned: 42171
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\AUTORUN.INF (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#8 wormie

Posted 08 June 2008 - 07:45 AM

Do I need to run a full scan on SAS again?

#9 DaChew

Posted 08 June 2008 - 08:02 AM

I would rather you reboot and rerun MBAM.

What symptoms does the computer still have, if any?

Edited by DaChew, 08 June 2008 - 08:02 AM.


#10 wormie

Posted 08 June 2008 - 08:17 AM

So far there aren't any symptoms. It's just that these 2 Vundo files kept reappearing.
I didn't get any blue screen stating any warnings or a popup regarding SpyShredder.
I'll reboot now and do an MBAM scan again. Will get back to you again :thumbsup: Thanks a lot!

#11 wormie

Posted 08 June 2008 - 09:32 AM

OK, here it is.

Malwarebytes' Anti-Malware 1.15
Database version: 839

10:31:01 PM 6/8/2008
mbam-log-6-8-2008 (22-31-01).txt

Scan type: Quick Scan
Objects scanned: 42060
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\AUTORUN.INF (Trojan.Agent) -> Quarantined and deleted successfully.

#12 wormie

Posted 08 June 2008 - 09:43 AM

OK, I just ran it again.

Files Infected:
C:\WINDOWS\system32\AUTORUN.INF (Trojan.Agent) -> Quarantined and deleted successfully.

This came out again, just this so far.

#13 DaChew

Posted 08 June 2008 - 09:45 AM

http://virusscan.jotti.org/

http://www.virustotal.com/

Might be a good idea.

I'll see if I can get a recommendation from higher up also.

For finding and showing that pesky file:

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.


#14 wormie

Posted 08 June 2008 - 09:58 AM

Hmm, this is tricky. No matter how many times I select show hidden files and click Apply, it doesn't come out. The settings just go back to the default, hiding hidden files.
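The Folder Options steps in the post above are stored in the registry, and the first MBAM log in this thread already flagged one of them: `Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue` reported as Hijack.System.Hidden with Bad: (0) Good: (1). When that value is wrong, or is not the REG_DWORD Explorer expects, the "Show hidden files and folders" choice does not stick, which matches the symptom just described. The script below is an added example for this thread, not the forum's or either poster's code. It compares the four values behind those steps with what they should be once the steps have been applied, using the standard Windows XP registry locations; `evaluate()` works on a plain dict of observed values so the logic can be exercised anywhere, and only `read_live_settings()` touches the real registry and needs Windows. The sample state in the `__main__` block is constructed to match what the MBAM log reported.

```python
"""Check the Explorer 'show hidden files' registry settings behind the Folder
Options steps in this thread (the ones Hijack.System.Hidden tampers with).

Added example for this thread, not the forum's or either poster's code. The
registry locations are the standard Windows XP ones; EXPECTED holds the data
Explorer writes once the steps in the post above have been applied and stuck.
evaluate() works on a plain dict; read_live_settings() is the Windows-only part.
"""
import sys

REG_DWORD = 4  # same number as winreg.REG_DWORD, spelled out so this module loads off Windows

ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# (hive, subkey, value name) -> (expected data, expected type, meaning)
EXPECTED = {
    ("HKLM", SHOWALL, "CheckedValue"): (1, REG_DWORD,
        "data Explorer stores when 'Show hidden files and folders' is selected; "
        "0 or a string value here is the hijack MBAM reported"),
    ("HKCU", ADVANCED, "Hidden"): (1, REG_DWORD, "1 = show hidden files, 2 = hide them"),
    ("HKCU", ADVANCED, "HideFileExt"): (0, REG_DWORD, "0 = show extensions of known file types"),
    ("HKCU", ADVANCED, "ShowSuperHidden"): (1, REG_DWORD, "1 = show protected operating system files"),
}


def evaluate(observed):
    """observed maps (hive, subkey, value) -> (data, type), or None when the value is absent.
    Returns one finding string per deviation; an empty list means all four are as expected."""
    findings = []
    for loc, (want, want_type, meaning) in EXPECTED.items():
        hive, subkey, name = loc
        where = "\\".join((hive, subkey, name))
        got = observed.get(loc)
        if got is None:
            findings.append(f"{where}: missing ({meaning})")
            continue
        data, kind = got
        if kind != want_type:
            findings.append(f"{where}: type {kind} is not the REG_DWORD Explorer expects ({meaning})")
        elif data != want:
            findings.append(f"{where}: {data!r} instead of {want!r} ({meaning})")
    return findings


def read_live_settings():
    """Read the four values from the live registry; Windows only."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("reading the registry needs Windows")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    observed = {}
    for hive, subkey, name in EXPECTED:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                observed[(hive, subkey, name)] = winreg.QueryValueEx(key, name)  # (data, type)
        except OSError:
            observed[(hive, subkey, name)] = None
    return observed


if __name__ == "__main__":
    # Constructed sample: the state the first MBAM log reported (CheckedValue forced to 0).
    sample = {loc: (want, kind) for loc, (want, kind, _) in EXPECTED.items()}
    sample[("HKLM", SHOWALL, "CheckedValue")] = (0, REG_DWORD)
    for finding in evaluate(sample) or ["all hidden-file settings as expected"]:
        print(finding)
    if sys.platform.startswith("win"):
        for finding in evaluate(read_live_settings()) or ["live settings as expected"]:
            print(finding)
```

If `CheckedValue` reads correctly right after it is set and is wrong again a minute later, something still running on the machine is rewriting it, which is exactly why the helper asks for another scan rather than for the setting to be fixed by hand.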

#15 DaChew

Posted 08 June 2008 - 10:02 AM

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Let's see if you can get SDFix to run.