Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Superantispyware, Adzgalore, Cpmsky,


  • This topic is locked This topic is locked
8 replies to this topic

#1 leicrissea

leicrissea

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:08:41 AM

Posted 21 July 2008 - 10:52 AM

I'm not sure how I got them, But I'm thinking limewire.
I am a newbie, first of all.
Anyway, I only had adzgalore and cpmsky before. I already have a malwarebytes' anti-malware because I used it on the WindowsXPAntivirus2008 and it did took the hated thing off.
So when I ran malwarebytes'.. It found a couple of things , so I removed them.
It seems like adzgalore stopped popping up, but then the next day, there's a warning sign that popped up saying something about installing SUPERAntispyware now! It looks really suspicious so I just hit x.

I also have norton antivirus. but it's almost expired. I ran a scan using that but it only scanned 5000 plus items when it used to scan like a whole lot that that. It did find a cookie, but that's about it. Then I noticed the Norton button on my taskbar disappear.

So i decided to download Ad-Aware2008 and started a scan. I also started up malwarebytes to scan.

In the middle of the scans, a window popped up saying 'unable to open this norton product, please restart your computer, then some numbers at the bottom 8500, 108. But I just dragged it down to the bottom of my screen. I kinda have a hunch that the norton is infected though..

When the ad-aware finished scanning it didn't find anything. but malwarebytes found 17!!!




I've also used ewido internet scanner, it only found cookies. :\

I really wish I could use this Hijackthis... but to use that, I have to boot on safe mode.... Which, I don't know why, but when I hit F8, and then Safe Mode, it just returns to the page before the advanced options and doesn't do anything. If I hit enter again, random things flood the screen, then freezes. So I have to pull the electricity off just so it will turn off.

BTW, I'm using Windows XP.

I also have a question about malwarebytes'.. About the Quarantine, I see all of the trojan agents and stuff, should I Delete them or do something about them?

So bottom line is, how do I get rid of these things?
_______________________________________________________
EDIT:
After the malwarebytes scan, my computer had to restart so I retarted it.. so far so good, no pop ups..

but now I'm just afraid that my computer is not fully clean.

Edited by leicrissea, 21 July 2008 - 11:12 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:41 AM

Posted 21 July 2008 - 12:06 PM

Can you post the results of your last scan?

Launch MBAM.
Click the Logs Tab at the top.
mbam-log-7-18-2008(09-52-04).txt should show in the list. <- your dates will be different from this exampe
Click on the log name to highlight it.
Go to the bottom and click on Open.
The log should automatically open in notepad as a text file.
Go to Edit and choose Select all.
Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
Come back to this thread, click Add Reply, then right-click and choose Paste.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 leicrissea

leicrissea
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:08:41 AM

Posted 21 July 2008 - 12:14 PM

Thank you for replying !

Malwarebytes' Anti-Malware 1.22
Database version: 974
Windows 5.1.2600 Service Pack 2

12:01:42 PM 7/21/2008
mbam-log-7-21-2008 (12-01-42).txt

Scan type: Quick Scan
Objects scanned: 64071
Time elapsed: 24 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcefmj0e90p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcefmj0e90p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ee8716d-6447-7123-1c12-83f5f9dbdeb9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ee8716d-6447-7123-1c12-83f5f9dbdeb9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0ee2786-3ae4-2a51-2ca6-acd0d23bbe52} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b0ee2786-3ae4-2a51-2ca6-acd0d23bbe52} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dce447c3-f42d-4fa8-9d45-b4f4e9d3a610} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dce447c3-f42d-4fa8-9d45-b4f4e9d3a610} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{841ca1a5-9ab0-e0dd-5cb0-7f17c220112d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kzwyjuaxvvzgsk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\cauemwispxwf.dll (Adware.BHO) -> Delete on reboot.
C:\WINDOWS\system32\nsj129.dll (Adware.BHO) -> Delete on reboot.


_________________________________________________
Btw, I also ran a Spybot search and destroy scan after restarting..

a window popped up saying there's a problem with C:\Program Files\Spybot-Search-Destroy\Includes\Trojans.sbi

What does that mean?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:41 AM

Posted 21 July 2008 - 12:29 PM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, the rescan again anyway and post a new log.

Trojans.sbi is a data file installed and used by Spybot to detect Trojan infections.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 leicrissea

leicrissea
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:08:41 AM

Posted 21 July 2008 - 12:58 PM

yes, i've restarted it and performed a quickscan..

here's the log

Malwarebytes' Anti-Malware 1.22
Database version: 974
Windows 5.1.2600 Service Pack 2

1:56:50 PM 7/21/2008
mbam-log-7-21-2008 (13-56-50).txt

Scan type: Quick Scan
Objects scanned: 64197
Time elapsed: 30 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


but after this, it didn't ask me to reboot. Well, should I?

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:41 AM

Posted 21 July 2008 - 01:10 PM

Yes, reboot normally, do another Quick Scan and post back with the results.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 leicrissea

leicrissea
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:08:41 AM

Posted 21 July 2008 - 02:00 PM

Malwarebytes' Anti-Malware 1.22
Database version: 974
Windows 5.1.2600 Service Pack 2

2:57:04 PM 7/21/2008
mbam-log-7-21-2008 (14-57-04).txt

Scan type: Quick Scan
Objects scanned: 63289
Time elapsed: 34 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



here's the new log..

so what does this mean? my computer's still infected?

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:41 AM

Posted 21 July 2008 - 02:13 PM

It means MBAM has not been able to remove those few remnants of registry entries. The physical files that were detected have been successfully removed. However, the fact that those entries are returning is an indication something else may still be on your system that is regenerating them. I recommend further investigation to be sure. Before that can be done you will need you to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:41 AM

Posted 21 July 2008 - 03:04 PM

Hello leicrissea

I see that you now have your HJT log posted here: http://www.bleepingcomputer.com/forums/t/158903/superantispyware-adzgalore-cpmsky-stubborn-leftovers/ I quote a question you have from that topic:

Do I select all the boxes and hit FIX SELECTED on the HJT?


Absolutely not. Many of those entries are essential to proper functioning of the computer. Please wait for an HJT Team member to guide you through the disinfection process. You should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users