
olnmraew Toolbar Removal


8 replies to this topic

#1 Darrcyphfeid


Posted 09 October 2008 - 03:36 PM

I'm not very good with software, hence the cause of my problem to begin with, so please notify me if I'm doing something wrong or not revealing enough information. Anyway, right-clicking "My Computer" gives me this, which I'm going to assume you need to know to help me:

System:
Microsoft Windows XP
Home Edition
Version 2002
Service Pack 2

Manufactured and supported by: Compaq
Intel® Celeron™ CPU
1300MHz
1.29 GHz, 512 MB of RAM


Tuesday I was infected with a load of things after foolishly opening an application I wasn't familiar with. Nothing happened at first, but after I restarted my computer my time was changed to military and "Virus Alert!" replaced the date. While connected to the internet various links were downloaded to my desktop including "Gay Fetish Porn" and a handful of Spyware and Virus-related stuff. My entire start menu was cleared out (or rather, hidden from me), and I got a number of messages saying "File Copied" along with percentages (the window looked like my AT&T Support Tool's startup window). I don't know if the last bit was real or just another trick; I have nothing stored on my computer, barring insignificant website accounts that haven't been taken (yet), so I'm not overly concerned either way at the moment.

After looking on the internet a bit on my Wii for an answer I was directed towards Malwarebytes' Anti-Malware, which I ran twice in Safe Mode and once in normal mode. It removed about 18 files altogether. I then purchased PC Tools' Spyware Doctor which I ran in normal mode four or five times (including two "full scans"). It removed over 40 files through all of the searches, most of which involved the word "Trojan."

AVG Anti-Spyware 7.5, McAfee SecurityCenter and Ad-Aware 2008 have never found anything, and now Malwarebytes and Spyware Doctor aren't finding anything. However, any time I'm not connected to the internet I get an endless stream of connection notices. I've not found any way to request more data from the notices so I don't know what, exactly, wants internet access. In addition to this I've been getting messages from Windows itself saying that my "Virtual Memory" is "too low." I'm not sure if that's because of Spyware Doctor overwhelming my completely out-dated computer, or if it's something else using all of the "Virtual Memory" up.

I do know, however, that "olnmraew.dll" and "lfstbwvd.dll" are sitting in my WINDOWS folder. I know from searching that they don't belong there, as if their "Date Modified" being 10/7/2008 (the date of infection) hadn't already given them away, but I'm not really sure what to do next. I had Malwarebytes directly scan olnmraew.dll, but it didn't detect a threat. Likewise neither .dll file has been found during my various searches, and olnmraew.dll has stopped hijacking/redirecting Internet Explorer, although the Toolbar itself is very much still there. There's also an application titled "qkeftmxn.exe", 84 KB in size, with the exact same date and time as the two .dll files. But I didn't notice that until I was verifying information for this post, so I haven't searched for what that is; it hasn't appeared in the two programs' searches either though.

Is it safe for me to just highlight and delete those two .dll files and the .exe file? Or is there another program I should download to get rid of them and ensure that nothing else is left on the computer?



EDIT: Something's definitely still on this computer. After posting this (in FireFox) Internet Explorer, which I've kept in Offline Mode, requested access to:
http:// mediasportal---2008 .com/phandler.php?sid=0&said=0&pn=&aid=0&pid=2

I inserted spaces so as to keep the forum from making that a clickable url. Anyway, I assume that's at least one of the things throwing those internet access notices. Though now I'm not positive if something else just downloaded that and it activated itself, or if it's been there the entire time.



EDIT 2: Spyware Doctor found and removed two more "Trojan-Downloader.Zlob.GEN". After restarting my computer, I got the following error:

"pctsSvc.exe - Application Error
The exception unknown software exception (0x0eedfade) occurred in the application at 0x7c812a5b."

"Exception" was written twice in the message, it's not me making a typo or anything.

Edited by Darrcyphfeid, 09 October 2008 - 05:19 PM.



#2 ruby1


Posted 10 October 2008 - 12:19 PM

Please try running these two scans; instructions are on these links
(this one is a repeat of Malwarebytes)

http://www.bleepingcomputer.com/forums/ind...st&p=959453

and superantispyware
http://www.bleepingcomputer.com/forums/ind...st&p=959604

it would help the Experts to help you if you post the log reports from those two scans for examination :thumbsup:

#3 Darrcyphfeid


Posted 10 October 2008 - 12:56 PM

Thanks for the reply, Ruby. I'll look into that SuperAntiSpyware after I finish up with this post. For now, here are the logs from Malwarebytes -- all of them, in order.



Malwarebytes' Anti-Malware 1.28
Database version: 1240
Windows 5.1.2600 Service Pack 2

10/7/2008 7:09:15 PM
mbam-log-2008-10-07 (19-09-15).txt

Scan type: Quick Scan
Objects scanned: 91407
Time elapsed: 20 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 22
Registry Data Items Infected: 16
Folders Infected: 7
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.band.1 (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8b27cc68-110c-46a9-80d3-f3107de6eb98} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12da1bc4-5384-42fd-a119-3c99d2d146a2} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.bho.1 (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{dbe49762-874f-41ac-9409-ecdd4b3db4a2} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.band (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{12da1bc4-5384-42fd-a119-3c99d2d146a2} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.bho (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b27cc68-110c-46a9-80d3-f3107de6eb98} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{12b2c1c8-646a-43db-8557-e25edecbc411} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{509d6da2-ecfb-407b-b7b0-9ad03a7c1bf8} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur20.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur20.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\some (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qmafxprs (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0011903-00101) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\RAC\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Program Files\Helper (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC\Start Menu\Programs\VirusHeat 3.9 (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Sotfone (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC.YOUR-MDZJN0AZ1G\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC.YOUR-MDZJN0AZ1G\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC.YOUR-MDZJN0AZ1G\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.exe (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC\Start Menu\Programs\VirusHeat 3.9\VirusHeat 3.9.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC\Start Menu\Programs\VirusHeat 3.9\Uninstall VirusHeat 3.9.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC\Start Menu\Programs\VirusHeat 3.9\VirusHeat 3.9 Website.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC.YOUR-MDZJN0AZ1G\Application Data\Adobe\Player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAC.YOUR-MDZJN0AZ1G\Local Settings\Temp\smchk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\eldo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\NetProject\uninst.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\qmafxprs.dll (Trojan.Zlob) -> Quarantined and deleted successfully.



===============================================================================
===============================================================================



Malwarebytes' Anti-Malware 1.28
Database version: 1240
Windows 5.1.2600 Service Pack 2

10/7/2008 9:06:53 PM
mbam-log-2008-10-07 (21-06-53).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 153428
Time elapsed: 1 hour(s), 16 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



===============================================================================
===============================================================================



Malwarebytes' Anti-Malware 1.28
Database version: 1240
Windows 5.1.2600 Service Pack 2

10/8/2008 12:31:08 PM
mbam-log-2008-10-08 (12-31-08).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 153760
Time elapsed: 3 hour(s), 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



===============================================================================
===============================================================================



Malwarebytes' Anti-Malware 1.28
Database version: 1240
Windows 5.1.2600 Service Pack 2

10/8/2008 5:29:05 PM
mbam-log-2008-10-08 (17-29-04).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 23666
Time elapsed: 25 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Like I said, after that first scan Malwarebytes hasn't really been of much help. Spyware Doctor doesn't seem to have a log I can just copy/paste, which is rather annoying, but it did give me an HTML file. I don't have anywhere to upload that so you guys can view it, and it would appear that if I copy/paste the text from that file it'll come to over 5,600 lines of text. ... I'm going to spare us all a headache and provide that information only if it's absolutely necessary.

Aside from that, I took matters into my own hands somewhat (being as careful as possible, of course; I'm here because I can't afford to replace this computer) and used SDFix. Results seem to be mostly positive. I noticed it removed the olnmraew Toolbar for me, as well as that .exe file and the other .dll file. I'm on the (formerly?) infected computer right now, and everything seems to be running smoothly. No notices, no pop-ups, very little lag. Here's SDFix's scan log.




SDFix: Version 1.234
Run by RAC on Fri 10/10/2008 at 12:30 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\10.TMP - Deleted
C:\11.TMP - Deleted
C:\12.TMP - Deleted
C:\13.TMP - Deleted
C:\8.TMP - Deleted
C:\9.TMP - Deleted
C:\A.TMP - Deleted
C:\B.TMP - Deleted
C:\C.TMP - Deleted
C:\D.TMP - Deleted
C:\E.TMP - Deleted
C:\F.TMP - Deleted
C:\Documents and Settings\RAC.YOUR-MDZJN0AZ1G\Application Data\Adobe\crc.dat - Deleted
C:\DOCUME~1\RAC~1.YOU\LOCALS~1\Temp\pwrmgr.exe.bat - Deleted
C:\DOCUME~1\RAC~1.YOU\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\10.tmp - Deleted
C:\11.tmp - Deleted
C:\12.tmp - Deleted
C:\13.tmp - Deleted
C:\A.tmp - Deleted
C:\WINDOWS\lfstbwvd.dll - Deleted
C:\WINDOWS\olnmraew.dll - Deleted
C:\WINDOWS\qkeftmxn.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 00:50:04
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe"="C:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe:*:Enabled:YGO Virtual Desktop Executable"
"C:\\Program Files\\YVD\\n00b-IRC.exe"="C:\\Program Files\\YVD\\n00b-IRC.exe:*:Enabled:n00b-IRC"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\1151648995\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1151648995\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\McAfee.com\\Shared\\mcinfo.exe"="C:\\Program Files\\McAfee.com\\Shared\\mcinfo.exe:*:Enabled:McAfee SecurityCenter Update Info"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 7 May 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 7 May 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 7 May 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Thu 9 Aug 2001 102,467 A..H. --- "C:\Program Files\CompuServe 2000\csphx.exe"
Thu 9 Aug 2001 36,935 A..H. --- "C:\Program Files\CompuServe 2000\cstray.exe"
Thu 9 Aug 2001 64,512 A..H. --- "C:\Program Files\CompuServe 2000\packethsvc.exe"
Thu 9 Aug 2001 40,960 A..H. --- "C:\Program Files\CompuServe 2000\RBM.exe"
Thu 9 Aug 2001 172,095 A..H. --- "C:\Program Files\CompuServe 2000\wcs2000.exe"
Thu 9 Aug 2001 64,512 A..H. --- "C:\WINDOWS\system32\PackethSvc.exe"
Tue 26 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 7 Feb 2006 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"
Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"
Thu 9 Aug 2001 172,032 A..H. --- "C:\Program Files\CompuServe 2000\COMIT\cswitch.exe"
Thu 2 Oct 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 2 Oct 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 1 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!




Aside from re-running Spyware Doctor, Malwarebytes, and SuperAntiSpyware is there any way to tell if anything is still on the computer? Better safe than sorry, and all that.
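
Added example, not part of the original thread: the first post notes that the two .dll files and the .exe in the WINDOWS folder shared one modification date and time, and that clue can be used as a pivot when signature scanners come back clean. The Python script below lists code-bearing files in the same folder whose last-modified time falls within a small window of a file already believed bad; the function names, the extension list and the time of day in the sample data are assumptions made for this example.

```python
import os
import tempfile
from datetime import datetime, timedelta

# File types that can carry code on Windows (assumed list for this example).
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".cpl", ".bat", ".scr"}


def files_near(root, pivot, window=timedelta(minutes=5), recurse=False):
    """Return [(path, mtime)] for code-bearing files under `root` whose
    last-modified time lies within `window` of `pivot`, oldest first."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []  # stay in the top-level folder only
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in CODE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue  # locked or vanished file: nothing to report
            if abs(mtime - pivot) <= window:
                hits.append((path, mtime))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def siblings_of(known_bad, window=timedelta(minutes=5)):
    """Pivot on one file already believed malicious: list the other
    code-bearing files in its folder written at about the same moment."""
    known_bad = os.path.abspath(known_bad)
    pivot = datetime.fromtimestamp(os.stat(known_bad).st_mtime)
    folder = os.path.dirname(known_bad)
    return [(p, t) for p, t in files_near(folder, pivot, window)
            if os.path.abspath(p) != known_bad]


def demo(window_seconds=300):
    """Run the pivot over a constructed folder. The three random-looking
    names come from the thread; everything else is made up for the demo."""
    drop = datetime(2008, 10, 7, 18, 40, 0)  # date from the post, time constructed
    sample = {
        "olnmraew.dll": drop,
        "lfstbwvd.dll": drop,
        "qkeftmxn.exe": drop + timedelta(seconds=2),
        "notepad.exe": datetime(2004, 8, 4, 7, 0, 0),  # old, unrelated file
        "setuplog.txt": drop,                          # same time, not code
    }
    with tempfile.TemporaryDirectory() as root:
        for name, when in sample.items():
            path = os.path.join(root, name)
            with open(path, "wb") as handle:
                handle.write(b"constructed sample, not a real binary")
            stamp = when.timestamp()
            os.utime(path, (stamp, stamp))  # set access and modified times
        hits = siblings_of(os.path.join(root, "olnmraew.dll"),
                           timedelta(seconds=window_seconds))
        return [os.path.basename(path) for path, _ in hits]


if __name__ == "__main__":
    for name in demo():
        print("written alongside the known-bad file:", name)
```

Modification times can be changed by the software that wrote the file, so an empty result narrows the search but does not show the machine is clean.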

#4 iisjman07


Posted 10 October 2008 - 01:04 PM

Run HiJackThis and copy the log file into http://www.prevx.com/hijackthis.asp. It will give you a brief review of whether it is still infected.

HJT:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis


#5 ruby1


Posted 10 October 2008 - 01:22 PM

Run HiJackThis and copy the log file into http://www.prevx.com/hijackthis.asp. It will give you a brief review of whether it is still infected.

HJT:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Online HJT analysis is a tool you CAN use to give you SOME idea of what is going on on a comp; it will give you an analysis of what it thinks is wrong; however, it is a guide ONLY and you should NEVER remove a line in a HJT log unless you know EXACTLY what it does, as by removing a wrong entry you can render the comp inoperative.

is there any way to tell if anything is still on the computer? Better safe than sorry, and all that.

the 'ultimate' would be to post an HJT log in the appropriate section of this forum for the comp's log to be checked out line by line for bugs; if you wish to do that please follow the instructions here .....

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

however, your present scans appear to be running clear and you may wish to fully update the suggested programs, reboot and rerun each to continue the cleaning process and the confirmation that you ARE getting clean?

#6 Darrcyphfeid

Darrcyphfeid
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 10 October 2008 - 04:27 PM

I've been pretty cautious about using this computer online too much, so I'm pretty familiar with the risks involved with HJT through browsing the forums through the Wii. That being said, I downloaded HJT and ran the log through that website; I got a message that stated that nothing showed in the log, but that malware could still be hidden on the computer.

I also downloaded SuperAntiSpyware, which located exactly 100 adware tracking cookies. Here's the log:




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/10/2008 at 04:49 PM

Application Version : 4.21.1004

Core Rules Database Version : 3594
Trace Rules Database Version: 1581

Scan type : Complete Scan
Total Scan Time : 02:13:11

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 4535
Registry threats detected : 0
File items scanned : 88539
File threats detected : 100

Adware.Tracking Cookie



I'm rather surprised that AdAware and AVG didn't find any of those earlier, to be honest. But at any rate while uninstalling HJT was quick and painless, I've not been able to find an actual uninstaller for SDFix. Do I just delete its folder, or should I allow Spyware Doctor to delete it along with anything else it might find?
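As an added example (not part of the original post or of any tool mentioned in the thread), a short Python triage of a SUPERAntiSpyware-style log: it checks the declared threat totals against the entries actually listed and separates tracking-cookie detections from anything that is not a cookie. The sample log, its paths and the `Trojan.Example/Constructed` category are constructed for illustration, and the line patterns assume the layout of the log posted in this thread.

```python
import re
from collections import Counter

# Constructed sample in the layout of the SUPERAntiSpyware log from this thread
# (counts, paths and the second category are made up for the example).
SAMPLE_LOG = r"""
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@example-ads[1].txt
.tracker.example [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt ]
.tracker.example [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt ]

Trojan.Example/Constructed
C:\WINDOWS\system32\constructed-sample.dll
"""

SUMMARY = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
FIREFOX = re.compile(r"^(\S+) \[ (.+) \]$")  # domain [ path to cookies.txt ]
IE_COOKIE = re.compile(r"\\Cookies\\[^\\]+@([^\\\[]+)\[\d+\]\.txt$", re.I)
CATEGORY = re.compile(r"^[A-Za-z]+\.\S.*$")  # e.g. "Adware.Tracking Cookie"

def parse_scan_log(text):
    """Return (declared threat counts, list of (category, source, path))."""
    declared, detections, category = {}, [], None
    for line in map(str.strip, text.splitlines()):
        summary = SUMMARY.match(line)
        firefox = FIREFOX.match(line)
        if summary:
            declared[summary.group(1)] = int(summary.group(2))
        elif firefox and category:
            detections.append((category, firefox.group(1), firefox.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line) and category:
            ie = IE_COOKIE.search(line)  # None when the path is not an IE cookie
            detections.append((category, ie.group(1) if ie else None, line))
        elif CATEGORY.match(line):
            category = line
    return declared, detections

def triage(text):
    """Split detections into cookie noise and items that need a closer look."""
    declared, detections = parse_scan_log(text)
    review = [d for d in detections
              if "cookie" not in d[0].lower() or d[1] is None]
    cookies = Counter(d[1] for d in detections if d not in review)
    return {"declared": sum(declared.values()), "parsed": len(detections),
            "cookie_sources": dict(cookies), "needs_review": review}
```

A `declared` total that differs from `parsed` means the pasted log is truncated or has lines the patterns do not cover, so the result should not be read as a clean bill of health.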

#7 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 11 October 2008 - 04:00 AM

Different programs have differing functions; I suggest you update SuperAntiSpyware and Malwarebytes; reboot and run full computer scans with each; see if you now run 'clear'

I personally have a program that deletes tracking cookies; I do NOT like them nor need 'em :thumbsup:

#8 Darrcyphfeid

Darrcyphfeid
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 12 October 2008 - 02:06 AM

After updating the definition files SuperAntiSpyware found 26 more tracking cookies on the full scan, while Malwarebytes, Spyware Doctor and ThreatFire found nothing. Seems like my problem's solved, thanks to yourself and the wonderful tools available here.

Though I still need an answer about SDFix. Do I delete the folder, run a certain command or just let the Spyware Doctor dismantle it?

#9 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 12 October 2008 - 09:15 AM

After updating the definition files SuperAntiSpyware found 26 more tracking cookies on the full scan, while Malwarebytes, Spyware Doctor and ThreatFire found nothing. Seems like my problem's solved, thanks to yourself and the wonderful tools available here.

Though I still need an answer about SDFix. Do I delete the folder, run a certain command or just let the Spyware Doctor dismantle it?

I admit I have never seen it used outside the HJT forums and the SDFix instructions on here do not tell you how to remove the program either; a Google search is not of much help

I believe you may need to remove/delete the SDFix icon from your Desktop and go to Add or Remove Programs in your Control Panel and delete the program from there too BUT to be on the safe side you may wish to post a separate thread and link THIS one to it to get 'better and more informed' guidance on that point? unless of course a passing HJT expert drops in and gives you the appropriate instructions :flowers:


Once that is done you may wish to create a new clean Restore Point; if you do not know how to do that and wish to, this method is one way of so doing


On the Desktop, right-click My Computer > click Properties > click the System Restore tab.
Check Turn off System Restore.
Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.
Please wait a few moments to let it clear.
Now please remove the check from Turn off System Restore.
Click Apply, and then click OK.

System Restore will be working again and will have a new Restore Point.

However, I suggest you wait to do that until your question about SDFix has been answered :thumbsup:



