Antivirus 2009


16 replies to this topic

#1 jiswar, posted 28 October 2008 - 01:01 PM

This thing is nasty. Must be learning as it goes. In less than 48 hrs it had taken over the search function, redirecting to other sites, disabled access to any web site that might be of help to eradicate it, disabled the restore function and blocked any attempt to update Windows or any other protection program installed on my computer. Now what? Can't search for help, can't download programs, can't download updates, can't restore.

This is what I've done so far. First I ran AVG and Spybot.

AVG 8.0 Scan results

Scan "Scan whole computer" was finished.
Infections found:;"10"
Infected objects removed or healed:;"10"
Not removed or healed:;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"7"
Information count:;"0"
Scan started:;"Sunday, October 26, 2008, 11:16:10 PM"
Scan finished:;"Monday, October 27, 2008, 12:02:00 AM (45 minute(s) 49 second(s))"
Total object scanned:;"1046965"
User who launched the scan:;"RH"

Infections
File;"Infection";"Result"
C:\Program Files\Applications\iebu.exe;"Trojan horse Downloader.Zlob.AFUB";"Moved to Virus Vault"
C:\WINDOWS\brastk.exe;"Trojan horse SHeur.CQCN";"Moved to Virus Vault"
C:\WINDOWS\karna.dat;"Trojan horse Agent.AHRN";"Moved to Virus Vault"
C:\WINDOWS\system32\av.dat;"Trojan horse BackDoor.Generic10.TNB";"Moved to Virus Vault"
C:\WINDOWS\system32\brastk.exe;"Trojan horse SHeur.CQCN";"Moved to Virus Vault"
C:\WINDOWS\system32\brastk.exe;"Trojan horse SHeur.CQCN";"Moved to Virus Vault"
C:\WINDOWS\system32\dllcache\beep.sys;"Trojan horse Agent.3.R";"Moved to Virus Vault"
C:\WINDOWS\system32\drivers\beep.sys;"Trojan horse Agent.3.R";"Moved to Virus Vault"
C:\WINDOWS\system32\karna.dat;"Trojan horse Agent.AHRN";"Moved to Virus Vault"
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\brastk;"Found registry key with reference to infected file C:\WINDOWS\system32\brastk.exe";"Moved to Virus Vault"

Warnings
File;"Infection";"Result"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt:\adopt.euroclick.com.17044b51;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt:\adopt.euroclick.com.6d7740f7;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt:\adopt.euroclick.com.8b1bd7bc;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt:\adopt.euroclick.com.891542da;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt:\adopt.euroclick.com.fb764ef7;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt:\adopt.euroclick.com.ffe11db7;"Found Tracking cookie.Euroclick";"Potentially dangerous object"


Spybot 1.6 found some items but doesn't have a scan log that I can post.

Neither AVG nor Spybot had positive effect on this problem.

Then I used Malwarebytes and followed up with a manual procedure. Everything seems to be working good now. Had to download the Malwarebytes program to a USB drive using my wife's computer. Part of the Malwarebytes install is to update after loading. Couldn't do any updates, so ran it with whatever came with the install. After that, it fixed things enough to get the latest update. Ran a second scan that caught four more items. Appears to have done a good job, but I also went through the manual procedure just to be sure everything was gone. No additional traces were found.

Used the manual procedure listed at following URL. http://www.spywareremove.com/removeAntivirus2009.html

Lastly, I accomplished a Panda Activescan 2.0 and came up with the following

Medium level threats 1
Low level threats 10
Suspicious files 3

The question now is, need I be concerned about the Activescan findings and did I do a comprehensive enough job to be secure?

#2 quietman7 (Global Moderator, Bleepin' Janitor), posted 28 October 2008 - 01:14 PM

Medium level threats 1
Low level threats 10
Suspicious files 3

The question now is, need I be concerned about the Activescan findings

Can you provide the actual findings as to what was found?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 jiswar (Topic Starter), posted 28 October 2008 - 01:27 PM

Hello Quietman, thanks for the fast response.

With the free scan, details aren't given. They do fix the one medium threat without buying the program. To fix the low level threats and suspicious files I would have to purchase the registered version.

#4 quietman7, posted 28 October 2008 - 01:32 PM

Then do another scan to see if we find anything else that MBAM may have missed.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 jiswar, posted 28 October 2008 - 01:52 PM

Will CCleaner do the same as ATF Cleaner?

#6 quietman7, posted 28 October 2008 - 01:57 PM

Use ATF Cleaner; it is safer.

#7 jiswar, posted 28 October 2008 - 03:38 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/28/2008 at 03:01 PM

Application Version : 4.21.1004

Core Rules Database Version : 3612
Trace Rules Database Version: 1598

Scan type : Complete Scan
Total Scan Time : 00:42:16

Memory items scanned : 157
Memory threats detected : 0
Registry items scanned : 7064
Registry threats detected : 0
File items scanned : 65876
File threats detected : 0



Also, thought I would send the logs for MBAM. The first one is before update and the second is after.


Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

10/27/2008 2:14:27 PM
mbam-log-2008-10-27 (14-14-27).txt

Scan type: Quick Scan
Objects scanned: 55298
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
C:\Program Files\Antivirus 2009\av2009.exe (Rogue.Antivirus2008) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06535797575008380891650533689935 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\Start Menu\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\scui.cpl (Rogue.XPantivirus) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2009\av2009.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\Start Menu\Antivirus 2009\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\Desktop\Antivirus 2009.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSahtp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSjont.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSmcfp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSmrhq.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSqubv.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSuxrr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSvcce.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSypaa.sys (Rootkit.Agent) -> Delete on reboot.





Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 5.1.2600 Service Pack 3

10/27/2008 2:26:56 PM
mbam-log-2008-10-27 (14-26-56).txt

Scan type: Quick Scan
Objects scanned: 55766
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53e0b6e8-a51d-448b-b692-40b67b285543} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
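
Added example, not part of this thread and not a tool from AVG, Malwarebytes or SUPERAntiSpyware: a small Python triage script for the two log formats posted above, the AVG 8 report in post #1 and the Malwarebytes 1.30 logs in post #7. It parses each detection line, buckets the detection name by family, and flags entries marked "Delete on reboot", which in MBAM means the file was still locked when the scanner ran (a driver or DLL that was loaded, which is what the TDSS* entries above are). The family keywords, the three-level severity scale and the verdict thresholds are this example's own assumptions rather than either vendor's ratings; the sample lines are copied from the logs in this thread and embedded as a constructed excerpt.

```python
"""Triage helper for AVG 8 and Malwarebytes 1.x scan logs (added example)."""
import re
from collections import Counter

# Malwarebytes 1.x detection line:  <object> (<Detection.Name>) -> <action>.
MBAM_LINE = re.compile(r"^(?P<obj>.+) \((?P<name>[A-Za-z0-9.]+)\) -> (?P<action>.+?)\.?$")
# AVG 8 report line:  <object>;"<infection>";"<result>"
AVG_LINE = re.compile(r'^(?P<obj>[^;]+);"(?P<name>[^"]*)";"(?P<action>[^"]*)"$')

# Keyword buckets: an assumption of this example, not either vendor's rating.
# Order matters: "Trojan.TDSS" must land in "high", not "medium".
SEVERITY_RULES = (
    ("high", ("rootkit", "backdoor", "tdss")),             # kernel / loaded components
    ("medium", ("trojan", "rogue", "downloader", "zlob")),  # active user-mode malware
    ("low", ("adware", "tracking cookie")),                 # nuisance residue
)


def severity(name):
    """Map a detection name such as 'Rootkit.Agent' to high/medium/low/other."""
    lowered = name.lower()
    for level, keywords in SEVERITY_RULES:
        if any(k in lowered for k in keywords):
            return level
    return "other"


def parse_log(text):
    """Return one dict per detection line found in an AVG 8 or MBAM 1.x log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        match = MBAM_LINE.match(line) or AVG_LINE.match(line)
        if not match or match.group("obj") == "File":  # "File" is AVG's column header
            continue
        action = match.group("action")
        findings.append({
            "object": match.group("obj"),
            "name": match.group("name"),
            "action": action,
            "severity": severity(match.group("name")),
            # MBAM reports "Delete on reboot" when the file was locked during the
            # scan, i.e. a driver or DLL still loaded: an active rootkit component
            # rather than a dropped-but-idle file.
            "still_loaded": action.lower().startswith("delete on reboot"),
        })
    return findings


def triage(text):
    """Summarise a log: severity counts, still-loaded objects and a verdict."""
    findings = parse_log(text)
    counts = Counter(f["severity"] for f in findings)
    still_loaded = [f["object"] for f in findings if f["still_loaded"]]
    if counts["high"]:
        verdict = "rebuild"   # rootkit/backdoor present: host can no longer be trusted
    elif counts["medium"]:
        verdict = "rescan"    # cleaned, but confirm with a second scanner
    else:
        verdict = "residue"   # adware/cookie leftovers only
    return {"verdict": verdict, "counts": dict(counts),
            "still_loaded": still_loaded, "findings": findings}


# Constructed excerpts, copied from the logs posted earlier in this thread.
AVG_SAMPLE = r"""
File;"Infection";"Result"
C:\Program Files\Applications\iebu.exe;"Trojan horse Downloader.Zlob.AFUB";"Moved to Virus Vault"
C:\WINDOWS\brastk.exe;"Trojan horse SHeur.CQCN";"Moved to Virus Vault"
C:\WINDOWS\system32\av.dat;"Trojan horse BackDoor.Generic10.TNB";"Moved to Virus Vault"
C:\WINDOWS\system32\drivers\beep.sys;"Trojan horse Agent.3.R";"Moved to Virus Vault"
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\brastk;"Found registry key with reference to infected file C:\WINDOWS\system32\brastk.exe";"Moved to Virus Vault"
C:\Documents and Settings\RH\Cookies\rh@adopt.euroclick[2].txt;"Found Tracking cookie.Euroclick";"Potentially dangerous object"
"""

MBAM_SAMPLE = r"""
Malwarebytes' Anti-Malware 1.30
Memory Processes Infected: 1

Memory Processes Infected:
C:\Program Files\Antivirus 2009\av2009.exe (Rogue.Antivirus2008) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06535797575008380891650533689935 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\scui.cpl (Rogue.XPantivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\RH\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSahtp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSypaa.sys (Rootkit.Agent) -> Delete on reboot.
"""

WIFE_SAMPLE = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31a59636-0fa3-4a56-954d-db7ad02840d8} (Adware.Hotbar) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for label, sample in (("AVG report, post #1", AVG_SAMPLE),
                          ("MBAM first scan, post #7", MBAM_SAMPLE),
                          ("MBAM second scan, wife's laptop", WIFE_SAMPLE)):
        result = triage(sample)
        print(f"{label}: verdict={result['verdict']} counts={result['counts']}")
        for obj in result["still_loaded"]:
            print(f"  still loaded at scan time: {obj}")
```

Run as-is it prints a verdict for each sample; for a real log, call triage() on the file contents. The first MBAM log comes back "rebuild" because of the Rootkit.Agent and Trojan.TDSS entries that could only be removed on reboot, which is the point quietman7 makes in the next post. The wife's second scan comes back "rescan" (adware stats keys plus one leftover Rogue.Antivirus2008 key, nothing loaded), which is consistent with the advice later in the thread to confirm with a second scanner rather than rebuild.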

#8 quietman7, posted 28 October 2008 - 09:01 PM

IMPORTANT NOTE: One or more of the identified infections (TDSSmaxt.sys) was related to a nasty variant of the TDSSSERV rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again, and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

Edited by garmanma, 30 October 2008 - 06:22 PM.
copied text


#9 jiswar, posted 29 October 2008 - 08:05 PM

Now that I've had time to digest your last post and become completely paranoid, I thought OK, let's get going on password changes. About that time, when I was getting ready to use my wife's computer for this job, she called me in to look at what was going on with her machine. Antivirus 2009 had invaded her laptop. I immediately switched off her wireless card and installed and ran MBAM as I did for my computer. It seemed to have removed everything, so I reconnected to the Internet, downloaded the most recent update for MBAM and ran a second scan. Would you mind looking at her scan reports and seeing if she has been exposed to as much risk as I have with my machine? All subsequent scans have come up clean.


FIRST SCAN

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

10/29/2008 12:21:57 AM
mbam-log-2008-10-29 (00-21-57).txt

Scan type: Quick Scan
Objects scanned: 51104
Time elapsed: 9 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/piratepoppers.1.0.0.39.dll (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{38d97cce-7243-4b6e-b6a8-dd872ad3eb33} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6868afe5-f258-47dc-bc37-0821f96dc1d2} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.39.dll (Adware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.39.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.39.inf (Adware.Agent) -> Quarantined and deleted successfully.


SECOND SCAN AFTER UPDATE

Malwarebytes' Anti-Malware 1.30
Database version: 1335
Windows 5.1.2600 Service Pack 3

10/29/2008 12:39:27 AM
mbam-log-2008-10-29 (00-39-27).txt

Scan type: Quick Scan
Objects scanned: 51736
Time elapsed: 8 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31a59636-0fa3-4a56-954d-db7ad02840d8} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ed8525ea-2bfc-4440-bd8a-20efb9d5e541} (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 quietman7, posted 30 October 2008 - 06:22 AM

Her machine does not appear to have caught the full infection. I would still recommend you follow the instructions from Post #4 to see if SAS finds anything missed by MBAM.

#11 jiswar, posted 30 October 2008 - 08:27 AM

See the first log report in post #7; the SAS scan appears to be clean on my computer. Or did you mean to run SAS on the wife's machine?

Edited by jiswar, 30 October 2008 - 08:32 AM.


#12 quietman7, posted 30 October 2008 - 08:35 AM

That's good.

Now I recommend that you perform an Online Virus Scan like BitDefender or Kaspersky Webscan.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

#13 jiswar, posted 30 October 2008 - 09:29 AM

I think I have created some confusion by including my wife's laptop in this discussion. Can I assume my wife's machine is OK and we are back working on my computer?

#14 quietman7, posted 30 October 2008 - 10:54 AM

Yes, trying to work on two different systems can create some confusion. I was referring as an extra precaution for you to perform an online scan using your wife's computer. You have not advised how you wish to proceed with your machine as I asked in Post #8.

#15 jiswar, posted 30 October 2008 - 10:19 PM

Will run the online scan tomorrow AM on the wife's machine. Reference to my computer, within the next few days we will be heading south for the winter, so I think I will tackle that problem next spring. Will change all my passwords from the wife's laptop after I verify its security with the online scan. By the way, does a program like AL Pass provide any security for passwords and user names? Also, my daughter said I can eliminate some vulnerability by switching away from IE7 and using Firefox. Any truth in that?



