
infected computer


22 replies to this topic

#1 marcelena80

marcelena80

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 22 November 2008 - 12:24 AM

I am experiencing very slow internet and many many pop-ups mostly with heading of Internet Speed Monitor. I did searches for Internet Speed Monitor and found resolutions including that of ComboFix. I followed the guide and tutorial page of bleepingcomputer.com and ran the program and got the log report. I just need to know what to do next because on the tutorial it said to post to the person working with or to choose from one of the sites listed at the bottom of the tutorial page to post the log so I chose this thread. I have the log information just need to know who can look at it and what to do next????

Edited by marcelena80, 22 November 2008 - 12:25 AM.




#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 22 November 2008 - 05:47 AM

Since you've already run Combofix and have the log, it would help if you post the contents of the combofix log here.


please note

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.


maybe instead post the scan report from the Superantispyware program :thumbsup:

#3 marcelena80


Posted 22 November 2008 - 09:56 AM

ruby1 here is the log. i see the quote that if i post a log it will be ignored. will you be able to help me?

Edited by marcelena80, 22 November 2008 - 10:42 AM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:44 AM

Posted 22 November 2008 - 11:29 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#5 ruby1


Posted 22 November 2008 - 12:35 PM

ruby1 here is the log. i see the quote that if i post a log it will be ignored. will you be able to help me?

my utter apologies :flowers: I was attempting to get back here to reply but I think the forum went into 'flood restriction' mode and even with my speedy computer and internet connection I was unable to navigate this forum and had to log off

You have rightly removed the ComboFix log. Good;


Boopme has given you ONE program and I would like to give you the other I HAD got lined up

so here goes


Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your Desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".

    (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method.

To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

please try both of those and post their results for examination; and again my apologies for seemingly leaving you in the lurch :thumbsup:

#6 marcelena80


Posted 22 November 2008 - 10:36 PM

thank you both. i just got home and i will try running both of these now, i will get back to you when done.

#7 marcelena80


Posted 23 November 2008 - 02:07 AM

ruby1,

here is my spyware log. boopme, i am going to run your program in the morning. it is really late and it took between two and three hours to get the first scan done. i will be in touch tomorrow in the early day.

thanks again and here is the spyware log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/22/2008 at 11:48 PM

Application Version : 4.22.1014

Core Rules Database Version : 3640
Trace Rules Database Version: 1631

Scan type : Complete Scan
Total Scan Time : 02:42:46

Memory items scanned : 147
Memory threats detected : 0
Registry items scanned : 5453
Registry threats detected : 87
File items scanned : 56276
File threats detected : 47

Adware.ThinkAdz
[ExploreUpdSched] C:\WINDOWS\SYSTEM32\KCNTLTDL.EXE
C:\WINDOWS\SYSTEM32\KCNTLTDL.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KCNTLTDM.EXE.VIR
C:\WINDOWS\Prefetch\KCNTLTDL.EXE-14476BAD.pf

Adware.Vundo/Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89D814F4-856B-998B-12AD-9A9A8991DE11}
HKCR\CLSID\{89D814F4-856B-998B-12AD-9A9A8991DE11}
HKCR\CLSID\{89D814F4-856B-998B-12AD-9A9A8991DE11}
HKCR\CLSID\{89D814F4-856B-998B-12AD-9A9A8991DE11}\InProcServer32
HKCR\CLSID\{89D814F4-856B-998B-12AD-9A9A8991DE11}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDURETLRBCDJT.DLL
HKU\S-1-5-21-507921405-484763869-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{89D814F4-856B-998B-12AD-9A9A8991DE11}
HKU\S-1-5-21-507921405-484763869-1060284298-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}
HKCR\CLSID\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}
HKCR\CLSID\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}
HKCR\CLSID\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}\Implemented Categories
HKCR\CLSID\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}\InProcServer32
HKCR\CLSID\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}\InProcServer32#ThreadingModel
HKCR\CLSID\{0DFC125E-BF34-74F6-E01F-D4AB53920CE9}\Programmable

Adware.Zango/ShoppingReport
HKU\S-1-5-21-507921405-484763869-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3}
HKLM\Software\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B3}
HKLM\Software\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B3}#Default Visible
HKLM\Software\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B3}#ButtonText
HKLM\Software\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B3}#HotIcon
HKLM\Software\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B3}#Icon
HKLM\Software\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B3}#CLSID
HKLM\Software\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B3}#ClsidExtension

Adware.Tracking Cookie

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Adware.MyWebSearch/FunWebProducts

Trojan.Downloader-Gen/Win
C:\QOOBOX\QUARANTINE\C\WINDOWS\MONDRV411.EXE.VIR

Adware.SysMon
C:\QOOBOX\QUARANTINE\C\WINDOWS\NC605007.EXE.VIR

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\WINPFZ33.SYS

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG

#8 marcelena80


Posted 23 November 2008 - 02:40 AM

boopme and ruby1,

i decided to run the MBAM that boopme suggested after all before calling it a night because pop ups are still happening. i do not know what to do next. here is the log from the mbam scan. i look forward to seeing what my next steps are to stop these pop ups. thanks

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 2

11/23/2008 12:33:08 AM
mbam-log-2008-11-23 (00-33-08).txt

Scan type: Quick Scan
Objects scanned: 46357
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2d77222-ff91-92a0-002e-7cf9daee8c73} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b2d77222-ff91-92a0-002e-7cf9daee8c73} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jitkokenbjyvtcyie (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update service (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\windows update service (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.Search) -> Bad: (http://www.iesearch.com/) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system\DRIVER (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\DAP (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\DAP\LOG (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\DAP\NTLOG (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Window User\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system\DRIVER\csrss.exe (Backdoor.ServU) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\cygcrypt-0.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\h.exe (Spyware.Suspect) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\ntsrv.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\Copy (2) of 2.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\cygwin1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\Driver32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\New Text Document (5).txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\ntauth.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\servicelogon.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\servicesmgr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\setup.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\svchostlogon.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\winlogon.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Window User\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Window User\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Window User\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efpyjwkibtzfoxb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\gside.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nod64.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Window User\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.

#9 ruby1


Posted 23 November 2008 - 07:50 AM

It seems you did not reboot the computer after running the Malwarebytes scan?

Can you run Malwarebytes again, do the reboot, rerun it and post those reports please; it is the reboot that helps the 'fix' to fix :flowers: we need to hopefully see a load of zeros in the report :thumbsup:
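As an added illustration (not code from this thread or from Malwarebytes), a small Python parser for the MBAM 1.x log format posted above: it reads the summary counts, splits each entry into item, family and action, and flags the entries marked "Delete on reboot", which is the reason a reboot and a second scan are asked for before the machine is treated as clean. The log embedded below is a constructed excerpt modelled on the posted one.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and flag items still pending reboot."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt modelled on the MBAM 1.30 log posted earlier in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 46357
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update service (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\windows update service (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.Search) -> Bad: (http://www.iesearch.com/) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nod64.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system\DRIVER\csrss.exe (Backdoor.ServU) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "item (family) -> action"; the action may itself contain "Bad: (...) Good: (...) -> ..."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str
    item: str
    family: str
    action: str


@dataclass
class MbamReport:
    summary: dict[str, int] = field(default_factory=dict)
    entries: list[Entry] = field(default_factory=list)

    def pending_reboot(self) -> list[Entry]:
        """Items MBAM could not remove while Windows was running."""
        return [e for e in self.entries if e.action == "Delete on reboot"]

    def is_clean(self) -> bool:
        return not self.entries and all(n == 0 for n in self.summary.values())

    def families(self) -> Counter:
        return Counter(e.family for e in self.entries)


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # Keep only the final action and strip the trailing full stop.
            action = m.group("action").rstrip(".").rsplit(" -> ", 1)[-1]
            report.entries.append(Entry(section, m.group("item"), m.group("family"), action))
    return report


def verdict(report: MbamReport) -> str:
    """What a helper would ask for next, judged from the log alone."""
    if report.pending_reboot():
        return "reboot-required"   # removal is incomplete until Windows restarts
    if report.is_clean():
        return "clean"
    return "removed-rescan"        # items removed; a second scan should read all zeros
```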

#10 marcelena80


Posted 23 November 2008 - 09:27 AM

it did reboot automatically. do i need to do a manual reboot again after the automatic reboot???? i can definitely run it again. anything to get it cleared off.

#11 marcelena80


Posted 23 November 2008 - 09:43 AM

ruby1

i ran the malware again and this is the report it gave me. i left my computer on all night and there were no pop ups this morning which is a good sign so far.

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 2

11/23/2008 7:33:37 AM
mbam-log-2008-11-23 (07-33-37).txt

Scan type: Quick Scan
Objects scanned: 46071
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


i do have a few more questions, i am hoping i didn't mess something up running combofix but with my internet i clean the history every time i get off the computer and it removes that history. it seems now it is keeping some old history on there even though i still hit remove history. can you help me with resetting this? also, i had a friend tell me not to use internet explorer anymore that there was another internet provided something like firefox or fire something, do you know about it and if it is something i should change to?

thanks!!!!!!!!!!!!!!

#12 ruby1


Posted 23 November 2008 - 10:04 AM

Please run this to clean out the Temporary Internet files folder

ATF cleaner

Please download ATF Cleaner by Atribune & save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



then please fully update, reboot and rerun the superantispyware program and make sure you do this bit to get it to delete all it finds

After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".




.........................................................................................................................



i am hoping i didn't mess something up running combofix

one of the problems with running the ComboFix 'unsupervised' is that it can (and in some cases has) thoroughly messed up a computer;

it was never intended for use 'unsupervised' and still is not, but folks just ignore the warning.. and suffer the consequences; it is one reason why the warning is given (but which many people choose to ignore, or think it cannot happen to them)

Once we get clean scans we can then set a clean System Restore point too

#13 marcelena80


Posted 23 November 2008 - 10:29 PM

Ruby1, thanks. I will run that afterclean and i will be in touch again.

#14 marcelena80


Posted 24 November 2008 - 12:20 AM

ruby1,

i ran it again after i did the after clean. it found 8 more threats so i followed your instructions to delete those. the only thing i don't remember if everything was checked, i hope it was. here is the report. if you think i should run it again because i am not sure if everything was checked, let me know. otherwise, here is the report:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/23/2008 at 10:11 PM

Application Version : 4.22.1014

Core Rules Database Version : 3640
Trace Rules Database Version: 1631

Scan type : Complete Scan
Total Scan Time : 01:21:19

Memory items scanned : 315
Memory threats detected : 0
Registry items scanned : 5451
Registry threats detected : 0
File items scanned : 55397
File threats detected : 8

Trojan.Downloader-Gen/Win
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP2\A0000014.EXE

Adware.SysMon
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP2\A0000015.EXE

Adware.ThinkAdz
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP2\A0000031.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP3\A0001146.EXE

Adware.SideSearch/SideBar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP2\A0000117.DLL

Adware.AdRotate/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP2\A0000118.DLL

Adware.Vundo/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP3\A0001147.DLL

Adware.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP3\A0001150.CFG

#15 ruby1


Posted 24 November 2008 - 03:28 AM

please fully update the Malwarebytes program and the Superantispyware program, reboot into Normal mode to rerun Malwarebytes then reboot into safe mode to rerun superantispyware again and delete all it finds; we may need to turn System Restore OFF for a mo to get this sorted but see how a new scan runs :flowers:

let us see those two reports please :thumbsup:
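As an added illustration (not this thread's or SUPERAntiSpyware's own code), a Python triage of the SAS log format posted above: it separates hits inside System Restore points and ComboFix's Qoobox quarantine, which are inert copies, from registry entries and live files that still need attention, which is the reasoning behind the suggestion to turn System Restore off once the live scans come back clean. The embedded sample is a constructed excerpt modelled on the two posted logs; the bracketed "[Name] path" form is assumed to be a Run-key value name.

```python
"""Triage a SUPERAntiSpyware scan log: which hits are live, which are only residue."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt modelled on the two SUPERAntiSpyware logs posted in this thread.
SAMPLE_SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/23/2008 at 10:11 PM

Memory items scanned : 315
Memory threats detected : 0
Registry items scanned : 5451
Registry threats detected : 3
File items scanned : 55397
File threats detected : 6

Trojan.Downloader-Gen/Win
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP2\A0000014.EXE

Adware.ThinkAdz
[ExploreUpdSched] C:\WINDOWS\SYSTEM32\KCNTLTDL.EXE
C:\WINDOWS\SYSTEM32\KCNTLTDL.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KCNTLTDM.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B0D9C29F-663C-4ABF-A473-9119556A91BF}\RP3\A0001146.EXE

Adware.Vundo/Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89D814F4-856B-998B-12AD-9A9A8991DE11}
HKCR\CLSID\{89D814F4-856B-998B-12AD-9A9A8991DE11}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDURETLRBCDJT.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Window User\Cookies\window user@doubleclick[2].txt
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+?(?:scanned|detected))\s*:\s*(\d+)$")
# Assumption: SAS writes a Run-key value name in brackets before its target file.
REGISTRY_RE = re.compile(r"^(?:\[[^\]]+\] |HK(?:LM|CU|CR|U|CC)\\)", re.IGNORECASE)
RESTORE_RE = re.compile(r"\\System Volume Information\\_RESTORE", re.IGNORECASE)
QUARANTINE_RE = re.compile(r"\\QOOBOX\\QUARANTINE\\|\.VIR$", re.IGNORECASE)
COOKIE_RE = re.compile(r"\\Cookies\\", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    family: str
    location: str


@dataclass
class SasReport:
    summary: dict[str, int] = field(default_factory=dict)
    detections: list[Detection] = field(default_factory=list)


def parse_sas_log(text: str) -> SasReport:
    report = SasReport()
    in_detections = False
    family = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            # "File threats detected" is the last summary line; detections follow it.
            in_detections = in_detections or m.group(1).startswith("File threats")
            continue
        if not in_detections:
            continue
        if "\\" in line:            # every location (file or registry path) has a backslash
            if family is not None:
                report.detections.append(Detection(family, line))
        else:                       # a line without one names the next family
            family = line
    return report


def classify(location: str) -> str:
    """Where a hit lives decides whether it is still a threat."""
    if REGISTRY_RE.match(location):
        return "registry"
    if RESTORE_RE.search(location):
        return "restore-point"      # inert copy inside a System Restore point
    if QUARANTINE_RE.search(location):
        return "quarantine"         # already neutralised by another tool (ComboFix's Qoobox here)
    if COOKIE_RE.search(location):
        return "cookie"
    return "live-file"


def triage(report: SasReport) -> dict[str, int]:
    return dict(Counter(classify(d.location) for d in report.detections))


def active_threats(report: SasReport) -> list[Detection]:
    """Hits that still matter: registry entries and files outside restore points or quarantine."""
    return [d for d in report.detections if classify(d.location) in {"registry", "live-file"}]
```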



