
Help, Can't get updates and automatic update stays disabled and


13 replies to this topic

#1 ajennings


Posted 29 November 2008 - 01:28 PM

I have a few spyware and random ads popping up on me when I am online or working in a Word document, for the past two days.

I also tried to set Automatic Updates to be done automatically for Windows and I can't, because every time I try to go into Services and select Automatic Updates to be set to Automatic, it goes right back to Disabled and it won't let me start the program either.

I think I may have malware and I don't have an antivirus program installed.

Can someone help me here????? My laptop is my business and I'm a full-time student, so I can't lose my work... ARRRGGG!!

Thanks


#2 boopme


Posted 29 November 2008 - 04:01 PM

Hello and welcome. I didn't want to appear like I am yelling at you, but with no antivirus (AV) you can lose your whole business on that laptop, either through file corruption, inability of the PC to function, or the malware just stealing your info and data. So here's what we do: we clean you up and install an AV. Deal?? All free!

First run this MBAM scan..

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Next go here: download, install, update and scan with this antivirus, Antivir. BC's list of Freeware Replacements For Common Commercial Apps

Edited by boopme, 29 November 2008 - 04:10 PM.


#3 ajennings


Posted 29 November 2008 - 04:59 PM

Okay, I did exactly what you said and here is the report from MBAM...

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 1

11/29/2008 2:47:34 PM
mbam-log-2008-11-29 (14-47-34).txt

Scan type: Quick Scan
Objects scanned: 65406
Time elapsed: 20 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\amnwasub.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hgGabBsP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nmuwot.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{192a9842-3015-4eb2-863d-19da8d28d333} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{192a9842-3015-4eb2-863d-19da8d28d333} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{847b4fa4-330a-43e5-ad68-4afb2cc13be7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{847b4fa4-330a-43e5-ad68-4afb2cc13be7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e25c29ab-12b9-4523-a53c-324b5fba648c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b44d9686 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e25c29ab-12b9-4523-a53c-324b5fba648c} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggabbsp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggabbsp -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nmuwot.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hgGabBsP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\PsBbaGgh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PsBbaGgh.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amnwasub.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\busawnma.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qwbjcmtr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\_A00F398B2E.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00DFC69.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPhFUl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.




I also did a previous scan this morning on a humbug but didn't remove anything until I hear back from this board. I used the free Active Scan (here is the report as well, just in case).

ANALYSIS: 2008-11-29 14:13:46
PROTECTIONS: 0
MALWARE: 77
SUSPECTS: 12
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[3].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@casalemedia[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\house\Cookies\house@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tradedoubler[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[2].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bfast[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt
00148840 Cookie/Pollstar TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@pollstar[2].txt
00149104 Cookie/Date TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@date[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@revenue[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
00167665 Cookie/Clicktracks TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@stats1.clicktracks[2].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@azjmp[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@toplist[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@counter.hitslink[1].txt
00167765 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@hg1.hitbox[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[3].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@burstnet[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[3].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.burstbeacon[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@server.iad.liveperson[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@stat.onestat[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\house\Cookies\house@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adrevolver[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@statse.webtrendslive[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@hc2.humanclick[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@myspace[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@zedo[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
00173992 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@c5.zedo[2].txt
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@phg.hitbox[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[3].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adrevolver[3].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\house\Cookies\house@bravenet[1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bravenet[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adultfriendfinder[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@searchportal.information[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@target[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@did-it[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[5].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads.addynamix[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt
00462849 Adware/XPAntivirusPro Adware No 0 Yes No C:\WINDOWS\system32\ssqPhFUl.dll
00462849 Adware/XPAntivirusPro Adware No 0 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP445\A0584639.dll
00462849 Adware/XPAntivirusPro Adware No 0 Yes No C:\SDFix\backups\backups.zip[backups/pmnmmKdE.dll]
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@enhance[2].txt
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adserver.easyad[1].txt
02899326 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for reo compilers new.zip\setup.exe[²ÜÇ\bann.exe][■%%\gzmrt.dll]
02899326 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\Administrator\LimeWire Saved\reo compilers new.zip[setup.exe][²ÜÇ\bann.exe][■%%\gzmrt.dll]
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0499483.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP409\A0532513.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP409\A0532511.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0519469.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0514467.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0512467.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0511468.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0505467.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0502536.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0501467.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP406\A0496464.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP409\A0532514.sys
02904726 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for reo compilers new.zip\setup.exe[²ÜÇ\bann.exe]
02904726 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\Administrator\LimeWire Saved\reo compilers new.zip[setup.exe][²ÜÇ\bann.exe]
02904747 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\Administrator\LimeWire Saved\reo compilers new.zip[setup.exe][²ÜÇ\adw.exe][²ÜÇ\nsBrowserOpt.dll]
02904747 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for reo compilers new.zip\setup.exe[²ÜÇ\adw.exe][²ÜÇ\nsBrowserOpt.dll]
02905991 Spyware/AdClicker Spyware No 1 No No C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for reo compilers new.zip\setup.exe[²ÜÇ\adw.exe]
02905991 Spyware/AdClicker Spyware No 1 No No C:\Documents and Settings\Administrator\LimeWire Saved\reo compilers new.zip[setup.exe][²ÜÇ\adw.exe]
02905994 Adware/BHO Adware No 0 No No C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for reo compilers new.zip\setup.exe[²ÜÇ\adw.exe][²ŞÇ]
02905994 Adware/BHO Adware No 0 No No C:\Documents and Settings\Administrator\LimeWire Saved\reo compilers new.zip[setup.exe][²ÜÇ\adw.exe][²ŞÇ]
02905998 Adware/WebHancer Adware No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for reo compilers new.zip\setup.exe
02905998 Adware/WebHancer Adware No 0 Yes No C:\Documents and Settings\Administrator\LimeWire Saved\reo compilers new.zip[setup.exe]
02941681 Trj/WmaDownloader.G Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\LimeWire Saved\Top of Charts - 2005.wma
02941683 ASF/GetaCodec.A Virus No 0 No No C:\Documents and Settings\Administrator\LimeWire Saved\dont fight pimpin suga free.mp3
02941683 ASF/GetaCodec.A Virus No 0 No No C:\Documents and Settings\Administrator\LimeWire Saved\im really hot clean missy.mp3
03238510 Adware/WinAntispyware2008 Adware No 0 Yes No C:\WINDOWS\karina.dat
03238510 Adware/WinAntispyware2008 Adware No 0 Yes No C:\WINDOWS\system32\karina.dat
03489045 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\__c00DFC69.dat
03489674 Trj/Multidropper.RNT Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\_A00F398B2E.exe
03660171 Adware/MalwareAlarm Adware No 1 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WPEF4TIJ\install1[1].exe
03660171 Adware/MalwareAlarm Adware No 1 Yes No C:\WINDOWS\Temp\rld10D.tmp
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\SDFix.exe[C:\Documents and Settings\Administrator\Desktop\SDFix.exe][SDFix\apps\Cghtme.exe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP445\A0583637.exe[C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP445\A0583637.exe][SDFix\catchme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\catchme.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\SDFix.exe[C:\Documents and Settings\Administrator\Desktop\SDFix.exe][SDFix\catchme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\apps\Cghtme.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP445\A0583637.exe[C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP445\A0583637.exe][SDFix\apps\Cghtme.exe]
04179910 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\wJQs.exe
04180287 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\msansspc.dll
04198064 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{D4CEABA6-712C-46A5-86DF-D42D8F6A273E}\RP445\A0584668.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\WINDOWS\System32\nmuwot.dll
No C:\WINDOWS\system32\nmuwot.dll
No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
No C:\Documents and Settings\Administrator\Local Settings\Temp\ImInstaller\incredimail_installer.exe
No C:\Documents and Settings\Administrator\Local Settings\Temp\ImInstaller\incredimail_installer.exe.tcmp[incredimail_installer.exe.tcmp]
No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
No C:\WINDOWS\system32\nmuwot.dll
No C:\WINDOWS\system32\qwbjcmtr.dll
No C:\WINDOWS\system32\jwdbxk.dll
No C:\WINDOWS\system32\xjomevxr.dll
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
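
The MBAM log pasted above follows a fixed text layout: a header block of per-section counts, then each section name ending in a colon followed by one line per finding giving the location, the detection family in parentheses and the action after "->". As an added example (not part of this thread and not Malwarebytes' own tooling), the Python below parses that layout, tallies detections per family, checks the header counts against the detailed lines, and lists the items marked "Delete on reboot", which is why a restart is needed before removal is complete. The embedded sample log is constructed for illustration; its paths, CLSID and detection names are placeholders, not values from any real machine.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage its findings.

Added example for the forum thread; not code from the thread or from
Malwarebytes. It handles the log layout the poster pasted: section headers
ending in ':' and finding lines of the form
'<location> (<family>) -> [Data: ... ->] <action>.'
"""
import re
from collections import Counter

# Constructed sample in the MBAM 1.30 layout. Paths, the CLSID and the
# detection names are placeholders, not values taken from a real system.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 1

Scan type: Quick Scan
Objects scanned: 12345
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\examplea.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExampleKey (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\examplea -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\examplea.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\exampleb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Location is matched lazily so a path containing ' (' still parses: the
# family must be followed by ') -> ' for the match to succeed.
FINDING_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary, findings): header counts per section, and one dict
    per finding with section, location, family, action and detail."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue  # banner lines before the first section, or empty sections
        m = FINDING_RE.match(line)
        if not m:
            continue
        # The action is the last '->' segment; a registry data item carries a
        # 'Data: ...' segment before it, which is kept as detail.
        parts = [p.strip() for p in m.group("rest").split("->")]
        findings.append({"section": section, "location": m.group("location"),
                         "family": m.group("family"), "action": parts[-1],
                         "detail": " -> ".join(parts[:-1])})
    return summary, findings


def pending_reboot(findings):
    """Findings MBAM could not remove live; they are only gone after a restart."""
    return [f for f in findings if f["action"].lower() == "delete on reboot"]


def summary_mismatches(summary, findings):
    """Sections whose header count differs from the detailed lines parsed."""
    seen = Counter(f["section"] for f in findings)
    return {n: (c, seen.get(n, 0)) for n, c in summary.items() if seen.get(n, 0) != c}


def triage(text):
    summary, findings = parse_mbam_log(text)
    pending = pending_reboot(findings)
    return {"total": len(findings),
            "reboot_required": bool(pending),
            "pending": sorted({f["location"] for f in pending}),
            "families": Counter(f["family"] for f in findings),
            "mismatches": summary_mismatches(summary, findings)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} findings; reboot required: {report['reboot_required']}")
    for loc in report["pending"]:
        print("  pending reboot:", loc)
    for fam, n in report["families"].most_common():
        print(f"  {fam}: {n}")
    if report["mismatches"]:
        print("  header/detail count mismatches:", report["mismatches"])
```

Run on a pasted log, the "pending" list is the concrete reason a helper asks for a reboot before the next scan: those files and keys are still present until the restart, and a rescan before it will report them again. The header-versus-detail check catches logs that were truncated when copied into a reply.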

#4 ajennings


Posted 29 November 2008 - 05:15 PM

Question and update

I downloaded the antivirus; Windows shut down on me and went to a blue screen right after the download, but I was able to restart the computer fine so far.

Okay, I was able to set Automatic Updates to Automatic/Start as well, so that is all good.

Now that I have, should I accept the update for Windows Service Pack 2??????

I currently have Windows XP Pro / 2002 / Service Pack 1.

Thank you again for all your help so far.

I hope this clears it up for my computer.

#5 boopme


Posted 29 November 2008 - 05:31 PM

We have more cleaning to do; Vundo is stubborn. Some online scans are good in that at least they expose some malware that we can get with other tools.
OK, yes, we need to update, but first we need to clean, as that is what is prohibiting the updates.

Now that I have, should I accept the update for Windows Service Pack 2??????

After the scans are clean, the updates will be easier. Unless along the way a tool says SP2 is required first.

Did AntiVir install, though? If so, run a scan also. This is a good tool.

Have you rebooted since the MBAM scan and SP2 update? If not, you need to. Hopefully it won't blue screen again. A few more things need to be done from looking at your logs, and thanks, by the way.
You need to open MBAM again and click Update. Then rescan and post another log.
I see ComboFix was installed. Please don't run that tool without guidance, as it can shut you down permanently.

Also run this file cleaner

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Edited by boopme, 29 November 2008 - 05:32 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 ajennings (Topic Starter)

Posted 29 November 2008 - 08:24 PM

QUOTE
OK yes we need to update but first we need to clean as that is what is prohibiting the updates.

A: I was able to set the Automatic Updates to start automatically in the Services command box and it has stayed that way so far.
I am actually installing updates / SP2 now.

QUOTE
Now that I have, should I accept the update for Windows Service Pack 2??????

After the scans are clean, the updates will be easier. Unless along the way a tool says SP2 is required first.

A: That hasn't happened yet. I am installing now; I had to leave for a bit. I did restart after running the scan with AntiVir but that was it.

QUOTE
Did AntiVir install though? If so run a scan also. This is a good tool.

A: It did install.

QUOTE
Have you rebooted since the MBAM scan and SP2 update? If not you need to. Hopefully it won't blue screen again. A few more things need to be done from looking at your logs, and thanks by the way.

You need to open MBAM again and click UPDATE. Then rescan and post another log.

A: OK, will do shortly.

QUOTE
I see ComboFix was installed. Please don't run that tool without guidance as it can shut you down permanently.

A: No I won't. I downloaded it and then, as I continued to read the forums, decided to leave that alone. LOL!!!!

I will reply soon.

#7 boopme (Global Moderator)

Posted 29 November 2008 - 08:28 PM

OK, update it then as it wants to. That's good. Then reboot if it asks and follow with an updated MBAM scan and AntiVir scan. Great job!!!

#8 ajennings (Topic Starter)

Posted 01 December 2008 - 01:12 AM

Here is the second scan report.

Malwarebytes' Anti-Malware 1.30
Database version: 1439
Windows 5.1.2600 Service Pack 3

11/30/2008 11:06:13 PM
mbam-log-2008-11-30 (23-06-12).txt

Scan type: Quick Scan
Objects scanned: 69732
Time elapsed: 21 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\geBuRIAR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iaxldcck.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqPhGxv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hahoer.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46cb50fa-7256-4abb-9944-33a57d6a8a52} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{46cb50fa-7256-4abb-9944-33a57d6a8a52} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqphgxv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff74cccb-1902-40df-a4dd-a47d203197c7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ff74cccb-1902-40df-a4dd-a47d203197c7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46cb50fa-7256-4abb-9944-33a57d6a8a52} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ff74cccb-1902-40df-a4dd-a47d203197c7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b44d9686 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\geburiar -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geburiar -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hahoer.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqPhGxv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\geBuRIAR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\RAIRuBeg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RAIRuBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iaxldcck.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kccdlxai.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwnlvpbg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkJcde.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\wJQs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JKHGO1LC\upd[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1O4OQS9C\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\P26RHTMN\KB908467[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PIRLAI5A\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

#9 boopme (Global Moderator)

Posted 01 December 2008 - 02:30 PM

Man, this is going to take a few scans I see. Do it again, even twice, reboot and post back logs.
You will also need to do these. Download and install both. Then boot into Safe Mode and run them. (Safe Mode instructions are in the SAS scan steps if you need them.)

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#10 ajennings (Topic Starter)

Posted 02 December 2008 - 11:53 PM

Here is the MBAM scan done tonight.

Malwarebytes' Anti-Malware 1.30
Database version: 1439
Windows 5.1.2600 Service Pack 3

12/2/2008 8:46:39 PM
mbam-log-2008-12-02 (20-46-39).txt

Scan type: Quick Scan
Objects scanned: 71111
Time elapsed: 19 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyaaAPi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pmnnopNF.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1c42633f-b97a-4fbb-9817-70de104bb34e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1c42633f-b97a-4fbb-9817-70de104bb34e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnnopnf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyaaapi -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyaaapi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xxyaaAPi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iPAaayxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iPAaayxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnopNF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\geBSJcCv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> Delete on reboot.
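
The two MBAM logs above (posts #8 and #10) are the raw material for judging whether a clean-up took: the same registry locations (the LSA Authentication Packages value, the SecurityProviders list, the ShellExecuteHooks and Run entries) and the same digeste.dll file show up in both, and many entries are only "Delete on reboot", which is why boopme asks for a reboot before each rescan. The following Python script is an added example, not code from the thread or from Malwarebytes. It parses MBAM 1.x logs of this shape, checks each log's summary counts against the items it lists, names the Windows autostart mechanism behind each registry item, and reports which locations survived from one scan to the next. The embedded logs are constructed, shortened excerpts of the two posted above; the mechanism descriptions are general Windows behaviour added here, not claims made in the thread.

```python
# Added example (not from the thread or from Malwarebytes): a triage helper for
# MBAM 1.x text logs like the ones posted above. It parses the detection lines,
# checks the log's own summary counts, names the autostart mechanism behind each
# registry item, and lists which locations survived from one scan to the next.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "<item> (<family>) -> [Data: <value> -> ]<action>."  (Data: only in Registry Data Items)
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
                     r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")

# Registry locations seen in these logs and the process that loads them at boot
# (general Windows behaviour noted by this example's author, not stated in the thread).
AUTOSTART = (
    (r"\\Control\\LSA\\(Authentication|Notification) Packages$", "LSA package DLL, loaded by lsass.exe at boot"),
    (r"\\SecurityProviders\\SecurityProviders$", "security provider DLL, loaded by lsass.exe"),
    (r"\\Winlogon\\Notify\\", "Winlogon notification DLL, loaded by winlogon.exe"),
    (r"\\Explorer\\ShellExecuteHooks\\", "shell execute hook, loaded by explorer.exe"),
    (r"\\Explorer\\Browser Helper Objects\\", "Internet Explorer BHO"),
    (r"\\CurrentVersion\\Run\\", "Run key entry, started at logon"),
)

@dataclass(frozen=True)
class Detection:
    section: str                 # e.g. "Files Infected"
    item: str                    # file path or registry path
    family: str                  # MBAM detection name
    action: str                  # what MBAM did with it
    data: Optional[str] = None   # hijacked registry value, when reported

    @property
    def pending(self) -> bool:
        # The object was in use, so it is not gone until the machine restarts;
        # rescanning before that reboot just finds it again.
        return self.action == "Delete on reboot"

def mechanism(item: str) -> Optional[str]:
    """Autostart mechanism a registry item belongs to, or None for plain files."""
    for pattern, what in AUTOSTART:
        if re.search(pattern, item, re.IGNORECASE):
            return what
    return None

def parse_log(text: str) -> Tuple[List[Detection], Dict[str, int]]:
    """Return the detections and the summary counts from one MBAM log."""
    detections, counts, section = [], {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            counts[m["section"]] = int(m["count"])
        elif line.endswith("Infected:"):                 # section header
            section = line[:-1]
        elif section and (m := LINE_RE.match(line)):
            detections.append(Detection(section, m["item"], m["family"], m["action"], m["data"]))
    return detections, counts

def count_mismatches(detections: List[Detection], counts: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Sections whose listed items disagree with the summary line: section -> (claimed, listed)."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen[s]) for s, n in counts.items() if seen[s] != n}

def survivors(earlier: List[Detection], later: List[Detection]) -> List[Detection]:
    """Locations hit in both scans: persistence the first clean-up did not break."""
    before = {(d.section, d.item.lower()) for d in earlier}
    return [d for d in later if (d.section, d.item.lower()) in before]

# Constructed sample input: shortened excerpts of the 30 Nov and 2 Dec logs posted above.
LOG_NOV30 = r"""
Registry Data Items Infected: 2
Files Infected: 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geburiar -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\geBuRIAR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> Delete on reboot.
"""

LOG_DEC02 = r"""
Registry Data Items Infected: 2
Files Infected: 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyaaapi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\xxyaaAPi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> Delete on reboot.
"""

if __name__ == "__main__":
    first, _ = parse_log(LOG_NOV30)
    second, counts = parse_log(LOG_DEC02)
    print("summary mismatches:", count_mismatches(second, counts) or "none")
    print("still pending a reboot:", sum(d.pending for d in second))
    for d in survivors(first, second):
        print(f"survived the first clean-up: {d.item}  [{mechanism(d.item) or 'file'}]")
```

Run as a script it prints the three locations the 2 December excerpt shares with the 30 November one (the LSA Authentication Packages value, the SecurityProviders list and digeste.dll) and how many items are still waiting for a reboot. A survivor whose mechanism is an LSA or Winlogon DLL is the case worth attention in a log like this: those DLLs load inside lsass.exe or winlogon.exe at boot, before a normal-mode scanner runs, which is the same reason boopme keeps asking for a reboot and a rescan.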

#11 ajennings (Topic Starter)

Posted 03 December 2008 - 10:31 AM

Here are the other two scans done last night.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2008 at 11:54 PM

Application Version : 4.22.1014

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 02:18:19

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 6568
Registry threats detected : 0
File items scanned : 76168
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt

Trace.Known Threat Sources
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K2D41CK2\rp[1].txt



This one below I did before I went into Safe Mode.. I didn't scroll down and completely read the instructions you gave me at first. The one above is per your instructions.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2008 at 09:18 PM

Application Version : 4.22.1014

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Quick Scan
Total Scan Time : 00:13:13

Memory items scanned : 379
Memory threats detected : 0
Registry items scanned : 411
Registry threats detected : 5
File items scanned : 5952
File threats detected : 3

Rogue.Component/Trace
HKLM\Software\Microsoft\B44D8408
HKLM\Software\Microsoft\B44D8408#b44d8408
HKLM\Software\Microsoft\B44D8408#Version
HKLM\Software\Microsoft\B44D8408#b44d2988
HKLM\Software\Microsoft\B44D8408#b44d406d

Trojan.Fake-Alert/Trace
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts

Trojan.Unclassified/GadCom
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\GADCOM\GADCOM.EXE

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@wmvmedialease[1].txt

#12 boopme (Global Moderator)

Posted 03 December 2008 - 10:10 PM

Well this was good. How is the PC running now??
It will run in either mode, but SAS is stronger in Safe Mode as it removes malware that is not active more easily, and in Safe Mode it is not active. MBAM, on the other hand, works the opposite way. Now do this.
Open MBAM again and update it, as it is at about 1456 now. Scan again and post another log.

#13 ajennings (Topic Starter)

Posted 05 December 2008 - 11:51 PM

Just got on.. didn't scan yet but I will do.... now and post the log.

Thanks

And it is running good now.. just need to stay off the adult web sites and I will be good.. LOL>.. :thumbsup:

#14 boopme (Global Moderator)

Posted 07 December 2008 - 04:05 PM

QUOTE
Just got on.. didn't scan yet but I will do.... now and post the log.

Thanks

And it is running good now.. just need to stay off the adult web sites and I will be good.. LOL>.. :thumbsup:

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.