
Battling Virtumonde- Cannot access internet on infected computer


16 replies to this topic

#1 easy2DV8

easy2DV8

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:10 AM

Posted 09 December 2008 - 04:11 AM

Hello,
Can anyone please help me? I have been trying to eradicate this problem for a couple of days to no avail. Cannot run Spybot. Have run Malwarebytes, Ad-Aware SE, BitDefender... all scans say there are no threats, but I still am not able to access the internet on the infected computer. I am sure I still have Virtumonde remnants on my computer. Can anyone help? Thanks.



#2 buddy215

buddy215

  • Moderator
  • 13,300 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:10 AM

Posted 09 December 2008 - 01:27 PM

SAS has had success removing Vundo.
Since you have no internet, use a different computer to download SAS to a CD or other medium. Once you have SAS on the infected computer and before install, locate the SAS.exe file and rename it. Right click on the file and choose rename. Name it lastchancescan and then click on the file to install SAS. Follow the instructions below for setting SAS for scanning.

http://www.superantispyware.com/
Double-click SUPERAntiSpyware.exe (or the renamed .exe) and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
* Under "Configuration and Preferences", click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

* Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes" and reboot normally.
* To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 easy2DV8

easy2DV8
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:10 AM

Posted 09 December 2008 - 05:32 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/09/2008 at 02:17 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 02:13:37

Memory items scanned : 175
Memory threats detected : 0
Registry items scanned : 4876
Registry threats detected : 5
File items scanned : 100135
File threats detected : 277

Adware.Tracking Cookie
C:\Documents and Settings\Robert\Cookies\robert@mediamatters.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@clicktracks.commercebox[2].txt
C:\Documents and Settings\Robert\Cookies\robert@dcswooebsl81mka3xdp0enj6q_1v2p[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ad2.doublepimp[1].txt
C:\Documents and Settings\Robert\Cookies\robert@sales.liveperson[3].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.cartoonnetwork[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.as4x.tmcs.ticketmaster[2].txt
C:\Documents and Settings\Robert\Cookies\robert@adopt.specificclick[2].txt
C:\Documents and Settings\Robert\Cookies\robert@buzznet.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@3.adbrite[1].txt
C:\Documents and Settings\Robert\Cookies\robert@revsci[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.popuptraffic[2].txt
C:\Documents and Settings\Robert\Cookies\robert@S005-01-8-21-246403-98292[1].txt
C:\Documents and Settings\Robert\Cookies\robert@straightforwardmedia[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adlegend[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.dolric[1].txt
C:\Documents and Settings\Robert\Cookies\robert@anad.tacoda[1].txt
C:\Documents and Settings\Robert\Cookies\robert@rotator.adjuggler[3].txt
C:\Documents and Settings\Robert\Cookies\robert@nextag[1].txt
C:\Documents and Settings\Robert\Cookies\robert@data4.perf.overture[2].txt
C:\Documents and Settings\Robert\Cookies\robert@yadro[1].txt
C:\Documents and Settings\Robert\Cookies\robert@nike.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adopt.euroclick[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.monster[1].txt
C:\Documents and Settings\Robert\Cookies\robert@webpower[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adinterax[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.guardian.co[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.burstnet[1].txt
C:\Documents and Settings\Robert\Cookies\robert@tacoda[1].txt
C:\Documents and Settings\Robert\Cookies\robert@media.adrevolver[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.cluster01.oasis.zmh.zope[2].txt
C:\Documents and Settings\Robert\Cookies\robert@msnportal.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@indextools[2].txt
C:\Documents and Settings\Robert\Cookies\robert@atwola[2].txt
C:\Documents and Settings\Robert\Cookies\robert@track.searchignite[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ad.yieldmanager[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adsrevenue[1].txt
C:\Documents and Settings\Robert\Cookies\robert@burstnet[1].txt
C:\Documents and Settings\Robert\Cookies\robert@80503492[1].txt
C:\Documents and Settings\Robert\Cookies\robert@oasc04.247realmedia[1].txt
C:\Documents and Settings\Robert\Cookies\robert@azjmp[1].txt
C:\Documents and Settings\Robert\Cookies\robert@mediamatters[1].txt
C:\Documents and Settings\Robert\Cookies\robert@seventeen[1].txt
C:\Documents and Settings\Robert\Cookies\robert@stopzilla[2].txt
C:\Documents and Settings\Robert\Cookies\robert@tracking.foxnews[2].txt
C:\Documents and Settings\Robert\Cookies\robert@cnn.122.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@coolsavings[1].txt
C:\Documents and Settings\Robert\Cookies\robert@web-stat[1].txt
C:\Documents and Settings\Robert\Cookies\robert@redorbit[2].txt
C:\Documents and Settings\Robert\Cookies\robert@webstatsmaster[1].txt
C:\Documents and Settings\Robert\Cookies\robert@112.2o7[2].txt
C:\Documents and Settings\Robert\Cookies\robert@wpni.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@bizrate[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Robert\Cookies\robert@insightexpressai[1].txt
C:\Documents and Settings\Robert\Cookies\robert@cgi-bin[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.cnn[2].txt
C:\Documents and Settings\Robert\Cookies\robert@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.esmas[2].txt
C:\Documents and Settings\Robert\Cookies\robert@screensaversandwallpapersfree[2].txt
C:\Documents and Settings\Robert\Cookies\robert@enterprise.clickdefense[2].txt
C:\Documents and Settings\Robert\Cookies\robert@embarq.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adprofile[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adbrite[2].txt
C:\Documents and Settings\Robert\Cookies\robert@overviewclicks[1].txt
C:\Documents and Settings\Robert\Cookies\robert@65896788[2].txt
C:\Documents and Settings\Robert\Cookies\robert@dcs4z9z5284gol4nko46dauim_9c9l[2].txt
C:\Documents and Settings\Robert\Cookies\robert@stats1.reliablestats[2].txt
C:\Documents and Settings\Robert\Cookies\robert@clickntrack[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.us.e-planning[1].txt
C:\Documents and Settings\Robert\Cookies\robert@myaccount.peoplepc[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.adtrak[2].txt
C:\Documents and Settings\Robert\Cookies\robert@partypoker[2].txt
C:\Documents and Settings\Robert\Cookies\robert@marketlive.122.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@server.cpmstar[1].txt
C:\Documents and Settings\Robert\Cookies\robert@cgi-bin[4].txt
C:\Documents and Settings\Robert\Cookies\robert@ats[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.pstats[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.realtechnetwork[1].txt
C:\Documents and Settings\Robert\Cookies\robert@icc.intellisrv[2].txt
C:\Documents and Settings\Robert\Cookies\robert@roiservice[2].txt
C:\Documents and Settings\Robert\Cookies\robert@collective-media[1].txt
C:\Documents and Settings\Robert\Cookies\robert@cgi-bin[3].txt
C:\Documents and Settings\Robert\Cookies\robert@stats.espinthebottle[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ge.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@drivecleaner[2].txt
C:\Documents and Settings\Robert\Cookies\robert@winantispyware[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.winantispyware[1].txt
C:\Documents and Settings\Robert\Cookies\robert@pop.webfile[1].txt
C:\Documents and Settings\Robert\Cookies\robert@track.bestbuy[1].txt
C:\Documents and Settings\Robert\Cookies\robert@freecodesource.advertserve[1].txt
C:\Documents and Settings\Robert\Cookies\robert@stalkertrack[1].txt
C:\Documents and Settings\Robert\Cookies\robert@eyewonder[1].txt
C:\Documents and Settings\Robert\Cookies\robert@huludev.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.glispa[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads3.blastro[1].txt
C:\Documents and Settings\Robert\Cookies\robert@kontera[1].txt
C:\Documents and Settings\Robert\Cookies\robert@jokes[2].txt
C:\Documents and Settings\Robert\Cookies\robert@media6degrees[1].txt
C:\Documents and Settings\Robert\Cookies\robert@cheergirl72690.tripod[2].txt
C:\Documents and Settings\Robert\Cookies\robert@sec1.liveperson[2].txt
C:\Documents and Settings\Robert\Cookies\robert@1067912086[2].txt
C:\Documents and Settings\Robert\Cookies\robert@adult-sex-searcher[1].txt
C:\Documents and Settings\Robert\Cookies\robert@network.realmedia[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ar.atwola[2].txt
C:\Documents and Settings\Robert\Cookies\robert@men4sexnow[2].txt
C:\Documents and Settings\Robert\Cookies\robert@naked[1].txt
C:\Documents and Settings\Robert\Cookies\robert@2.adbrite[1].txt
C:\Documents and Settings\Robert\Cookies\robert@p[2].txt
C:\Documents and Settings\Robert\Cookies\robert@qnsr[1].txt
C:\Documents and Settings\Robert\Cookies\robert@insurancejournal.freestats[2].txt
C:\Documents and Settings\Robert\Cookies\robert@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@login.tracking101[1].txt
C:\Documents and Settings\Robert\Cookies\robert@1062235376[1].txt
C:\Documents and Settings\Robert\Cookies\robert@directtrack[1].txt
C:\Documents and Settings\Robert\Cookies\robert@sales.liveperson[2].txt
C:\Documents and Settings\Robert\Cookies\robert@podshow.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@atlas.entrepreneur[1].txt
C:\Documents and Settings\Robert\Cookies\robert@laptopmag.122.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@1070008164[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adult-feed[2].txt
C:\Documents and Settings\Robert\Cookies\robert@adultfriendfinder[2].txt
C:\Documents and Settings\Robert\Cookies\robert@banners.pictures.sprintpcs[2].txt
C:\Documents and Settings\Robert\Cookies\robert@www.zango[2].txt
C:\Documents and Settings\Robert\Cookies\robert@richmedia.yahoo[1].txt
C:\Documents and Settings\Robert\Cookies\robert@files.youporn[2].txt
C:\Documents and Settings\Robert\Cookies\robert@catalog[2].txt
C:\Documents and Settings\Robert\Cookies\robert@deucescracked[2].txt
C:\Documents and Settings\Robert\Cookies\robert@m1.webstats.motigo[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.precisioncounter[1].txt
C:\Documents and Settings\Robert\Cookies\robert@onclickvideos[2].txt
C:\Documents and Settings\Robert\Cookies\robert@go.winantispyware[1].txt
C:\Documents and Settings\Robert\Cookies\robert@webstat[2].txt
C:\Documents and Settings\Robert\Cookies\robert@adv.webmd[1].txt
C:\Documents and Settings\Robert\Cookies\robert@go.drivecleaner[1].txt
C:\Documents and Settings\Robert\Cookies\robert@catalog[4].txt
C:\Documents and Settings\Robert\Cookies\robert@mcclatchy.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@homeschooldiscount[1].txt
C:\Documents and Settings\Robert\Cookies\robert@blockbuster.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@try.starware[1].txt
C:\Documents and Settings\Robert\Cookies\robert@1069165504[1].txt
C:\Documents and Settings\Robert\Cookies\robert@smartcpc.advertserve[1].txt
C:\Documents and Settings\Robert\Cookies\robert@centralmediaserver[2].txt
C:\Documents and Settings\Robert\Cookies\robert@www.freebiefind[2].txt
C:\Documents and Settings\Robert\Cookies\robert@1071795655[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.thesmokinggun[1].txt
C:\Documents and Settings\Robert\Cookies\robert@webstat[1].txt
C:\Documents and Settings\Robert\Cookies\robert@honoluluadvertiser[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.clickmanage[2].txt
C:\Documents and Settings\Robert\Cookies\robert@autodiscountgroup[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.screensavers[1].txt
C:\Documents and Settings\Robert\Cookies\robert@toseeka[2].txt
C:\Documents and Settings\Robert\Cookies\robert@blockbuster[3].txt
C:\Documents and Settings\Robert\Cookies\robert@hertz.122.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.fulltiltpoker[2].txt
C:\Documents and Settings\Robert\Cookies\robert@e-2dj6whmieldjado.stats.esomniture[2].txt
C:\Documents and Settings\Robert\Cookies\robert@playonclick[2].txt
C:\Documents and Settings\Robert\Cookies\robert@i.screensavers[2].txt
C:\Documents and Settings\Robert\Cookies\robert@media.adrevolver[3].txt
C:\Documents and Settings\Robert\Cookies\robert@mediamall.wireless.att[1].txt
C:\Documents and Settings\Robert\Cookies\robert@clicksor[2].txt
C:\Documents and Settings\Robert\Cookies\robert@tracker.cliquality[1].txt
C:\Documents and Settings\Robert\Cookies\robert@player[1].txt
C:\Documents and Settings\Robert\Cookies\robert@pt.crossmediaservices[1].txt
C:\Documents and Settings\Robert\Cookies\robert@h.starware[1].txt
C:\Documents and Settings\Robert\Cookies\robert@easy-hit-counters[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.claxonmedia[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.neverbeg[2].txt
C:\Documents and Settings\Robert\Cookies\robert@media.ntsserve[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.shorttail[2].txt
C:\Documents and Settings\Robert\Cookies\robert@msnbc.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.joinaxxess[2].txt
C:\Documents and Settings\Robert\Cookies\robert@media.photobucket[1].txt
C:\Documents and Settings\Robert\Cookies\robert@hulu.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.expedia[1].txt
C:\Documents and Settings\Robert\Cookies\robert@wmvmedialease[1].txt
C:\Documents and Settings\Robert\Cookies\robert@specificmedia[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads4.blastro[1].txt
C:\Documents and Settings\Robert\Cookies\robert@LPBofA1[1].txt
C:\Documents and Settings\Robert\Cookies\robert@crackle[2].txt
C:\Documents and Settings\Robert\Cookies\robert@cdn.at.atwola[1].txt
C:\Documents and Settings\Robert\Cookies\robert@at.atwola[1].txt
C:\Documents and Settings\Robert\Cookies\robert@chitika[2].txt
C:\Documents and Settings\Robert\Cookies\robert@serv12.bluffmedia[1].txt
C:\Documents and Settings\Robert\Cookies\robert@e-2dj6wfk4wldpceo.stats.esomniture[2].txt
C:\Documents and Settings\Robert\Cookies\robert@1067421519[1].txt
C:\Documents and Settings\Robert\Cookies\robert@youporn[1].txt
C:\Documents and Settings\Robert\Cookies\robert@adcentriconline[2].txt
C:\Documents and Settings\Robert\Cookies\robert@1057277686[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ads.dietdetective[2].txt
C:\Documents and Settings\Robert\Cookies\robert@e-2dj6wgkyokcjwgp.stats.esomniture[2].txt
C:\Documents and Settings\Robert\Cookies\robert@rotator.adjuggler[2].txt
C:\Documents and Settings\Robert\Cookies\robert@ads-dev.youporn[2].txt
C:\Documents and Settings\Robert\Cookies\robert@friendlytrack[2].txt
C:\Documents and Settings\Robert\Cookies\robert@earthlink.122.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@media.brandreachsys[2].txt
C:\Documents and Settings\Robert\Cookies\robert@mediafire[2].txt
C:\Documents and Settings\Robert\Cookies\robert@dynamic.media.adrevolver[1].txt
C:\Documents and Settings\Robert\Cookies\robert@mybannermaker[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ad.fed.msn[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@2o7[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@ad.yieldmanager[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@adbrite[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@adlegend[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@adopt.euroclick[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@adopt.specificclick[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@adrevolver[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@ads.addesktop[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@ads.pointroll[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@advertising[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@apmebf[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@atdmt[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@bluestreak[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@bs.serving-sys[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@burstnet[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@casalemedia[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@doubleclick[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@electronicarts.112.2o7[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@eyewonder[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@fastclick[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@imrworldwide[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@insightexpressai[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@kontera[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@media.adrevolver[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@media.adrevolver[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@media.ntsserve[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@media.photobucket[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@media6degrees[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@mediaplex[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@msnbc.112.2o7[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@overture[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@qnsr[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@questionmarket[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@realmedia[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@revsci[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@serving-sys[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@specificclick[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@specificmedia[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@statcounter[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@tacoda[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@trafficmp[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@tribalfusion[2].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@viacom.adbureau[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@www.burstbeacon[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@www.burstnet[1].txt
C:\Documents and Settings\FAMILY(Laptop paswrd\Cookies\family(laptop_paswrd@zedo[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@ad.yieldmanager[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@adbrite[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@adlegend[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@adopt.euroclick[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@adopt.specificclick[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@adprofile[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@ads.adbrite[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@ads.esmas[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@anad.tacoda[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@anat.tacoda[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@atwola[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@azjmp[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@burstnet[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@cb.adprofile[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@icc.intellisrv[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@insightexpressai[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@kanoodle[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@kontera[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@media.adrevolver[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@revsci[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@stpetersburgtimes.122.2o7[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@tacoda[1].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@www.burstbeacon[2].txt
C:\Documents and Settings\Robert\Local Settings\Temp\Cookies\robert@www.burstnet[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\B08F1055
HKLM\Software\Microsoft\B08F1055#b08f1055
HKLM\Software\Microsoft\B08F1055#Version
HKLM\Software\Microsoft\B08F1055#b08fbdd5
HKLM\Software\Microsoft\B08F1055#b08fd430

Adware.Casino Games (Golden Palace Casino)
C:\PROGRAM FILES\SPORTSBOOK.COM CASINO\CASINO.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\V19PNGWH\indexsg[1].htm
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\Q864PM12\favicon[5].ico
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\4LBSUF3U\l.s.bg2z[1].gif
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\OA76QQIT\l.s.bg1z[1].gif

-----------------------------------------------------------------------------------------------------------------------------------------

Seemed to clean a lot of bad stuff out. Internet still not working though! Thanks for all your help.

#4 buddy215

buddy215

  • Moderator
  • 13,300 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:10 AM

Posted 09 December 2008 - 05:58 PM

SAS needs updating. The definitions you scanned with are way out of date. In the link below is an installer and the latest definitions for SAS. Put those on a CD or other medium and transfer them to the infected computer.
http://www.superantispyware.com/definitions.html

Use MBAM to scan your computer, too. Transfer to the infected computer the same as SAS.
Instructions for scanning with MBAM are in the link below.
http://www.bleepingcomputer.com/forums/ind...st&p=944365

When you post back after doing the two scans, tell me what messages you are seeing and what happens when you try to connect to the web.

Edited by buddy215, 09 December 2008 - 05:59 PM.


#5 easy2DV8

easy2DV8
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:10 AM

Posted 09 December 2008 - 06:13 PM

Malwarebytes' Anti-Malware-
Update failed. Make sure you are connected to the internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet.

That's the error message I receive when trying to install the update for MBAM.

SAS is currently scanning, will post log when available.

EDIT: Just manually downloaded the MBAM update and installed it on the infected computer; currently scanning with MBAM with updates, will post log when available. Thanks again.

Edited by easy2DV8, 09 December 2008 - 06:19 PM.


#6 easy2DV8

easy2DV8
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:10 AM

Posted 10 December 2008 - 02:41 PM

Alright, here are the logs:
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2

12/9/2008 5:19:12 PM
mbam-log-2008-12-09 (17-19-12).txt

Scan type: Quick Scan
Objects scanned: 107252
Time elapsed: 1 hour(s), 35 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\V19PNGWH\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/09/2008 at 06:38 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 03:24:33

Memory items scanned : 444
Memory threats detected : 0
Registry items scanned : 4877
Registry threats detected : 0
File items scanned : 112236
File threats detected : 0

------------------------------------------------------------------------------------------------------

Internet problem still persists, Thanks again.

#7 buddy215

buddy215

  • Moderator
  • 13,300 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:10 AM

Posted 10 December 2008 - 03:04 PM

The MBAM log shows the latest updates were used.

The SAS log shows that it was not updated. The latest updates are Core 3670, Trace 1649.

Today's update alone had 27 new Vundo items to scan for.

I understood that you downloaded the installer and updates to manually install on SAS. Try downloading anew since there is a new update today. Something didn't work. Looks like the update you downloaded never got installed in SAS.
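The two SAS logs in this thread (post #3's full log, and the definition-version check buddy215 does on it in post #7) are easier to read with a small parser than by eye. The Python below is an added example written for this page, not SUPERAntiSpyware's own tooling or anything either poster ran: it pulls the rule-database versions out of the log header, compares them with the versions you supply (3670/1649 are the numbers quoted in post #7), groups detections by category with tracking cookies split off so the handful of real hits are visible, lists the registry items to re-check after the reboot, and compares the header totals with the items actually listed. The embedded log is a constructed excerpt of the first log with most cookie lines dropped, so the count check reports a shortfall on purpose.

```python
import re

# Constructed excerpt of the log posted above: header kept as-is, only a few
# lines retained from each detection category (the full log lists hundreds).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/09/2008 at 02:17 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 02:13:37

Memory items scanned : 175
Memory threats detected : 0
Registry items scanned : 4876
Registry threats detected : 5
File items scanned : 100135
File threats detected : 277

Adware.Tracking Cookie
C:\Documents and Settings\Robert\Cookies\robert@mediamatters.112.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@ad2.doublepimp[1].txt
C:\Documents and Settings\Robert\Cookies\robert@www.winantispyware[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\B08F1055
HKLM\Software\Microsoft\B08F1055#b08f1055
HKLM\Software\Microsoft\B08F1055#Version

Adware.Casino Games (Golden Palace Casino)
C:\PROGRAM FILES\SPORTSBOOK.COM CASINO\CASINO.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\V19PNGWH\indexsg[1].htm
"""

# "Key words : value" header lines. The key is letters and spaces only, so the
# "Generated 12/09/2008 at 02:17 PM" line and the URL are not mistaken for one.
HEADER_RE = re.compile(r"^([A-Z][A-Za-z]*(?: [A-Za-z]+)+)\s*:\s*(.+?)\s*$")
# A detection item is a file path (drive letter) or a registry path (hive).
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U|CC)\\)")

# Categories treated as noise for triage: tracking cookies are text files the
# browser wrote, not code, and they dominate SAS logs by sheer volume.
NOISE = frozenset({"Adware.Tracking Cookie"})


def parse_log(text):
    """Return (header, detections): header maps field -> string value,
    detections maps category -> list of items, in log order."""
    header, detections = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        is_detection = (len(lines) >= 2
                        and all(ITEM_RE.match(ln) for ln in lines[1:])
                        and not HEADER_RE.match(lines[0]))
        if is_detection:
            detections.setdefault(lines[0], []).extend(lines[1:])
            continue
        for ln in lines:
            m = HEADER_RE.match(ln)
            if m:
                header[m.group(1)] = m.group(2)
    return header, detections


def stale_definitions(header, latest_core, latest_trace):
    """Compare the log's rule database versions with the versions you know
    to be current; returns the fields that are behind as {field: (have, latest)}."""
    wanted = {"Core Rules Database Version": latest_core,
              "Trace Rules Database Version": latest_trace}
    behind = {}
    for field, latest in wanted.items():
        have = int(header.get(field, "0"))
        if have < latest:
            behind[field] = (have, latest)
    return behind


def triage(detections):
    """Per-category counts with cookie noise split off, so the real hits
    (registry traces, executables, cached pages) stand out."""
    signal = {c: len(i) for c, i in detections.items() if c not in NOISE}
    noise = sum(len(i) for c, i in detections.items() if c in NOISE)
    return signal, noise


def registry_items(detections):
    """Every registry-path item regardless of category: the ones worth
    re-checking after the reboot; if they come back, something still
    running is re-creating them."""
    return [i for items in detections.values() for i in items if i.startswith("HK")]


def count_mismatch(header, detections):
    """Header totals minus items actually listed: a positive number means the
    pasted log was truncated or lines were dropped in copying."""
    listed = sum(len(i) for i in detections.values())
    claimed = (int(header.get("Registry threats detected", "0"))
               + int(header.get("File threats detected", "0")))
    return claimed - listed


if __name__ == "__main__":
    hdr, det = parse_log(SAMPLE_LOG)
    print("definitions behind:", stale_definitions(hdr, 3670, 1649))
    sig, cookies = triage(det)
    print("signal:", sig, "| tracking cookies:", cookies)
    print("registry items:", registry_items(det))
    print("items missing from paste:", count_mismatch(hdr, det))
```

Run it on a log saved from SAS (read the file instead of SAMPLE_LOG) and the first line tells you whether the scan is worth trusting at all: in this thread both logs show Core 3661 / Trace 1641 while 3670 / 1649 were current, which is exactly why a clean second scan proved nothing. The Rogue.Component/Trace keys under HKLM\Software\Microsoft are the entries to look at by hand after removal.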

#8 easy2DV8

easy2DV8
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:10 AM

Posted 10 December 2008 - 05:54 PM

After a half dozen manual attempts to update the SAS definitions, this is a screenshot of the version I keep coming up with. (screenshot)

#9 buddy215

buddy215

  • Moderator
  • 13,300 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:10 AM

Posted 10 December 2008 - 06:33 PM

The latest is "core 3670" and "Trace 1649"

Once the manual update download is on your computer, I think all that is needed is to double-click on it to install it. I have never done the manual step, and I updated this morning, so I won't be able to test that until the next update.
Is that what you are doing? Is SAS running during attempted install of updates?

#10 easy2DV8

easy2DV8
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:10 AM

Posted 10 December 2008 - 06:44 PM

That is exactly what I do every time. I double-click to run the installer, and every time after it says it has completed, I close and restart SAS and get the same version seen in the screenshot. I am sure that I am downloading the correct update link from the SAS website. I'm stumped.

#11 buddy215

buddy215

  • Moderator
  • 13,300 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:10 AM

Posted 10 December 2008 - 06:54 PM

Just went looking and at the bottom of the page where you get the manual update is this:

If you would like to manually update your definitions simply exit SUPERAntiSpyware, then click the "Download" link http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE . Save the file to your desktop and double-click it to run the installer. Once the installation is complete, you must exit and restart SUPERAntiSpyware for the new definitions to be active.

Reminds me of the adage "if all else fails, read the instructions". Sorry for not seeing that sooner.

Edited by buddy215, 10 December 2008 - 06:58 PM.


#12 easy2DV8

easy2DV8
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:10 AM

Posted 11 December 2008 - 11:09 PM

OK, here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2008 at 05:34 PM

Application Version : 4.23.1006

Core Rules Database Version : 3670
Trace Rules Database Version: 1649

Scan type : Complete Scan
Total Scan Time : 01:44:16

Memory items scanned : 434
Memory threats detected : 0
Registry items scanned : 4875
Registry threats detected : 2
File items scanned : 103509
File threats detected : 1

Rogue.Component/Trace
HKU\S-1-5-21-1275210071-725345543-317363477-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-1275210071-725345543-317363477-1003\Software\Microsoft\FIAS4018

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\ROBERT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2KA1V3VU\KB908687[1].EXE


-----------------------------------------------------------------------------------------------------------------------------------------

Still cannot connect to the internet.

#13 buddy215

buddy215

  • Moderator
  • 13,300 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:10 AM

Posted 14 December 2008 - 02:36 PM

Update and rescan with both MBAM and SAS. Please post the logs.

Open SAS and click on the "repairs tab", choose "repair broken network connection", click on it to highlight it, then click on the "perform repair button".

According to the SAS website some of the repair tools may be disabled in the free SAS. This may or may not be one of them.

#14 easy2DV8

easy2DV8
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:10 AM

Posted 18 December 2008 - 01:12 AM

Malwarebytes' Anti-Malware 1.31
Database version: 1498
Windows 5.1.2600 Service Pack 2

12/17/2008 10:05:31 PM
mbam-log-2008-12-17 (22-05-31).txt

Scan type: Quick Scan
Objects scanned: 107627
Time elapsed: 1 hour(s), 29 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/17/2008 at 04:28 PM

Application Version : 4.23.1006

Core Rules Database Version : 3677
Trace Rules Database Version: 1656

Scan type : Quick Scan
Total Scan Time : 01:05:00

Memory items scanned : 434
Memory threats detected : 0
Registry items scanned : 450
Registry threats detected : 0
File items scanned : 20379
File threats detected : 0
--------------------------------------------------------------------------------------------

Still cannot use the internet...
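As an added triage helper (not code from the thread, from BleepingComputer, or from SUPERAntiSpyware), this Python script parses the SAS log format pasted in posts #12 and #14, checks the definition versions against the minimums buddy215 quoted in post #7, and cross-checks the summary threat counts against the items actually listed. The embedded sample is a trimmed copy of the log from post #12; the version thresholds and the "stale" wording are assumptions made here.

```python
import re

# Minimum definition versions quoted by buddy215 in post #7.
REQUIRED_DEFS = {"core": 3670, "trace": 1649}

# Trimmed copy of the log from post #12 (only the lines the parser reads).
SAMPLE_LOG = r"""Core Rules Database Version : 3670
Trace Rules Database Version: 1649

Registry threats detected : 2
File threats detected : 1

Rogue.Component/Trace
HKU\S-1-5-21-1275210071-725345543-317363477-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-1275210071-725345543-317363477-1003\Software\Microsoft\FIAS4018

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\ROBERT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2KA1V3VU\KB908687[1].EXE
"""

_VERSION = re.compile(r"^(Core|Trace) Rules Database Version\s*:\s*(\d+)", re.M)
_COUNT = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)", re.M)

def parse_sas_log(text):
    """Return (definition versions, threats per area, [(category, item), ...])."""
    defs = {k.lower(): int(v) for k, v in _VERSION.findall(text)}
    threats = {k.lower(): int(v) for k, v in _COUNT.findall(text)}
    # Detections follow the last count line: a category name, then one registry
    # key or file path per line (these contain a backslash) until a blank line.
    after = text.partition("File threats detected")[2].splitlines()[1:]
    detections, category = [], None
    for line in (raw.strip() for raw in after):
        if not line or line.startswith("-"):
            category = None
        elif "\\" in line and category:
            detections.append((category, line))
        elif "\\" not in line:
            category = line
    return defs, threats, detections

def triage(text, required=REQUIRED_DEFS):
    """Findings a helper would raise: stale definitions, count mismatch, each hit."""
    defs, threats, detections = parse_sas_log(text)
    findings = [f"{k} rules {defs.get(k, 'missing')} older than {v}"
                for k, v in required.items() if defs.get(k, 0) < v]
    if sum(threats.values()) != len(detections):
        findings.append(f"summary counts {sum(threats.values())} threats, {len(detections)} listed")
    findings.extend(f"{cat}: {item}" for cat, item in detections)
    return findings
```

Run `triage()` on any pasted SAS log; an empty list means current definitions, consistent counts and nothing detected, which is what the post #14 log above should yield.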

#15 buddy215

buddy215

  • Moderator
  • 13,300 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:10 AM

Posted 18 December 2008 - 04:23 AM

In your next post, describe how your internet connection is set up: wireless, cable, dialup, etc. Is there another computer using the same router, modem, wireless, etc.?

Try this:
Log on as an administrator, go Start > Run and type: "cmd". In the window that appears type: "netsh winsock reset". When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." Close the command box and reboot your computer.

Go Start > Run > type: "cmd" In the window that appears type: "ipconfig /flushdns". Close the command box.

Go Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties. Double-click on the Internet Protocol (TCP/IP) item. Select the radio button that says "Obtain DNS servers automatically". Reboot. Warning: Some Internet Service Providers need specific DNS settings. You need to make sure that you know if such DNS settings are required before you make this change.

Do a scan with SD Fix. Directions for use are in the link below.
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/
