hijacked browser, can't use system restore


29 replies to this topic

#1 Kauaiguy58 (Members)

Posted 15 December 2008 - 08:18 PM

My browser goes where it wants; it won't let me install anything, or even run System Restore. My antivirus (Trend Micro 2008) can't seem to get it all out... I couldn't even get here on that PC... Help

#2 buddy215 (Moderator)

Posted 16 December 2008 - 04:48 AM

Since you have no internet, use a different computer to download SAS to a CD or other medium. Once you have SAS on the infected computer and before install, locate the SAS.exe file and rename it. Right click on the file and choose rename. Name it lastchancescan and then click on the file to install SAS. Follow the instructions below for setting SAS for scanning.

You will need to manually download updates to a CD or other medium, also. See last paragraph below. Very important to get the latest updates as the malware is constantly changing to hide from security programs. Latest SAS is Core 3676

http://www.superantispyware.com/
Double-click SUPERAntiSpyware.exe (or the renamed .exe) and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
* Under the "Configuration and Preferences", click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

* Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes" and reboot normally.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.


If you would like to manually update your definitions simply exit SUPERAntiSpyware, then click the "Download" link http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE . Save the file to your desktop and double-click it to run the installer. Once the installation is complete, you must exit and restart SUPERAntiSpyware for the new definitions to be active.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Kauaiguy58 (Topic Starter)

Posted 16 December 2008 - 12:59 PM

Thanks for the prompt reply...I tried SAS yesterday, and even after renaming it, I couldn't get it to run, but I will give it another try with your suggested method.

Thanks again

#4 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 16 December 2008 - 01:04 PM

Also try this:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Kauaiguy58 (Topic Starter)

Posted 16 December 2008 - 05:41 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/16/2008 at 09:37 AM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 01:12:29

Memory items scanned : 184
Memory threats detected : 1
Registry items scanned : 4933
Registry threats detected : 197
File items scanned : 58281
File threats detected : 62

Adware.OpinionSquare-MarketScore
C:\PROGRAM FILES\OPINIONSQUARE\OPNSQR.EXE
C:\PROGRAM FILES\OPINIONSQUARE\OPNSQR.EXE
[OpinionSquare] C:\PROGRAM FILES\OPINIONSQUARE\OPNSQR.EXE

Adware.Tracking Cookie
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@ad.yieldmanager[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@bridge1.admarketplace[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@atdmt[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@www.findstuff[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@doubleclick[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@msnportal.112.2o7[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@kontera[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@revsci[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@admarketplace[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@208.122.40[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@208.122.40[3].txt
C:\Documents and Settings\Juelz\Cookies\juelz@apmebf[2].txt
C:\Documents and Settings\Juelz\Cookies\juelz@maxserving[2].txt
C:\Documents and Settings\Juelz\Cookies\juelz@mediaplex[1].txt
C:\Documents and Settings\Juelz\Cookies\juelz@qksrv[2].txt
C:\Documents and Settings\Likeke\Cookies\likeke@ad.yieldmanager[2].txt
C:\Documents and Settings\Likeke\Cookies\likeke@ads.pointroll[2].txt
C:\Documents and Settings\Likeke\Cookies\likeke@advertising[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@atdmt[2].txt
C:\Documents and Settings\Likeke\Cookies\likeke@belnk[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@bs.serving-sys[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@dist.belnk[2].txt
C:\Documents and Settings\Likeke\Cookies\likeke@fastclick[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@insightexpressai[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@maxserving[2].txt
C:\Documents and Settings\Likeke\Cookies\likeke@media.adrevolver[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@mediaplex[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@perf.overture[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@questionmarket[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@roiservice[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@serving-sys[2].txt
C:\Documents and Settings\Likeke\Cookies\likeke@trafficmp[1].txt
C:\Documents and Settings\Likeke\Cookies\likeke@www.eliteaccess[1].txt
C:\Documents and Settings\Marty\Cookies\marty@2o7[2].txt
C:\Documents and Settings\Marty\Cookies\marty@ad.yieldmanager[2].txt
C:\Documents and Settings\Marty\Cookies\marty@adcentriconline[1].txt
C:\Documents and Settings\Marty\Cookies\marty@adopt.euroclick[1].txt
C:\Documents and Settings\Marty\Cookies\marty@atdmt[2].txt
C:\Documents and Settings\Marty\Cookies\marty@casalemedia[1].txt
C:\Documents and Settings\Marty\Cookies\marty@insightexpressai[1].txt
C:\Documents and Settings\Marty\Cookies\marty@revenue[2].txt
C:\Documents and Settings\Marty\Cookies\marty@rocku.adbureau[2].txt
C:\Documents and Settings\Marty\Cookies\marty@socialmedia[1].txt
C:\Documents and Settings\Marty\Cookies\marty@videoegg.adbureau[2].txt

Adware.MyWebSearch/FunWebProducts
HKLM\SOFTWARE\Fun Web Products
HKLM\SOFTWARE\Fun Web Products#JpegConversionLib
HKLM\SOFTWARE\Fun Web Products#CacheDir
HKLM\SOFTWARE\Fun Web Products\MSNMessenger
HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLFile
HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLDir
HKLM\SOFTWARE\Fun Web Products\ScreenSaver
HKLM\SOFTWARE\Fun Web Products\ScreenSaver#ImagesDir
HKLM\SOFTWARE\Fun Web Products\Settings
HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn
HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn#LastHTMLMenuURL
HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn#HTMLMenuRevision
HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn#ETag
HKLM\SOFTWARE\Fun Web Products\Settings\Promos
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.numActive
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.0
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqNone
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.numActive
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.0
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqUninstalled
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive2
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.1
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.2
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.3
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.4
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.5
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.6
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.7
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.8
HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn
HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#HTMLMenuPosDeleted
HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#LastHTMLMenuURL
HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#HTMLMenuRevision
HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#ETag
HKLM\SOFTWARE\FunWebProducts
HKLM\SOFTWARE\FunWebProducts\Installer
HKLM\SOFTWARE\FunWebProducts\Installer#Dir
HKLM\SOFTWARE\FunWebProducts\Installer#CurInstall
HKLM\SOFTWARE\FunWebProducts\Installer#sr
HKLM\SOFTWARE\FunWebProducts\Installer#pl
HKLM\SOFTWARE\FunWebProducts\Installer#CheckForConnection
HKLM\SOFTWARE\FunWebProducts\Installer#CacheDir
HKLM\SOFTWARE\FunWebProducts\PopSwatter
HKU\S-1-5-21-3346758793-3566318748-2539834945-1006\SOFTWARE\MyWebSearch
HKLM\SOFTWARE\MyWebSearch
HKLM\SOFTWARE\MyWebSearch\bar
HKLM\SOFTWARE\MyWebSearch\bar#pid
HKLM\SOFTWARE\MyWebSearch\bar#fwp
HKLM\SOFTWARE\MyWebSearch\bar#mwsask
HKLM\SOFTWARE\MyWebSearch\bar#tiec
HKLM\SOFTWARE\MyWebSearch\bar#Dir
HKLM\SOFTWARE\MyWebSearch\bar#PluginPath
HKLM\SOFTWARE\MyWebSearch\bar#UninstallString
HKLM\SOFTWARE\MyWebSearch\bar#Id
HKLM\SOFTWARE\MyWebSearch\bar#CurInstall
HKLM\SOFTWARE\MyWebSearch\bar#SettingsDir
HKLM\SOFTWARE\MyWebSearch\bar#sr
HKLM\SOFTWARE\MyWebSearch\bar#pl
HKLM\SOFTWARE\MyWebSearch\bar#CacheDir
HKLM\SOFTWARE\MyWebSearch\bar#ConfigDateStamp
HKLM\SOFTWARE\MyWebSearch\bar#HTMLMenuRevision
HKLM\SOFTWARE\MyWebSearch\bar#sscLabel
HKLM\SOFTWARE\MyWebSearch\bar#sscURL
HKLM\SOFTWARE\MyWebSearch\bar#Flags
HKLM\SOFTWARE\MyWebSearch\bar#HistoryDir
HKLM\SOFTWARE\MyWebSearch\SearchAssistant
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pid
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fwp
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#mwsask
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Dir
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#esh
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#lsp
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Id
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#CurInstall
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sr
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pl
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#ConfigDateStamp
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#ABS
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#DES
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sscEnabled
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#eintl
HKLM\SOFTWARE\MyWebSearch\SkinTools
HKLM\SOFTWARE\MyWebSearch\SkinTools#PlayerPath
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}\TreatAs
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
HKLM\Software\FocusInteractive
HKLM\Software\FocusInteractive\bar
HKLM\Software\FocusInteractive\bar\Switches
HKLM\Software\FocusInteractive\bar\Switches#incmail.exe
HKLM\Software\FocusInteractive\bar\Switches#msimn.exe
HKLM\Software\FocusInteractive\bar\Switches#msn.exe
HKLM\Software\FocusInteractive\bar\Switches#outlook.exe
HKLM\Software\FocusInteractive\bar\Switches#waol.exe
HKLM\Software\FocusInteractive\bar\Switches#aim.exe
HKLM\Software\FocusInteractive\bar\Switches#icq.exe
HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe
HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe
HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe
HKLM\Software\FocusInteractive\bar\Switches#ypager.exe
HKLM\Software\FocusInteractive\bar\Switches#au
HKLM\Software\FocusInteractive\bar\Switches#mwsSrcAs.dll
HKLM\Software\FocusInteractive\bar\Switches#ps
HKLM\Software\FocusInteractive\bar\Switches#ok
HKLM\Software\FocusInteractive\bar\Switches#od
HKLM\Software\FocusInteractive\bar\Switches#nk
HKLM\Software\FocusInteractive\bar\Switches#nd
HKLM\Software\FocusInteractive\Email-IM
HKLM\Software\FocusInteractive\Email-IM\0
HKLM\Software\FocusInteractive\Email-IM\0#Toolbar
HKLM\Software\FocusInteractive\Email-IM\0#AppName
HKLM\Software\FocusInteractive\Outlook
C:\Program Files\MyWebSearch\bar\History\search3
C:\Program Files\MyWebSearch\bar\History
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings
C:\Program Files\MyWebSearch\bar
C:\Program Files\MyWebSearch
C:\Program Files\FunWebProducts\ScreenSaver\Images
C:\Program Files\FunWebProducts\ScreenSaver
C:\Program Files\FunWebProducts\Shared
C:\Program Files\FunWebProducts

Rogue.AdvancedXPDefender
C:\Program Files\AXPDefender\AXPDefender.exe.local
C:\Program Files\AXPDefender\database.dat
C:\Program Files\AXPDefender

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#build
HKLM\SOFTWARE\TDSS#type
HKLM\SOFTWARE\TDSS#affid
HKLM\SOFTWARE\TDSS#subid
HKLM\SOFTWARE\TDSS#cmddelay
HKLM\SOFTWARE\TDSS#serversdown
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#7e72e91c
HKLM\SOFTWARE\TDSS\connections#f6065612
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe
HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe
HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe
HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe
HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\TDSS\disallowed#daft.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#catchme.exe
HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe
HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe
HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe
HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe
HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe
HKLM\SOFTWARE\TDSS\disallowed#techweb.exe
HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged

Trojan.Zlob Downloader
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\QUARANTINE\ZCODEC.1039[1].EXE

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\CTFMONB.BMP

OOF; here's the log from the SAS scan... it took a few tries to get it over to this computer... I still have very little control.
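
As an added example (not code from the thread, and not from SUPERAntiSpyware or the rootkit's authors), here is a small Python triage script for a log in the format posted above. It parses the summary counters and the category blocks, compares the core definitions version with the 3676 that buddy215 names as current, pulls the value names out of HKLM\SOFTWARE\TDSS\disallowed, and models why the renaming advice in posts #2 and #4 works: the list names SUPERAntiSpyware.exe, mbam.exe and mbam-setup.exe, so a check on the file name alone does not match lastchancescan.exe or mbam-setup.scr. The sample log is a constructed excerpt of the one above, and the name-only matching in is_blocked() is an assumption for illustration; the page does not say how the rootkit itself performs its check.

```python
"""Triage a SUPERAntiSpyware scan log: per-category counts, definition
currency, and the TDSS 'disallowed' list that explains the renamed scanners.

Added example, not code from the thread or from SUPERAntiSpyware. SAMPLE_LOG
is a constructed excerpt in the format of the log posted above. The name-only
matching in is_blocked() is an assumption for illustration; the page does not
describe how the rootkit itself performs the check.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log

Core Rules Database Version : 3661

Registry threats detected : 197
File threats detected : 62

Adware.OpinionSquare-MarketScore
C:\PROGRAM FILES\OPINIONSQUARE\OPNSQR.EXE
[OpinionSquare] C:\PROGRAM FILES\OPINIONSQUARE\OPNSQR.EXE

Rogue.AdvancedXPDefender
C:\Program Files\AXPDefender\AXPDefender.exe.local

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\injector#*

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\CTFMONB.BMP
"""

# "Label : 123" summary lines (letters/spaces in the label, integer value).
COUNTER_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\d+)$")
# Category header such as "Trojan.Unknown Origin": never a colon or backslash.
CATEGORY_RE = re.compile(r"^[A-Za-z]+\.[^:\\]+$")
# Tools recommended in the thread, by the image name each runs under.
RECOMMENDED_TOOLS = ["SUPERAntiSpyware.exe", "mbam-setup.exe", "mbam.exe"]

def parse_sas_log(text):
    """Return (summary, detections): integer summary fields keyed by label,
    and a dict mapping each category header to its detection lines."""
    summary, detections, category = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            category = None            # a blank line closes the category block
        elif "\\" in line:             # registry key or file path
            detections[category or "Uncategorized"].append(line)
        elif CATEGORY_RE.match(line):
            category = line
        else:
            m = COUNTER_RE.match(line)
            if m:
                summary[m.group("key").strip()] = int(m.group("val"))
    return summary, dict(detections)

def disallowed_names(detections):
    r"""Value names under HKLM\SOFTWARE\TDSS\disallowed. SAS logs a registry
    value as key#valuename, so the image name is whatever follows the '#'."""
    names = set()
    for lines in detections.values():
        for line in lines:
            key, sep, value = line.partition("#")
            if sep and key.upper().endswith("\\TDSS\\DISALLOWED"):
                names.add(value.lower())
    return names

def is_blocked(image_path, blocklist):
    """Name-only block (assumption): compare just the file name part of the
    path, case-insensitively, so lastchancescan.exe or mbam-setup.scr pass."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() in blocklist

def triage(text, latest_core):
    """Definition currency, findings per category, blocked recommended tools."""
    summary, detections = parse_sas_log(text)
    blocklist = disallowed_names(detections)
    return {
        "definitions_current": summary.get("Core Rules Database Version", 0) >= latest_core,
        "per_category": {c: len(v) for c, v in detections.items()},
        "blocked_tools": [t for t in RECOMMENDED_TOOLS if is_blocked(t, blocklist)],
    }

if __name__ == "__main__":
    # 3676 is the core database version buddy215 names as current.
    for key, value in triage(SAMPLE_LOG, latest_core=3676).items():
        print(f"{key}: {value}")
```

Run against the full log above, the script reports definitions behind 3676, a 'disallowed' list that names every scanner the helpers recommended, and an empty blocked list once the same tools are fed in under a renamed image; a scanner that is only being blocked by name is the case the rename trick covers, and an updated definitions set is what the two later posts insist on.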

#6 Kauaiguy58 (Topic Starter)

Posted 16 December 2008 - 05:52 PM

And right after running SAS, I followed the next post and did the malware scan too... it also removed more junk, but still don't have control.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/16/2008 11:24:03 AM
malware-log-2008-12-16 (11-23-08)

Scan type: Quick Scan
Objects scanned: 59243
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\setup.player (Spyware.MarketScore) -> No action taken.
HKEY_CLASSES_ROOT\setup.player.2k2 (Spyware.MarketScore) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmhxt.sys (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS45dd.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS47f1.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS4a42.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS4cf2.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS504d.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> No action taken.

After running this one, I had to manually reboot.
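
As an added example (not code from the thread or from Malwarebytes), here is a Python parser for a log in the MBAM 1.x format posted above, with the checks a helper would want before reading it: that the summary counts match the entries actually listed (a paste cut short while copying across machines shows up as a mismatch), which entries still carry the status "No action taken" rather than a quarantine status, how many detections belong to each threat name, and whether a kernel driver (a .sys file under a drivers directory) is among the files, which is the part a reboot is needed to unload. The sample log is a constructed excerpt of the one above; the single "Quarantined and deleted successfully" line is added only to show the contrast with the other status.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and check what it actually says:
summary counts versus listed entries, entries still reading "No action taken",
detections per threat name, and kernel drivers among the files.

Added example, not code from the thread or from Malwarebytes. SAMPLE_LOG is a
constructed excerpt in the format of the log posted above; the one entry with
a quarantine status is included only to show the contrast.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1456

Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> No action taken.

Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmhxt.sys (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Summary line "Files Infected: 13" versus section header "Files Infected:".
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# One detection: path, threat name in parentheses, status after the arrow.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<status>.+?)\.?$")

def parse_mbam_log(text):
    """Return (counts, entries): summary label -> integer, and a list of
    dicts with section/path/threat/status for every listed detection."""
    counts, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                counts[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")   # entries that follow belong here
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return counts, entries

def is_complete(counts, entries):
    """True when each summary count equals the entries listed under that
    section, i.e. the pasted log was not cut short."""
    listed = Counter(e["section"] for e in entries)
    return all(listed[name] == n for name, n in counts.items())

def pending_removal(entries):
    """Entries the log says were only detected, not quarantined."""
    return [e for e in entries if e["status"] == "No action taken"]

def by_family(entries):
    """Detections per threat name, e.g. Trojan.TDSS."""
    return Counter(e["threat"] for e in entries)

def kernel_drivers(entries):
    """File entries that are .sys files under a drivers directory: the
    kernel-mode component, which is what makes the post-scan reboot necessary."""
    return [e["path"] for e in entries
            if e["section"] == "Files Infected"
            and e["path"].lower().endswith(".sys")
            and "\\drivers\\" in e["path"].lower()]

def report(text):
    counts, entries = parse_mbam_log(text)
    return {
        "complete": is_complete(counts, entries),
        "pending_removal": len(pending_removal(entries)),
        "families": dict(by_family(entries)),
        "kernel_drivers": kernel_drivers(entries),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding it the full log above gives a complete paste, every entry pending, Trojan.TDSS as the dominant family, and TDSSmhxt.sys as the driver; the later log in post #11, with no entries at all, parses to an empty list and a complete report.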

#7 buddy215 (Moderator)

Posted 16 December 2008 - 06:00 PM

Both programs are way out of date.

QUOTE:
You will need to manually download updates to a CD or other medium, also. See last paragraph below. Very important to get the latest updates as the malware is constantly changing to hide from security programs. Latest SAS is Core 3676
(MBAM latest update is 1506)


If you would like to manually update your definitions simply exit SUPERAntiSpyware, then click the "Download" link http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE . Save the file to your desktop and double-click it to run the installer. Once the installation is complete, you must exit and restart SUPERAntiSpyware for the new definitions to be active.

The malware you have constantly changes in order to hide from the security programs. VERY important to get the latest updates. If you still can't go online, get the manual updates for both.

Edited by buddy215, 16 December 2008 - 06:02 PM.


#8 Kauaiguy58 (Topic Starter)

Posted 16 December 2008 - 06:05 PM

Belay that last remark...after reboot, I now have my browser back, and I can now log in here on this PC...I haven't tried system restore, but I don't think I want to now...should I create a new restore point and clear out the rest?

Did get online and got Core 3676 for SAS...it's running right now

Edited by Kauaiguy58, 16 December 2008 - 06:27 PM.


#9 buddy215 (Moderator)

Posted 16 December 2008 - 06:32 PM

Some of your restore points are infected. DO NOT use System Restore or create a new restore point until your computer is completely free of malware.

Glad you could get to the updates. Update MBAM and run a scan with it, too.
Reboot after running MBAM.

Post back with logs and for further instruction.

#10 Kauaiguy58 (Topic Starter)

Posted 16 December 2008 - 07:06 PM

right on...SAS still running and finding more junk...we're making progress here. Hold on, SAS just finished, I will have the log momentarily...have MBAM 1508 installed and running now

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/16/2008 at 01:57 PM

Application Version : 4.23.1006

Core Rules Database Version : 3676
Trace Rules Database Version: 1655

Scan type : Complete Scan
Total Scan Time : 00:44:31

Memory items scanned : 434
Memory threats detected : 0
Registry items scanned : 4938
Registry threats detected : 0
File items scanned : 58824
File threats detected : 17

Adware.Tracking Cookie
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@ad.yieldmanager[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@msnbc.112.2o7[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@ads.bleepingcomputer[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@tacoda[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@mediaplex[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@casalemedia[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@atdmt[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@apmebf[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@advertising[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@rambler[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@adopt.euroclick[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@doubleclick[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@msnportal.112.2o7[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@revsci[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@questionmarket[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@208.122.40[1].txt

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT
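
The SAS log above follows a fixed layout: summary fields, then a category line followed by the paths detected under it. As an added example, not code from the thread or from SUPERAntiSpyware, here is a small Python parser for that layout that separates tracking cookies from detections that warrant follow-up, such as the Rootkit.TDSServ-Trace entry, and cross-checks the listed paths against the reported total; the sample log is constructed (header trimmed, cookie paths invented).

```python
import re
from collections import OrderedDict

# Constructed sample in the SUPERAntiSpyware log layout posted in this thread (header trimmed,
# cookie paths invented; the TDSS trace path is the one reported in the thread).
SAMPLE_SAS_LOG = """SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/16/2008 at 01:57 PM
Core Rules Database Version : 3676
Total Scan Time : 00:44:31
File threats detected : 3

Adware.Tracking Cookie
C:\\Documents and Settings\\User\\Cookies\\user@doubleclick[1].txt
C:\\Documents and Settings\\User\\Cookies\\user@atdmt[1].txt

Rootkit.TDSServ-Trace
C:\\WINDOWS\\SYSTEM32\\TDSSOSVD.DAT
"""
# "Key : value" header lines; the lazy key match stops at the first colon, so "00:44:31" stays intact
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")
SKIP_PREFIXES = ("SUPERAntiSpyware", "http", "Generated")

def parse_sas_log(text):
    """Return (fields, detections): header key/values and an ordered {category: [paths]} map."""
    fields, detections, current = {}, OrderedDict(), "Uncategorized"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        if line[1:3] == ":\\":      # drive-letter path: a detected item under the current category
            detections.setdefault(current, []).append(line)
            continue
        m = HEADER_RE.match(line)
        if m:                       # summary field such as "File threats detected : 3"
            fields[m.group(1).strip()] = m.group(2).strip()
            continue
        current = line              # anything else is a category header, e.g. "Rootkit.TDSServ-Trace"
        detections.setdefault(current, [])
    return fields, detections

def triage(detections):
    """Split nuisance tracking cookies from detections that need follow-up (rootkit traces etc.)."""
    cookies = [p for cat, paths in detections.items() if cat == "Adware.Tracking Cookie" for p in paths]
    serious = {cat: paths for cat, paths in detections.items() if cat != "Adware.Tracking Cookie"}
    return cookies, serious

def counts_match(fields, detections):
    reported = int(fields.get("File threats detected", "0"))  # reported total vs paths actually listed
    return reported == sum(len(paths) for paths in detections.values())
```

A non-empty `serious` map (here the TDSS trace left in SYSTEM32) is the signal that the machine still needs further cleaning, which is exactly why the moderator asks for repeat scans until the logs come up empty.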

#11 Kauaiguy58

Kauaiguy58
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kauai, Hawaii
  • Local time:12:41 PM

Posted 16 December 2008 - 07:14 PM

and here is the latest MBAM log...looking better all the time.

Malwarebytes' Anti-Malware 1.31
Database version: 1508
Windows 5.1.2600 Service Pack 3

12/16/2008 2:12:42 PM
mbam-log-2008-12-16 (14-12-42).txt

Scan type: Quick Scan
Objects scanned: 60041
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 buddy215

buddy215

  • Moderator
  • 13,203 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:41 PM

Posted 16 December 2008 - 07:50 PM

Better do another scan with SAS in safe mode.
Best to do that til it comes up zeroes like MBAM's latest scan.

Do a scan using Sdfix. Instructions are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1042092

Use Ccleaner to remove temporary files, logs, cookies, etc. During install you will be offered the Yahoo toolbar. UNcheck
if not wanted. http://www.ccleaner.com/

Scan your computer with Secunia's online scanner for missing security updates. Flash, Adobe Reader, and Java have all been exploited recently and unless you have them updated, they can be exploited.
http://secunia.com/vulnerability_scanning/online/
After updating Java, go to add/remove program and remove ALL old Java programs.

You can block the ad/tracking cookies from ever installing on your computer by following the steps below.
This applies to Internet Explorer browsers.
Click on Tools
click on Internet Options
click on the Privacy tab
click on the Advanced button
put a check in the box next to Override automatic cookie handling
put a check in the box next to First party accept
put a check in the box next to Block third party cookies (those are the ad/tracking cookies)
Click OK to exit
Then run Ccleaner to remove the third party cookies that exist now.

Edited by buddy215, 16 December 2008 - 08:03 PM.


#13 Kauaiguy58

Kauaiguy58
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kauai, Hawaii
  • Local time:12:41 PM

Posted 16 December 2008 - 11:27 PM

OK, running SAS in safe mode now...SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/16/2008 at 06:42 PM

Application Version : 4.23.1006

Core Rules Database Version : 3676
Trace Rules Database Version: 1655

Scan type : Complete Scan
Total Scan Time : 01:12:25

Memory items scanned : 157
Memory threats detected : 0
Registry items scanned : 4937
Registry threats detected : 0
File items scanned : 58744
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@msnbc.112.2o7[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@insightexpressai[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@tacoda[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@mediaplex[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@atdmt[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@apmebf[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@advertising[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@doubleclick[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@msnportal.112.2o7[1].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@statse.webtrendslive[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@questionmarket[2].txt
C:\Documents and Settings\GrampaNorm\Cookies\grampanorm@zedo[2].txt

Will continue with instructions...

Edited by Kauaiguy58, 16 December 2008 - 11:54 PM.


#14 Kauaiguy58

Kauaiguy58
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kauai, Hawaii
  • Local time:12:41 PM

Posted 17 December 2008 - 12:18 AM

Link to sdfix not found

#15 Kauaiguy58

Kauaiguy58
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kauai, Hawaii
  • Local time:12:41 PM

Posted 17 December 2008 - 01:00 AM

ran CCleaner and Secunia, but I couldn't get the latest version of Adobe to download; Java is up to date.


Link to sdfix not found
