
MS Juan, MS Tracker and more...


This topic is locked. 12 replies to this topic.

#1 Mr. Sparkle (Members, 10 posts)

Posted 16 January 2009 - 02:00 PM

I seem to have MS Juan and MS Tracker, amongst other things, going on with my machine since yesterday. I have since run Malwarebytes, Ad-Aware and Spybot. They all find and kill stuff, but I am still getting trojan popups from Avast, as well as returning MS Juan and Tracker in Malwarebytes.

This is the first time this has happened to me and I am unsure of what to do next to try to clean my machine up, any help would be greatly appreciated. I can post logs of my previous scans if you wish.

Thank you.


#2 Mr. Sparkle (Topic Starter)

Posted 16 January 2009 - 02:14 PM

Here was my first scan last night


Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 3

1/15/2009 8:32:34 PM
mbam-log-2009-01-15 (20-32-34).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 214716
Time elapsed: 1 hour(s), 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\geBrOedb.dll (Trojan.Vundo.H) -> Delete on reboot.
E:\WINDOWS\system32\qvorpbdt.dll (Trojan.Vundo.H) -> Delete on reboot.
E:\WINDOWS\system32\khfCvUnO.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3eb56daa-bd88-46ee-80c8-0bca5d5d6455} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3eb56daa-bd88-46ee-80c8-0bca5d5d6455} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3eb56daa-bd88-46ee-80c8-0bca5d5d6455} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfcvuno (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: e:\windows\system32\gebroedb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: e:\windows\system32\gebroedb -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\geBrOedb.dll (Trojan.Vundo.H) -> Delete on reboot.
E:\WINDOWS\system32\bdeOrBeg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\bdeOrBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\qvorpbdt.dll (Trojan.Vundo.H) -> Delete on reboot.
E:\WINDOWS\system32\tdbprovq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\khfCvUnO.dll (Trojan.Vundo) -> Delete on reboot.
E:\System Volume Information\_restore{9F4254F0-F22C-4037-BBDD-83DC8D29CE95}\RP749\A0053668.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\pfcgmddk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\hgGxXrom.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


And my last quick scan today:

Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 3

1/16/2009 2:05:17 PM
mbam-log-2009-01-16 (14-05-17).txt

Scan type: Quick Scan
Objects scanned: 64833
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Mr. Sparkle, 16 January 2009 - 02:15 PM.


#3 Mr. Sparkle (Topic Starter)

Posted 16 January 2009 - 02:20 PM

Here is my Avast list:


1/15/2009 5:37:42 PM SYSTEM 2004 Sign of "Win32:Trojan-gen {Other}" has been found in "E:\DOCUME~1\Jesse\LOCALS~1\Temp\winvsnet.tmp" file.
1/15/2009 6:43:47 PM SYSTEM 2004 Sign of "Win32:Patched-JF [Trj]" has been found in "E:\DOCUME~1\Jesse\LOCALS~1\Temp\senekab51c.tmp" file.
1/15/2009 6:43:59 PM SYSTEM 2004 Sign of "Win32:Fasec [Trj]" has been found in "E:\WINDOWS\system32\drivers\seneka.sys" file.
1/15/2009 6:48:40 PM SYSTEM 2004 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "E:\WINDOWS\system32\drivers\ndqpbajw.sys" file.
1/15/2009 6:51:39 PM SYSTEM 2004 Sign of "Win32:Trojan-gen {Other}" has been found in "E:\DOCUME~1\Jesse\LOCALS~1\Temp\winvsnet.tmp" file.
1/15/2009 6:58:18 PM SYSTEM 2004 Sign of "Win32:Trojan-gen {Other}" has been found in "E:\DOCUME~1\Jesse\LOCALS~1\Temp\emsrcoxawn.tmp" file.
1/15/2009 6:59:00 PM SYSTEM 2004 Sign of "Win32:Patched-JF [Trj]" has been found in "E:\DOCUME~1\Jesse\LOCALS~1\Temp\senekad3f.tmp" file.
1/15/2009 6:59:03 PM SYSTEM 2004 Sign of "Win32:Fasec [Trj]" has been found in "E:\WINDOWS\system32\drivers\seneka.sys" file.
1/15/2009 7:06:27 PM Jesse 2648 Sign of "Win32:Patched-JF [Trj]" has been found in "E:\Documents and Settings\Jesse\Local Settings\Temp\trz4C.tmp" file.
1/15/2009 7:46:42 PM SYSTEM 2004 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "E:\System Volume Information\_restore{9F4254F0-F22C-4037-BBDD-83DC8D29CE95}\RP749\A0053668.sys" file.
1/16/2009 11:59:17 AM SYSTEM 2016 Sign of "Win32:Trojan-gen {Other}" has been found in "E:\WINDOWS\system32\nnnnOIXR.dll" file.
1/16/2009 12:01:04 PM SYSTEM 2016 Sign of "Win32:Trojan-gen {Other}" has been found in "E:\WINDOWS\system32\jkkJawTL.dll" file.
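
An added example, not code from this post or from Avast: a Python script that parses on-access log lines in the format shown above, tags each hit by where the file sits on disk, and prints the order in which each kind of component first appeared. The embedded lines are a subset copied from the log above (marked as such in the code); the category names, regexes and explanations are my own and are not Avast's classification.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: a subset of the Avast log lines posted in this thread.
AVAST_LOG = r"""
1/15/2009 5:37:42 PM SYSTEM 2004 Sign of "Win32:Trojan-gen {Other}" has been found in "E:\DOCUME~1\Jesse\LOCALS~1\Temp\winvsnet.tmp" file.
1/15/2009 6:43:47 PM SYSTEM 2004 Sign of "Win32:Patched-JF [Trj]" has been found in "E:\DOCUME~1\Jesse\LOCALS~1\Temp\senekab51c.tmp" file.
1/15/2009 6:43:59 PM SYSTEM 2004 Sign of "Win32:Fasec [Trj]" has been found in "E:\WINDOWS\system32\drivers\seneka.sys" file.
1/15/2009 6:48:40 PM SYSTEM 2004 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "E:\WINDOWS\system32\drivers\ndqpbajw.sys" file.
1/15/2009 7:06:27 PM Jesse 2648 Sign of "Win32:Patched-JF [Trj]" has been found in "E:\Documents and Settings\Jesse\Local Settings\Temp\trz4C.tmp" file.
1/15/2009 7:46:42 PM SYSTEM 2004 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "E:\System Volume Information\_restore{9F4254F0-F22C-4037-BBDD-83DC8D29CE95}\RP749\A0053668.sys" file.
1/16/2009 11:59:17 AM SYSTEM 2016 Sign of "Win32:Trojan-gen {Other}" has been found in "E:\WINDOWS\system32\nnnnOIXR.dll" file.
"""

# One detection line: timestamp, account, pid, signature name, path.
LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<signature>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)

# Where a file landed says what kind of component it is. These labels are mine
# (assumed categories for this example), not anything Avast reports.
CATEGORY_RULES = [
    ("restore_point", r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\"),
    ("kernel_driver", r"\\system32\\drivers\\[^\\]+\.sys$"),
    ("temp_dropper",  r"\\Temp\\[^\\]+\.tmp$"),
    ("usermode_dll",  r"\\system32\\[^\\]+\.dll$"),
]
EXPLAIN = {
    "restore_point": "copy inside a System Restore snapshot; a restore would bring it back",
    "kernel_driver": ".sys in the drivers directory; once loaded it runs in the kernel and can hide from user-mode scanners",
    "temp_dropper":  "temporary file in the user's Temp; written by whatever is still running",
    "usermode_dll":  "DLL in system32; the injected adware payload",
    "other":         "unclassified",
}


def categorize(path):
    """Map a detected file path to one of the categories above."""
    for name, pattern in CATEGORY_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return name
    return "other"


def parse_avast(text):
    """Return one dict per well-formed detection line, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything not a detection
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["when"], "%m/%d/%Y %I:%M:%S %p")
        ev["category"] = categorize(ev["path"])
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])


def category_counts(events):
    """How many hits of each kind."""
    return Counter(e["category"] for e in events)


def first_seen_order(events):
    """Categories in the order they first appear: a rough infection chain."""
    order = []
    for e in events:
        if e["category"] not in order:
            order.append(e["category"])
    return order


def restore_points_hit(events):
    """Restore point directories (RPnnn) that hold a detected file."""
    return {re.search(r"\\(RP\d+)\\", e["path"]).group(1)
            for e in events if e["category"] == "restore_point"}


if __name__ == "__main__":
    events = parse_avast(AVAST_LOG)
    for e in events:
        print(e["when"].strftime("%Y-%m-%d %H:%M:%S"), e["category"].ljust(14), e["path"])
    print("\ncounts:", dict(category_counts(events)))
    print("order of first appearance:", " -> ".join(first_seen_order(events)))
    print("restore points to flush:", sorted(restore_points_hit(events)))
    for cat in first_seen_order(events):
        print(f"  {cat}: {EXPLAIN[cat]}")
```

Run against these lines it reports temp_dropper first (5:37 PM), then kernel_driver (6:43 PM, seneka.sys and ndqpbajw.sys in system32\drivers), then a restore_point copy in RP749, then a usermode_dll the next morning. Two things follow for the cleanup. A .sys that has already been loaded runs in the kernel and can hide files and registry keys from user-mode tools, which fits MBAM still finding Vundo residue after several passes. And the A0053668.sys copy under System Volume Information is what System Restore would put back; that is why the thread later turns to disabling System Restore, and the RPnnn number the script extracts tells you which restore point has to go.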

#4 buddy215 (Moderator, 13,323 posts, West Tennessee)

Posted 16 January 2009 - 02:34 PM

Keep updating and using MBAM until it finds no more malware. It takes a few days for the security programs to catch up with the latest malware identifiers as the malware constantly changes to hide from them.

Another excellent program to use is Super Antispyware. It is a good idea to use more than one program as no one program always finds all of the malware.
After downloading, installing and UPDATING SAS in regular mode, reboot to safe mode to run the scan. Further instructions are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

Use Secunia's online scanner to find missing security updates for all of your programs. After updating Sun Java, go to Add/Remove Programs and remove ALL old Java programs. Old Java programs are known to be exploited by Vundo.
http://secunia.com/vulnerability_scanning/online/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 Mr. Sparkle (Topic Starter)

Posted 16 January 2009 - 10:28 PM

Uggg, I have done all of the above and VundoFix and still am getting popups in FF and IE, as well as recurring MS Tracker and MS Juan in the registry. Any other things I should do?

Here is my latest log:

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

1/16/2009 10:22:45 PM
mbam-log-2009-01-16 (22-22-45).txt

Scan type: Quick Scan
Objects scanned: 64988
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Mr. Sparkle (Topic Starter)

Posted 16 January 2009 - 10:30 PM

SUPERAntiSpyware 1

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/16/2009 at 09:44 PM

Application Version : 4.24.1004

Core Rules Database Version : 3713
Trace Rules Database Version: 1688

Scan type : Quick Scan
Total Scan Time : 00:48:21

Memory items scanned : 660
Memory threats detected : 0
Registry items scanned : 477
Registry threats detected : 35
File items scanned : 95079
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumundobegone
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumundobegone#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumundobegone#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumundobegone#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid

#7 Mr. Sparkle (Topic Starter)

Posted 16 January 2009 - 10:32 PM

SAS 2

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/16/2009 at 07:40 PM

Application Version : 4.24.1004

Core Rules Database Version : 3713
Trace Rules Database Version: 1688

Scan type : Complete Scan
Total Scan Time : 04:14:54

Memory items scanned : 177
Memory threats detected : 0
Registry items scanned : 7322
Registry threats detected : 37
File items scanned : 154000
File threats detected : 43

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid

Rogue.Component/Trace
HKLM\Software\Microsoft\605E0367
HKLM\Software\Microsoft\605E0367#605e0367
HKLM\Software\Microsoft\605E0367#Version
HKLM\Software\Microsoft\605E0367#605eaee7
HKLM\Software\Microsoft\605E0367#605ec702
HKU\S-1-5-21-1123561945-879983540-725345543-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-1123561945-879983540-725345543-1003\Software\Microsoft\FIAS4018

Adware.Tracking Cookie
E:\Documents and Settings\Jenn\Cookies\jenn@247realmedia[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@2o7[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@ad.yieldmanager[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@adecn[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@ads.associatedcontent[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@ads.revsci[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@ads.us.e-planning[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@advertising[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@advertising[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@anad.tacoda[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@anat.tacoda[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@atwola[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@bannerads.wedalert[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@bluegreen-push.worldmedia[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@casalemedia[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@content.yieldmanager.edgesuite[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@content.yieldmanager[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@counter.hitslink[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@data.coremetrics[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@doubleclick[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@doubleclick[3].txt
E:\Documents and Settings\Jenn\Cookies\jenn@edge.ru4[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@eharmony.112.2o7[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@ehg-verizon.hitbox[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@fastclick[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@hc2.humanclick[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@hitbox[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@mason.112.2o7[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@media.adrevolver[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@nextag[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@oasc02.247realmedia[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@smilestore.picturepeople.com.112.2o7[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@tacoda[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@trafficmp[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@tribalfusion[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@vhost.oddcast[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@worldmedia[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@www.clickmanage[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@www.ezytrack[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@www.googleadservices[1].txt
E:\Documents and Settings\Jenn\Cookies\jenn@www.googleadservices[2].txt
E:\Documents and Settings\Jenn\Cookies\jenn@www.googleadservices[5].txt
E:\Documents and Settings\Jenn\Cookies\jenn@www6.addfreestats[1].txt

Actually, this was the first scan; the previous post was the second, which I stopped early.

Edited by Mr. Sparkle, 16 January 2009 - 10:34 PM.


#8 Mr. Sparkle (Topic Starter)

Posted 16 January 2009 - 11:12 PM

OK, I disabled System Restore and rebooted after my last MWB quick scan, and I think I got it. No more popups... we will see. Thanks!

#9 buddy215 (Moderator, 13,323 posts, West Tennessee)

Posted 17 January 2009 - 06:32 AM

Yeah, I think you got it on the run.

You can block the ad/tracking cookies from ever installing on your computer by following the steps below.
This applies to Internet Explorer browsers.

1) Click on Tools
2) Click on Internet Options
3) Click on the Privacy tab
4) Click on the Advanced button
5) Put a check in the box next to Override automatic cookie handling
6) Put a check in the box next to First-party: Accept
7) Put a check in the box next to Block third-party cookies (those are the ad/tracking cookies that AVG deletes)
8) Click OK to exit

Then just run another quick scan with SAS to remove the third-party cookies that were installed before changing the settings.

Be sure to turn system restore back on.

For Internet Explorer 5 and above, you can follow these directions to clear out temporary files and delete cookies.

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive.

To clear the Internet History in IE:

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Clear History
4) Click OK

To clean up other temporary files on your computer in Windows 98 or higher:

1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files

#10 Mr. Sparkle (Topic Starter)

Posted 17 January 2009 - 02:12 PM

Arrghhhh.......

MS Juan and MS Tracker are back with the popups again. I will run scans and post an update... I still have System Restore off; should I turn it back on after I run scans?

#11 Mr. Sparkle (Topic Starter)

Posted 17 January 2009 - 02:44 PM

Latest scan after it came back with system restore off:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/17/2009 at 02:16 PM

Application Version : 4.24.1004

Core Rules Database Version : 3714
Trace Rules Database Version: 1689

Scan type : Custom Scan
Total Scan Time : 00:03:09

Memory items scanned : 639
Memory threats detected : 0
Registry items scanned : 7363
Registry threats detected : 35
File items scanned : 0
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+computer
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+computer#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+computer#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+computer#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid

Here is the MWB scan which picked up nothing after SAS cleaned it out:

Malwarebytes' Anti-Malware 1.33
Database version: 1663
Windows 5.1.2600 Service Pack 3

1/17/2009 2:36:40 PM
mbam-log-2009-01-17 (14-36-40).txt

Scan type: Quick Scan
Objects scanned: 64741
Time elapsed: 2 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here is an MWB scan 20 min later...


Malwarebytes' Anti-Malware 1.33
Database version: 1663
Windows 5.1.2600 Service Pack 3

1/17/2009 3:02:02 PM
mbam-log-2009-01-17 (15-02-02).txt

Scan type: Quick Scan
Objects scanned: 64729
Time elapsed: 1 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


On a side note, the popups seem to be triggered by me googling malware-related topics... I have cleaned everything numerous times with CCleaner, Ad-Aware, Spybot, VundoFix, and SAS. I do not know what to do next.

Should I consider my private stuff (logins etc...) compromised? What about my laptop on my wireless network is that at risk as well?

Edited by Mr. Sparkle, 17 January 2009 - 03:05 PM.
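
The MBAM logs in posts #2, #5 and #11 all list registry paths with the same "Quarantined and deleted" action, but they are not the same kind of item, and the open question in this thread is why MS Juan and MS Track System keep coming back after being deleted. As an added example (not code from the thread or from Malwarebytes), the Python below parses MBAM log excerpts, sorts each detection by the autostart mechanism it abuses, and compares consecutive scans to flag keys reported again after an earlier scan deleted them. The embedded text is trimmed from the logs in this thread; the autostart labels, and the Run/RunOnce rule that these logs do not contain, are my own classification.

```python
import re

# Constructed sample input: excerpts of the MBAM logs posted in this thread
# (full scan of 15 Jan, quick scans of 16 Jan and 17 Jan), trimmed to the
# detection sections. The paths are the ones in the original logs.
SCAN_1 = r"""
Memory Modules Infected:
E:\WINDOWS\system32\geBrOedb.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3eb56daa-bd88-46ee-80c8-0bca5d5d6455} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfcvuno (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: e:\windows\system32\gebroedb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: e:\windows\system32\gebroedb -> Quarantined and deleted successfully.
Files Infected:
E:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
"""
SCAN_3 = r"""
Registry Keys Infected:
(No malicious items detected)
"""
SCAN_4 = SCAN_2  # the 3:02 PM quick scan on 17 Jan reported the same two keys again

# "<item> (<detection name>) -> <action>" ; the action may itself contain "-> Data: ..."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Registry locations that get code executed, matched against the reported key path.
# Labels are my own classification (assumed for this example), not MBAM's; Run/RunOnce
# is included for completeness although it does not appear in this thread's logs.
AUTOSTART_RULES = [
    (r"\\Control\\LSA\\(Security|Authentication) Packages$",
     "LSA package: DLL loaded into lsass.exe at boot"),
    (r"\\Winlogon\\Notify\\",
     "Winlogon notify package: DLL loaded into winlogon.exe at logon"),
    (r"\\Explorer\\Browser Helper Objects\\",
     "Browser Helper Object: DLL loaded into Internet Explorer"),
    (r"\\Explorer\\ShellExecuteHooks\\",
     "ShellExecuteHook: DLL loaded into explorer.exe and other shell callers"),
    (r"\\CurrentVersion\\(Run|RunOnce)(\\|$)",
     "Run/RunOnce: program launched at logon"),
]


def parse_mbam(text):
    """One dict per detection line: section, item (path or key), name, action."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # "Registry Keys Infected:" etc.
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries


def classify(entry):
    """How would this item get executed, or is it just data?"""
    if entry["section"] == "Memory Modules":
        return "loaded module: in use, so MBAM can only delete it at reboot"
    if entry["section"] == "Files":
        return "file on disk"
    for pattern, label in AUTOSTART_RULES:
        if re.search(pattern, entry["item"], re.IGNORECASE):
            return label
    if entry["section"].startswith("Registry"):
        return "marker/config key: data only, nothing loads from it"
    return "other"


def autostart_summary(entries):
    """Group items under their classification label, preserving log order."""
    groups = {}
    for e in entries:
        groups.setdefault(classify(e), []).append(e["item"])
    return groups


def recreated_items(scans):
    """For each scan, the items that an earlier scan already reported as deleted."""
    deleted_earlier, result = set(), []
    for entries in scans:
        present = {e["item"] for e in entries}
        result.append(sorted(present & deleted_earlier))
        deleted_earlier |= {e["item"] for e in entries if "deleted" in e["action"]}
    return result


if __name__ == "__main__":
    scans = [parse_mbam(t) for t in (SCAN_1, SCAN_2, SCAN_3, SCAN_4)]
    for label, items in autostart_summary(scans[0]).items():
        print(label)
        for item in items:
            print("    ", item)
    for n, items in enumerate(recreated_items(scans), 1):
        for item in items:
            print(f"scan {n}: {item} is back after being deleted by an earlier scan")
```

Against this thread's logs the first scan is where the persistence was: the LSA Security Packages and Authentication Packages entries load geBrOedb.dll into lsass.exe, the Winlogon Notify entry loads khfCvUnO.dll into winlogon.exe, and the BHO and ShellExecuteHook entries get DLLs into Internet Explorer and Explorer. MS Juan and MS Track System fall into the last bucket: nothing executes from them; they are bookkeeping the adware writes (the SAS logs show what it keeps there, down to the search term bleeping+computer). A marker key cannot recreate itself, so when recreated_items reports it back twenty minutes after a clean scan, the conclusion is that a component the scanner is not listing is still running, and the useful next step is finding that component (a loaded driver or DLL), not deleting the key a fourth time.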


#12 buddy215 (Moderator, 13,323 posts, West Tennessee)

Posted 17 January 2009 - 03:26 PM

Just use MBAM and SAS to scan with. The others are ineffective against the malware you have.
My best advice is to stay offline until one or both programs update again, since you have another computer to check for updates with.
I see in the SAS log that you did a "custom" scan. It is best to do a full scan in safe mode.
On weekends, those programs don't update as often as weekdays.

As far as System Restore goes, since you have disabled it, there is no point in re-enabling it until the malware is gone.

If you have Spybot's TeaTimer enabled, you should disable it, as it may interfere with removing the malware because it protects registry changes.

Edited by buddy215, 17 January 2009 - 03:28 PM.


#13 Orange Blossom (OBleepin Investigator, Moderator, 37,011 posts, Bloomington, IN)

Posted 17 January 2009 - 06:23 PM

Hello Mr. Sparkle,

I see that you have a log posted here: http://www.bleepingcomputer.com/forums/t/195970/sas-mwb-sb-s-d-no-help-here-is-my-log/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



