Is it safe to use my PC after a Vundo infection was cleaned?


13 replies to this topic

#1 Android Man

Android Man

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 24 April 2009 - 04:00 PM

Hi,

I had the Trojan.Vundo.H infection which Avast seemed to completely miss blocking. I finally installed Malwarebytes, ran it in Safe mode, and it found and removed the infection completely. I rescanned in regular Windows mode, and nothing was found. I also ran Vundofix, and ThreatFire, and nothing was found. My computer seems to be running normally, and Windows Update works, but maybe the browser is a little slow (perhaps from the added security programs?) [Running Windows XP Home SP2 on a Dell Vostro 200.]

I then ran Spybot S&D, and although it found a variety of things, most were fairly benign, and none were related to Vundo. I had it fix everything.

I am currently running ThreatFire, Avast, and Spybot resident (with TeaTimer). I've always run ZoneAlarm Firewall.

I'm still reluctant to use the computer to access sensitive data. Am I being too paranoid? Are there other programs I should run to double check that nothing is left of the malware?

Thanks.
This is an awesome website!
:thumbsup:

Edited by Android Man, 24 April 2009 - 04:01 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:42 AM

Posted 24 April 2009 - 07:36 PM

Hello and welcome. Let's just do a couple more tests and be sure. I think we'll have what's left after these.
As TeaTimer may interfere, we need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [screenshot] and then on "Advanced Mode" [screenshot]
  • You may be presented with a warning dialog. If so, press [screenshot]
  • Click on [screenshot]
  • Click on [screenshot]
  • Uncheck this checkbox: [screenshot]
  • Close/Exit Spybot Search and Destroy
Next run ATF and SAS.
From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from its icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now rerun MBAM
Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please ask any needed questions, post the 2 logs and let us know how the PC is running now.

#3 Android Man

Android Man
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 25 April 2009 - 01:07 PM

Thanks for the quick reply.

I will post the two logs below. In summary, very little was found; I have bolded what I guess is significant.

Here are my questions.

1. Do these results suggest that my computer is safe to use for financial transactions such as banking or brokerage use? Are there any other tests I should run? (Search for root kits, etc.)

2. Just for curiosity, why the tools that were suggested? Is it because they are the best of the free tools?

3. Since Avast free version allowed the infection with Vundo, should I be considering switching antivirus programs? What would you recommend for a free, (or a paid) antivirus program?

4. Should I be running Spybot SD resident protection such as tea timer? Also does it make sense to be running something like Threatfire? This question is really-- what should I be running in addition to zone alarm firewall and a regular antivirus program?

Thanks again for the quick help. If not for this forum, I probably wouldn't have been able to figure out how to remove this nasty virus, and I would've spent several days rebuilding my system. And that would've made me bleeping mad!

PS I just checked my startup items using Spybot, and I'm concerned about the following ones. Are they legit?


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

[Deleted known startups]

Located: WinLogon, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 356352
MD5: 972EDEDE23AC8D59AAC0C09799C6F18A

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!





Here are the log files.

SuperAntiSpyware:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/25/2009 at 09:55 AM

Application Version : 4.26.1000

Core Rules Database Version : 3863
Trace Rules Database Version: 1815

Scan type : Complete Scan
Total Scan Time : 10:40:23

Memory items scanned : 231
Memory threats detected : 0
Registry items scanned : 7845
Registry threats detected : 1
File items scanned : 289802
File threats detected : 248

Rogue.Component/Trace
HKU\S-1-5-21-3789761249-4091140926-1370258014-1006\Software\Microsoft\FIAS4057


Adware.Tracking Cookie
.stpetersburgtimes.122.2o7.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.e-2dj6wjliojdjwbp.stats.esomniture.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.rebtelnetworks.112.2o7.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.stats.paypal.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
cashbackaccount.search.live.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
cashbackaccount.search.live.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
cashbackaccount.search.live.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.cashbackaccount.search.live.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.cashbackaccount.search.live.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
stats.sphere.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.s.clickability.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.s.clickability.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
data.coremetrics.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
sales.liveperson.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
sales.liveperson.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.www.investorsinsight.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.usenext.de [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.usenext.de [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.usenext.de [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.usenext.de [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.usenext.de [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.toplist.cz [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.indextools.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.meetupcom.122.2o7.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.apmebf.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.apmebf.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.buycom.122.2o7.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
traffic.buyservices.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
counter.hitslink.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
web4.realtracker.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.dmtracker.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
www.googleadservices.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
www.googleadservices.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.usatoday1.112.2o7.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.smartmoney.112.2o7.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.ehg-morningstar.hitbox.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.track.bestbuy.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.track.bestbuy.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.track.bestbuy.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.track.bestbuy.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.track.bestbuy.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.cneteurope.122.2o7.net [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]
.roiservice.com [ J:\D36LDXF1\HD_C\Program Files\Mozilla Firefox\defaults\proflie\cookies.txt ]


MALWAREBYTES

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/25/2009 10:39:11 AM
mbam-log-2009-04-25 (10-39-11).txt

Scan type: Quick Scan
Objects scanned: 85291
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Android Man, 25 April 2009 - 01:22 PM.


#4 boopme (Global Moderator, NJ USA)

Posted 25 April 2009 - 07:39 PM

Hello again. We will check for everything then, as you do financials on here. But we are looking good. MBAM needs to update; it's probably at 2040 by now. Yes, I (we) like these as they are free, accurate, have high detection rates and are updated very often, plus they have great support. They have paid versions if you prefer the real-time protection. Another good tool is Kaspersky's online scanner. Though it doesn't remove, it will show you what's on here.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Now we'll run part 1 (analyzer) of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 Android Man (Topic Starter)

Posted 08 May 2009 - 09:03 PM

I have been unable to continue on the system because in the process of changing firewalls from ZoneAlarm to Comodo personal firewall, I somehow broke my Internet connectivity. Absolutely nothing I've tried has fixed it, so I'm about to do a repair install from my Windows CD after backing up all my data. I really appreciate the help so far, and if I succeed in restoring Internet connectivity, I can continue; otherwise I'll be reinstalling Windows and formatting the hard drive.

#6 boopme (Global Moderator, NJ USA)

Posted 08 May 2009 - 09:15 PM

Hello, not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding their own extension to the existing extension of files and hiding it, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc., as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.
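A small checker for the two backup rules above, added here as an example; it is not code from the thread or from any of the tools the thread mentions. It walks a staging folder, keeps the data types the post lists, skips executables, scripts, web pages and autorun.ini, sends archives to a "review" pile (an archive is not an executable but can hold one), and judges by the full file name so a double extension such as holiday.jpg.exe is not mistaken for a picture. The folder it builds is constructed for the demonstration; the extension sets are assumptions that extend the post's short lists.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post says not to carry across: executables, scripts, web pages,
# plus autorun.ini, which the post also warns about. (Assumed list, extended
# slightly beyond the post's examples.)
SKIP_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".dll", ".html", ".htm", ".ini"}
# Data types the post lists as worth keeping, plus a few common ones (assumed).
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg", ".png", ".pdf", ".xls"}
# Archives are not executables but may contain one, so they are scanned first.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso"}


def classify(name):
    """Return (verdict, reason) for a file name: "keep", "skip" or "review".

    Windows hides known extensions by default, so "holiday.jpg.exe" is shown as
    "holiday.jpg"; judging by the LAST suffix of the full name catches that.
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return "review", "no extension"
    last = suffixes[-1]
    if last in SKIP_EXTENSIONS:
        inner = [s for s in suffixes[:-1] if s in DATA_EXTENSIONS]
        if inner:
            return "skip", f"executable disguised as {inner[-1]}"
        return "skip", f"{last} is on the do-not-copy list"
    if last in ARCHIVE_EXTENSIONS:
        return "review", "archive: scan contents before restoring"
    if last in DATA_EXTENSIONS:
        return "keep", "data file"
    return "review", f"unknown type {last}"


def plan_backup(root):
    """Walk root and group every file under it by verdict (paths relative to root)."""
    plan = {"keep": [], "skip": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for f in files:
            verdict, _ = classify(f)
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            plan[verdict].append(rel)
    for verdict in plan:
        plan[verdict].sort()
    return plan


# Constructed demo tree: a few file names from this thread plus one disguised
# executable. The files are empty; only the names matter here.
DEMO_FILES = [
    "Documents/taxes 2008.doc",
    "Pictures/holiday.jpg",
    "Pictures/holiday.jpg.exe",
    "Downloads/Partition Magic 8 Pro.rar",
    "Downloads/dBpoweramp Batch Converter.exe",
    "Downloads/autorun.ini",
    "Bookmarks/saved page.htm",
]


def build_demo_tree(base):
    """Create the constructed tree under base and return base."""
    for rel in DEMO_FILES:
        p = Path(base, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return base


def demo():
    """Build the demo tree in a temporary folder and return its backup plan."""
    with tempfile.TemporaryDirectory() as tmp:
        return plan_backup(build_demo_tree(tmp))


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(verdict.upper())
        for p in paths:
            print("  ", p, "-", classify(Path(p).name)[1])
```

Point it at the folder you are about to copy to the external drive (plan_backup(r"D:\staging")); copy only the "keep" list, scan the "review" list with an updated anti-virus before touching it, and leave the "skip" list behind.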

#7 Android Man (Topic Starter)

Posted 10 May 2009 - 03:08 AM

Okay, I was able to fix the internet by doing a repair install of Windows XP.

I updated MBAM and it found nothing. Here's the scan:


Malwarebytes' Anti-Malware 1.36
Database version: 2102
Windows 5.1.2600 Service Pack 2

5/10/2009 12:41:54 AM
mbam-log-2009-05-10 (00-41-54).txt

Scan type: Quick Scan
Objects scanned: 97544
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky found some things, and I went in and deleted them and flushed the recycle bin as well. I wasn't sure about the UBCD4Win so I just deleted it. Here's the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 09, 2009 15:42:48
Records in database: 2151052
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
I:\
J:\

Scan statistics:
Files scanned: 370773
Threat name: 11
Infected objects: 34
Suspicious objects: 0
Duration of the scan: 16:22:42


File name / Threat name / Threats count
C:\DATA\Finished Downloads\Inactive Downloads\Partition Magic 8 Pro.rar Infected: Trojan.Win32.Buzus.audq 1
C:\Documents and Settings\Andrew\Desktop\Essential Software\PartitionMagicPro\Partition Magic 8 Pro\Setup\PartitionMagic.msi Infected: Trojan.Win32.Buzus.audq 1
C:\Documents and Settings\Andrew\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Documents and Settings\Andrew\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\Documents and Settings\Andrew\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 2
C:\Documents and Settings\Andrew\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2
C:\MasterDataFolder\Downloads--Software\Blocklist manager\BLMInstall277.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\MasterDataFolder\Downloads--Software\Hamachi\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1
C:\MasterDataFolder\Downloads--Software\TinyUSB Office\tiny_usb_office.zip Infected: not-a-virus:Server-FTP.Win32.SFH.k 1
C:\MasterDataFolder\Downloads--Software\TinyUSB Office\tiny_usb_office.zip Infected: not-a-virus:PSWTool.Win32.Asterisk.e 2
C:\Program Files\Bluetack\Blocklist Manager\Tools\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
I:\Backup of data from C drive 5-8-09\DATA\Finished Downloads\Inactive Downloads\Partition Magic 8 Pro.rar Infected: Trojan.Win32.Buzus.audq 1
I:\Backup of data from C drive 5-8-09\Desktop\Essential Software\PartitionMagicPro\Partition Magic 8 Pro\Setup\PartitionMagic.msi Infected: Trojan.Win32.Buzus.audq 1
I:\Backup of data from C drive 5-8-09\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
I:\Backup of data from C drive 5-8-09\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
I:\Backup of data from C drive 5-8-09\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 2
I:\Backup of data from C drive 5-8-09\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2
I:\Backup of data from C drive 5-8-09\MasterDataFolder\Downloads--Software\Blocklist manager\BLMInstall277.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
I:\Backup of data from C drive 5-8-09\MasterDataFolder\Downloads--Software\Hamachi\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1
I:\Backup of data from C drive 5-8-09\MasterDataFolder\Downloads--Software\TinyUSB Office\tiny_usb_office.zip Infected: not-a-virus:Server-FTP.Win32.SFH.k 1
I:\Backup of data from C drive 5-8-09\MasterDataFolder\Downloads--Software\TinyUSB Office\tiny_usb_office.zip Infected: not-a-virus:PSWTool.Win32.Asterisk.e 2
J:\D36LDXF1\HD_C\MasterDataFolder\Downloads--Software\Blocklist manager\BLMInstall277.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
J:\D36LDXF1\HD_C\MasterDataFolder\Downloads--Software\Hamachi\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1
J:\D36LDXF1\HD_C\MasterDataFolder\Downloads--Software\TinyUSB Office\tiny_usb_office.zip Infected: not-a-virus:Server-FTP.Win32.SFH.k 1
J:\D36LDXF1\HD_C\MasterDataFolder\Downloads--Software\TinyUSB Office\tiny_usb_office.zip Infected: not-a-virus:PSWTool.Win32.Asterisk.e 2
J:\Downloads from C\Finished Downloads\dBPoweramp\dBpoweramp Batch Converter.exe Infected: Backdoor.Win32.IRCBot.ijy 1
J:\Downloads from C\Finished Downloads\Inactive Downloads\Programs\Ad-Aware 2008 Pro 7.1.0.10\Setup.exe Infected: Trojan.Win32.Agent.avyk 1

The selected area was scanned.
------------------------------------------------------------------------------------------------------------------------------------------------

Next I ran SmitFraudFix and here are its results, which I need help reading.

SmitfraudFix report:

SmitFraudFix v2.416

Scan done at 0:42:42.00, Sun 05/10/2009
Run from C:\Program Files\PortableFirefox3\FirefoxPortable\App\firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlservr.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Andrea Electronics\AudioCommander\AudioCommander.exe
C:\Program Files\Andrea Electronics\AudioCommander\AEFltrs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Everything\Everything.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Syncplicity\Syncplicity.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\PortableFirefox3\FirefoxPortable\FirefoxPortable.exe
C:\Program Files\PortableFirefox3\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Andrew


C:\DOCUME~1\Andrew\LOCALS~1\Temp


C:\Documents and Settings\Andrew\Application Data


Start Menu


C:\DOCUME~1\Andrew\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL "
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

HKLM\SYSTEM\CCS\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{99F1B724-23B2-444B-8630-7406D7E33212}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B367BAC5-7BCD-4D24-9313-7675042418CE}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B52CFB8D-46D3-48FA-BA4A-9047C6ECE254}: DhcpNameServer=10.239.255.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.239.255.254


Scanning for wininet.dll infection


End



So, what's next? Should I run SmitFraudFix in Safe Mode and select the Clean option? I'll wait on your answer. Thanks so much for the help; this has been a long process. BTW, I also ran the Microsoft Rootkit Revealer, which didn't find anything suspicious.
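One way to read a Kaspersky report like the one in the post above before deleting everything it lists, added here as an example (not code from the thread or from Kaspersky): it parses the File / Threat / count lines, separates the verdicts Kaspersky itself prefixes with not-a-virus: (dual-use tools such as the VNC server and port scanner shipped inside admin toolkits, flagged for the same reason boopme gives for process.exe) from real malware verdicts, and groups copies of the same file across drives so a trojan that was copied into the backups on I: and J: is not left behind. REPORT is a constructed subset quoted from the report in the post; the full report lists more lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines quoted from the Kaspersky report above.
REPORT = r"""
C:\DATA\Finished Downloads\Inactive Downloads\Partition Magic 8 Pro.rar Infected: Trojan.Win32.Buzus.audq 1
C:\Documents and Settings\Andrew\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Documents and Settings\Andrew\Desktop\Essential Software\Ultimate Boot CD 4 Win\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 2
C:\MasterDataFolder\Downloads--Software\Blocklist manager\BLMInstall277.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\MasterDataFolder\Downloads--Software\TinyUSB Office\tiny_usb_office.zip Infected: not-a-virus:PSWTool.Win32.Asterisk.e 2
I:\Backup of data from C drive 5-8-09\DATA\Finished Downloads\Inactive Downloads\Partition Magic 8 Pro.rar Infected: Trojan.Win32.Buzus.audq 1
I:\Backup of data from C drive 5-8-09\MasterDataFolder\Downloads--Software\Blocklist manager\BLMInstall277.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
J:\D36LDXF1\HD_C\MasterDataFolder\Downloads--Software\Blocklist manager\BLMInstall277.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
J:\Downloads from C\Finished Downloads\dBPoweramp\dBpoweramp Batch Converter.exe Infected: Backdoor.Win32.IRCBot.ijy 1
J:\Downloads from C\Finished Downloads\Inactive Downloads\Programs\Ad-Aware 2008 Pro 7.1.0.10\Setup.exe Infected: Trojan.Win32.Agent.avyk 1
"""

# "<path> Infected: <verdict> <count>"; the path may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return a list of (path, verdict, count) for every detection line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append((m["path"], m["threat"], int(m["count"])))
    return findings


def is_riskware(threat):
    """Kaspersky marks legitimate-but-dual-use tools with a 'not-a-virus:' prefix."""
    return threat.startswith("not-a-virus:")


def triage(findings):
    """Split findings into real malware and riskware, each keyed by verdict."""
    malware, riskware = defaultdict(list), defaultdict(list)
    for path, threat, _ in findings:
        (riskware if is_riskware(threat) else malware)[threat].append(path)
    return dict(malware), dict(riskware)


def copies_by_name(findings):
    """Group flagged paths by file name, so every copy of one file (on C: and in
    the backups on I: and J:) is handled together; only multi-copy files are kept."""
    groups = defaultdict(set)
    for path, _, _ in findings:
        groups[path.rsplit("\\", 1)[-1]].add(path)
    return {name: sorted(paths) for name, paths in groups.items() if len(paths) > 1}


def drives_with_malware(findings):
    """Drive letters that hold at least one real (non-riskware) detection."""
    return sorted({path[0] for path, threat, _ in findings if not is_riskware(threat)})


if __name__ == "__main__":
    found = parse_report(REPORT)
    malware, riskware = triage(found)
    print("Real malware verdicts (delete every copy):")
    for verdict, paths in malware.items():
        print(f"  {verdict}: {len(paths)} file(s)")
    print("Riskware (decide per tool; UBCD4Win's VNC is expected):")
    for verdict, paths in riskware.items():
        print(f"  {verdict}: {len(paths)} file(s)")
    print("Files present on more than one drive:", list(copies_by_name(found)))
    print("Drives with real malware:", drives_with_malware(found))
```

The split matters for the decision made in the post: the Buzus, IRCBot and Agent hits are real and have copies on the backup drives, while the UBCD4Win, Blocklist Manager and TinyUSB Office hits are the tools' own VNC, port-scan and password-reveal components and only need deleting if you no longer want those tools.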
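For the SmitfraudFix log above, the sections worth checking by hand are the DNS servers on each adapter (a hijacked machine often points at resolvers the ISP never handed out), the Winlogon Userinit value (the XP default is exactly C:\WINDOWS\system32\userinit.exe, with the trailing comma, and anything appended there runs at every logon) and AppInit_DLLs (every DLL listed there is loaded into every process that loads user32.dll). The checker below is an added example, not part of the thread or of SmitfraudFix. EXPECTED_DNS is an assumption standing in for the resolvers you confirm on the router's status page; the two addresses in it are placeholders taken from the log so the example runs, not a statement that they are legitimate. LOG is a constructed excerpt of the log in the post.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the SmitfraudFix log in the post above.
LOG = r"""
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL "
"LoadAppInit_DLLs"=dword:00000001

Winlogon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

DNS
Description: NETGEAR RangeMax Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

HKLM\SYSTEM\CCS\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B52CFB8D-46D3-48FA-BA4A-9047C6ECE254}: DhcpNameServer=10.239.255.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.239.255.254
"""

# ASSUMPTION: the resolvers the ISP/router really hands out. Replace with the
# addresses from the router's status page; these are placeholders from the log.
EXPECTED_DNS = {"66.218.44.5", "66.218.44.90"}

# Windows XP default for HKLM\...\Winlogon\Userinit, trailing comma included.
USERINIT_DEFAULT = r"C:\WINDOWS\system32\userinit.exe,"


def dns_servers(log):
    """Every resolver address named in the DNS section: the live adapters plus
    the DhcpNameServer values saved in each control set."""
    found = set(re.findall(r"DNS Server Search Order: (\S+)", log))
    for group in re.findall(r"DhcpNameServer=([\d. ]+)", log):
        found.update(group.split())
    return found


def unexpected_dns(servers, expected):
    """Public resolvers not in the expected set. Private addresses (a home
    router relaying DNS) are left out; check those on the router itself."""
    return sorted(s for s in servers
                  if s not in expected and not ip_address(s).is_private)


def reg_string(log, name):
    """Value of a "name"="value" line in the log, with .reg-style \\ unescaped."""
    m = re.search(r'"%s"="([^"]*)"' % re.escape(name), log)
    return m.group(1).replace("\\\\", "\\") if m else None


def appinit_dlls(log):
    """DLLs listed in AppInit_DLLs (space- or comma-separated in the registry)."""
    value = reg_string(log, "AppInit_DLLs") or ""
    return [d for d in re.split(r"[ ,]+", value) if d]


def review(log, expected_dns=EXPECTED_DNS):
    """Summarise the checks a reader would do by hand on this log."""
    userinit = reg_string(log, "Userinit")
    return {
        "dns_unexpected": unexpected_dns(dns_servers(log), expected_dns),
        "userinit_ok": userinit is not None
                       and userinit.lower() == USERINIT_DEFAULT.lower(),
        "winlogon_system_empty": (reg_string(log, "System") or "") == "",
        "appinit_dlls": appinit_dlls(log),
    }


if __name__ == "__main__":
    for check, result in review(LOG).items():
        print(f"{check}: {result}")
```

On this log the Userinit value is the XP default and the Winlogon "System" value is empty, which is what you want to see; the one AppInit_DLLs entry is something to identify (look at the full path of GOEC62~1.DLL on disk and what installed it) rather than something the log itself condemns, and whether the 66.218.44.x resolvers are right is a question for the router, not the log.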

#8 boopme (Global Moderator, NJ USA)

Posted 10 May 2009 - 05:21 PM

Hi, Mother's Day, so I was busy with the mom :thumbsup:

OK, rerun Smit and select option 2, post the log.
Rerun again and select option 5. Hopefully we still have net and killed everything.

#9 Android Man (Topic Starter)

Posted 10 May 2009 - 09:07 PM

Thanks for helping on Mom's Day!

Reran SmitFraudFix in safe mode, option 2; here's the log.



SmitFraudFix v2.416

Scan done at 18:43:05.46, Sun 05/10/2009
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost



VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{99F1B724-23B2-444B-8630-7406D7E33212}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B367BAC5-7BCD-4D24-9313-7675042418CE}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B52CFB8D-46D3-48FA-BA4A-9047C6ECE254}: DhcpNameServer=10.239.255.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.239.255.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End




Rebooted into normal mode and here's the DNS fix log:


SmitFraudFix v2.416

Scan done at 19:01:50.20, Sun 05/10/2009
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

HKLM\SYSTEM\CCS\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{99F1B724-23B2-444B-8630-7406D7E33212}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B367BAC5-7BCD-4D24-9313-7675042418CE}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B52CFB8D-46D3-48FA-BA4A-9047C6ECE254}: DhcpNameServer=10.239.255.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.239.255.254

DNS After Fix

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

Description: NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

HKLM\SYSTEM\CCS\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6C2E4A82-8757-4F3A-B355-DDC1863B6757}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{64403AA3-67BC-4FF8-B45C-7A826C12EB23}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{99F1B724-23B2-444B-8630-7406D7E33212}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B367BAC5-7BCD-4D24-9313-7675042418CE}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B52CFB8D-46D3-48FA-BA4A-9047C6ECE254}: DhcpNameServer=10.239.255.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.239.255.254



All seems good. What do you think? Is it safe? I'm using Windows Firewall; what would you recommend as a better firewall? ZoneAlarm has some crash/BSOD issues with my system, and Comodo failed to install and took my internet with it.

Thanks again for all the help. This site is bleeping great!

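The "DNS Before Fix" and "DNS After Fix" blocks in the log above are identical, which is what SmitFraudFix prints when none of the resolvers on any adapter or in any ControlSet matched its list of known rogue DNS servers. What the tool cannot tell you is whether those resolvers are the ones your ISP or router should be handing out. The following script is an added example, not part of the thread and not SmitFraudFix's own code: it parses a block in the same format, groups resolvers per adapter GUID and per ControlSet, and flags any resolver outside an expected set you supply, separating RFC 1918 addresses (normally the router itself) from public ones, and any adapter whose resolvers differ between ControlSets, which is how a hijack that survives only in a stale ControlSet shows up. The expected-resolver set is an assumption you provide from your router's DHCP lease; the embedded log lines are a constructed sample modelled on the thread's log, not the poster's data.

```python
"""Audit a SmitFraudFix "DNS Before Fix"/"DNS After Fix" block (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in SmitFraudFix's output format; values chosen for the demo.
# One adapter carries a different resolver in CS3 than in CCS/CS1 on purpose.
SAMPLE_LOG = """\
DNS Before Fix

Description: Example Wireless Adapter - Packet Scheduler Miniport
DNS Server Search Order: 66.218.44.5
DNS Server Search Order: 66.218.44.90

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=66.218.44.5 66.218.44.90
HKLM\\SYSTEM\\CS3\\Services\\Tcpip\\..\\{05BED4EB-EB5A-423D-B13A-5ACDA90E2EDC}: DhcpNameServer=203.0.113.7 66.218.44.90
HKLM\\SYSTEM\\CS3\\Services\\Tcpip\\..\\{B52CFB8D-46D3-48FA-BA4A-9047C6ECE254}: DhcpNameServer=10.239.255.254
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=66.218.44.5 66.218.44.90
"""

# Registry lines: HKLM\SYSTEM\<CCS|CSn>\Services\Tcpip\..\{GUID}: DhcpNameServer=a b
#             or: HKLM\SYSTEM\<CCS|CSn>\Services\Tcpip\Parameters: DhcpNameServer=a b
REG_LINE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?:\.\.\\)?"
    r"(?P<iface>\{[0-9A-F-]+\}|Parameters):\s*"
    r"(?P<name>DhcpNameServer|NameServer)=(?P<servers>.*)$",
    re.IGNORECASE,
)
SEARCH_LINE = re.compile(r"^DNS Server Search Order:\s*(\S+)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dns_block(text):
    """Return ({(control_set, interface): [servers]}, [adapter search order])."""
    per_iface = {}
    search_order = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            servers = [s.strip(",") for s in m.group("servers").split() if s.strip(",")]
            per_iface[(m.group("cs").upper(), m.group("iface").upper())] = servers
            continue
        m = SEARCH_LINE.match(line)
        if m:
            search_order.append(m.group(1))
    return per_iface, search_order


def audit_dns(text, expected):
    """Return findings as (kind, control_set(s), interface, detail) tuples.

    expected: IPs or CIDR networks you trust as resolvers (assumed input, e.g. the
    resolvers shown in your router's DHCP lease). Anything else is reported, with
    RFC 1918 addresses tagged separately since they are usually the router itself.
    """
    trusted = [ipaddress.ip_network(e, strict=False) for e in expected]
    per_iface, _ = parse_dns_block(text)
    findings = []

    for (cs, iface), servers in per_iface.items():
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append(("malformed", cs, iface, s))
                continue
            if any(ip in n for n in trusted):
                continue
            kind = "rfc1918-resolver" if any(ip in n for n in RFC1918) else "unexpected-resolver"
            findings.append((kind, cs, iface, s))

    # Same adapter GUID, different resolver sets in different ControlSets.
    by_iface = defaultdict(dict)
    for (cs, iface), servers in per_iface.items():
        by_iface[iface][cs] = tuple(servers)
    for iface, sets in by_iface.items():
        if len(set(sets.values())) > 1:
            detail = " | ".join(f"{cs}={' '.join(v)}" for cs, v in sorted(sets.items()))
            findings.append(("controlset-drift", ",".join(sorted(sets)), iface, detail))
    return findings


if __name__ == "__main__":
    # Assumed trusted set for the sample: the 66.218.44.0/24 resolvers the sample adapter uses.
    for f in audit_dns(SAMPLE_LOG, ["66.218.44.0/24"]):
        print("%-20s %-12s %-40s %s" % f)
```

Run it against a real log by pasting the "DNS Before Fix" block into `SAMPLE_LOG` (or reading the file) and replacing the expected set with your own resolvers; a clean result is an empty findings list, and any `unexpected-resolver` or `controlset-drift` line is worth checking against the router before declaring the DNS path clean.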

#10 boopme
  • Global Moderator
Posted 10 May 2009 - 09:49 PM

Good!! Let's do the MBAM thingy one more time.

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 Android Man
  • Topic Starter
  • Members

Posted 10 May 2009 - 11:50 PM

Here you go:



Malwarebytes' Anti-Malware 1.36
Database version: 2106
Windows 5.1.2600 Service Pack 2

5/10/2009 9:36:27 PM
mbam-log-2009-05-10 (21-36-27).txt

Scan type: Quick Scan
Objects scanned: 97361
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 boopme
  • Global Moderator

Posted 11 May 2009 - 10:33 AM

Looks good!.. I like the Comodo free firewall. It takes some getting used to but I like it. Find it here on the BC Freeware list..

http://www.bleepingcomputer.com/forums/topic3616.html ... then go to page 16, and see the install note in posts 229, 230.


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

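The restore-point procedure in the post above is given as GUI steps because the original poster is on Windows XP, which has no PowerShell by default and stores restore points in its own `System Volume Information\_restore` structure. On Windows Vista, 7 and later, where restore points are Volume Shadow Copies, the same two steps (create a clean point, then drop every older one) can be scripted. The script below is an added example, not from the thread and not a Microsoft-provided tool; it assumes an elevated Windows PowerShell prompt, System Restore enabled on C:, and that every shadow copy on C: is a restore point you are willing to discard (any custom VSS snapshots on that volume would go too). The description string is an assumed label.

```powershell
# Added example: "create a new restore point, then delete all but the most recent"
# for Vista/7+ (VSS-based System Restore). Run elevated. Not applicable to XP.

$Drive       = 'C:'
$Description = 'Post-malware-cleanup clean baseline'   # assumed label

# 1. Create the new, clean restore point (System Restore > Create a Restore Point).
Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

# 2. Verify the point exists before deleting anything. If creation was skipped
#    (System Restore disabled, or the once-per-24h throttle on Windows 8+),
#    stop here rather than leaving the machine with no restore point at all.
$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $newest -or $newest.Description -ne $Description) {
    throw "New restore point was not created; leaving older points untouched."
}
Write-Host ("Created restore point #{0}: {1}" -f $newest.SequenceNumber, $newest.Description)

# 3. Count the shadow copies on the drive, then remove all but the newest one
#    (Disk Cleanup > More Options > System Restore > Clean up does the same).
#    vssadmin's /Oldest switch removes exactly one copy per call, so loop.
$volume  = Get-WmiObject Win32_Volume -Filter "DriveLetter = '$Drive'"
$shadows = @(Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volume.DeviceID })
$toDelete = $shadows.Count - 1
Write-Host ("{0} shadow copies on {1}; deleting {2} older one(s)" -f $shadows.Count, $Drive, [Math]::Max($toDelete, 0))
for ($i = 0; $i -lt $toDelete; $i++) {
    & vssadmin.exe Delete Shadows /For=$Drive /Oldest /Quiet | Out-Null
}

# 4. Show what is left: the clean baseline should be the only restore point.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

The ordering matters: the new point is created and confirmed first, so a failure in step 1 never leaves you with zero restore points, and the old points (which may hold renamed copies of the removed malware) are only discarded once a known-clean fallback exists.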
#13 Android Man
  • Topic Starter
  • Members

Posted 11 May 2009 - 05:13 PM

All done! Thanks for the help!!!

#14 boopme
  • Global Moderator

Posted 11 May 2009 - 08:43 PM

You're most welcome. Please take a moment to read quietman7's excellent prevention tips in post 17 here:
Click>>Tips to protect yourself against malware and reduce the potential for re-infection