computer crashed, mozilla won't launch


14 replies to this topic

#1 jerame

Posted 13 June 2009 - 01:05 PM

Hi everybody,

My wife clicked on a link that was sent to her via Facebook, and then our computer crashed immediately afterwards. Back on Facebook, all of her friends have reported the same problem after having received the same message/link. Now our browser of choice, Mozilla, won't launch; Spybot supposedly fixed 105 new issues, but the system is still freezing, crashing, misbehaving. My wife mentioned an ad popping up stating that she was infected etc., so she conducted a system restore to a previous checkpoint... The ad seems to be gone, but there's still a problem, and it's beyond my knowledge. Any ideas?

#2 possumbarnes

Posted 13 June 2009 - 01:26 PM

The first thing you'll want to do is download Malwarebytes' Anti-Malware (use Internet Explorer if you have to) and run a scan. After we make sure your computer is cleaned, you'll probably have to uninstall Firefox thoroughly (using Revo Uninstaller or some other removal tool) and reinstall it from scratch.
But first, follow these instructions on using MBAM:

Please download Malwarebytes Anti-Malware and save it to your desktop from here.

Double-click on mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When the installation has finished, leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Click the Finish button.

MBAM should start and you will be asked to update the program before performing a scan.

From the scanner tab, select a QUICK SCAN and click the Scan button.

After the scan finishes, click on the Show Results button to see a list of any malware that was found. Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad. This log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the entire contents of that report in your next post.

MBAM may tell you to reboot your computer to complete the process. If so, then reboot and post the contents of the log afterwards.
What's more irrational--a guy who believes in a God he cannot see or a guy who is offended by a God he doesn't believe in?

#3 jerame

Posted 18 June 2009 - 11:54 PM

Okay, there were three logs under the Log tab in Malware:

Malwarebytes' Anti-Malware 1.05
Database version: 405

Scan type: Quick Scan
Objects scanned: 42480
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 47
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 8
Files Infected: 57

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\xxyyaay.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\awvvw.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jiwtebut.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\omabwklt.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{07c7156e-d651-4acc-9ad3-498c916e9651} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07c7156e-d651-4acc-9ad3-498c916e9651} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyaay (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4cfa141e-a2de-4a9c-bdcb-1811fe014020} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4cfa141e-a2de-4a9c-bdcb-1811fe014020} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jiwtebut (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{64130be8-2b67-4a65-9ca5-1cc6948c1471} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4e54d728-1fa3-4125-b468-c8b43c123e65} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videomp3.mp3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5de176a4-b5ff-4d50-b084-e047526b8e97} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{5de176a4-b5ff-4d50-b084-e047526b8e97} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mscontrolservice (Trojan.Zapchast) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mscontrolservice (Trojan.Zapchast) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mscontrolservice (Trojan.Zapchast) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\IEDefender (Rogue.IE.Defender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{07c7156e-d651-4acc-9ad3-498c916e9651} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\AdwareAlert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awvvw.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awvvw.dll -> Delete on reboot.

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\data (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\xxyyaay.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awvvw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvvwa.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvvwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jiwtebut.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jiwtebut.dllbox (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kitfrjry.dllbox (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\omabwklt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tlkwbamo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uftuajkp.dllbox (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\VideoMP3.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (BackDoor.Ntrootkit) -> Delete on reboot.
C:\WINDOWS\system32\BRAVIAX(1).INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BRAVIAX(2).INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BRAVIAX(3).INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BRAVIAX(4).INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BRAVIAX.INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\users32.dat (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\windows (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (BackDoor.Ntrootkit) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\arbfikac.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\qrwkjyd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\qsdjpwpb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\wpohl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melissa Quaranto\Local Settings\Temp\uninst.exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Local Settings\Temp\uninst.exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Local Settings\Temp\~DFA25B.tmp (Malware.trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Local Settings\Temporary Internet Files\Content.IE5\Y7UH51J4\Installer[1].exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\htmlayout.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\install.exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\pthreadVC2.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\un.ico (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\unzip32.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\WinReanimator.cfg (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\WinReanimator.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\WinReanimator.exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\data\daily.cvd (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Application Data\AdwareAlert\Log\2008 Feb 23 - 01_55_51 AM_500.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Application Data\AdwareAlert\Log\2008 Feb 23 - 01_56_16 AM_812.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melissa Quaranto\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerame Farnum\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer.EXE.Z-missing.txt (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

here's the second:

Malwarebytes' Anti-Malware 1.38
Database version: 2307
Windows 5.1.2600 Service Pack 3

6/18/2009 9:20:42 PM
mbam-log-2009-06-18 (21-20-42).txt

Scan type: Quick Scan
Objects scanned: 122705
Time elapsed: 18 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07c7156e-d651-4acc-9ad3-498c916e9651} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5de176a4-b5ff-4d50-b084-e047526b8e97} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

and the third:

Malwarebytes' Anti-Malware 1.05
Database version: 405

Scan type: Quick Scan
Objects scanned: 34978
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Adware.Search Toolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Adware.Search Toolbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\AdwareAlert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winsrc.dll (Adware.Search Toolbar) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer.EXE.Z-missing.txt (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 possumbarnes

Posted 19 June 2009 - 07:02 AM

The first and last logs you posted are both from a very old version of MBAM. They don't have dates on them, so they don't tell me when the scans were run. The second log is from the latest version of MBAM with the most up-to-date definitions.

Open MBAM again, click the Update tab at the top and update the program. Then, run a complete scan and post the log. That way we can compare that log to the second log posted above.
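Added example, not code from this thread or from Malwarebytes: a parser for the MBAM log layout pasted in #3 that does programmatically what the reply above does by eye. It reads the version and database header, compares each section's declared count with the items actually listed (which exposes that the second log in #3 declares 14 registry keys and 11 files yet shows 10 keys and no files, so it was pasted incomplete), and collects everything deferred to "Delete on reboot". The sample log is constructed, with placeholder paths and CLSID.

```python
"""Added example for this thread, not Malwarebytes code: parse an MBAM text
log, cross-check its summary counts and pull out "Delete on reboot" items."""
import re
from collections import Counter

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
# "Registry Keys Infected: 47" is a summary line; the same text without a
# number opens that section's listing.
SECTION_RE = re.compile(r"^(%s) Infected:\s*(\d+)?\s*$" % "|".join(SECTIONS))
# "<path> (<detection>) -> <action>."  Paths may contain parentheses (see
# BRAVIAX(1).INFECTED above), so the detection is the last "(...)" before "->".
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return header fields, declared per-section counts and listed items."""
    log = {"header": {}, "declared": {}, "items": {s: [] for s in SECTIONS}}
    current = None                      # section whose listing we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None              # a blank line closes a listing
            continue
        m = SECTION_RE.match(line)
        if m:
            name, count = m.groups()
            if count is None:
                current = name
            else:
                log["declared"][name] = int(count)
            continue
        if current is not None:
            m = ITEM_RE.match(line)     # "(No malicious items detected)" skips
            if m:
                item = {"path": m.group("path"), "family": m.group("family")}
                # registry data items read "Data: <value> -> <action>";
                # the action is always the last arrow-separated part
                item["action"] = m.group("rest").split(" -> ")[-1]
                log["items"][current].append(item)
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            log["header"]["version"] = line.rsplit(" ", 1)[1]
            continue
        key, sep, value = line.partition(": ")
        if sep:                         # "Database version: 2307" and similar
            log["header"][key] = value
    return log


def check_log(log):
    """Flag sections whose summary count disagrees with the items listed (in a
    pasted log that usually means it was cut short), list items that were only
    scheduled for deletion on reboot, and count detections per family."""
    problems = []
    for name in SECTIONS:
        declared = log["declared"].get(name)
        listed = len(log["items"][name])
        if declared is not None and declared != listed:
            problems.append("%s Infected: summary says %d, but %d listed"
                            % (name, declared, listed))
    all_items = [i for s in SECTIONS for i in log["items"][s]]
    pending = [i["path"] for i in all_items if i["action"] == "Delete on reboot"]
    families = Counter(i["family"] for i in all_items)
    return problems, pending, families


# Constructed sample in the layout of the logs posted in this thread; the
# Files section is deliberately one line short of its declared count.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2307

Registry Keys Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\ExampleRogue (Rogue.Example) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\example1.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\example1.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\EXAMPLE(1).INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    problems, pending, families = check_log(parsed)
    print("\n".join(["WARNING: " + p for p in problems] +
                    ["Pending reboot: " + p for p in pending]), dict(families))
```

Run it against a real pasted log by passing the file's text to parse_mbam_log; a non-empty problems list means ask the poster for the complete log before reading anything into the counts.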

#5 jerame

Posted 19 June 2009 - 10:52 PM

Weird. I updated, here's the log:

Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 3

6/19/2009 8:46:59 PM
mbam-log-2009-06-19 (20-46-59).txt

Scan type: Quick Scan
Objects scanned: 123371
Time elapsed: 18 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I tried launching Firefox, but it was a no-go.

#6 possumbarnes

Posted 20 June 2009 - 10:02 PM

Now our browser of choice, Mozilla, won't launch; Spybot supposedly fixed 105 new issues, but the system is still freezing, crashing, misbehaving. My wife mentioned an ad popping up stating that she was infected etc., so she conducted a system restore to a previous checkpoint... The ad seems to be gone, but there's still a problem, and it's beyond my knowledge. Any ideas?

Is the whole system still acting up or is it just Firefox not starting?

If Firefox is the only issue, go here and follow the instructions for creating a new profile in Firefox. Then, when launching Firefox, use that profile and see if the problem persists. If the problem remains, you will need to uninstall Firefox completely and reinstall it from scratch. If the problem goes away, then you can move your bookmarks and stuff over from the first profile to the new profile and use that profile from now on.

#7 Orange Blossom

Posted 20 June 2009 - 10:20 PM

Hello jerame,

System restore, as you can see, will not remove the infection.

Were those MBAM logs created before or after the system restore?

Please wait for someone more knowledgeable than I to assist you.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 21 June 2009 - 02:10 PM.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#8 possumbarnes

Posted 21 June 2009 - 01:59 PM

Jerame,
It looks to me like your last MBAM scan has come up clean. I was giving you suggestions on trying to get Firefox up and running. After that, I was going to suggest you download and run a SuperAntiSpyware scan to see what it finds. I was also going to suggest that you clear out all the system restore points once everything is cleaned so that no infections will return due to system restore.

Edited by Orange Blossom, 21 June 2009 - 02:03 PM.
Remove unnecessary quote and unnecessary comment. ~ OB

#9 boopme

Posted 21 June 2009 - 02:12 PM

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER:
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#10 jerame

Posted 21 June 2009 - 05:18 PM

Thanks for all of your help!

I think my wife had a friend from work "fix" her laptop last year, using malware, then uninstalled it. It was not currently installed when I started posting here. I'm sure that's where the logs came from.

I went to add/remove programs in an effort to uninstall firefox, but when I click 'remove' nothing happens.

I downloaded SUPER, updated it, went into safe mode (HijackThis was on the desktop in safe mode, btw) and started a complete scan. It got to about 6,000 registry items, scanning system32, then shut itself off, like somebody pulled the plug.

I'll try it again.

Edit: I did not run ATF first, arghhh! Sorry, will try again.

Edit: I ran ATF and did a scan with SUPER; here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/21/2009 at 05:46 PM

Application Version : 4.26.1004

Core Rules Database Version : 3949
Trace Rules Database Version: 1891

Scan type : Complete Scan
Total Scan Time : 01:34:49

Memory items scanned : 383
Memory threats detected : 0
Registry items scanned : 6174
Registry threats detected : 0
File items scanned : 113141
File threats detected : 2

Trojan.Agent/Gen-MSFake
C:\PROGRAM FILES\COMMON FILES\ADOBE\UPDATER\MSVCRT.DLL
C:\WINDOWS\$NTSERVICEPACKUNINSTALL$\MSVCRT.DLL

Edited by jerame, 21 June 2009 - 08:07 PM.


#11 boopme

Posted 21 June 2009 - 09:18 PM

Run one more scan. Is it running well now?

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#12 jerame

Posted 21 June 2009 - 10:45 PM

After having done these few steps, my computer is running much better, thank you. But I am still unable to launch Mozilla, or uninstall it. Also, I'm being prompted to activate my Windows Firewall, and I've tried to, but the check box is not available to be selected. I chose to restore the Windows Firewall defaults thinking that it would come on, but no.

Malwarebytes' Anti-Malware 1.38
Database version: 2320
Windows 5.1.2600 Service Pack 3

6/21/2009 8:29:48 PM
mbam-log-2009-06-21 (20-29-48).txt

Scan type: Quick Scan
Objects scanned: 103480
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 boopme

Posted 22 June 2009 - 10:28 PM

Go to your Windows Start button and type this in the Run box: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode

It starts Firefox in safe mode and gives you the option to disable and change things. Disable all the add-ons. See if there is an uninstall option there.

EDIT:
What message do you get when you try to activate?

Edited by boopme, 22 June 2009 - 10:31 PM.

#14 jerame

Posted 02 July 2009 - 10:40 PM

I tried launching Mozilla in safe mode by going to Run, and something weird happens. An application opens that consists of nothing but a grey bar and an "x" button to close it. I don't get it.

#15 boopme

Posted 03 July 2009 - 08:25 PM

Drat! We will need for you to run HJT/DDS.
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal. Click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.