
Browser Redirected, Other Fixes have not Helped.


11 replies to this topic

#1 BLM73

BLM73

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 04 August 2009 - 06:45 PM

Hi Everyone, here's the most thorough description I can offer as to what exactly is going on with my computer.

Key Issues:

1. The Browser is Hijacked for Sure (ex. search for Hamburger at Google, search results display). Upon clicking a link in the search results, you are redirected to some bogus search site, or some random shopping thing, Woman's Day Magazine or some such thing. The redirect is SLOW; if you click Back in your browser it will stop it, at which point you can re-click the link and you'll go where you wanted to be.

2. When I was first infected the computer would all of a sudden at random, no windows open or nothing, just start playing sounds, was never really able to tell what they were, but it sounded to be parts of TV shows, Commercials, or maybe Radio Ads. I could track this down in Task Manager > Processes, and stop this (In Task Manager, to the best of my memory, these always seemed to be a.exe, b.exe, c.exe, etc), eventually it went away completely for the most part, though the comp still makes random clicks and such, as if web pages were being opened, though I'm not using the internet at all of those times.

3. Tells me via pop-up periodically that my comp is currently being run in Unsafe Mode (There's at least 1 typo in this pop-up, and its Publisher is Microsoft Windows, not Microsoft Corporation, so I have never allowed the install it wants to run)

4. Performance is getting increasingly worse, locking up, strange lag spiking, freezing on reboot

5. Tells me my Wireless connection is Acquiring Network Address (it's connected obviously)

What I've Tried so Far - And Associated Results

1. ESET NOD32 - Runs, says Operating Memory Win32/Rootkit.Agent.ODG Trojan unable to clean

i. I did try to run ESET NOD32 in Safe Mode (had to force Safe Mode with BOOT.INI in msconfig lol, F8, Tab, Esc, nothing would give me the option of how to start, only choose boot device), it ran, though I can't really tell what if anything it did - None of the others will even run.

2. HiJack This - Downloaded, Won't Launch

3. MalwareBytes - Downloaded, Won't Launch, also triggers the "Windows Explorer has experienced an unexpected error and must close" and DrWatson's Postmortem Debugger windows

4. RootRepeal - Causes BSOD on scan every time; additionally, when I launch the program I have to clear 5 or so warning messages about not being able to access the Boot Sector, change something in Options

5. Super Anti-Spyware - Downloaded, Won't Launch

I really don't know what to do, I'm in school, I don't trust using my Thumb-drives, I don't even have the Windows XP Pro CD any more, maybe can afford new ones. Additionally, I'm sure I need some sort of files on a Floppy if I'm going to even let the hard drive know it's a hard drive after formatting and trying to reinstall Windows. Any help would be greatly appreciated. I know how to get in the registry, but I don't know what I'd be looking for, nor can I get anything to run that might tell me, it's very frustrating.

Edited by BLM73, 04 August 2009 - 06:54 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:12 AM

Posted 04 August 2009 - 07:11 PM

Hello, let's try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Please download and run Process Explorer

Under File > Save As, create a log.
Copy and paste that log into your next reply.

Edited by boopme, 04 August 2009 - 07:16 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 BLM73

BLM73
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 04 August 2009 - 11:51 PM

Hey, thanks so much thus far - this is a lot more progress than I've made on my own.

MBAM Log

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/5/2009 12:30:11 AM
mbam-log-2009-08-05 (00-30-11).txt

Scan type: Quick Scan
Objects scanned: 87302
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{73364d99-1240-4dff-b12a-67e448373148} (Spyware.Bzub) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> Delete on reboot.
_____________

Process Explorer Log

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 424 Windows NT Session Manager Microsoft Corporation
csrss.exe 472 Client Server Runtime Process Microsoft Corporation
winlogon.exe 512 Windows NT Logon Application Microsoft Corporation
services.exe 556 Services and Controller app Microsoft Corporation
ati2evxx.exe 716 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 728 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 800 Generic Host Process for Win32 Services Microsoft Corporation
MsMpEng.exe 896 Service Executable Microsoft Corporation
svchost.exe 940 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 3432 Windows Security Center Notification App Microsoft Corporation
wuauclt.exe 352 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 1072 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1144 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1316 Spooler SubSystem App Microsoft Corporation
svchost.exe 1396 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 1468 Apple Mobile Device Service Apple Inc.
ATKKBService.exe 1548 ASUS Keyboard Service ASUSTeK COMPUTER INC.
mDNSResponder.exe 1564 Bonjour Service Apple Inc.
ekrn.exe 1608 ESET Service ESET
sdhelp.exe 1824 PC Tools Research Pty Ltd
ventrilo_svc.exe 1952
ventrilo_srv.exe 1988
WLService.exe 2008 WLService GEMTEKS
WUSB54GC.exe 216 Linksys
alg.exe 1112 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 2976 iPodService Module Apple Inc.
svchost.exe 3616 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 568 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1000 ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 364 1.54 Windows Explorer Microsoft Corporation
ULi5287.exe 2060 ULiRAID Application
RTHDCPL.EXE 2076 Realtek HD Audio Control Panel Realtek Semiconductor Corp.
tgcmd.exe 2092 Support.com Scheduler and Command Dispatcher SupportSoft, Inc.
MSASCui.exe 2116 Windows Defender User Interface Microsoft Corporation
jusched.exe 2132 Java™ Platform SE binary Sun Microsystems, Inc.
realsched.exe 2144 RealNetworks Scheduler RealNetworks, Inc.
iTunesHelper.exe 2188 iTunesHelper Module Apple Inc.
egui.exe 2200 ESET GUI ESET
swdoctor.exe 2216 Spyware Doctor PC Tools Research Pty Ltd
ctfmon.exe 2244 CTF Loader Microsoft Corporation
iexplore.exe 3880 Internet Explorer Microsoft Corporation
iexplore.exe 2808 Internet Explorer Microsoft Corporation
iexplore.exe 2660 Internet Explorer Microsoft Corporation
winace.exe 3340 WinAce Archiver v2.69 e-merge GmbH
procexp.exe 692 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
MOM.exe 2124 Catalyst Control Center: Monitoring program Advanced Micro Devices Inc.
CCC.exe 2684 Catalyst Control Centre: Host application ATI Technologies Inc.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:12 AM

Posted 05 August 2009 - 09:52 AM

Yes, this is good. I see a way through this; there is a rootkit.
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all six boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 BLM73

BLM73
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 11 August 2009 - 03:07 PM

As mentioned in my original post, I can't run RootRepeal; it gives me the Blue Screen almost immediately after I click Scan. This Virus does not want to go away nicely :thumbsup:

Any help is appreciated.

Edited by BLM73, 11 August 2009 - 03:07 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:12 AM

Posted 11 August 2009 - 04:04 PM

OK, I thought I saw the rootkit piece being removed by MBAM after a reboot, so I thought we were good to go.

Can we update and run MBAM again?

Also try this Rootkit scanner.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (e.g. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#7 BLM73

BLM73
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 12 August 2009 - 03:12 PM

Lot of Cutting and Pasting here, but this is what Sophos found, it is not recommended that I remove any of it. Additionally, the one listed at the bottom of the MBAM (above post) log that says it will be removed on reboot, is never actually removed.

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_LOCAL_MACHINE\SOFTWARE\ESQUL
Removable: No
Notes: (no more detail available)

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ESQULserv.sys
Removable: No
Notes: (no more detail available)

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ESQULserv.sys
Removable: No
Notes: (no more detail available)

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006102320061030
Removable: No
Notes: (no more detail available)

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006110520061106
Removable: No
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\ESQULzcounter
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Avenger\ESQULzcounter-ren-189
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Documents and Settings\Brian Martin\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Documents and Settings\Brian Martin\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\drivers\ESQULslqdjcgwapjqyvbmwfkriqvisiwpjlwk.sys
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\ESQULexivlufmhiosfhdtplbtbvqohashptdh.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\ESQULwrwutyfogcobnauilpvklhwcdgytrbgo.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Avenger\ESQULzcounter
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PEFKTAJ\AAAAAIAAwAAAAAA6AhediIBAAAAAQAAAGNjYmQzNTZjLTcwMDEtMTFkZS1iNzc5LTAwMWNjNGE1N2NjZQAAAAAAAAA=YXA-AA==,,http%3A%2F%2Fbollywoodhungama[1].com%2F,;ord=1247526389
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
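As an added example (not code from the thread or from either tool), the script below parses the sarscan.log record layout shown in this post and the MBAM detection-line format from post #3, groups the hidden items by shared name prefix, flags members that sit in system32, drivers or Services, and reports any MBAM "Delete on reboot" entry that Sophos still finds hidden afterwards. The embedded log text is a constructed subset of the records above, with the user name replaced by a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample (a subset of the records posted above, user name replaced by a
# placeholder): Sophos Anti-Rootkit's sarscan.log layout plus an MBAM "Files Infected" line.
SARSCAN_LOG = """\
Area: Windows registry
Description: Hidden registry key
Location: \\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\ESQULserv.sys
Removable: No
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\\WINDOWS\\system32\\ESQULzcounter
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\\WINDOWS\\system32\\drivers\\ESQULslqdjcgwapjqyvbmwfkriqvisiwpjlwk.sys
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\\Documents and Settings\\PLACEHOLDER_USER\\Application Data\\SecuROM\\UserData\\abc
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
"""

MBAM_LOG = """\
Files Infected:
C:\\WINDOWS\\system32\\ESQULzcounter (Trojan.Agent) -> Delete on reboot.
"""

# One MBAM detection line: "<path> (<detection>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Leading run of four or more capitals in a name; the related hidden items in this thread all start with "ESQUL".
NAME_PREFIX = re.compile(r"^[A-Z]{4,}")
# A hidden item here is a driver/service concern rather than a DRM or cache leftover.
SYSTEM_AREAS = ("\\system32\\", "\\drivers\\", "\\services\\")


def parse_sarscan(text):
    """Split sarscan.log into one dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records


def parse_mbam_items(text):
    """Return (path, detection, action) for every MBAM detection line."""
    items = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            items.append((m["path"], m["detection"], m["action"]))
    return items


def prefix_clusters(records, min_members=2):
    """Group hidden items whose file or key names share a leading capital-letter run."""
    groups = defaultdict(list)
    for rec in records:
        name = rec.get("Location", "").rstrip("\\").rsplit("\\", 1)[-1]
        m = NAME_PREFIX.match(name)
        if m:
            groups[m.group(0)].append(rec["Location"])
    return {p: locs for p, locs in groups.items() if len(locs) >= min_members}


def triage(sarscan_text, mbam_text):
    """Cluster hidden items, flag those in system areas, catch MBAM deletions that never happened."""
    records = parse_sarscan(sarscan_text)
    clusters = prefix_clusters(records)
    hidden = {rec["Location"].lower() for rec in records if "Location" in rec}
    flagged = sorted(loc for locs in clusters.values() for loc in locs
                     if any(area in loc.lower() for area in SYSTEM_AREAS))
    # The thread's key observation: MBAM reported "Delete on reboot" for a file that
    # Sophos still lists as hidden afterwards, so the deletion did not actually happen.
    pending = [path for path, _, action in parse_mbam_items(mbam_text)
               if action.lower().startswith("delete on reboot") and path.lower() in hidden]
    return {"clusters": clusters, "flagged": flagged, "still_present": pending}
```

Calling triage(SARSCAN_LOG, MBAM_LOG) on the sample returns one ESQUL cluster of three items, all in system areas, and lists ESQULzcounter as the file MBAM never actually removed; the SecuROM entry shares no prefix and is left for manual review.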

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:12 AM

Posted 12 August 2009 - 03:17 PM

Hello, rerun Sophos and have it remove this:
C:\WINDOWS\system32\drivers\ESQULslqdjcgwapjqyvbmwfkriqvisiwpjlwk.sys
Reboot to normal mode.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#9 BLM73

BLM73
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 12 August 2009 - 10:03 PM

Feels like Progress again, thanks so much Boopme. Here's the new MBAM Log after deleting the one you asked me to, and rerunning MBAM, which found 2 more.

Malwarebytes' Anti-Malware 1.40
Database version: 2614
Windows 5.1.2600 Service Pack 3

8/12/2009 10:55:45 PM
mbam-log-2009-08-12 (22-55-45).txt

Scan type: Quick Scan
Objects scanned: 86116
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ESQULexivlufmhiosfhdtplbtbvqohashptdh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:12 AM

Posted 12 August 2009 - 10:48 PM

OK, good. The TDSS is a password and credit card stealer. If you do financials on here I would change them.

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#11 BLM73

BLM73
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 13 August 2009 - 10:38 AM

Seems like that fixed it man!

Browser is working normally again, I haven't seen what I believe was a fake Microsoft pop-up to install additional software. For the most part everything's great. Comp seems a little slower than it used to be, but I can't really complain about that, and can work on that problem on my own. Only other thing is that certain applications are causing the 'Windows Explorer has experienced an error and needs to close' pop-up. Computer doesn't crash or lock up though, just flashes and goes back to the Desktop, or sometimes I have to go into Task Manager to shut down a Not Responding Application.

Dunno how you knew which file to tell me to allow Sophos to remove Boopme, but you were on apparently, with that gone I had no problems whatsoever running SAS, MBAM, ESET NOD32, other than minor things listed above, everything works like normal now it seems.

Here's the log from the last SAS I ran.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/13/2009 at 09:27 AM

Application Version : 4.27.1002

Core Rules Database Version : 4054
Trace Rules Database Version: 1994

Scan type : Complete Scan
Total Scan Time : 00:30:20

Memory items scanned : 231
Memory threats detected : 0
Registry items scanned : 5251
Registry threats detected : 2
File items scanned : 47131
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Brian Martin\Cookies\brian_martin@ad2.yieldmanager[2].txt
C:\Documents and Settings\Brian Martin\Cookies\brian_martin@iacas.adbureau[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@yellowlinebanner[1].txt

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare

Malware.AntiVermins
C:\Program Files\AntiVermins\AntiVermins.url
C:\Program Files\AntiVermins\av.dat
C:\Program Files\AntiVermins\blacklist.txt
C:\Program Files\AntiVermins\ignored.lst
C:\Program Files\AntiVermins

It said it cleaned them all. If you have any questions, or would like to see logs from me let me know. I'd be happy to help.

Thank you very much,
BLM73

Edited by BLM73, 13 August 2009 - 11:41 AM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:12 AM

Posted 13 August 2009 - 04:24 PM

OK, great! This looks good.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.