Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Total Security 2009 - Browser Bug!


  • Please log in to reply
11 replies to this topic

#1 andy_is_awesome

andy_is_awesome

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 22 September 2009 - 05:35 PM

I got the Total Security 2009 malware.

Fortunately I was able to get to safe mode (windows XP by the way) and remove it with a combination of an expired free trial version of window's live one care and MBAM.

The bad news... they did not get it all! (they deleted about 24 infected files).

So, here is the bug that is still evading me.
Part 1.) I cannot access the google web page. When I put www.google.com in the url window on internet exporer 7 or foxfire, I get an error "cannot access the server where this page is located" or "the server where this page is located is timed out". Ocassionally get "web address invalid" and in the URL field I see it changed to http:/// so what's going on? I know google didn't disapper, because I can access google on my other computer (sitting right next to this one) just fine. And my browser will visit any other URL I put in just fine (Yahoo, Ask, Dogpile). Also not getting www.bing.com. I also can't link to the pages either. I searched google on dogpile and got a link, but when I click the link the browser can't find it.

Part 2.) I cannot do a Yahoo search. When I search anything on yahoo I get a error message (most usually about a connection problem with an offer to diagnose which when done it says there is not connection problem). I downloaded internet explorer 8 and even Safari. They cannot find google or do yahoo searches either.

So, before I have to backup all files and restore my operating system...
Is there anybody that can tell me where this bug is hiding? And how to dig it out?

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:33 AM

Posted 22 September 2009 - 09:14 PM

Hello,please post your infected malwarebytes log. so we can see what we were dealing with.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 andy_is_awesome

andy_is_awesome
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 23 September 2009 - 09:02 PM

The first Scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2830
Windows 5.1.2600 Service Pack 3

9/20/2009 2:00:52 AM
mbam-log-2009-09-20 (02-00-52).txt

Scan type: Quick Scan
Objects scanned: 106024
Time elapsed: 15 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{7314ed99-8643-4e82-a4f8-5e9f4dec14be} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{68babd09-3464-499c-ae1d-93bef03ee163} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7f4e61f2-76ac-4083-9179-ac7553189b81} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7a1c7250-8e63-490a-b375-4954608f07e0} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19733434 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\19733434 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Start Menu\Programs\Total Security (Rogue.TotalSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Start Menu\Programs\Total Security\Total Security 2009.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VolumeControl.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Local Settings\Temp\csrss8.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csrss8.dll (Trojan.Agent) -> Delete on reboot.


The second scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2830
Windows 5.1.2600 Service Pack 3

9/20/2009 9:04:26 AM
mbam-log-2009-09-20 (09-04-26).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 188412
Time elapsed: 1 hour(s), 27 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1637\A0061129.exe (Rogue.TotalSecurity) -> Delete on reboot.

#4 andy_is_awesome

andy_is_awesome
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 24 September 2009 - 06:33 PM

Then I ran ATF in safemode
Then I ran SAS in safemode

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/24/2009 at 03:55 PM

Application Version : 4.29.1002

Core Rules Database Version : 4123
Trace Rules Database Version: 2062

Scan type : Complete Scan
Total Scan Time : 00:35:18

Memory items scanned : 251
Memory threats detected : 0
Registry items scanned : 5905
Registry threats detected : 0
File items scanned : 23478
File threats detected : 0

#5 andy_is_awesome

andy_is_awesome
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 24 September 2009 - 06:40 PM

And here is what windows live one care did

9/21/2009 6:21 PM Virus and spyware scan was completed

Scanned Items: C:\
D:\

Scan Type: Complete Scan
Scan StartTime: 9/21/2009 5:00 PM
Scan EndTime: 9/21/2009 6:21 PM
Total Number of Files Scanned: 103067
Total Number of Files Not Scanned: 2
Total Number of Threats Found: 0
Total Number of Threats Cleaned: 0
Total Number of Threats Removed: 0
Total Number of Threats Quarantined: 0
Total Number of Threats Still Present But Suspended: 0


9/20/2009 9:04 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: VirTool:Win32/Obfuscator.FW
Detection Date and Time: 9/20/2009 9:03 AM
File Name: C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1637\A0061129.exe
Threat Severity: Severe
Threat Category: Tool
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Quarantined


9/20/2009 3:05 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: VirTool:Win32/Obfuscator.FW
Detection Date and Time: 9/20/2009 3:04 AM
File Name: C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1637\A0061129.exe
Threat Severity: Severe
Threat Category: Tool
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED)
Threat Status: Detected


9/20/2009 1:55 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:JS/FakeXPA
Detection Date and Time: 9/20/2009 1:54 AM
File Name: C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\0OFE2IJI\scan1[1].htm
Threat Severity: Severe
Threat Category: Trojan
Contained Object: (SCRIPT0000)
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Removed


9/20/2009 1:55 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:JS/FakeXPA
Detection Date and Time: 9/20/2009 1:54 AM
File Name: C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\0OFE2IJI\scan1[1].htm->(SCRIPT0000)
Threat Severity: Severe
Threat Category: Trojan
Contained Object: (SCRIPT0000)
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Removed


9/20/2009 1:54 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:JS/FakeXPA
Detection Date and Time: 9/20/2009 1:54 AM
File Name: C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\0OFE2IJI\scan1[1].htm->(SCRIPT0000)
Threat Severity: Severe
Threat Category: Trojan
Contained Object: (SCRIPT0000)
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED)
Threat Status: Detected


9/20/2009 1:54 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/AgentBypass.gen!A
Detection Date and Time: 9/20/2009 1:53 AM
File Name: C:\WINDOWS\Temp\27004.exe
Threat Severity: Severe
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Quarantined


9/20/2009 1:54 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/AgentBypass.gen!A
Detection Date and Time: 9/20/2009 1:53 AM
File Name: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST\\C:\WINDOWS\TEMP\27004.exe
Threat Severity: Severe
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Quarantined


9/20/2009 1:54 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/AgentBypass.gen!A
Detection Date and Time: 9/20/2009 1:53 AM
File Name: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST\\C:\WINDOWS\TEMP\27004.exe
Threat Severity: Severe
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Quarantined


9/20/2009 1:52 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/AgentBypass.gen!A
Detection Date and Time: 9/20/2009 1:52 AM
File Name: C:\WINDOWS\Temp\27004.exe
Threat Severity: Severe
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED)
Threat Status: Detected

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:33 AM

Posted 24 September 2009 - 07:05 PM

Well you look good are there any other signs of malware?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 andy_is_awesome

andy_is_awesome
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 28 September 2009 - 10:24 AM

Maybe.

The fact that my none of my browsers are working properly.
They don't find the url www.google.com
They won't perform a seach engine search on any of the major search engines.

I'm left to reason that either:
1.) There is still a piece of the virus left behind that is disabling my browser
2.) During the removal, my brower files were damaged.

I rule out situation 2 because I just downloaded internet explorer 8 from the microsoft website and it is having the same problem as my old IE7.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:33 AM

Posted 28 September 2009 - 11:52 AM

Ok ,must be a lurker in there. Let's run Drweb-cureit ,it will take more than an hour.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Edited by boopme, 28 September 2009 - 11:53 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 andy_is_awesome

andy_is_awesome
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 08 October 2009 - 07:54 AM

update.exe\data170;C:\Documents and Settings\Annie\Desktop\Desktop Folder\update.exe;Probably BACKDOOR.Trojan;;
update.exe;C:\Documents and Settings\Annie\Desktop\Desktop Folder;Archive contains infected objects;Moved.;
PopCapActiveXInstaller.exe;C:\Program Files;Program.PopcapLoader;Incurable.Moved.;
HLMPlay.exe;C:\Program Files\HOTLLAMA Media\Player;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0061178.exe;C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1640;Trojan.Fakealert.4811;Deleted.;
A0061209.exe;C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1641;Trojan.Fakealert.4811;Deleted.;
A0061536.exe;C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1644;Trojan.Fakealert.4811;Deleted.;
A0061915.exe\data170;C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1655\A0061915.exe;Probably BACKDOOR.Trojan;;
A0061915.exe;C:\System Volume Information\_restore{2E6CB426-BF14-48AF-84AA-AEE33C5E70A1}\RP1655;Archive contains infected objects;Moved.;

I forgot to uncheck "Heuristic analysis", but I ran the Dr Web Cure it in safe mode.

It Worked! All Browser problems are now resolved!
Thank you kind Sir! You're good at what you do!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:33 AM

Posted 08 October 2009 - 12:17 PM

Thanks andy, let's take another few minutes to be sure.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 andy_is_awesome

andy_is_awesome
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 25 October 2009 - 09:32 PM

MBAM ran in normal mode.
Found no malware


Malwarebytes' Anti-Malware 1.41
Database version: 3031
Windows 5.1.2600 Service Pack 3

10/25/2009 7:26:36 PM
mbam-log-2009-10-25 (19-26-36).txt

Scan type: Quick Scan
Objects scanned: 105482
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


For good measure I ran MBAM, Dr Web Cure it, and Super anti-spyware in normal and safemode. They found no malware or spyware.

But Super anti-spyware did find 64 adware.tracking cookies. What does that mean? Is there still some adware somewhere? Or am I clean and that is left over from before?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/25/2009 at 11:37 AM

Application Version : 4.29.1002

Core Rules Database Version : 4123
Trace Rules Database Version: 2062

Scan type : Complete Scan
Total Scan Time : 01:29:29

Memory items scanned : 213
Memory threats detected : 0
Registry items scanned : 5913
Registry threats detected : 0
File items scanned : 24786
File threats detected : 68

Adware.Tracking Cookie
C:\Documents and Settings\Annie\Cookies\annie@richmedia.yahoo[1].txt
C:\Documents and Settings\Annie\Cookies\annie@tacoda[1].txt
C:\Documents and Settings\Annie\Cookies\annie@content.yieldmanager[3].txt
C:\Documents and Settings\Annie\Cookies\annie@e-2dj6wjlociazwaq.stats.esomniture[1].txt
C:\Documents and Settings\Annie\Cookies\annie@insightexpressai[2].txt
C:\Documents and Settings\Annie\Cookies\annie@statcounter[1].txt
C:\Documents and Settings\Annie\Cookies\annie@hitbox[2].txt
C:\Documents and Settings\Annie\Cookies\annie@e-2dj6wjlocmdzmlq.stats.esomniture[2].txt
C:\Documents and Settings\Annie\Cookies\annie@2o7[1].txt
C:\Documents and Settings\Annie\Cookies\annie@nextag[2].txt
C:\Documents and Settings\Annie\Cookies\annie@imrworldwide[2].txt
C:\Documents and Settings\Annie\Cookies\annie@specificclick[2].txt
C:\Documents and Settings\Annie\Cookies\annie@bluestreak[2].txt
C:\Documents and Settings\Annie\Cookies\annie@tribalfusion[1].txt
C:\Documents and Settings\Annie\Cookies\annie@trafficmp[1].txt
C:\Documents and Settings\Annie\Cookies\annie@e-2dj6wjlywnc5kap.stats.esomniture[2].txt
C:\Documents and Settings\Annie\Cookies\annie@adserver.adtechus[1].txt
C:\Documents and Settings\Annie\Cookies\annie@bs.serving-sys[1].txt
C:\Documents and Settings\Annie\Cookies\annie@kontera[2].txt
C:\Documents and Settings\Annie\Cookies\annie@questionmarket[1].txt
C:\Documents and Settings\Annie\Cookies\annie@sitestat.mayoclinic[1].txt
C:\Documents and Settings\Annie\Cookies\annie@ad.yieldmanager[1].txt
C:\Documents and Settings\Annie\Cookies\annie@ads.us.e-planning[1].txt
C:\Documents and Settings\Annie\Cookies\annie@doubleclick[1].txt
C:\Documents and Settings\Annie\Cookies\annie@realmedia[1].txt
C:\Documents and Settings\Annie\Cookies\annie@perf.overture[1].txt
C:\Documents and Settings\Annie\Cookies\annie@burstnet[2].txt
C:\Documents and Settings\Annie\Cookies\annie@ads.nba[2].txt
C:\Documents and Settings\Annie\Cookies\annie@ads.as4x.tmcs.ticketmaster[2].txt
C:\Documents and Settings\Annie\Cookies\annie@overture[2].txt
C:\Documents and Settings\Annie\Cookies\annie@247realmedia[1].txt
C:\Documents and Settings\Annie\Cookies\annie@statse.webtrendslive[1].txt
C:\Documents and Settings\Annie\Cookies\annie@ads.bridgetrack[1].txt
C:\Documents and Settings\Annie\Cookies\annie@ehg-idgentertainment.hitbox[2].txt
C:\Documents and Settings\Annie\Cookies\annie@rambler[1].txt
C:\Documents and Settings\Annie\Cookies\annie@specificmedia[1].txt
C:\Documents and Settings\Annie\Cookies\annie@server.iad.liveperson[1].txt
C:\Documents and Settings\Annie\Cookies\annie@e-2dj6wdloagcjwdp.stats.esomniture[1].txt
C:\Documents and Settings\Annie\Cookies\annie@mediaplex[1].txt
C:\Documents and Settings\Annie\Cookies\annie@invitemedia[2].txt
C:\Documents and Settings\Annie\Cookies\annie@at.atwola[1].txt
C:\Documents and Settings\Annie\Cookies\annie@beacon.dmsinsights[2].txt
C:\Documents and Settings\Annie\Cookies\annie@adinterax[2].txt
C:\Documents and Settings\Annie\Cookies\annie@zedo[1].txt
C:\Documents and Settings\Annie\Cookies\annie@adbrite[2].txt
C:\Documents and Settings\Annie\Cookies\annie@revsci[1].txt
C:\Documents and Settings\Annie\Cookies\annie@edge.ru4[1].txt
C:\Documents and Settings\Annie\Cookies\annie@adecn[1].txt
C:\Documents and Settings\Annie\Cookies\annie@atdmt[2].txt
C:\Documents and Settings\Annie\Cookies\annie@content.yieldmanager[1].txt
C:\Documents and Settings\Annie\Cookies\annie@msnportal.112.2o7[1].txt
C:\Documents and Settings\Annie\Cookies\annie@fastclick[1].txt
C:\Documents and Settings\Annie\Cookies\annie@collective-media[1].txt
C:\Documents and Settings\Annie\Cookies\annie@advertising[2].txt
C:\Documents and Settings\Annie\Cookies\annie@apmebf[2].txt
C:\Documents and Settings\Annie\Cookies\annie@pointroll[2].txt
C:\Documents and Settings\Annie\Cookies\annie@www.burstnet[1].txt
C:\Documents and Settings\Annie\Cookies\annie@ads.undertone[1].txt
C:\Documents and Settings\Annie\Cookies\annie@interclick[1].txt
C:\Documents and Settings\Annie\Cookies\annie@atwola[1].txt
C:\Documents and Settings\Annie\Cookies\annie@cdn4.specificclick[1].txt
C:\Documents and Settings\Annie\Cookies\annie@a1.interclick[2].txt
C:\Documents and Settings\Annie\Cookies\annie@ads.nascar[1].txt
C:\Documents and Settings\Annie\Cookies\annie@ads.pointroll[2].txt
C:\Documents and Settings\Annie\Cookies\annie@serving-sys[1].txt
C:\Documents and Settings\Annie\Cookies\annie@adcentriconline[1].txt
C:\Documents and Settings\Annie\Cookies\annie@server.iad.liveperson[2].txt
C:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt

Edited by andy_is_awesome, 25 October 2009 - 09:34 PM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:33 AM

Posted 25 October 2009 - 10:06 PM

Ok this looks good. Did you run MBAM also in Safe as it is stronger in normal?
The PC is running well now correct?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users