
Remove Antivirus Pro


8 replies to this topic

#1 SJK

SJK

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 06 November 2009 - 06:42 PM

Ok, so I updated a friend's computer, their service pack, Yahoo Messenger and Internet Explorer (to IE 8) on Sunday. I had previously installed The Shield Deluxe 2009 on the system and since he had not run it, he wanted me to get it working for him. He has Vista on his Dell laptop; it is a 32-bit operating system.

One problem... when I was all done updating everything, The Shield Deluxe popped up and asked if I wanted to allow this program, and it looked like it could have been something from his computer, so like an idiot I believe I said 'allow'.

Well now he has this Antivirus Pro popping up and it also manages to open both porno.com and some viagra site whenever you are online. This virus inundates you with numerous pop-ups and tries to get you to scan the computer using this fake software, which is just a scam to get you to give them your credit card information.

So, how do I get rid of this problem? I had something similar happen to my old Dell desktop and I eventually got rid of it, but I cannot remember how I did it. Any help would be great! I know on my old desktop at one point The Shield Deluxe did pick up on this rogue virus and I was able to quarantine it, but I know I had to delete some files, which was a pain. Thank you.


#2 CoolCatBad

CoolCatBad

  • Members
  • 233 posts
  • OFFLINE
  • Local time:10:15 AM

Posted 06 November 2009 - 08:24 PM

http://www.bleepingcomputer.com/virus-remo...s-antivirus-pro

#3 SJK

SJK
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 06 November 2009 - 08:43 PM

I did the following on this:

http://www.bleepingcomputer.com/virus-remo...ivirus-pro-2009

I got through step 13... now the porno and viagra sites don't pop up, but the virus is still there.

I tried what the previous poster said and merged the registry, opened task manager and the windows antivirus is not listed under applications or processes. Any other ideas now? Do I have to now delete all the associated files one by one? Or should I start the computer in safe mode and try doing a virus scan that way?

Thanks.

I should add that when you open the fake virus software, it is called 'Antivirus System Pro' if that makes any difference.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:15 PM

Posted 06 November 2009 - 09:11 PM

Hello, I am moving this from Vista to Am I Infected.
Please post the Scan log for review.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 SJK

SJK
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 06 November 2009 - 09:42 PM

Well, I made the mistake of rebooting the computer after getting the log and now it's popping up the sites and tons of pop-ups again... here's the log; it took a few attempts to get it as it kept closing Notepad on me:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6000

11/6/2009 7:27:26 PM
mbam-log-2009-11-06 (19-27-26).txt

Scan type: Quick Scan
Objects scanned: 91361
Time elapsed: 12 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 9

Memory Processes Infected:
C:\Windows\msa.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\17954264 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\Solt Lake Software (Rogue.ProAntiSpyware) -> Quarantined and deleted successfully.
C:\ProgramData\Solt Lake Software\Pro Antispyware 2009 (Rogue.ProAntiSpyware) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Roaming\VirusRemover2008 (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Roaming\VirusRemover2008\Logs (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\Program Files\VirusRemover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\17954264\17954264 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\17954264\pc17954264ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Roaming\VirusRemover2008\Logs\scns.log (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\Users\James\Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\James\Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\a.exe (Trojan.Downloader) -> Delete on reboot.


So I don't know if this is now put back on the system or what! I will try what was suggested by the person who moved this topic.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:15 PM

Posted 06 November 2009 - 11:03 PM

After those scans, post that and this new one.
Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#7 SJK

SJK
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 07 November 2009 - 12:53 AM

Ok, sorry, I fell asleep waiting on the scan. Here is the log from SUPERAntiSpyware; I will go re-run the Malwarebytes program as suggested. So far, cross your fingers, it appears that everything was quarantined during Safe Mode.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/06/2009 at 11:44 PM

Application Version : 4.29.1004

Core Rules Database Version : 4162
Trace Rules Database Version: 2138

Scan type : Complete Scan
Total Scan Time : 01:33:57

Memory items scanned : 271
Memory threats detected : 0
Registry items scanned : 5895
Registry threats detected : 39
File items scanned : 179707
File threats detected : 204

Trojan.Dropper/Gen
[vhifngur] C:\USERS\JAMES\APPDATA\LOCAL\GVXCYH\FBYPSYSGUARD.EXE
C:\USERS\JAMES\APPDATA\LOCAL\GVXCYH\FBYPSYSGUARD.EXE

Rogue.Agent/Gen
HKU\S-1-5-21-2606387247-2069259893-3391954982-1000\SOFTWARE\AVSCAN

Adware.Tracking Cookie

#8 SJK

SJK
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 07 November 2009 - 01:03 AM

Ok, re-ran Malwarebytes and here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 6.0.6000

11/7/2009 1:01:11 AM
mbam-log-2009-11-07 (01-01-11).txt

Scan type: Quick Scan
Objects scanned: 88932
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I really do appreciate everyone's help with this pain in the butt virus... so far, knock on wood, it appears to be gone after running SUPERAntiSpyware in Safe Mode.... yeah!!! Will reboot in the morning and double check it. So far no porn or viagra sites have shown up, nor are there any pop-ups!!!!! I am so friggin grateful!!!!
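An added example (my own, not code from the thread or from Malwarebytes) that parses the MBAM 1.41 log format SJK posted in #5 and #8: it checks that each summary count matches the items actually listed under it, flags entries marked "Delete on reboot" (the a.exe item that was still pending when SJK rebooted), and reports which detection names disappeared between the two scans. The embedded sample logs are abridged excerpts of those two posts with counts adjusted to the lines kept; the class and function names are my own.

```python
"""Parser for the Malwarebytes' Anti-Malware 1.41 log format shown in this thread."""
import re
from dataclasses import dataclass, field

# "Files Infected: 9" is a summary line; "Files Infected:" with no number opens a detail block.
SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:\s*(\d+)?\s*$")
# "C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully."
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"

@dataclass
class Finding:
    section: str
    target: str
    detection: str
    action: str

@dataclass
class ScanReport:
    database_version: str = ""
    scan_type: str = ""
    summary: dict = field(default_factory=dict)   # section -> count MBAM claims
    findings: list = field(default_factory=list)  # Finding objects in log order

    def is_clean(self) -> bool:
        return not self.findings and all(n == 0 for n in self.summary.values())

    def summary_consistent(self) -> bool:
        """Each claimed count must equal the number of items actually listed for that section."""
        listed = {}
        for f in self.findings:
            listed[f.section] = listed.get(f.section, 0) + 1
        return all(listed.get(sec, 0) == n for sec, n in self.summary.items())

    def pending_reboot(self) -> list:
        """Items MBAM could not remove in place; they stay on disk until the machine restarts."""
        return [f for f in self.findings if "Delete on reboot" in f.action]

    def detections(self) -> set:
        return {f.detection for f in self.findings}

def parse_mbam_log(text: str) -> ScanReport:
    report, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, count = m.group(1), m.group(2)
            if count is not None:
                report.summary[name] = int(count)  # summary block near the top
            else:
                section = name                     # detail block that follows it
        elif section is None:                      # still in the header
            if line.startswith("Database version:"):
                report.database_version = line.split(":", 1)[1].strip()
            elif line.startswith("Scan type:"):
                report.scan_type = line.split(":", 1)[1].strip()
        elif line != NO_ITEMS and (m := ITEM_RE.match(line)):
            report.findings.append(Finding(section, m["target"], m["detection"], m["action"]))
    return report

def cleared_between(before: ScanReport, after: ScanReport) -> set:
    """Detection names seen in the first scan that the follow-up scan no longer reports."""
    return before.detections() - after.detections()

# Abridged excerpts of the logs posted in #5 and #8; summary counts adjusted to the lines kept.
FIRST_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Scan type: Quick Scan
Memory Processes Infected: 1
Files Infected: 3
Memory Processes Infected:
C:\Windows\msa.exe (Trojan.Agent) -> Unloaded process successfully.
Files Infected:
C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\a.exe (Trojan.Downloader) -> Delete on reboot.
"""
SECOND_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3113
Scan type: Quick Scan
Memory Processes Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_LOG), parse_mbam_log(SECOND_LOG)
    print("pending reboot:", [f.target for f in first.pending_reboot()])
    print("second scan clean:", second.is_clean(), "cleared:", cleared_between(first, second))
```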

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:15 PM

Posted 08 November 2009 - 03:36 PM

Ok, now if all is still good here....
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.