I seem to have major issues


14 replies to this topic

#1 Bingo Little


Posted 12 December 2009 - 08:45 AM

And my tech savvy friend told me to come here.

I've had noticeable slowdown over the last few days with this computer, and AVG found a trojan. Finally realising that Malwarebytes anti malware doesn't update automatically, I got it up to date and actually found the problems. It looks nasty. My technically savvy friend told me to post it here, meaning he can't give any more advice - which I do not see as a good sign.

My end-of-scan log looks like this:

Malwarebytes' Anti-Malware 1.42
Database version: 3348
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/12/2009 13:23:09
mbam-log-2009-12-12 (13-23-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 386450
Time elapsed: 2 hour(s), 42 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{1C55A838-0A15-4C9D-90EE-80BFA77DB835}\RP726\A0274985.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\FSPYJZ9Z\eH100bec43V04f02053003Rb434c00a102T5b2ac718Q000002fc901801F0020000aJ0f000601l0809K939494513180[1] (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\MTZ5IUQN\eH100bec43V04f02053003Rb434c00a102T5b2ac714Q000002fc901801F0020000aJ0f000601l0809K9394945130dP000001090[1] (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\W76T4FSB\eH100bec43V04f02053003Rb3791556102T5b29980bQ000002fc901801F0020000aJ0f000601l0809Kf7d6c8e230dP000001090[1] (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> No action taken.


Once I'd pressed the button to deal with these items, the scan looked like this:

Malwarebytes' Anti-Malware 1.42
Database version: 3348
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/12/2009 13:25:59
mbam-log-2009-12-12 (13-25-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 386450
Time elapsed: 2 hour(s), 42 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{1C55A838-0A15-4C9D-90EE-80BFA77DB835}\RP726\A0274985.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\FSPYJZ9Z\eH100bec43V04f02053003Rb434c00a102T5b2ac718Q000002fc901801F0020000aJ0f000601l0809K939494513180[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\MTZ5IUQN\eH100bec43V04f02053003Rb434c00a102T5b2ac714Q000002fc901801F0020000aJ0f000601l0809K9394945130dP000001090[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\W76T4FSB\eH100bec43V04f02053003Rb3791556102T5b29980bQ000002fc901801F0020000aJ0f000601l0809Kf7d6c8e230dP000001090[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.


Advice for someone who's never done anything like this before much appreciated.
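As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python triage helper for the MBAM 1.x log format posted above. It pulls out the three things a responder reads first in a log like this: whether each item was actually treated ("No action taken" versus quarantined), whether the Winlogon Userinit value carries anything besides userinit.exe (the extra entry there is started at every logon, which is why a machine can look clean and then come back), and which detections sit inside a System Restore point, where removal tools often cannot reach and which is the reason for the "create a new restore point" advice later in this thread. The sample log is constructed from lines of the first scan in the post, with one action changed so that both outcomes appear; the function and variable names are my own.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the MBAM 1.42 log layout. The lines are taken from the
# first scan in the post; the last action was changed to "Quarantined and
# deleted successfully." so that both outcomes appear.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{1C55A838-0A15-4C9D-90EE-80BFA77DB835}\RP726\A0274985.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<category>) -> [Bad: (<bad>) Good: (<good>) -> ]<action>."
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>[^.]+)\.$"
)

# Lower-cased prefix marker for files living inside a System Restore point.
RESTORE_POINT_MARKER = "\\system volume information\\_restore{"


@dataclass
class Detection:
    section: str
    item: str
    category: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None

    @property
    def treated(self) -> bool:
        # MBAM writes "No action taken." when nothing has been removed yet.
        return not self.action.lower().startswith("no action taken")


def parse_mbam_log(text: str) -> list:
    """Walk the log once, remembering which '... Infected:' section we are in."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m["item"], m["category"],
                                   m["action"], m["bad"], m["good"]))
    return found


def userinit_extras(value: str) -> list:
    """Entries in a Winlogon Userinit value other than userinit.exe itself.

    The clean value is a single userinit.exe (with or without a path) and a
    trailing comma; any other entry in the list is launched at every logon."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != "userinit.exe":
            extras.append(entry)
    return extras


def in_restore_point(path: str) -> bool:
    """True for files under System Volume Information\\_restore{...}."""
    return RESTORE_POINT_MARKER in path.lower()


def triage(text: str) -> dict:
    """Summarise a log: what was found, what is still untreated, and the two
    findings that matter most for reinfection (Userinit extras, restore points)."""
    dets = parse_mbam_log(text)
    report = {
        "total": len(dets),
        "categories": sorted({d.category for d in dets}),
        "untreated": [d.item for d in dets if not d.treated],
        "userinit_extras": [],
        "restore_point_files": [d.item for d in dets if in_restore_point(d.item)],
    }
    for d in dets:
        if d.category == "Hijack.Userinit" and d.bad:
            report["userinit_extras"].extend(userinit_extras(d.bad))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a real mbam-log-*.txt by reading the file into `triage()`. On the sample it reports four untreated items, one extra Userinit entry (sdra64.exe) and one file inside a restore point; a log where "untreated" is empty and "userinit_extras" is empty is what you want to see before calling the machine clean.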


#2 garmanma

  • Staff Emeritus

Posted 12 December 2009 - 11:18 AM

Welcome to BC


Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
========================

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
First, reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

=============================


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
===================================

Update mbam and run a FULL scan
Please post the results
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Bingo Little

  • Topic Starter

Posted 12 December 2009 - 05:09 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/12/2009 at 07:46 PM

Application Version : 4.31.1000

Core Rules Database Version : 4363
Trace Rules Database Version: 2207

Scan type : Complete Scan
Total Scan Time : 02:05:47

Memory items scanned : 262
Memory threats detected : 0
Registry items scanned : 5616
Registry threats detected : 2
File items scanned : 179895
File threats detected : 36

Adware.Tracking Cookie
C:\Documents and Settings\Ben\Cookies\ben@doubleclick[1].txt
C:\Documents and Settings\Ben\Cookies\ben@apmebf[1].txt
C:\Documents and Settings\Ben\Cookies\ben@atdmt[1].txt
C:\Documents and Settings\Ben\Cookies\ben@atdmt[2].txt
C:\Documents and Settings\Ben\Cookies\ben@mediaplex[2].txt
C:\Documents and Settings\Ben\Cookies\ben@ad1.emediate[2].txt
C:\Documents and Settings\Ben\Cookies\ben@ads.adbrite[1].txt
C:\Documents and Settings\Ben\Cookies\ben@ads.pointroll[1].txt
C:\Documents and Settings\Ben\Cookies\ben@ads.pointroll[3].txt
C:\Documents and Settings\Ben\Cookies\ben@ads.pointroll[4].txt
C:\Documents and Settings\Ben\Cookies\ben@adserver.mediarun[2].txt
C:\Documents and Settings\Ben\Cookies\ben@apmebf[2].txt
C:\Documents and Settings\Ben\Cookies\ben@channel4.112.2o7[1].txt
C:\Documents and Settings\Ben\Cookies\ben@content.yieldmanager[1].txt
C:\Documents and Settings\Ben\Cookies\ben@cracked[2].txt
C:\Documents and Settings\Ben\Cookies\ben@dmtracker[1].txt
C:\Documents and Settings\Ben\Cookies\ben@doubleclick[2].txt
C:\Documents and Settings\Ben\Cookies\ben@dynamic.media.adrevolver[1].txt
C:\Documents and Settings\Ben\Cookies\ben@go.globaladsales[1].txt
C:\Documents and Settings\Ben\Cookies\ben@ice.112.2o7[1].txt
C:\Documents and Settings\Ben\Cookies\ben@imrworldwide[2].txt
C:\Documents and Settings\Ben\Cookies\ben@insightexpressai[1].txt
C:\Documents and Settings\Ben\Cookies\ben@maxserving[2].txt
C:\Documents and Settings\Ben\Cookies\ben@media.adrevolver[3].txt
C:\Documents and Settings\Ben\Cookies\ben@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Ben\Cookies\ben@mywebsearch[1].txt
C:\Documents and Settings\Ben\Cookies\ben@sales.liveperson[2].txt
C:\Documents and Settings\Ben\Cookies\ben@sales.liveperson[3].txt
C:\Documents and Settings\Ben\Cookies\ben@smileycentral[2].txt
C:\Documents and Settings\Ben\Cookies\ben@specificclick[2].txt
C:\Documents and Settings\Ben\Cookies\ben@track.adform[2].txt
C:\Documents and Settings\Ben\Cookies\ben@www.smartadserver[2].txt
C:\Documents and Settings\Mum\Cookies\mum@iacas.adbureau[1].txt
C:\Documents and Settings\Mum\Cookies\mum@maxserving[1].txt
C:\Documents and Settings\Mum\Cookies\mum@media.adrevolver[1].txt
C:\Documents and Settings\Mum\Cookies\mum@mywebsearch[1].txt

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-606747145-854245398-725345543-1006\SOFTWARE\FunWebProducts

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-606747145-854245398-725345543-1006\SOFTWARE\Microsoft\fias4013


That's the result of the Superantispyware scan, which surprised me. Mainly just tracking cookies - which surely should have been cleaned out in the temporary file purge - one instance of a trojan, and that annoying free smiley thing which I swear I dealt with about a year ago.

However, I probably ought to scan from another account which has been open since the infection as well. I'll run step three and also check from that other account and post that log and my final malwarebytes log here.

#4 Bingo Little

  • Topic Starter

Posted 12 December 2009 - 06:23 PM

The express scan in step 3 came up with nothing, in the morning I'll try the full scan and whatever else I have to run.

#5 garmanma

  • Staff Emeritus

Posted 12 December 2009 - 08:42 PM

in the morning I'll try the full scan and whatever else I have to run.


I'll wait for that
Mark

#6 Bingo Little

  • Topic Starter

Posted 13 December 2009 - 11:43 AM

Nothing on the Dr Web Cureit at all.

Scanning from another account with SAS, I got this:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2009 at 02:47 PM

Application Version : 4.31.1000

Core Rules Database Version : 4304
Trace Rules Database Version: 0

Scan type : Complete Scan
Total Scan Time : 00:38:08

Memory items scanned : 269
Memory threats detected : 0
Registry items scanned : 5622
Registry threats detected : 7
File items scanned : 33936
File threats detected : 37

Adware.MyWebSearch
HKU\S-1-5-21-606747145-854245398-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKU\S-1-5-21-606747145-854245398-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-606747145-854245398-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-606747145-854245398-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{07B18EA9-A523-4961-B6BB-170DE4475CCA}

Adware.Tracking Cookie
C:\Documents and Settings\Chris\Cookies\chris@serving-sys[2].txt
C:\Documents and Settings\Chris\Cookies\chris@apmebf[1].txt
C:\Documents and Settings\Chris\Cookies\chris@tribalfusion[2].txt
C:\Documents and Settings\Chris\Cookies\chris@channel4.112.2o7[1].txt
C:\Documents and Settings\Chris\Cookies\chris@zedo[1].txt
C:\Documents and Settings\Chris\Cookies\chris@adtech[1].txt
C:\Documents and Settings\Chris\Cookies\chris@imrworldwide[2].txt
C:\Documents and Settings\Chris\Cookies\chris@mediaplex[1].txt
C:\Documents and Settings\Chris\Cookies\chris@questionmarket[1].txt
C:\Documents and Settings\Chris\Cookies\chris@ad.yieldmanager[1].txt
C:\Documents and Settings\Chris\Cookies\chris@clickshift[1].txt
C:\Documents and Settings\Chris\Cookies\chris@statse.webtrendslive[1].txt
C:\Documents and Settings\Chris\Cookies\chris@adviva[1].txt
C:\Documents and Settings\Chris\Cookies\chris@bs.serving-sys[1].txt
C:\Documents and Settings\Chris\Cookies\chris@msnportal.112.2o7[2].txt
C:\Documents and Settings\Chris\Cookies\chris@media.adrevolver[1].txt
C:\Documents and Settings\Chris\Cookies\chris@www.googleadservices[1].txt
C:\Documents and Settings\Chris\Cookies\chris@atdmt[1].txt
C:\Documents and Settings\Chris\Cookies\chris@tradedoubler[1].txt
C:\Documents and Settings\Chris\Cookies\chris@media.adrevolver[2].txt
C:\Documents and Settings\Chris\Cookies\chris@advertising[2].txt
C:\Documents and Settings\Chris\Cookies\chris@doubleclick[2].txt
C:\Documents and Settings\Chris\Cookies\chris@atoc.112.2o7[1].txt
C:\Documents and Settings\Chris\Cookies\chris@mywebsearch[1].txt
C:\Documents and Settings\Chris\Cookies\chris@specificclick[2].txt
C:\Documents and Settings\Chris\Cookies\chris@revsci[2].txt
C:\Documents and Settings\Chris\Cookies\chris@adrevolver[2].txt
C:\Documents and Settings\Ben\Cookies\ben@atdmt[2].txt
C:\Documents and Settings\Pongo\Cookies\pongo@windowsmedia[2].txt
C:\Documents and Settings\Pongo\Cookies\pongo@ad1.emediate[2].txt
C:\Documents and Settings\Pongo\Cookies\pongo@media.adrevolver[1].txt
C:\Documents and Settings\Pongo\Cookies\pongo@mywebsearch[1].txt
C:\Documents and Settings\Pongo\Cookies\pongo@apmebf[1].txt
C:\Documents and Settings\Pongo\Cookies\pongo@adrevenue[1].txt
C:\Documents and Settings\Pongo\Cookies\pongo@specificclick[1].txt
C:\Documents and Settings\Pongo\Cookies\pongo@adecn[1].txt
C:\Documents and Settings\Pongo\Cookies\pongo@ad.zanox[2].txt

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-606747145-854245398-725345543-1004\SOFTWARE\Fun Web Products
HKU\S-1-5-21-606747145-854245398-725345543-1004\SOFTWARE\FunWebProducts
HKU\S-1-5-21-606747145-854245398-725345543-1004\SOFTWARE\MyWebSearch


Again, just tracking cookies and the irritating free smiley site. Running a final malware bytes scan, but it still hasn't found anything so this may well have cleared it.

#7 Bingo Little

  • Topic Starter

Posted 13 December 2009 - 12:55 PM

And the new malware bytes scan is empty too.

Reckon it's safe?

#8 garmanma

  • Staff Emeritus

Posted 13 December 2009 - 07:28 PM

How is it acting for you? Run your AV and see if it shows clean.
Mark

#9 Bingo Little

  • Topic Starter

Posted 14 December 2009 - 03:01 AM

It seems to be back to normal speed. I'll run a virus scan, but AVG didn't really detect it the first time round: scans didn't pick it up, but as soon as it tried to do anything, AVG would find something.

#10 Bingo Little

  • Topic Starter

Posted 14 December 2009 - 04:57 PM

AVG says it's completely clear.

Safe computer, or malware that's very good at hiding?

#11 garmanma

  • Staff Emeritus

Posted 14 December 2009 - 06:29 PM

I believe you are good to go


If there are no longer signs of malware then please....

Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
Mark

#12 Bingo Little

  • Topic Starter

Posted 15 December 2009 - 04:42 PM

Oh, words that the swear filter will probably censor.

It's found another one.

When this started, it had a trojan called sheur2. I removed it and went on with scanning, where I found the results listed above, including the trojan fake alert. This time, it's a trojan called psw.sinowal.

This is hardly filling me with confidence. It looks like there's something hidden there constantly installing more of these.

This trojan crashed my computer, twice. The first time it crashed it was just after AVG found it: worryingly, when I scanned with AVG a second time, it didn't show up at all.

Words do not convey just how annoyed I am getting at this.

I'm considering just sticking in a live cd, using ubuntu to recover data, then switching to windows 7.

Edited by Bingo Little, 15 December 2009 - 04:50 PM.


#13 garmanma

  • Staff Emeritus

Posted 15 December 2009 - 08:36 PM

Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Mark

#14 Bingo Little

  • Topic Starter

Posted 16 December 2009 - 11:11 AM

Unsure if that's possible - computer seems to crash within a few minutes of booting up.

#15 garmanma

  • Staff Emeritus

Posted 16 December 2009 - 07:35 PM

Only alternatives I can think of:

Vipre rescue disk
http://live.sunbeltsoftware.com/


If you cannot bootup normally, cannot transfer required tools to the infected machine and cannot download anything while in safe mode, then your options are limited to what security tools you have on your computer. If those tools do not work, then your options become even more limited.

Have you tried using System Restore from a command prompt in Safe Mode to return to a previous state before your problems began?

If that doesn't work, these are links to Anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer's BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:
Mark



