MBAM trojan fake alert not removed.

18 replies to this topic

#1 buchank

Posted 03 January 2010 - 07:50 AM

I have this exact same problem, could someone please help? I know it says not to follow the previous instructions because they are user specific, but it's tempting!!!

Here's a copy of my MBAM log

Malwarebytes' Anti-Malware 1.43
Database version: 3486
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/01/2010 12:31:10
mbam-log-2010-01-03 (12-31-10).txt

Scan type: Quick Scan
Objects scanned: 154944
Time elapsed: 1 hour(s), 54 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\friendlyname (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



thanks


#2 Elise (Malware Study Hall Admin)

Posted 03 January 2010 - 09:11 AM

Hello,

I moved your post to a separate topic. Posting about your problem in someone else's topic is considered hijacking a thread and is not allowed. Furthermore, it's a lot simpler to have your own topic, as people will only reply to your issues :thumbsup:

Please let me know if you are having any problems with your computer besides this MBAM detection.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 buchank (Topic Starter)

Posted 03 January 2010 - 02:44 PM

anyone? :thumbsup:

#4 Elise (Malware Study Hall Admin)

Posted 03 January 2010 - 03:12 PM

I asked you this, so if you could just reply to it, I can provide you with further steps :thumbsup:

Please let me know if you are having any problems with your computer besides this MBAM detection.


regards, Elise


#5 buchank (Topic Starter)

Posted 04 January 2010 - 10:10 AM

Oh sorry, I thought you meant you couldn't help me with that problem and were asking if I had any other problems.

I was infected with a virus that was giving me fake security alerts, Antivirus Live I think it was. I was unable to open Task Manager or any other application and was getting lots of red shields up in my task bar. I started up in safe mode and ran an MBAM scan and also searched my computer for any files containing svsguard.exe (when I originally got the virus I got a pop-up saying One Care had blocked this from accessing the internet). I then deleted the 2 files from the temp folder containing svsguard.exe and deleted the files MBAM found, then restarted my computer.

Now everything is working fine, no pop-ups, and it seems to be working at its usual speed, but when I run MBAM it keeps finding one problem and tells me it will delete it on reboot... but when I reboot and rescan it is still there!! The log is posted above.

Thanks


:thumbsup:

#6 Elise (Malware Study Hall Admin)

Posted 04 January 2010 - 10:40 AM

Hi, sorry for confusing you there :thumbsup:

Just to clarify, I am able to fix this problem with you, but I have to be sure it's just a leftover. Therefore, please do the following first.

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


#7 buchank (Topic Starter)

Posted 05 January 2010 - 05:40 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2010 at 02:46 AM

Application Version : 4.32.1000

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 09:16:22

Memory items scanned : 223
Memory threats detected : 0
Registry items scanned : 5682
Registry threats detected : 157
File items scanned : 70696
File threats detected : 103

Trojan.NewDotNet
HKCR\Tldctl2.URLLink
HKCR\Tldctl2.URLLink\CLSID
HKCR\Tldctl2.URLLink\CurVer
HKCR\Tldctl2.URLLink.1
HKCR\Tldctl2.URLLink.1\CLSID
HKLM\Software\New.net
HKLM\Software\New.net#InstalledVersion
HKLM\Software\New.net#InstalledPath
HKLM\Software\New.net#Tag
HKLM\Software\New.net#DiscardTag
HKLM\Software\New.net#FirstTime
HKLM\Software\New.net#Source
HKLM\Software\New.net#Prt
HKLM\Software\New.net#LSPStatus
HKLM\Software\New.net#NextUpgradeHi
HKLM\Software\New.net#NextUpgradeLo
HKLM\Software\New.net#UpgradeCounter
HKLM\Software\New.net#Search

Adware.GAIN/Gator
HKLM\Software\Gator.com
HKLM\Software\Gator.com\Gator
HKLM\Software\Gator.com\Gator\dyn
HKLM\Software\Gator.com\Gator\dyn#PdpFirstStart
HKLM\Software\Gator.com\Gator\dyn\GCH
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#StartTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#OldestTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#096-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#096-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#097-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#097-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#098-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#098-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#099-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#099-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#100-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#100-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#101-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#101-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#102-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#102-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#103-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#103-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#104-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#104-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#105-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#105-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#106-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#106-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#107-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#107-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#110-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#110-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#111-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#111-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#112-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#112-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#117-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#117-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gi#117-200
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle#StartTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle#OldestTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle#076-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle#076-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle#077-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle#077-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_trickle#077-2
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#StartTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#OldestTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#088-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#088-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#091-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#091-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#096-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#096-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#097-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#097-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#098-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#098-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#099-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#099-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#100-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#100-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#101-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#101-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#102-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#102-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#103-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#103-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#104-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#104-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#105-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#105-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#106-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#106-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#107-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#107-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#110-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#110-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#111-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#111-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#112-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#112-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#113-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#113-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#117-12007
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#117-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_ts#117-200
HKLM\Software\Gator.com\Gator\stat
HKLM\Software\Gator.com\Gator\stat#Guid
HKLM\Software\Gator.com\Gator\stat#MID
HKLM\Software\Gator.com\GInternet
HKLM\Software\Gator.com\GInternet\Proxy
HKLM\Software\Gator.com\GInternet\Proxy#Enabled

Adware.MyWay
HKCR\MyWayToolBar.NetscapeShutdown
HKCR\MyWayToolBar.NetscapeShutdown\CLSID
HKCR\MyWayToolBar.NetscapeShutdown\CurVer
HKCR\MyWayToolBar.NetscapeShutdown.1
HKCR\MyWayToolBar.NetscapeShutdown.1\CLSID
HKCR\MyWayToolBar.NetscapeStartup
HKCR\MyWayToolBar.NetscapeStartup\CLSID
HKCR\MyWayToolBar.NetscapeStartup\CurVer
HKCR\MyWayToolBar.NetscapeStartup.1
HKCR\MyWayToolBar.NetscapeStartup.1\CLSID
HKCR\MyWayToolBar.SettingsPlugin
HKCR\MyWayToolBar.SettingsPlugin\CLSID
HKCR\MyWayToolBar.SettingsPlugin\CurVer
HKCR\MyWayToolBar.SettingsPlugin.1
HKCR\MyWayToolBar.SettingsPlugin.1\CLSID
HKLM\Software\MyWay
HKLM\Software\MyWay\myBar
HKLM\Software\MyWay\myBar#Dir
HKLM\Software\MyWay\myBar#CurInstall
HKLM\Software\MyWay\myBar#Id
HKLM\Software\MyWay\myBar#CacheDir
HKLM\Software\MyWay\myBar#HistoryDir
HKLM\Software\MyWay\myBar#Visible
HKLM\Software\MyWay\myBar#Maximized
HKLM\Software\MyWay\myBar#SettingsDir
HKLM\Software\MyWay\myBar#ConfigRevision
HKLM\Software\MyWay\myBar#ConfigRevisionURL
HKLM\Software\MyWay\myBar#ConfigDateStamp
HKLM\Software\MyWay\myBar#Branding
HKLM\Software\MyWay\myBar\partner
HKLM\Software\MyWay\myBar\partner#autologin
HKLM\Software\MyWay\myBar\partner#cfg
HKLM\Software\MyWay\myBar\partner#mywayurl
HKLM\Software\MyWay\myBar\partner#search
HKLM\Software\MyWay\myBar\partner#uninstallurl
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UrlInfoAbout

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1974549567-2919261365-1684456354-1005\Software\uninstall

Rogue.Agent/Gen-Nullo[BIN]
C:\WINDOWS\CECOFOH.BIN

Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@atdmt[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@ad.zanox[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adopt.euroclick[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@atdmt[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adtech[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@tribalfusion[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adviva[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@casalemedia[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@burstnet[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@msnportal.112.2o7[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@serving-sys[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@kontera[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@tradedoubler[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@revsci[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adrevolver[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@revsci[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@hitbox[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@serving-sys[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@media.adrevolver[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@galleries1.adult-empire[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@xxxcounter[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@media.adrevolver[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@premiumtv.122.2o7[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@ad.yieldmanager[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@counter11.sextracker[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@apmebf[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@bs.serving-sys[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@mediaplex[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@galleries.adult-empire[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@casalemedia[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@counter13.sextracker[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@sextracker[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@www.burstnet[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@advertising[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adbrite[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@statse.webtrendslive[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@specificclick[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adrevolver[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@advertising[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@specificclick[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@doubleclick[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@ad.yieldmanager[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@eas.apm.emediate[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@fastclick[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@rotator.adjuggler[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@serving-sys[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@trafficmp[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@doubleclick[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@fastclick[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@tribalfusion[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@2o7[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@mediaplex[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@interclick[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@burstnet[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@wapdiscovery.infomediatechnologies[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@media.adrevolver[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adviva[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@123count[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@tradedoubler[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@media.adrevolver[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@casalemedia[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@bs.serving-sys[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@doubleclick[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@apmebf[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@imrworldwide[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@kontera[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@atdmt[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@questionmarket[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@tribalfusion[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@fastclick[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@media6degrees[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@zedo[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@atdmt[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@serving-sys[5].txt
C:\Documents and Settings\Kevin\Cookies\kevin@zedo[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@www.googleadservices[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@msnportal.112.2o7[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@atdmt[5].txt
C:\Documents and Settings\Kevin\Cookies\kevin@doubleclick[5].txt
C:\Documents and Settings\Kevin\Cookies\kevin@bs.serving-sys[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@112.2o7[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adtech[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@serving-sys[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@bs.serving-sys[5].txt
C:\Documents and Settings\Kevin\Cookies\kevin@questionmarket[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adviva[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@specificclick[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@revsci[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@cdn5.specificclick[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@apmebf[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@cbs.112.2o7[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@mediaplex[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@statse.webtrendslive[3].txt
C:\Documents and Settings\Kevin\Cookies\kevin@ads.bootcampmedia[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@adserver.adreactor[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@clicktorrent[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@ad.yieldmanager[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@content.yieldmanager[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@zedo[4].txt
C:\Documents and Settings\Kevin\Cookies\kevin@moneybanner728[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@content.yieldmanager[3].txt



I performed the MBAM scan again after performing this one and still getting the same one left over.

#8 Elise (Malware Study Hall Admin)

Posted 05 January 2010 - 05:52 AM

That cleaned up quite some stuff :thumbsup:

I only want to fix that MBAM entry, after I am convinced you don't have any other nasty stuff lurking.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise


#9 buchank (Topic Starter)

Posted 05 January 2010 - 08:17 AM

OK, I've completed the scan and no threats were found, so no report was created. During the scan One Care popped up saying it had detected a worm and it removed it successfully.

#10 Elise (Malware Study Hall Admin)

Posted 05 January 2010 - 08:21 AM

How're things running now? Is there anything left except for that MBAM detection?

regards, Elise


#11 buchank (Topic Starter)

Posted 05 January 2010 - 08:28 AM

Everything seems to be running fine as far as I can see, apart from the MBAM detection. :thumbsup:

#12 Elise (Malware Study Hall Admin)

Posted 05 January 2010 - 09:01 AM

Okay, then let's start to get that reg value fixed :thumbsup:

Click start > run, type notepad in the runbox and press enter.
Copy/paste the text in the codebox below and save it as export.bat to your desktop.
@echo off
rem Export the Active Desktop component key that MBAM flagged to export.txt
regedit /e "export.txt" "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0"
rem Open the export in the default text editor, then delete this batch file
start export.txt
del %0
Exit Notepad and double-click on export.bat to run it. A text file named export.txt will open.
Please post its contents in your next reply.

regards, Elise


#13 buchank (Topic Starter)

Posted 05 January 2010 - 11:51 AM

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,05,00,00,fe,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:02,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\
00,00,02,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\
00,00,01,00,00,00

#14 Elise (Malware Study Hall Admin)

Posted 05 January 2010 - 01:36 PM

Okay, let's get that fixed :thumbsup:

The following fix is written for this member only! Do NOT use this on your own!

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Click Start > Run, in the box that opens type notepad and press enter.
Copy/paste the text in the codebox below in Notepad and save it as fixme.bat to your desktop.
Windows Registry Editor Version 5.00

; @echo off
; REGEDIT.EXE /S "%~f0"
; REGEDIT /E export.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0"
; start export.txt
; EXIT

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"="My Current Home Page"
Exit Notepad and double-click on fixme.bat to run it.

A text file named export.txt should open. Please post its contents in your next reply.

regards, Elise


#15 buchank (Topic Starter)

Posted 05 January 2010 - 02:37 PM

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,05,00,00,fe,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:02,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\
00,00,02,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\
00,00,01,00,00,00
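Added example for readers following along, not part of the thread and not code from Elise, Malwarebytes or SUPERAntiSpyware: a small Python script that ties the thread's steps together. It parses the detection line from the MBAM log in post #1 to recover the key and value name, parses the regedit /e export posted in reply #13 (including regedit's trailing-backslash line continuations for long hex values such as "Position"), looks the value up case-insensitively (MBAM prints "friendlyname", regedit exports "FriendlyName"), and writes out the one-value .reg fix that reply #14 applies. The sample inputs are constructed from the lines quoted above and shortened; the replacement name "My Current Home Page" is taken from reply #14. Function names (parse_mbam_detections, parse_reg_export, lookup, build_fix_reg, triage) are this example's own.

```python
"""Cross-check an MBAM registry detection against a regedit /e export and
build the one-value .reg fix. Added example, not code from the thread;
sample inputs below are constructed from the log lines quoted in it."""
import re

# Constructed sample: the detection section of the MBAM log in post #1.
MBAM_LOG = """\
Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components\\0\\friendlyname (Trojan.FakeAlert) -> Delete on reboot.
"""

# Constructed sample: export.txt as posted in reply #13 (regedit /e output,
# shortened; the trailing backslash is regedit's line continuation).
# A real export.txt read from disk is UTF-16, so open it with encoding="utf-16".
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"="Privacy Protection"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,05,00,00,fe,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"""

DETECTION_RE = re.compile(r"^(?P<path>HK[A-Z_]+\\.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_mbam_detections(log_text):
    """Return [(key, value_name, threat, action)] from the 'Registry Values Infected:' section."""
    found, in_section = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.endswith(":") and "Infected" in line:      # section header
            in_section = line.startswith("Registry Values Infected")
        elif in_section and line and not line.startswith("("):
            m = DETECTION_RE.match(line)
            if m:
                key, _, name = m.group("path").rpartition("\\")
                found.append((key, name, m.group("threat"), m.group("action")))
    return found


def decode_value(data):
    """Decode one regedit value literal into (kind, python value)."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])   # unescape \" and \\
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if data.startswith("hex"):   # 'hex:' is REG_BINARY; 'hex(N):' is registry type N
        kind, _, payload = data.partition(":")
        return ("REG_BINARY" if kind == "hex" else kind), bytes(int(b, 16) for b in payload.split(",") if b)
    return "UNKNOWN", data


def parse_reg_export(text):
    """Parse regedit /e text into {key: {value_name: (kind, data)}}, joining
    backslash-continued lines so long hex values come back whole."""
    keys, current, buf = {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("\\"):            # continuation: keep collecting
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode_value(m.group("data"))
    return keys


def lookup(reg, key, value_name):
    """Case-insensitive lookup; returns (exported_name, (kind, data)) or None."""
    for k, values in reg.items():
        if k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == value_name.lower():
                    return n, v
    return None


def build_fix_reg(key, value_name, new_string):
    """A .reg fragment overwriting one string value, as the fix in reply #14 does."""
    escaped = new_string.replace("\\", "\\\\").replace('"', '\\"')
    return f'Windows Registry Editor Version 5.00\n\n[{key}]\n"{value_name}"="{escaped}"\n'


def triage(mbam_log, reg_text, replacement="My Current Home Page"):
    """For each MBAM registry-value detection, report the value's current data and the fix."""
    reg, report = parse_reg_export(reg_text), []
    for key, name, threat, action in parse_mbam_detections(mbam_log):
        hit = lookup(reg, key, name)
        report.append({"key": key, "value": name, "threat": threat, "action": action,
                       "current": hit[1][1] if hit else None,
                       "fix": build_fix_reg(key, hit[0], replacement) if hit else None})
    return report


if __name__ == "__main__":
    for r in triage(MBAM_LOG, REG_EXPORT):
        print(f"{r['threat']}: {r['value']} currently {r['current']!r}\n{r['fix']}")
```

Run as-is it reports the thread's own data: the flagged value holds "Privacy Protection", and the printed .reg is the fragment reply #14 imports with REGEDIT /S. Running triage() again on a fresh export after the import should show "My Current Home Page", which is what the export in reply #15 confirms.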



