Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect Problem


  • Please log in to reply
11 replies to this topic

#1 flanders20

flanders20

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 07 March 2010 - 11:44 PM

So today I have had the Google Redirect virus thing a few times. I think its gone then it magically appears again.

I read thru your Preparation Guide and it tells me to download and give some reports. Well when I download the DDS tool and run it a notepad opens with a bunch of random letters and shapes.

I'm not sure what I'm doing wrong but I would have posted it here but it didn't do what your guide said it is suppose to do.

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:44 PM

Posted 08 March 2010 - 07:11 AM

Hello, since no log is posted, I am shifting this to the Am I Infected forum.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 flanders20

flanders20
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 09 March 2010 - 06:28 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-09 06:33:44
Windows 5.1.2600 Service Pack 3
Running: b7ir8gt5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxldipob.sys


---- System - GMER 1.0.15 ----

SSDT 883A1DF0 ZwAlertResumeThread
SSDT 89CAF1C0 ZwAlertThread
SSDT 88347400 ZwAllocateVirtualMemory
SSDT 897DD418 ZwConnectPort
SSDT 8A7AC7D8 ZwCreateMutant
SSDT 8838AAB0 ZwCreateThread
SSDT 89DBE800 ZwFreeVirtualMemory
SSDT 89D8F870 ZwImpersonateAnonymousToken
SSDT 88368E68 ZwImpersonateThread
SSDT 89DBDDD8 ZwMapViewOfSection
SSDT 882CAD78 ZwOpenEvent
SSDT 89E82840 ZwOpenProcessToken
SSDT 89DC7DE8 ZwOpenThreadToken
SSDT 89D9EE90 ZwResumeThread
SSDT 89CDA1D8 ZwSetContextThread
SSDT 89DCB3F0 ZwSetInformationProcess
SSDT 8836B008 ZwSetInformationThread
SSDT 883454D0 ZwSuspendProcess
SSDT 89CAE1B0 ZwSuspendThread
SSDT 89CE0F68 ZwTerminateProcess
SSDT 89D8C3A0 ZwTerminateThread
SSDT 89D8FBF8 ZwUnmapViewOfSection
SSDT 883646D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D1C 805045B8 4 Bytes CALL 12CECF98
.text ntkrnlpa.exe!ZwCallbackReturn + 2DD4 80504670 4 Bytes CALL 84DA22F2
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 80504870 8 Bytes PUSH A089CE0F; RET
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB91B6EBF]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\BTHUSB \Device\000000df bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee23335
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cee23335 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:44 PM

Posted 10 March 2010 - 02:34 PM

Hello,

That looks clean, so lets continue with MBAM.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 flanders20

flanders20
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 10 March 2010 - 06:30 PM

Here is the log from the day I was having the most problems. The total pc defender thing came up twice in that day. Since then when i click on an internet search result sometimes it goes to a strange website and askes to scan my computer, but most times i just close it before it does anything. It doesn't do it everytime more often when using google in firefox.

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

3/7/2010 4:05:28 PM
mbam-log-2010-03-07 (16-05-28).txt

Scan type: Quick Scan
Objects scanned: 151150
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Total PC Defender (Rogue.TotalPCDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Total PC Defender\Total PC Defender.exe (Rogue.TotalPCDefender) -> Quarantined and deleted successfully.

#6 flanders20

flanders20
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 10 March 2010 - 07:49 PM

Sorry didn't see to run the full scan. I am working on that now. Will post results when it is done.

#7 flanders20

flanders20
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 10 March 2010 - 09:01 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/10/2010 8:00:19 PM
mbam-log-2010-03-10 (20-00-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 354164
Time elapsed: 2 hour(s), 13 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP975\A0341309.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:44 PM

Posted 11 March 2010 - 03:05 AM

Hello again,

How are things running now? What problems do you still have left?

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job.
Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 flanders20

flanders20
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 11 March 2010 - 09:49 PM

My computer hasn't acted up since we started this. Here are the results from today. I currently have Symantec Endpoint Protection, got free from college, for my virus software. I was wondering if you thought it was good or if there is something else better to use that is free or low priced.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/11/2010 at 08:35 PM

Application Version : 4.34.1000

Core Rules Database Version : 4664
Trace Rules Database Version: 2476

Scan type : Complete Scan
Total Scan Time : 02:42:49

Memory items scanned : 302
Memory threats detected : 0
Registry items scanned : 9782
Registry threats detected : 0
File items scanned : 179055
File threats detected : 189

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@specificmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserver.adtechus[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stats.townnews[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.partsexpress[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partsexpress[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@analytics.rogersmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kanoodle[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising.sheknows[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserv.qconline[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@at.atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@chitika[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@lucidmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adap[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@eyewonder[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@eas.apm.emediate[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@steelhousemedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserving.autotrader[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pointroll[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.clickmanage[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.hrsaccount[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.ogdenpubs[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.accountonline[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tracking.hearthstoneonline[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6whkigkcpchp.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.lockedonmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@lfstmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@socialmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnyqmdpwho.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adfrontiers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.shutterfly[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.elitecarseats[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.gmodules[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.website-hit-counters[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pro-market[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pluckit.demandmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@i4commerce.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@qnsr[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.undertone[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hookedmediagroup[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.healthinsurancefinders[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@petfinder[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tripod[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pregnancyquestionsandanswers[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.weddingcountdown[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@rogersmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.cnn[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stats.weddingcountdown[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@traveladvertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@website-hit-counters[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kaspersky.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlikmajigo.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkoslajggo.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@a1.interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mycounter.tinycounter[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bridgetrack[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ext-us.bestofmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@richmedia.yahoo[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-autodesk.hitbox[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stats.paypal[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bridge1.admarketplace[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@smartadserver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@easyduplicatefinder[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.accountonline[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bizzclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@accountonline[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@a1.interclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bridgetrack[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
C:\Documents and Settings\f\Cookies\f@2o7[2].txt
C:\Documents and Settings\f\Cookies\f@atdmt[2].txt
C:\Documents and Settings\f\Cookies\f@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.mail[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@bellglobemediapublishing.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@cdn4.specificclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@enhance[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@gostats[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@homestore.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@lockedonmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tracking.realtor[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.icityfind[1].txt

Unclassified.Unknown Origin
C:\PROGRAM FILES\EASY SPYREMOVER\KEYGEN.NFO

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:44 PM

Posted 12 March 2010 - 05:09 AM

Hello,

Symantec endpoint is fine to use :thumbsup:

As you can see one of the detected items by SAS is a keygen. Downloading and using cracks and keygens is not only illegal, but also guarantees you will be infected sooner or later because they often install malware on your computer. If you want to make sure you will not be reinfected, I recommend to stay far from them.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 flanders20

flanders20
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 12 March 2010 - 01:17 PM

The ESET Online Scanner found no threats.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:44 PM

Posted 12 March 2010 - 01:22 PM

Hello again,

Unless you have any problems left, you are good to go :trumpet:

Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :flowers:.
Some more links you might find of interest:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users