Virus help - Exploit.com backdoor.sinowal


40 replies to this topic

#1 Rob_P
  • Members
  • 27 posts

Posted 25 March 2010 - 08:25 PM

I'm running a PC with XP SP2.
I recently upgraded from IE6 to IE8 after this I noted some occasional issues with Youtube (play buttons missing) however all was well with the PC which has AVG 8.? and Malware bytes.
On Monday my wife got an AVG pop up warning for Exploit.pdf. After that it started running really slow.
I disabled my Restore points and updated and ran Malwarebytes, which found and removed two copies of backdoor.sinowal. Successive runs showed the PC was clean. Then, switching to AVG in safe mode, I was finally able to remove the Exploit.com.
If I start up the PC in safe mode AVG does not find anything. If I try to run it in normal mode the PC runs slow and does not respond properly. If I try to run AVG it will just freeze after a few mins.
I don't have the original install disks and very little space on C to install additional Windows updates.

I was told by a friend I probably need a Rootkit?
I downloaded the AVG recovery disc but I'm unable to view the video notes on how to operate it.

Someone suggested I try Combofix but I'm a little intimidated by the warnings, plus I'd have to try and download and install Windows Recovery Console, which would probably require a number of additional updates.

Help !
Rob

EDIT: Moved from XP Forum.

Edited by Budapest, 25 March 2010 - 08:36 PM.




#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 March 2010 - 08:56 PM

Hi Rob. Yes, just running anything can be dangerous. One of my favorite examples:

it went to remove it and shut down my computer but when I turned it back on to reboot I got a "NTLDR is missing press Ctrl+Alt+Delete" message and it just kept hanging at that message each time so I put in my Windows XP Home CD in hopes it would replace the missing file (I can't remember the order of the following but I did try to let it boot from the Windows XP Home CD and also tried the Recovery Console) but when I tried to run the Recovery Console I just got a C:\ (no prompt to choose an OS) and when I tried to boot from the Windows CD it did start to load the drivers but then was prompting me to seemingly format the drive.

Oh, please tell me there is some hope I'm nauseous that I've lost everything!


First, this is likely an Adobe issue, an outdated product, so go here and update Adobe Reader:
http://get.adobe.com/reader/otherversions/... Reboot.


Now run TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How's it running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Rob_P
  • Topic Starter
  • Members
  • 27 posts

Posted 25 March 2010 - 09:21 PM

Should I do this after booting in safe mode?

#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 March 2010 - 09:41 PM

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

So, no. :thumbsup:

#5 Rob_P
  • Topic Starter
  • Members
  • 27 posts

Posted 25 March 2010 - 10:13 PM

I ran the TFC in Safe mode and it ran straight through with no issues.
On completion it rebooted. On restarting in normal mode I ran Malwarebytes. Your link was to the same version that I already had installed. I updated the file and ran it. No issues were uncovered.
I rebooted the machine again and noted that opening Word and Excel for the first time was very slow. On successive openings it was much quicker.
I am now running my AVG in normal mode to see if it will make it through without locking up.
8 mins in and so far so good.
Many thanks for your help so far :^)

#6 Rob_P
  • Topic Starter
  • Members
  • 27 posts

Posted 25 March 2010 - 10:22 PM

:^(
AVG froze after running for 13 mins 16 seconds.
It did uncover quite a few tracking cookies but I can't do anything to delete them as the program is frozen.

Should I re-run TFC in normal mode rather than safe boot?

Robert

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 March 2010 - 10:35 PM

Rob, you can run TFC in Safe Mode, but we'll run SAS next in safe mode also. It will get those cookies too. I am leaving now but will look back tomorrow.
Let me know how it's running.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#8 Rob_P
  • Topic Starter
  • Members
  • 27 posts

Posted 25 March 2010 - 11:09 PM

Minor problem in that I can't run the file. It's saved to the desktop but it won't let me run it (Extract) while in safe mode. If I go through Start, All Programs, I don't see it listed, as I guess it does not look like a program to the PC yet.
It's currently saved to the Administrator desktop profile and I can only log on as Administrator after booting in safe mode.
Is it just as effective if I re-save the file to a user desktop, run the file (to extract) then re-boot to safe and run as a user rather than administrator?

#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 March 2010 - 08:26 AM

Yes, OK, run SAS on all user accounts.

#10 Rob_P
  • Topic Starter
  • Members
  • 27 posts

Posted 26 March 2010 - 10:58 PM

I installed SAS and ran it in Safe Mode as myself as the user rather than my wife's login or the administrator. It found some issues which it went through the actions of deleting. I didn't note them down as I thought the log would record it.
I have rebooted and opened the Statistics tab. I see a box called Scanner Logs and in it at the top it says LOG, but I think that's a heading and there is nothing listed below it.

Do I need to re-run SAS under the admin and my wife's login?

It's late and I don't have time to fully check out the computer at the moment. I opened Word and Excel a couple of times and they were slow to open and I noted it said virus scan / virus check at the bottom for a few secs. Is that SAS?

Thanks for your help so far
Rob

#11 Rob_P
  • Topic Starter
  • Members
  • 27 posts

Posted 27 March 2010 - 10:12 AM

I ran SAS on the administrator account and it found and should have cleaned off the following:
I ran it in normal mode and it's still very slow and eventually locked up.
I will now repeat running SAS on the two user accounts.

Rob

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2010 at 11:35 PM

Application Version : 4.34.1000

Core Rules Database Version : 4738
Trace Rules Database Version: 2550

Scan type : Complete Scan
Total Scan Time : 02:27:30

Memory items scanned : 253
Memory threats detected : 0
Registry items scanned : 7100
Registry threats detected : 5
File items scanned : 176243
File threats detected : 234

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cnn.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwindows.112.2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
C:\Documents and Settings\Barb\Cookies\barb@a.websponsors[2].txt
C:\Documents and Settings\Barb\Cookies\barb@a1.interclick[2].txt
C:\Documents and Settings\Barb\Cookies\barb@ad.wsod[2].txt
C:\Documents and Settings\Barb\Cookies\barb@adecn[1].txt
C:\Documents and Settings\Barb\Cookies\barb@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Barb\Cookies\barb@ads.cnn[1].txt
C:\Documents and Settings\Barb\Cookies\barb@ads.pointroll[2].txt
C:\Documents and Settings\Barb\Cookies\barb@affiliates.mediaspecials[2].txt
C:\Documents and Settings\Barb\Cookies\barb@app.insightgrit[1].txt
C:\Documents and Settings\Barb\Cookies\barb@bank.countrywide[1].txt
C:\Documents and Settings\Barb\Cookies\barb@collective-media[2].txt
C:\Documents and Settings\Barb\Cookies\barb@content.yieldmanager[2].txt
C:\Documents and Settings\Barb\Cookies\barb@content.yieldmanager[3].txt
C:\Documents and Settings\Barb\Cookies\barb@da-tracking[2].txt
C:\Documents and Settings\Barb\Cookies\barb@dealclick.co[1].txt
C:\Documents and Settings\Barb\Cookies\barb@gmd.mediawebconnect[1].txt
C:\Documents and Settings\Barb\Cookies\barb@interclick[2].txt
C:\Documents and Settings\Barb\Cookies\barb@invitemedia[1].txt
C:\Documents and Settings\Barb\Cookies\barb@login.tracking101[2].txt
C:\Documents and Settings\Barb\Cookies\barb@media5.sitebrand[1].txt
C:\Documents and Settings\Barb\Cookies\barb@media6degrees[1].txt
C:\Documents and Settings\Barb\Cookies\barb@microsoftwindows.112.2o7[2].txt
C:\Documents and Settings\Barb\Cookies\barb@nextag[2].txt
C:\Documents and Settings\Barb\Cookies\barb@oasc09.247realmedia[1].txt
C:\Documents and Settings\Barb\Cookies\barb@oasc09.247realmedia[3].txt
C:\Documents and Settings\Barb\Cookies\barb@oasc10.247realmedia[1].txt
C:\Documents and Settings\Barb\Cookies\barb@oasc10.247realmedia[3].txt
C:\Documents and Settings\Barb\Cookies\barb@partner2profit[1].txt
C:\Documents and Settings\Barb\Cookies\barb@publishers.clickbooth[2].txt
C:\Documents and Settings\Barb\Cookies\barb@qnsr[2].txt
C:\Documents and Settings\Barb\Cookies\barb@rotator.dex.adjuggler[1].txt
C:\Documents and Settings\Barb\Cookies\barb@specificclick[1].txt
C:\Documents and Settings\Barb\Cookies\barb@specificmedia[1].txt
C:\Documents and Settings\Barb\Cookies\barb@thunderbolt.adjuggler[1].txt
C:\Documents and Settings\Barb\Cookies\barb@www.azoogleads[2].txt
C:\Documents and Settings\Barb\Cookies\barb@www.burstbeacon[1].txt
C:\Documents and Settings\Barb\Cookies\barb@www.clickmanage[2].txt
C:\Documents and Settings\Barb\Cookies\barb@www.dgm2[1].txt
C:\Documents and Settings\Barb\Cookies\barb@www.jartrack[1].txt
C:\Documents and Settings\Barb\Cookies\barb@www.qsstats[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@ad.wsod[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@ad.wsod[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@collective-media[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@content.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@content.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@content.yieldmanager[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@insightexpressai[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\administrator@microsoftwindows.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@a.websponsors[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@a1.interclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ad.wsod[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ad.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ad.zanox[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@adecn[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@adinterax[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@adlegend[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ads.bleepingcomputer[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ads.bridgetrack[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ads.cnn[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ads.pointroll[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ads.undertone[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@adserver.adtechus[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@adxpose[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@americanheart.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@angleinteractive.directtrack[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@apmebf[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@app.insightgrit[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@at.atwola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@atdmt[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@atwola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@avgtechnologies.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@bdsmongolianbarbeque.fbmta[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@borders.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@cdn4.specificclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@classmates.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@clickshift[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@clickwww3[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@clickwww3[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@collective-media[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@content.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@content.yieldmanager[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@counter.hitslink[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@d7.zedo[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@da-tracking[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@dardenrestaurants.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@directtrack[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@discounts.cruisesforless[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@doubleclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@e-2dj6wjnyqgdzwco.stats.esomniture[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ehg-iwantoneofthose.hitbox[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ehg-nestlepurinapetcare.hitbox[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ehg-nestleusainc.hitbox[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@ehg-techtarget.hitbox[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@etrade.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@f2network.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@gap.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@imrworldwide[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@insightexpressai[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@interclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@invitemedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@kanoodle[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@linksynergy[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@lynxtrack[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@media.adfrontiers[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@media6degrees[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@media6degrees[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@meijer.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@microsoftsto.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@msnbc.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@msnportal.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@nextag[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@oasn04.247realmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@paypal.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@richmedia.yahoo[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@sales.liveperson[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@sales.liveperson[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@sesamestats[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@specificclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@specificmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@statcounter[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@stats.paypal[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@stats.townnews[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@t.pointroll[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@uac.advertising[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@uol.realmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@walmart.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@www.burstnet[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\rob@yieldmanager[1].txt
C:\Documents and Settings\Rob\Cookies\rob@a.websponsors[2].txt
C:\Documents and Settings\Rob\Cookies\rob@a1.interclick[1].txt
C:\Documents and Settings\Rob\Cookies\rob@ad.wsod[2].txt
C:\Documents and Settings\Rob\Cookies\rob@ad.yieldmanager[2].txt
C:\Documents and Settings\Rob\Cookies\rob@ad.zanox[1].txt
C:\Documents and Settings\Rob\Cookies\rob@adecn[2].txt
C:\Documents and Settings\Rob\Cookies\rob@adinterax[1].txt
C:\Documents and Settings\Rob\Cookies\rob@adlegend[2].txt
C:\Documents and Settings\Rob\Cookies\rob@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Rob\Cookies\rob@ads.bridgetrack[2].txt
C:\Documents and Settings\Rob\Cookies\rob@ads.cnn[1].txt
C:\Documents and Settings\Rob\Cookies\rob@ads.pointroll[1].txt
C:\Documents and Settings\Rob\Cookies\rob@ads.undertone[2].txt
C:\Documents and Settings\Rob\Cookies\rob@adserver.adtechus[1].txt
C:\Documents and Settings\Rob\Cookies\rob@adxpose[1].txt
C:\Documents and Settings\Rob\Cookies\rob@americanheart.122.2o7[1].txt
C:\Documents and Settings\Rob\Cookies\rob@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Rob\Cookies\rob@apmebf[2].txt
C:\Documents and Settings\Rob\Cookies\rob@app.insightgrit[2].txt
C:\Documents and Settings\Rob\Cookies\rob@at.atwola[1].txt
C:\Documents and Settings\Rob\Cookies\rob@atdmt[1].txt
C:\Documents and Settings\Rob\Cookies\rob@atwola[1].txt
C:\Documents and Settings\Rob\Cookies\rob@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Rob\Cookies\rob@avgtechnologies.112.2o7[2].txt
C:\Documents and Settings\Rob\Cookies\rob@bdsmongolianbarbeque.fbmta[1].txt
C:\Documents and Settings\Rob\Cookies\rob@borders.112.2o7[1].txt
C:\Documents and Settings\Rob\Cookies\rob@cdn4.specificclick[1].txt
C:\Documents and Settings\Rob\Cookies\rob@classmates.112.2o7[1].txt
C:\Documents and Settings\Rob\Cookies\rob@clickshift[1].txt
C:\Documents and Settings\Rob\Cookies\rob@clickwww3[1].txt
C:\Documents and Settings\Rob\Cookies\rob@clickwww3[2].txt
C:\Documents and Settings\Rob\Cookies\rob@collective-media[1].txt
C:\Documents and Settings\Rob\Cookies\rob@content.yieldmanager[1].txt
C:\Documents and Settings\Rob\Cookies\rob@content.yieldmanager[3].txt
C:\Documents and Settings\Rob\Cookies\rob@counter.hitslink[1].txt
C:\Documents and Settings\Rob\Cookies\rob@d7.zedo[1].txt
C:\Documents and Settings\Rob\Cookies\rob@da-tracking[2].txt
C:\Documents and Settings\Rob\Cookies\rob@dardenrestaurants.112.2o7[1].txt
C:\Documents and Settings\Rob\Cookies\rob@directtrack[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\44ABF3F6
HKLM\Software\Microsoft\44ABF3F6#44abf3f6
HKLM\Software\Microsoft\44ABF3F6#Version
HKLM\Software\Microsoft\44ABF3F6#44ab5e76
HKLM\Software\Microsoft\44ABF3F6#44ab3793

Adware.CouponBar
C:\WINDOWS\COUPONBARIE.DLL

Adware.Vundo/Variant-Trace
C:\WINDOWS\SYSTEM32\JHQBQNLU.INI
C:\WINDOWS\SYSTEM32\XSIPQLTG.INI

#12 Rob_P

Posted 27 March 2010 - 10:13 AM

To be clear, I ran SAS in safe mode; after cleaning and rebooting I started in normal mode as a user. It was then that it ran slow and eventually froze.

Rob

#13 Rob_P

Posted 27 March 2010 - 01:08 PM

I started to run SAS on one of the two user accounts and all was going well. It had gone through C:\ and had found a fake.trojan? Can't remember the exact name. It was then working on D:\.
When I came back to it, it looked as though it had stopped responding, and it looked like it was back on C:\ with a file highlighted in the status bar, and had stopped. I clicked Next to quarantine and remove threats. It started, but only one block on the progress bar appeared and it's been like that for the last 10 mins. Also the system clock in the toolbar appears to have stopped too.
I may hit Finish and try to re-scan again.

Robert

#14 Rob_P

Posted 27 March 2010 - 01:10 PM

I just clicked on Finish and it's frozen without completing the quarantine.

#15 Rob_P

Posted 27 March 2010 - 02:03 PM

I re-booted and scanned that user again in safe mode, this time stopping the scan after it had found the fake.trojan. I was then able to complete removing those viruses. Posted below.
I will now try and let it do a complete scan through.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/27/2010 at 02:50 PM

Application Version : 4.34.1000

Core Rules Database Version : 4596
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:30:39

Memory items scanned : 223
Memory threats detected : 0
Registry items scanned : 7464
Registry threats detected : 1
File items scanned : 17918
File threats detected : 52

Adware.Tracking Cookie

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-2301314021-58110987-4070424714-1005\SOFTWARE\Microsoft\fias4013