Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Xp Defender removal


  • This topic is locked This topic is locked
22 replies to this topic

#1 daguca6

daguca6

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 31 March 2010 - 01:21 PM

My wife has XP Defender on her laptop for about a month now. I have been able to buy a couple days here and there by running Spy Sweeper, Spybot, and Symantec Antivirus. But sure enough it returns and drops pop-ups all over the screen. I am done. I know just enough about computers to get into trouble so at this point, with my knowledge, I have no other solutions. From what I have seen on these forums, everyone seems to have to do something a little different so that's why I am creating a new topic. Please send help as I am done with this Virus. Thanks in advance.

Edited by Orange Blossom, 31 March 2010 - 02:50 PM.
Move to AII as no logs posted. ~ OB


BC AdBot (Login to Remove)

 


#2 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:01:53 AM

Posted 01 April 2010 - 10:45 AM

Please have a look at the removal instructions posted here. When you have completed the MalwareBytes scan, please post the results.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 daguca6

daguca6
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 01 April 2010 - 02:01 PM

QUOTE(techextreme @ Apr 1 2010, 08:45 AM) View Post
Please have a look at the removal instructions posted here. When you have completed the MalwareBytes scan, please post the results.


Here (below) are the results to my scan via the notepad doc. from the Malwarebytes scan. I hope I did this right. Thanks again for the help.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/1/2010 11:37:55 AM
mbam-log-2010-04-01 (11-37-55).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 195996
Time elapsed: 46 minute(s), 17 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe" /START "%programfiles%\mozilla firefox\firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe" /START "%programfiles%\internet explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe" /START "%programfiles%\mozilla firefox\firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-1183700081-3588330970-775125930-1027\Dc12.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\APC-MGE\Applications\Malwarebytes.Anti-Malware.v1.33.Multilingual.Incl.Keygen-CRD- { www.Speed.cd }\crd.exe (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
D:\APC-MGE\Applications\Malwarebytes.Anti-Malware.v1.33.Multilingual.Incl.Keygen-CRD- { www.Speed.cd }\keygen\kg.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
D:\APC-MGE\Applications\Malwarebytes.Anti-Malware.v1.33.Multilingual.Incl.Keygen-CRD- { www.Speed.cd }\setup\mbam-setup.exe (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTiipsxmlmlk.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\H8SRTrqpxuwyrjb.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\wlani\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Edited by daguca6, 01 April 2010 - 02:05 PM.


#4 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:01:53 AM

Posted 01 April 2010 - 02:15 PM

You did reboot after running Malwarebytes to finish the cleaning process correct?

We're gonna run a few more things.

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
  • First

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start.(the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.

Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn\ them back on after you are finished

You posted your logs just right. Please post the logs from SAS and ESET when they are complete.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#5 daguca6

daguca6
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 02 April 2010 - 01:01 AM

QUOTE(techextreme @ Apr 1 2010, 12:15 PM) View Post
You did reboot after running Malwarebytes to finish the cleaning process correct?

We're gonna run a few more things.

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
  • First
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start.(the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn\ them back on after you are finished

You posted your logs just right. Please post the logs from SAS and ESET when they are complete.



Thanks for the additional information and for letting me know I posted correctly. This is really my first forum I have ever posted to so your words helped. Anyway, I will post the SAS log first then the ESET log shortly after. I do want to let you know that after I ran the SAS scan and rebooted normally, nothing wanted to open when I asked it to. Firefox, Word, etc., gave me the "Open With" window. Now when I went to use IE, it opened and I was able to perform the ESET scan. I understand in you last post I was to use the IE browser to do the ESET but was unsure if the other happenings were normal. I just wanted to let you know. Thanks again and here you go.

SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/01/2010 at 08:46 PM

Application Version : 4.35.1002

Core Rules Database Version : 4759
Trace Rules Database Version: 2571

Scan type : Complete Scan
Total Scan Time : 03:38:08

Memory items scanned : 268
Memory threats detected : 1
Registry items scanned : 7161
Registry threats detected : 0
File items scanned : 92459
File threats detected : 197

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\WLANI\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\AVE.EXE
C:\DOCUMENTS AND SETTINGS\WLANI\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\AVE.EXE
C:\WINDOWS\Prefetch\AVE.EXE-2254D62D.pf

Adware.Tracking Cookie
C:\Documents and Settings\wlani\Cookies\wlani@paypal.112.2o7[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@www.apartmentfinder[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@ad.wsod[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@serving-sys[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@at.atwola[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@adecn[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@questionmarket[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@specificclick[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@lucidmedia[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@media.mtvnservices[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@adserver.adtechus[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@tacoda[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@gemoneysusmb2.112.2o7[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@realmedia[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@ishowernaked2[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@tribalfusion[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@media6degrees[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@ads.bridgetrack[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@adbrite[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@247traffic[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@atdmt[3].txt
C:\Documents and Settings\wlani\Cookies\wlani@interclick[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@sales.liveperson[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@ads.pointroll[3].txt
C:\Documents and Settings\wlani\Cookies\wlani@nextag[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@sales.liveperson[3].txt
C:\Documents and Settings\wlani\Cookies\wlani@marriottinternational.122.2o7[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@bridge1.admarketplace[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@collective-media[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@cdn4.specificclick[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@specificmedia[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@bs.serving-sys[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@ads.meredithads[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@trackalyzer[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@pluckit.demandmedia[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@msnportal.112.2o7[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@247realmedia[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@pointroll[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@apartmentfinder[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@ad.yieldmanager[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@content.yieldmanager[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@admarketplace[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@stats.paypal[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@atdmt[4].txt
C:\Documents and Settings\wlani\Cookies\wlani@lucasarts.122.2o7[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@trafficmp[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@apmebf[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@dmtracker[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@doubleclick[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@google.lucidmedia[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@atdmt[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@fastclick[2].txt
.atwola.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.insightfirst.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\default user\Application Data\Mozilla\Firefox\Profiles\mttgzb4z.default\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\default user\Application Data\Mozilla\Firefox\Profiles\mttgzb4z.default\cookies.txt ]
.ehg-apcc.hitbox.com [ C:\Documents and Settings\default user\Application Data\Mozilla\Firefox\Profiles\mttgzb4z.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\default user\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.insightfirst.com [ C:\Documents and Settings\default user\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.atwola.com [ C:\Documents and Settings\default user\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\Documents and Settings\default user\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\Documents and Settings\default user\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
C:\Documents and Settings\NetworkService\Cookies\system@1046.clicksvalidate[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@1046.clicksvalidate[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@adcloudmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.associatedcontent[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.bighealthtree[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.mail[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.mefeedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[10].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[11].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[8].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[9].txt
C:\Documents and Settings\NetworkService\Cookies\system@affiliates.commissionaccount[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@associatedcontent.112.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atlas.entrepreneur[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atlas.entrepreneur[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@buycom.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@CADXKFX5.txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91408.asklots[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91419.blueseek[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz2.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz3.91419.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz3.91469.blueseek[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz5.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz7.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz7.91469.blueseek[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz8.91469.blueseek[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clicksor[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@counter.surfcounters[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@counter.surfcounters[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@counter.surfcounters[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@definitely-find[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@dr.findlinks[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@exoclick.40531.asklots[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@exoclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@eyewonder[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@eyewonder[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@finditquick.1046.asklots[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@homestore.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@icityfind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[8].txt
C:\Documents and Settings\NetworkService\Cookies\system@kontera[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@legolas-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@overture[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@t.pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tracker.adcloudmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tracking.realtor[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@traffic.buyservices[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.findandcompare[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.icityfind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.icityfind[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.icityfind[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.justclicklocal[2].txt
.doubleclick.net [ C:\Documents and Settings\wlani\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.insightfirst.com [ C:\Documents and Settings\wlani\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.atwola.com [ C:\Documents and Settings\wlani\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\Documents and Settings\wlani\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\Documents and Settings\wlani\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
C:\Documents and Settings\wlani\Cookies\wlani@advertise[1].txt
C:\Documents and Settings\wlani\Cookies\wlani@invitemedia[2].txt
C:\Documents and Settings\wlani\Cookies\wlani@specificmedia[1].txt
.doubleclick.net [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.insightfirst.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
.atwola.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
ads.specificpop.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\bb4wg4jo.slt\cookies.txt ]
C:\WINDOWS\system32\config\systemprofile\Cookies\laptopadmin@insightfirst[1].txt

Trojan.Agent/Gen-Cryptik
C:\DOCUMENTS AND SETTINGS\WLANI\LOCAL SETTINGS\APPLICATION DATA\VMA.EXE
C:\WINDOWS\Prefetch\VMA.EXE-20862B36.pf


ESET

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=5b5a01fbb2c9734d8bd3936a867bebcc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-02 05:29:10
# local_time=2010-04-01 10:29:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=93739
# found=3
# cleaned=3
# scan_time=4002
C:\Documents and Settings\wlani\Local Settings\Application Data\2350793896.dll Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\wlani\Local Settings\Temporary Internet Files\Content.IE5\CUHU2ZLV\n002106201r0409Xb42d6358Yff99d597Z0100f08030dP000301080[1] a variant of Win32/Kryptik.DLI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\wlani\Local Settings\Temporary Internet Files\Content.IE5\Z750GABN\n002106201r0409Rcc242ed5Xb42d77bdYff99d597Z0100f08030dP000301080[1] a variant of Win32/Kryptik.DLI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C



That's all I got. In advance, thanks again.

#6 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:01:53 AM

Posted 02 April 2010 - 06:45 AM

Looks like we got a good bit of gook cleaned out. That's good.

I'd like you to clean out your temp files.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


Please let me know if you are still receiving the "open with" dialog boxes when you try to run anything on your computer.


Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#7 daguca6

daguca6
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 02 April 2010 - 12:34 PM

QUOTE(techextreme @ Apr 2 2010, 04:45 AM) View Post
Looks like we got a good bit of gook cleaned out. That's good.

I'd like you to clean out your temp files.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


Please let me know if you are still receiving the "open with" dialog boxes when you try to run anything on your computer.



It's not working

I can not open the TFC link. When I go to the website it tries to save as but then it gives me the "open with" dilogue box. I tried to flash drive it from the other laptop I have but it does the same thing. I can not open it, or do not know how to open with the items it has listed for me to select from. I am sure this is not the norm so I am requesting more help please. Thanks.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:53 AM

Posted 03 April 2010 - 02:26 PM

Hello there,

Techextreme is unavailable over the weekend, so I'm taking this over. Please let me know if you have this "open with" problem with many applications.

I see some signs of a rootkit and I would like to make sure first if its still there or not so we can take appropriate action.

If you are not able to run the scan for some reason, please let me know what prevents you from doing so and we'll find a work-around smile.gif

Please do not quote the posts, instead use the add reply button to answer to this topic.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 daguca6

daguca6
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 05 April 2010 - 10:09 PM

Still can't do a thing. I tried to load the gmer from both linls and nada. From the first download link, it still asks me to "open with" through the dialogue box. Then when I open the zip file, it says "Cannot execute 'D:\TEMP\Rar$EX01.750\gmer.exe'.

It still seems that I can not get around the "open with" box ever since the previous scan. I am sure that once this issue is resolved we will be able to move forward. The only issue is that I have no idea what to do next. So thanks you again for the instruction and the help. If worse really comes to worse I can reformat but I don't want to do that at all. Talk to you in a bit.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:53 AM

Posted 06 April 2010 - 04:57 AM

Please download fixexe.reg (right click on the file and select "save target as...") and save it to your desktop.

Double click on the file to run it and if asked if you want to merge the information with the registry click OK. You will receive a message the information is succesfully merged.

Let me know if the "open with " problem is fixed now.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 daguca6

daguca6
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 08 April 2010 - 01:36 AM

You folks are awesome how you resolve issues that people give to you. I told you I couldn't open something, you told me to DL something, and the next thing you know the computer works. No more "open with" boxes. Thank you. What's next?

#12 daguca6

daguca6
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 08 April 2010 - 02:39 AM

I did the TFC cleaner as well. Thanks again and i await your response.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:53 AM

Posted 08 April 2010 - 04:42 AM

Happy to hear it worked smile.gif

Can you please rerun MBAM, update it and run a quick scan? Post me the results.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 daguca6

daguca6
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 08 April 2010 - 11:51 PM

MBAM updated and the quick scan was run. Here is the information logged. Thanks.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3970

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/8/2010 9:49:27 PM
mbam-log-2010-04-08 (21-49-27).txt

Scan type: Quick scan
Objects scanned: 111023
Time elapsed: 10 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\wlani\Local Settings\Application Data\vma.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:53 AM

Posted 09 April 2010 - 04:48 AM

To doublecheck things, lets do also a rootkit scan.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users