
PLEASE HELP !!! VIRUSES, GOOGLE REDIRECT, EXPLORER PROBLEM


  • This topic is locked
53 replies to this topic

#1 luv4mypc

  • Members
  • 148 posts
  • Gender:Female
  • Location:california

Posted 07 May 2010 - 10:05 AM

HELLO,
Hope someone can help me.
It started with messages of infection ALL over my screen. I have AVG but they did not come from AVG or Resident Shield; I can not remember where they came from. It looked like Resident Shield but had a different name, and so I thought they were a "fake" to scare me into buying antivirus. I restored my PC back to an earlier time (I had a similar problem before and it had worked) BUT NOT THIS TIME. It got worse: I have Resident Shield showing it's blocking threats continuously and Internet Explorer has a mind of its own now. I had much trouble getting here since it redirected me to other sites. Also in Google Search, when I click on a link within Google I get redirected UGH.. I also have messages of programs encountering a problem and needing to close, with a send or don't send to Microsoft option, and "Virtual memory too low".
I ran AVG a couple of times, which found a couple of trojans, and I ran CCleaner also, but the problems persist.
I have a 2005 eMachine with Win XP.
Help with this is so appreciated, as I was thinking of restoring my PC completely, but I have hundreds of pictures of my grandbabies on here and don't want to lose them, and don't want to go through the trouble of having to start from the beginning.
Thank you,
Liane




#2 boopme
    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 May 2010 - 10:56 AM

Hello and welcome Liane, please run these next. If you have Spybot installed temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop (alternate download link 1, alternate download link 2).
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 luv4mypc
  • Topic Starter
  • Members
  • 148 posts
  • Gender:Female
  • Location:california

Posted 07 May 2010 - 12:24 PM

Thank you boopme :thumbsup: for your FAST response and help.. I did as you said and here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4075

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/7/2010 10:17:02 AM
mbam-log-2010-05-07 (10-17-02).txt

Scan type: Quick scan
Objects scanned: 126773
Time elapsed: 18 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RealTime Gaming Software\Gold VIP Club Casino (Adware.Casino) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
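Both MBAM logs in this thread use the same plain-text layout, and the first thing a helper reads off them is the family names in parentheses and the counters at the top. As an added example (not code from BleepingComputer, Malwarebytes or any poster), here is a small Python parser for that 1.46-era layout: it groups detections by family, lists the rogue/trojan entries separately from the adware clutter, and cross-checks the summary counters against the lines actually pasted, which is the usual way to notice a log that was posted without its header or with a section cut off. The sample log is the quick-scan log above trimmed to five registry keys with the counters adjusted to match; the `Rogue.`/`Trojan.` severity split and the "needs full scan" rule are the example's own heuristics, not Malwarebytes' classification.

```python
"""Summarise an MBAM 1.x scan log. Added example (not Malwarebytes' code);
assumes the 1.46 plain-text layout pasted in this thread: header lines,
"Label: count" summary lines, then per-category sections whose entries read
"<location> (<Family>) -> <action>."."""
import re
from collections import Counter

# Constructed sample: the posted quick-scan log, key list trimmed to five
# entries and the counters adjusted to match.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46

Database version: 4075

Scan type: Quick scan

Memory Processes Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Families that mean an active rogue (fake AV) or trojan component rather than
# adware clutter. This severity split is the example's own heuristic.
HIGH_RISK_PREFIXES = ("Rogue.", "Trojan.")


def parse_mbam_log(text):
    """Return (header, summary, entries) for an MBAM 1.x log."""
    header, summary, entries, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if m := SUMMARY_RE.match(line):      # "Registry Keys Infected: 5"
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):    # "Registry Keys Infected:"
            section = m.group(1)
        elif section is None:                # header, e.g. "Scan type: Quick scan"
            key, sep, value = line.partition(": ")
            if sep:
                header[key] = value
        elif m := ENTRY_RE.match(line):      # one detection line
            entries.append({"section": section, **m.groupdict()})
    return header, summary, entries


def families(entries):
    """Detections per malware family, most frequent first."""
    return Counter(e["family"] for e in entries).most_common()


def high_risk(entries):
    """Locations whose family is a rogue or trojan component."""
    return [e["location"] for e in entries if e["family"].startswith(HIGH_RISK_PREFIXES)]


def count_mismatches(summary, entries):
    """Summary counters that disagree with the entries listed: the usual sign
    of a log pasted without its header or with sections cut off."""
    seen = Counter(e["section"] for e in entries)
    return {label: (n, seen[label]) for label, n in summary.items() if seen[label] != n}


def triage(text):
    """One-screen verdict for a pasted log."""
    header, summary, entries = parse_mbam_log(text)
    risky = high_risk(entries)
    return {
        "scan_type": header.get("Scan type"),
        "database": header.get("Database version"),
        "total": len(entries),
        "families": families(entries),
        "high_risk": risky,
        "count_mismatches": count_mismatches(summary, entries),
        # Rogue/trojan hits on a quick scan call for a full scan, as in the thread.
        "needs_full_scan": bool(risky) and header.get("Scan type", "").startswith("Quick"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run on the sample, `triage` reports six detections across five families, three rogue/trojan locations (the BHO, `avsuite` and `avsoft`) and no counter mismatches, so `needs_full_scan` is true, which is exactly the call boopme makes after this log. Pasting the same log with the values section cut off makes `count_mismatches` report `Registry Values Infected` as 1 expected versus 0 seen.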

#4 luv4mypc
  • Topic Starter
  • Members
  • 148 posts
  • Gender:Female
  • Location:california

Posted 07 May 2010 - 12:41 PM

UGH.. :thumbsup:
Google is still redirecting and I get an additional
"Explorer can not display the webpage" window.
What do I do next ?

#5 eastonch

  • Members
  • 110 posts
  • Gender:Male

Posted 07 May 2010 - 12:54 PM

By the looks of the infections found (I'm using this info from experience and not random knowledge, although I am not an expert):

It appears you downloaded the MyWebSearch Toolbar? This toolbar is usually bad, as well as its 'followers' such as the Kiwee toolbar, Hotbar, or any other rubbish for MSN.

Can't remember the name of it, but I'm sure there is a hosts file cleaner / resetter, although I don't know its name or how to use it...

Basically, what's the matter with the PC now is that your PC is just about clean from infections, although you are infected with some sort of browser hijack which is preventing you from accessing certain sites. E.g., try the AVG website and you will find that it is redirected somewhere nasty.
Usually, that is.

But since the PC is cleaned?
Some hijacks still remain and have nowhere to go correctly and will just result in an error. Therefore the 'Explorer Can Not Display The Webpage' is a valid error.

Await further help from boopme.

Good luck with the cleaning :thumbsup:

May I also offer some advice: download
WOT - Web of Trust.
It's a simple traffic light system which tells you if the site is safe, neutral or bad.
It also stops you from going on certain pages or displays a warning screen before accessing severe sites that will infect the PC or offer a misleading download, such as My WebSearch.

I was in the same boat as you; my mom's lappy was attacked by MyWebSearch after she foolishly clicked an ad and downloaded it..
4 hours it took me to remove that.

#6 boopme
    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 May 2010 - 01:07 PM

Hello, yep, still some baddies on here.. So go into your Control Panel, then Add/Remove Programs and uninstall the toolbars listed there.

Next we'll run a Safe Mode scan. We are pretty close to being clean.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#7 luv4mypc
  • Topic Starter
  • Members
  • 148 posts
  • Gender:Female
  • Location:california

Posted 07 May 2010 - 06:24 PM

Question:
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.

When you say leave all others unchecked, do you mean all those that have no checkmarks OR UNCHECK all the rest? Because all of the rest are checked except for the restore.

#8 boopme
    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 May 2010 - 06:31 PM

OR UNCHECK all the rest

#9 luv4mypc
  • Topic Starter
  • Members
  • 148 posts
  • Gender:Female
  • Location:california

Posted 08 May 2010 - 01:34 AM

Hi boopme,
:flowers: It has gotten even worse; Explorer hardly responds and Google still redirects!
I kept getting the "program is not responding" error in Explorer.
I did the scan, 5 1/2 hours of scanning, and here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2010 at 10:36 PM

Application Version : 4.37.1000

Core Rules Database Version : 4904
Trace Rules Database Version: 2716

Scan type : Complete Scan
Total Scan Time : 05:23:20

Memory items scanned : 227
Memory threats detected : 0
Registry items scanned : 5707
Registry threats detected : 2
File items scanned : 164993
File threats detected : 70

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bizzclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.wsod[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertise[1].txt
C:\Documents and Settings\Owner\Cookies\owner@media6degrees[1].txt
C:\Documents and Settings\Owner\Cookies\owner@data.coremetrics[1].txt
C:\Documents and Settings\Owner\Cookies\owner@dmtracker[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[3].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@invitemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.gossipcenter[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstnet[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clicksor[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@enhance[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@legolas-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@legolas-media[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@oasn04.247realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@oasn04.247realmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@toseeka[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstnet[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.finditquick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@xml.happytofind[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt

Rogue.AntivirusSoft
HKU\.DEFAULT\Software\avsoft
HKU\S-1-5-18\Software\avsoft

So whats next? :thumbsup:

#10 luv4mypc
  • Topic Starter
  • Members
  • 148 posts
  • Gender:Female
  • Location:california

Posted 08 May 2010 - 01:54 AM

Hello eastonch,
Thank you for the WOT tip, I will certainly check it out when my PC is all fixed.
I can't remember downloading the web search toolbar; I had Google, Yahoo and eBay toolbars, that's about it, but I do remember checking out some cute smileys on a website some time back. I love smileys and the name Kiwee sounds familiar. OH, I just remembered I downloaded a couple of screensavers and backgrounds which caused me problems, so I uninstalled them.
But the problem started a week ago when my daughter listened to and downloaded some music files.
I so appreciate your input and all the help I am getting here. And yes, I am carefully following all of boopme's advice and keep praying it will all be well. This is a nightmare.
Waving hello at you from southern California :thumbsup:





#11 boopme
    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 May 2010 - 08:30 AM

Hello, hopefully we'll have your PC as pretty as your weather soon.
This AV soft infection has truly evolved into a horror and is long in removing.
Many apps you install now carry toolbars and you need to uncheck that box before installing.

Let's do a Full MBam and an online scan.. Make sure all browsers and mail apps are closed.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


ESET
Please perform a scan with the ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#12 luv4mypc
  • Topic Starter
  • Members
  • 148 posts
  • Gender:Female
  • Location:california

Posted 08 May 2010 - 11:50 AM

Hello, hopefully we'll have your PC as pretty as your weather soon.
This AV soft infection has truly evolved into a horror and is long in removing.
Many apps you install now carry toolbars and you need to uncheck that box before installing.

Let's do a Full MBam and an online scan.. Make sure all browsers and mail apps are closed.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select FULL scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


ESET
Please perform a scan with Eset Online Antiivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
  • A new window will appear asking "Do you want to install this software?"".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

boopme, what do I do?
I am in the middle of running the MBAM (had to pause it). I keep getting a Security Warning message: "Application can not be executed. The file Googleupdater.exe is infected", and the same for rbroker.exe and avgmgr.exe. "Do you want to activate your Antivirus software now?" Do I click yes or no?
BTW :So Far Mbam found 50 infections ...

#13 luv4mypc

luv4mypc
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:california
  • Local time:05:21 PM

Posted 08 May 2010 - 03:46 PM

OK Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4078

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/8/2010 1:25:01 PM
mbam-log-2010-05-08 (13-25-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 258174
Time elapsed: 3 hour(s), 35 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 58

Memory Processes Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lwrgblqhn\elokjcwtssd.exe (Rogue.AntiSpywareSoft) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe (Adware.Casino) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fomyplqb (Rogue.AntiSpywareSoft) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fomyplqb (Rogue.AntiSpywareSoft) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Cirrus Casino\auslots.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\bj.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\directsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\extgame.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\Install.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\keno.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\lbyinst.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\miniprocess.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\plibc32.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Cirrus Casino\winsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\auslots.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\bj.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\directsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\keno.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\lbyinst.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\miniprocess.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\plibc32.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\winsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Club World Casinos\_patch\Slots - Common\slots.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\bj.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\directsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\extgame.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\Install.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\lbyinst.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\miniprocess.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\plibc32.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Slots of Vegas\winsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\bj.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\directsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\extgame.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\lbyinst.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\miniprocess.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\plibc32.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\winsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\_patch\Keno - Common\keno.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\_patch\Lobby\casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\_patch\Lobby\directsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\_patch\Lobby\lbyinst.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\_patch\Lobby\miniprocess.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\_patch\Lobby\plibc32.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Sun Palace Casino\_patch\Lobby\winsound.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lwrgblqhn\elokjcwtssd.exe (Rogue.AntiSpywareSoft) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114564.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114565.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114567.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114570.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114571.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114590.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114591.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114595.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114601.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP963\A0114603.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP965\A0115321.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4.212747163333422E8.exe (Rogue.AntiSpywareSoft) -> Quarantined and deleted successfully.

Edited by boopme, 08 May 2010 - 08:05 PM.

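As an added defensive check (written for this page, not part of the thread and not MBAM's own tooling): the log above shows where the rogue had anchored itself, a `Run` value named `fomyplqb` under both `HKLM` and `HKEY_USERS\.DEFAULT` pointing at a randomly named executable in the NetworkService profile, plus an `Image File Execution Options` key for `Install.exe`. The PowerShell below enumerates those autostart and IFEO locations and flags entries launching from profile or Temp directories, so the same kind of leftover can be reviewed by hand after a scan. The list of "unusual" directories is a constructed assumption and should be tuned for the machine being checked; run it from an elevated prompt.

```powershell
# Added example (not from the thread): list Run-key autostarts and IFEO
# Debugger hijacks, the two registry locations MBAM flagged in the log.
# Written for PowerShell 2.0 so it also works on Windows XP.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # The rogue above also wrote to the .DEFAULT hive (used by service accounts).
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption: legitimate autostarts rarely launch from these locations.
# Tune this list for the machine being checked.
$unusualDirs = @(
    '\Local Settings\Application Data\',
    '\AppData\Local\',
    '\Temp\',
    '\Documents and Settings\NetworkService\'
)

# Properties PowerShell adds to every Get-ItemProperty result; not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $flag = $false
            foreach ($d in $unusualDirs) {
                if ("$($p.Value)" -like "*$d*") { $flag = $true }
            }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Unusual = $flag
            }
        }
    }
}

function Get-IfeoDebuggers {
    # A Debugger value here makes Windows launch that program instead of the
    # named image; legitimate uses are rare, so every hit deserves a look.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    if (-not (Test-Path -Path $ifeo)) { return }
    foreach ($sub in (Get-ChildItem -Path $ifeo)) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
        if ($dbg) {
            New-Object PSObject -Property @{
                Image    = $sub.PSChildName
                Debugger = $dbg
            }
        }
    }
}

"--- Autostart (Run) entries; Unusual=True launches from a profile/Temp path ---"
Get-RunEntries | Sort-Object Unusual -Descending | Format-Table Unusual, Name, Command, Key -AutoSize

"--- Image File Execution Options entries with a Debugger value ---"
Get-IfeoDebuggers | Format-Table Image, Debugger -AutoSize
```

Entries that the scanner has already quarantined will no longer appear; what this catches is anything a scanner missed or that was re-created on reboot, which is the usual reason a "cleaned" machine still throws fake warnings.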

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:21 PM

Posted 08 May 2010 - 08:04 PM

Sorry, couldn't be back here sooner but you did the right thing. They were fake warnings by the Rogue and fake malwares.

Good progress ...Run ESET and tell me how it is after that.

Edited by boopme, 08 May 2010 - 08:06 PM.


#15 luv4mypc

luv4mypc
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:california
  • Local time:05:21 PM

Posted 08 May 2010 - 08:33 PM

Sorry, couldn't be back here sooner but you did the right thing. They were fake warnings by the Rogue and fake malwares.

Good progress ...Run ESET and tell me how it is after that.




Oh hi boopme, gosh I missed ya, had me sweating lol. It is Saturday and I did not expect you to be answering any posts, but so glad you are here :thumbsup: I already ran the other scan and after it was finished it had found 10 problems, BUT when I tried to open it (as you instructed) I got an error message: "Windows can not find C:\Program" (it does not show the rest of the path) "please check the path and file name" etc. etc. I checked and tried again, but then I closed the scan result by accident and now I can't find any such file within the program files... so I will disable AVG and run the scan again. Will post as soon as I have results... and will be careful NOT to close the scan window... just in case.