Trojan BHO on Windows XP, among other things...

8 replies to this topic

#1 Kat91119


  • Members
  • 128 posts
  • Gender:Female
  • Local time:01:10 PM

Posted 03 June 2010 - 12:10 AM

I’m trying to help my friend fix her computer…to be honest she isn’t giving me the best descriptions…but she cannot access the internet on her home computer to ask for help.

SO…here is the problem.

Her computer is infected big time. She cannot do anything just about. She already had Malwarebytes on her PC, but she cannot update it. She can check her email (through Outlook Express, I’m assuming) and it will send and receive, but she cannot get to any website.

I requested she reboot into safe mode. She tried about 4 different times, but she would keep getting a keyboard error. Or her mouse and keyboard would just stop working.

I told her I couldn’t help her without some kind of log. So, she ran the version of Malwarebytes that she did have, and here is the log:

Here's the log w/the info...this was the 1st one i did and the only one that turned anything up.
Malwarebytes' Anti-Malware 1.41
Database version: 3179
Windows 5.1.2600 Service Pack 3
6/1/2010 9:09:11 PM
mbam-log-2010-06-01 (21-09-11).txt
Scan type: Quick Scan
Objects scanned: 119494
Time elapsed: 9 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.

She tried rebooting and attempting safe mode, connecting to the net, and updating Malwarebytes, but it won’t work. She said that she did a couple other things before talking to me. Such as finding some suspicious files and removing them herself. Don’t know what they are though. She tried scanning again with Malwarebytes and it cannot find anything…obviously if she were able to update it, it would probably find stuff.

The only thing she said to me, which isn’t very helpful is:

i did the detailed search, and it came up negative...so....here's a screen shot, not sure if it'll work: nope, it didn't, so.......it's bringing up this site: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome when i go....and it says "internet explorer cannot display the website".....i did the test, says "windows cannot connect to the internet using http, https or ftp. this is probably caused by firewall settings on this computer"
check firewall settings for the blah....

Can anyone help me point her in the right direction? Let me know what other kind of info you might need and I’ll email her at work with directions.


Edited by Orange Blossom, 03 June 2010 - 07:34 PM.
Deactivate link. ~ OB


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:10 PM

Posted 03 June 2010 - 11:13 AM

Hello, let's see if we can get a foot in like this.

Hello and welcome... You need to do all the steps as some pertain to your issue..
Please follow our Removal Guide here Remove Antispyware Soft (Uninstall Guide)
You will move to the Automated Removal Instructions

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Kat91119

  • Topic Starter

  • Members
  • 128 posts
  • Gender:Female
  • Local time:01:10 PM

Posted 03 June 2010 - 11:48 AM

Ok, I will pass the directions and programs on to her. Hopefully she'll be able to enter safe mode since she hasn't been able to before. Or I'll just have her try to run something in reg. mode first, and then hopefully she'll be able to get into safe mode. I'll post her log here after.

#4 Kat91119

  • Topic Starter

  • Members
  • 128 posts
  • Gender:Female
  • Local time:01:10 PM

Posted 05 June 2010 - 04:51 PM

Ran into a small email problem.. She says she did the Malwarebytes update and scan. Says it found 10 things, including the Rkill (she had to download the other versions cause none would work until she tried the last one). She checked it off to delete everything ...including Rkill...which of course said in the email I sent her with the steps you gave me...NOT to remove them lol.

So, she rebooted, and now her email doesn't work, but her internet does. I assume something must have gotten changed in there. So because her email isn't working, she cannot send me a log file.

She was getting this error in Outlook Express:

The connection to the server has failed. Account: 'mail.comcast.net', Server: 'smtp.comcast.net', Protocol: SMTP, Port: 25, Secure(SSL): No, Socket Error: 10060, Error Number: 0x800CCC0E

So I found these directions:

and told her to try it out. She then got this error:

The message could not be sent because the server rejected the sender's e-mail address. The sender's e-mail address was '*****@comcast.net'. Subject 'Fw: Virus Steps', Account: 'mail.comcast.net', Server: 'smtp.comcast.net', Protocol: SMTP, Server Response: '550 5.1.0 Authentication required', Port: 587, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC78

She rebooted, and it worked. So here is the log:

Malwarebytes' Anti-Malware 1.46

Database version: 4170

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/5/2010 1:23:57 PM
mbam-log-2010-06-05 (13-23-57).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 217499
Time elapsed: 3 hour(s), 41 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsxydowq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsxydowq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Rae\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Edited by Kat91119, 05 June 2010 - 04:51 PM.
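
Added example (not part of the thread, and not Malwarebytes' own tooling): a small Python parser for the MBAM 1.4x text-log layout shown in the two logs above. It checks that the pasted detection lines match the summary counts (a truncated paste shows up as a mismatch), groups detections by where they sat in the registry, and lists CLSIDs flagged in both scans. The log text is copied from the posts above with empty sections trimmed; the category labels and function names are this example's own.

```python
import re
from collections import Counter

# Copied from the two MBAM logs in this thread; empty sections trimmed.
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3179
Registry Keys Infected: 3
Files Infected: 2
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4170
Registry Keys Infected: 5
Registry Values Infected: 4
Files Infected: 1
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsxydowq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsxydowq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Rae\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

DBVER = re.compile(r"^Database version: (\d+)$")
SUMMARY = re.compile(r"^(?P<section>[A-Z][\w ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Z][\w ]+ Infected):$")
# "<object> (<detection name>) -> <action>"; the name never contains parentheses.
DETECTION = re.compile(r"^(?P<object>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
GUID = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")

# Registry locations mapped to what they are used for (labels chosen for this example).
CATEGORIES = [
    (r"\\Explorer\\Browser Helper Objects\\", "IE BHO registration"),
    (r"\\CurrentVersion\\Run\\", "Run-key autostart"),
    (r"\\CurrentVersion\\Ext\\(Stats|Settings)\\", "IE add-on per-user data"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration"),
]


def parse_mbam_log(text):
    """Return database version, summary counts and detection lines of one log."""
    log = {"db_version": None, "claimed": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DBVER.match(line):
            log["db_version"] = int(m.group(1))
        elif m := SUMMARY.match(line):
            log["claimed"][m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := DETECTION.match(line)):
            log["detections"].append({"section": section, **m.groupdict()})
    return log


def count_mismatches(log):
    """Sections whose summary count differs from the lines actually pasted."""
    actual = Counter(d["section"] for d in log["detections"])
    return {s: (n, actual[s]) for s, n in log["claimed"].items() if n != actual[s]}


def classify(detection):
    obj = detection["object"]
    for pattern, label in CATEGORIES:
        if re.search(pattern, obj, re.IGNORECASE):
            return label
    return "other registry" if obj.upper().startswith("HKEY_") else "file"


def category_counts(log):
    return Counter(classify(d) for d in log["detections"])


def recurring_clsids(first, second):
    """CLSIDs that were flagged in both scans, i.e. not fully cleaned the first time."""
    def guids(log):
        return {g.lower() for d in log["detections"] for g in GUID.findall(d["object"])}
    return guids(first) & guids(second)


if __name__ == "__main__":
    one, two = parse_mbam_log(SCAN_1), parse_mbam_log(SCAN_2)
    for label, log in (("scan 1", one), ("scan 2", two)):
        print(label, "db", log["db_version"], dict(category_counts(log)),
              "mismatches:", count_mismatches(log))
    print("flagged in both scans:", recurring_clsids(one, two))
```
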

#5 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:10 PM

Posted 05 June 2010 - 07:51 PM

Hi, that was strange indeed. But at least you passed it. Good work. We had some hits on it in that scan. As you guys are doing this apart, I want you to do these 3 steps. SAS will be at least an hour.

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates. When done,
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

Now do an online scan with ESET:
Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Please ask any needed questions, post SAS, MBAM and ESET logs and let us know how the PC is running now.

#6 Kat91119

  • Topic Starter

  • Members
  • 128 posts
  • Gender:Female
  • Local time:01:10 PM

Posted 07 June 2010 - 10:49 AM

Ok, I passed on the directions and she gave me the logs.

I've edited a part only because it contained her first and last name. I also told her that some cookies store passwords for some sites, so she may not have removed them with ATF and that's why they show up there.

SUPERAntiSpyware Scan Log

Generated 06/06/2010 at 06:56 PM

Application Version : 4.38.1004

Core Rules Database Version : 4951
Trace Rules Database Version: 2763

Scan type : Complete Scan
Total Scan Time : 01:29:33

Memory items scanned : 242
Memory threats detected : 0
Registry items scanned : 4110
Registry threats detected : 0
File items scanned : 27387
File threats detected : 265

Adware.Tracking Cookie


Unclassified.Unknown Origin/System

Malwarebytes' Anti-Malware 1.46

Database version: 4173

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/6/2010 7:35:02 PM
mbam-log-2010-06-06 (19-35-02).txt

Scan type: Quick scan
Objects scanned: 123000
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=6abc9b1eff0a3a42b76c1156808d0ea4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-07 02:24:34
# local_time=2010-06-06 10:24:34 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 16557584 16557584 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=58883
# found=2
# cleaned=2
# scan_time=8983
D:\Program Files\MySpace\IM\MySpaceIM.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\wt\wtupdates\wtwebdriver\files\\npwthost.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

She didn't give me any info on how the computer was running now. I'll ask her and see what info she passes on. She doesn't use her PC all that much, her boyfriend does, and every time he gets on and visits one of "those" sites lol, there is a new virus. So I'm not sure if she'll notice it running too much differently other than no popups. We shall see.
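
As an added example (not part of the original post, and not ESET's own tooling), the Python below parses the ESET Online Scanner log format shown above and checks that the `found` and `cleaned` counts agree with the per-file entries. The detection-line layout is inferred only from the two entries in that log, and treating an action that contains "cleaned" as resolved is an assumption.

```python
import re

# Excerpt of the ESET log from the post above (most header lines trimmed).
SAMPLE_LOG = r"""# scanned=58883
# found=2
# cleaned=2
D:\Program Files\MySpace\IM\MySpaceIM.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\wt\wtupdates\wtwebdriver\files\\npwthost.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Assumed line shape, inferred from the two entries in the post:
# <path> <detection name> (<action>) <32 hex chars> <flag>
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+.*?)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)

def parse_eset_log(text):
    """Return (header dict, detection dicts, lines that did not parse)."""
    header, detections, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header.setdefault(key, []).append(value)  # some keys repeat
        elif line:
            m = DETECTION.match(line)
            if m:
                detections.append(m.groupdict())
            else:
                unparsed.append(line)  # never silently drop an odd line
    return header, detections, unparsed

def triage(text):
    """Summarise what a helper reading the log needs to know."""
    header, detections, unparsed = parse_eset_log(text)
    found = int(header.get("found", ["0"])[0])
    cleaned = int(header.get("cleaned", ["0"])[0])
    # Assumption: an action string containing "cleaned" means it was handled.
    not_cleaned = [d for d in detections if "cleaned" not in d["action"].lower()]
    return {
        "found": found,
        "cleaned": cleaned,
        "counts_match": found == cleaned == len(detections),
        "needs_followup": bool(not_cleaned or unparsed),
        "threats": [d["threat"] for d in detections],
    }
```
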

#7 boopme



Posted 07 June 2010 - 01:39 PM

Ok, she should delete those cookies shown, as those sites are always going to bring junk. They will have to start scanning after updating almost daily. They should only surf from a user account and not an Admin account. This will help prevent executables from being allowed and instant infection.

They should install Spywareblaster - prevents spyware from being installed on your PC.

If she says things are good now, then... Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#8 Kat91119


Posted 07 June 2010 - 02:02 PM

Thank you for your help. Thankfully she understood everything through me haha. She's going to go ahead and do everything in the last post, she says it's running super fast now and having no issues.

#9 boopme



Posted 07 June 2010 - 02:16 PM

You're welcome from all of us here at BC. We are glad to have helped.
You both did GREAT.
Please take a few minutes to read our quietman7's excellent Tips to protect yourself against malware and reduce the potential for re-infection, in post 17.
