
AV Antivirus aka AV Green


29 replies to this topic

#1 Chazz12 (Members, 17 posts)

Posted 22 June 2010 - 12:16 AM

Within two days both my wife's and my computers have become infected with what I believe to be AV Antivirus aka AV Green. We both run XP. She has a laptop and I have a tower. We are both wireless. We both have the paid version of Avast and I have Stopzilla as well. Thus my surprise. I'm using my step son's laptop to post this appeal as neither my wife nor I have internet access in the wake of the infection. We both ran Avast scans. . .but on the log I noticed it only scanned half the files it usually does. And Stopzilla didn't find any virus either. Both computers have automatic updates for spyware, viruses, etc.

What originally happened on both computers was this AV Antivirus pop-up that asked the reader to either sign up for protection or proceed. I clicked sign up for protection and before the virus took hold I was able to discover that it is a scam. I also immediately ran scans in both Stopzilla and Avast. . .didn't help. My wife, at work, was able to find a six-month-old "fix" in Yahoo Groups but that didn't work either. I recommended doing a search and listed specific "exe"s to look for - none of those showed up on either computer. As the days progress. . .we are seeing more and more files contaminated.

My wife, who has countless music and photos on her computer, tried to copy them to an external hard drive, thinking that if she could save those files she would reformat. Now I believe that external hard drive is infected too.

Neither of us is "real" computer savvy - and I'm fearful this computer will be next and we will be out of the loop. IF there is a fix I'd love to have it. If not, I'd be curious whether, if she or I reformat our computers, there is any way to scan the external hard drive for the virus. . .I don't want to create a loop of never-ending viral infections.
Regards,
Chazz12


#2 boopme (Global Moderator)

Posted 22 June 2010 - 10:02 AM

Hello Chazz and welcome... I think we can get this by using this guide on both PCs.
We can do them one at a time or both. But I will need the logs marked Tower and Lappy.

You need to do all the steps as some pertain to your issue..
Please follow our Removal Guide here How to remove AV Security Suite
You will move to the Automated Removal Instructions

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Chazz12 (Topic Starter)

Posted 22 June 2010 - 08:36 PM

I much appreciate the very detailed help on the AV Antivirus issue I've been fighting with. Funny thing though, I ran through the instructions and to my untrained mind everything appeared to go smoothly and I had my computer back. However, when I re-opened the email and clicked on the link to safely remove the AV virus. . .it was blocked! Does that mean I still have a problem?

#4 boopme (Global Moderator)

Posted 22 June 2010 - 08:51 PM

However, when I re-opened the email and clicked on the link to safely remove the AV virus

Hi, this one has me a bit puzzled. What email?


Can you do these.
Next run ATF and SAS: If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 22 June 2010 - 10:22 PM.


#5 Chazz12 (Topic Starter)

Posted 24 June 2010 - 09:25 AM

Just to clear up one point, the email I was referring to was the first one I received from bleeping computer that contained the link to the response to my posted question. . .I should have been more specific.

Ok, I've just run SUPERAntiSpyware and I'm posting the log. Curious, when I rebooted "normally" as instructed, the first thing that happened when I opened my browser was another pop-up. The pop-ups have been from yellowpages and other supposedly benign sites. I checked my Stopzilla, for the hundredth time, and the pop-up blocker is on. My security is set to "high". Since the first effort to clean my computer via bleepingcomputer.com I have been able to function. However, the pop-ups in the wake of all "cleaning" efforts are a new manifestation that I never experienced prior to having the original problem I posted.

Two other notes that may be of interest. After my first scan using Malwarebytes, after I had run the suggested remedies, when I went back to the instructions and clicked on "How to remove AV Security Suite" - it was blocked. This morning as I prepared to launch after reading the email and still being in normal mode, when I clicked on ATF Cleaner. . .it was blocked. I was able to open it in Safe Mode. By the way, the Boot Safe you sent was clever and very helpful.

Here is the log (by the way, I don't know a "Joe"):
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/24/2010 at 08:38 AM

Application Version : 4.39.1002

Core Rules Database Version : 5113
Trace Rules Database Version: 2925

Scan type : Complete Scan
Total Scan Time : 00:52:31

Memory items scanned : 312
Memory threats detected : 0
Registry items scanned : 7611
Registry threats detected : 0
File items scanned : 42383
File threats detected : 302

Adware.Flash Tracking Cookie
Adware.Tracking Cookie
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@toplist[1].txt
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@tribalfusion[3].txt
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@versiontracker[1].txt
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@weborama[2].txt
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@www.3dstats[1].txt
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@xxxpower[1].txt
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@zedo[2].txt
D:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@zedo[3].txt

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:58 AM

Posted 24 June 2010 - 10:00 AM

Hi, did you get an MBAM log? Did it remove items?

It appears that someone may be piggybacking on your wireless. Check your security and change the router password.
But I'd like to see the MBAM log and this first.

Part 1 of S!Ri's SmitfraudFix


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Chazz12

Chazz12
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 24 June 2010 - 05:20 PM

Just ran SmitfraudFix... here are the results:
SmitFraudFix v2.424

Scan done at 17:10:33.43, Thu 06/24/2010
Run from C:\Documents and Settings\Chazz\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chazz\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Chazz


C:\DOCUME~1\Chazz\LOCALS~1\Temp


C:\Documents and Settings\Chazz\Application Data


Start Menu


C:\DOCUME~1\Chazz\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: Instant Wireless PCI Card V2.7 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4BCBC467-C03E-474D-BFE0-984C6F9EC0A1}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4BCBC467-C03E-474D-BFE0-984C6F9EC0A1}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4BCBC467-C03E-474D-BFE0-984C6F9EC0A1}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End

Also, in normal mode, since noon, I attempted to run both Windows and Microsoft updates and both were blocked. Tried to launch Malware... got Run-time 'error' 440 as well as an Automation error. When I first logged on normally after being in safe mode I had two messages: vb Accelerator sGrid II Control and Bonjour could not be loaded? I don't even know what those are and have not been to normal mode since.

#8 Chazz12

Chazz12
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 24 June 2010 - 05:29 PM

Just checked security. I can't seem to get a page shot but here is what it said:
The Security Center is currently unavailable because the "Security Center" service has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), then open the Security Center again.

Manage security settings for:
then there are three icons: Windows Firewall, Internet Options and Automatic Updates.

I'll search for Security Center and see if I can turn it on?

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:58 AM

Posted 24 June 2010 - 09:32 PM

To start the "Security Center" service, use these steps:

Click Start, Run and type Services.msc

Double-click "Security Center" service from the listing

Set the startup type of the service to "Automatic"

Start the service by clicking the "Start" button in that applet.

#10 Chazz12

Chazz12
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 25 June 2010 - 08:32 AM

Double checked Services.msc... it was already set up the way you suggested. Re-did it and saved. Thanks! What is your assessment of the SmitfraudFix log? Good - right?

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:58 AM

Posted 25 June 2010 - 10:30 AM

Yes, no problem in the SFix log. Things good here now?

#12 Chazz12

Chazz12
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 25 June 2010 - 05:22 PM

I'm not sure things are good. I cannot launch Malware, Stopzilla or Avast scans from Safe Mode. Isn't that a sign of a problem? Still getting popups too... weird.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:58 AM

Posted 25 June 2010 - 10:10 PM

Yes, that's why I asked. I think we have a protected malware and should get a deeper look.
Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#14 Chazz12

Chazz12
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 26 June 2010 - 02:43 PM

I can't get the Preparation Guide to open... it looks like a window is opening and then it disappears...

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:58 AM

Posted 26 June 2010 - 03:44 PM

Rats!! Use OTL instead of DDS.
    1. Please download OTL from one of the following mirrors:
       • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the OTL icon on your desktop.
    4. Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
       • OTL.txt <-- Will be opened
       • Extra.txt <-- Will be minimized



