
Google Re-Direct/Fake Alert


18 replies to this topic

#1 Oskee

  • Members
  • 48 posts

Posted 01 August 2010 - 12:02 PM

Hi - new member here.

About a week ago - received a fake alert virus. Caused McAfee Anti-virus to go crazy but couldn't remove it. Called McAfee remote assistance and for a nice $90 fee they removed it. Normal runs of McAfee also detected several trojans (18 or so) and removed them. During the week it picked off a few more.

This week began to notice the google re-direct and googled it and found this forum. Ran Spybot (removed Win32 Fraud Pack) and Malwarebytes (removed over 15 different items). Computer seems to be running fine - however, in the start up log I still notice a few strange items (listed below).

bsqtdpwb
gpdyxxmt
nmctxth
ryumopepa
tfonavinaso

Computer seems to be working fine - however, want to make sure it is clean as possible. I have Vista, and run Explorer as browser.

Any suggestions if I should be concerned?


#2 Oskee
  • Topic Starter

  • Members
  • 48 posts

Posted 01 August 2010 - 01:59 PM

Here is my log from the initial scan - subsequent scans have returned no issues.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4375

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/31/2010 10:17:58 PM
mbam-log-2010-07-31 (22-17-58).txt

Scan type: Quick scan
Objects scanned: 130522
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfonavinasowovo (Trojan.Agent.U) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Schutte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Schutte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Defense Center\About.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Users\Schutte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Defense Center\Activate.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Users\Schutte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Defense Center\Buy.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Users\Schutte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Defense Center\Scan.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Users\Schutte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Defense Center\Settings.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Users\Schutte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Defense Center\Update.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Users\Schutte\AppData\Local\Temp\0.1868247091281804.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Schutte\AppData\Local\ogixehizajifo.dll (Trojan.Agent.U) -> Delete on reboot.

#3 Oskee
  • Topic Starter

  • Members
  • 48 posts

Posted 01 August 2010 - 02:07 PM

So I enabled these items listed in my original post above (I had disabled them a few days ago as I thought they were suspicious) on the start up menu and then ran Malwarebytes again - it deleted four of them and the other appears to be legit.

Please see my log below and let me know if I should have any more concerns.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4378

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/1/2010 2:05:13 PM
mbam-log-2010-08-01 (14-05-13).txt

Scan type: Quick scan
Objects scanned: 130327
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpdyxxmt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bsqtdpwb (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfonavinasowovo (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ryumopepa (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
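As an added example (not code from the thread or from Malwarebytes), the Python below parses logs in the shape of the two Malwarebytes quick-scan logs posted in #2 and #3 and pulls out what a responder checks first: entries marked "Delete on reboot." (those are not actually gone until the machine restarts) and the HKCU ...\CurrentVersion\Run values, which are the same random names the poster saw in the startup list. The sample log is constructed from entries quoted in the thread; the function and class names are this example's own.

```python
"""Parse Malwarebytes' Anti-Malware 1.46 scan logs in the format quoted in this
thread. Added example; not code from the thread or from Malwarebytes."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: a handful of lines copied in shape from the logs
# posted in #2 and #3 (raw string so the backslashes stay literal).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4375

Scan type: Quick scan
Objects scanned: 130522
Time elapsed: 5 minute(s), 26 second(s)

Registry Keys Infected: 1
Registry Values Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfonavinasowovo (Trojan.Agent.U) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Schutte\AppData\Local\ogixehizajifo.dll (Trojan.Agent.U) -> Delete on reboot.
"""

# "Registry Values Infected:" opens a detail section; "Registry Values Infected: 2"
# in the summary block does not match because of the trailing count.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# <item> (<detection name>) -> <action chain>
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<actions>.+)$")
# Autostart values under HKCU\...\CurrentVersion\Run; these are what the
# startup list shows as random names.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<value>[^\\]+)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    item: str        # registry path, folder or file
    detection: str   # e.g. "Trojan.Agent.U"
    action: str      # final action only, e.g. "Delete on reboot."


def parse_mbam_log(text):
    """Return one Finding per detected item, skipping headers and
    "(No malicious items detected)" placeholders."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        # Data items chain actions ("Bad: (1) Good: (0) -> Quarantined ...");
        # the last element is the action that was actually taken.
        action = m.group("actions").rsplit(" -> ", 1)[-1]
        findings.append(Finding(section, m.group("item"), m.group("detection"), action))
    return findings


def pending_reboot(findings):
    """Items the scanner could not remove yet; they survive until a restart."""
    return [f.item for f in findings if f.action.startswith("Delete on reboot")]


def run_key_persistence(findings):
    """Names of Run values the malware used to start with the user session."""
    return [m.group("value") for f in findings if (m := RUN_KEY_RE.search(f.item))]


def family_counts(findings):
    """Count detections by the family prefix (Rogue, Trojan, Hijack, ...)."""
    return Counter(f.detection.split(".")[0] for f in findings)


def report(text):
    findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "families": dict(family_counts(findings)),
        "pending_reboot": pending_reboot(findings),
        "run_values": run_key_persistence(findings),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```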

#4 Oskee
  • Topic Starter

  • Members
  • 48 posts

Posted 02 August 2010 - 08:22 PM

Can anyone help? Should I be concerned that information may have been hacked or can I rest easily that my info is safe and my computer is now clean?

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 August 2010 - 09:50 PM

Hi, all the replies to yourself made it appear you were getting help.
So far nothing here is ID stealing, just Rogue apps to swindle you out of money by buying their crap.

So let's see what other junk may be left.



Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Oskee
  • Topic Starter

  • Members
  • 48 posts

Posted 02 August 2010 - 10:36 PM

Thanks - I also ran McAfee Stinger and it gave me this - I will run the others as you recommend but wanted to make you aware of this as well.

McAfee® Stinger Version 10.0.1.972 built on Jul 23 2010

Copyright © 2010 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Jul 23 2010.

Ready to scan for 2816 viruses, trojans and variants.



Scan initiated on Mon Aug 02 20:01:53 2010


Number of clean files: 325881

Number of Trojans: 58

Number of files deleted: 58

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 August 2010 - 10:42 PM

OK, good, we'd have run that after SAS, but no problem. I'll look back tomorrow.

#8 Oskee
  • Topic Starter

  • Members
  • 48 posts

Posted 03 August 2010 - 08:10 AM

Ok - ran SAS and ATF in safe mode. Below are the results of SAS. Also - the Microsoft update for the issue caught by Stinger ran last night when I logged on. Let me know next steps.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/03/2010 at 00:26 AM

Application Version : 4.41.1000

Core Rules Database Version : 5306
Trace Rules Database Version: 3118

Scan type : Complete Scan
Total Scan Time : 01:26:45

Memory items scanned : 284
Memory threats detected : 0
Registry items scanned : 13397
Registry threats detected : 0
File items scanned : 172323
File threats detected : 88

Adware.Tracking Cookie

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 AM

Posted 03 August 2010 - 08:57 AM

Looks real good here.
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

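The restore-point procedure in the post above (create a fresh point, then drop every older one so an infected point cannot be rolled back to), as an added PowerShell example rather than anything boopme or BleepingComputer posted. It assumes the system drive is C:, an elevated PowerShell 2.0 or later prompt on Vista/Windows 7, and that restore points on these versions are stored as VSS shadow copies, which is why deleting the oldest shadow copy removes the oldest point.

```powershell
# Added example, not from the thread: new restore point, then keep only that one.
# Run from an elevated (Administrator) PowerShell prompt.
# Assumption: the system drive is C:.
$drive = 'C:\'
$vol   = $drive.TrimEnd('\')   # vssadmin wants "C:", Enable-ComputerRestore wants "C:\"

# System Restore has to be on for the drive; this is a no-op if it already is.
Enable-ComputerRestore -Drive $drive

# 1. Create the clean restore point and record it (the "keep a log of this" step).
$desc = 'Clean after malware removal ' + (Get-Date -Format 'yyyy-MM-dd HH:mm')
Checkpoint-Computer -Description $desc -RestorePointType MODIFY_SETTINGS
$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
'Created restore point #{0}: {1}' -f $newest.SequenceNumber, $newest.Description

# 2. Delete every older point. This is what Disk Cleanup's "all but the most recent"
#    button does. Assumption: on Vista/7 restore points are VSS shadow copies, so
#    removing the oldest shadow copy removes the oldest point (and, exactly like
#    Disk Cleanup, any older "previous versions" of files stored in it).
$guard = 0   # stop if vssadmin keeps failing instead of looping forever
while (((Get-ComputerRestorePoint | Measure-Object).Count -gt 1) -and ($guard -lt 50)) {
    vssadmin delete shadows /for=$vol /oldest /quiet | Out-Null
    $guard++
}

# 3. Show what is left; only the point created in step 1 should remain.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, RestorePointType, CreationTime -AutoSize
```

Run it only after the cleanup tools have finished and the machine looks clean, for the same reason the post gives: the new point is the one you want to roll back to, and the old ones may still carry the removed files.
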
#10 Oskee

Oskee
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 03 August 2010 - 09:51 AM

Perfect Thanks! Any reasons to be worried about the Microsoft Exploit issue that stinger caught?

#11 Oskee

Oskee
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 03 August 2010 - 08:49 PM

Done with all the above - computer seems to be running ok. Should I be concerned about the Microsoft Exploit that stinger caught?

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 AM

Posted 04 August 2010 - 12:01 PM

Hello, see this article Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution

I think you should open a Tech Support ticket as instructed under Resources.

#13 Oskee

Oskee
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 05 August 2010 - 11:43 AM

Went to Microsoft - basically told me not to worry about the infection and to run One Care and get back to them if any issues. Ran One Care - no major issues - however, it did screw up McAfee. Had to completely re-install McAfee. When I did re-install while connected to the internet - it popped up that I was connected to a new network. I assume this is normal as it was a completely new version of McAfee and did not "know" my prior network? I

Please confirm - otherwise computer is working great!

Thanks!

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 AM

Posted 05 August 2010 - 04:11 PM

Let's run System Investigator by Olrik

Please download SINO by Artellos from here
  • Save SINO to a place you can remember and run SINO.exe.
  • Then please check the following checkboxes:

    System Info
    Services
    Boot Check
    Tasklist
    Startup Items
    Ipconfig
    Ping
    Netstat
    Hosts file
    Shares
    Routing Table


  • Once checked, hit the Run Scan! button and wait for the program to finish the scan.
  • A notepad file will pop up, Please copy and paste the content of the notepad into your next reply.
Note: If you try to interact with the program once it's started scanning it might appear to hang. The scan however will continue.

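The categories boopme asks SINO to collect above (system info, services, tasklist, startup items, ipconfig, ping, netstat, hosts file, shares, routing table) gathered into one report, plus the two checks a helper would make on that data given this thread: non-default hosts entries, which are one way a Google redirect is implemented, and whether the fix for the Windows Shell advisory (2286198, shipped as KB2286198) mentioned in post #12 is installed. This is an added PowerShell example, not SINO's own output format or code from the thread. It assumes PowerShell 2.0 or later, the default hosts file location under %SystemRoot%, and that the report path on the Desktop is writable; the startup-name heuristic is just that, a heuristic.

```powershell
# Added example, not from the thread: SINO-style triage report with a few checks.
# Run from an elevated PowerShell prompt so services, shares and netstat -o are complete.
# Assumptions: default hosts file location; report written to the Desktop.
$report = Join-Path $env:USERPROFILE 'Desktop\triage.txt'
$hosts  = Join-Path $env:SystemRoot  'System32\drivers\etc\hosts'

function Section($title, $body) { "==== $title ===="; $body; '' }

$out = @()
$os   = Get-WmiObject Win32_OperatingSystem
$out += Section 'System Info' ('{0} {1} build {2}, last boot {3}' -f $os.Caption, $os.CSDVersion,
            $os.BuildNumber, $os.ConvertToDateTime($os.LastBootUpTime))
$out += Section 'Services'      (Get-Service | Sort-Object Status, Name |
            Format-Table Status, Name, DisplayName -AutoSize | Out-String)
$out += Section 'Tasklist'      (Get-Process | Sort-Object Name |
            Format-Table Id, Name, Path -AutoSize | Out-String)
$startup = Get-WmiObject Win32_StartupCommand
$out += Section 'Startup Items' ($startup | Format-Table Name, Command, Location, User -AutoSize | Out-String)
$out += Section 'Ipconfig'      (ipconfig /all | Out-String)
$out += Section 'Ping'          (ping -n 2 www.google.com | Out-String)
$out += Section 'Netstat'       (netstat -ano | Out-String)
$out += Section 'Hosts file'    (Get-Content $hosts | Out-String)
$out += Section 'Shares'        (Get-WmiObject Win32_Share | Format-Table Name, Path, Description -AutoSize | Out-String)
$out += Section 'Routing Table' (route print | Out-String)

# Check 1: any hosts line that maps a name to an address other than the loopback
# localhost entry. Malware that "redirects Google" often lives here.
$oddHosts = Get-Content $hosts | Where-Object {
    $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
}
$out += Section 'CHECK: non-default hosts entries' $(if ($oddHosts) { $oddHosts } else { 'none' })

# Check 2 (heuristic): startup entries named like the random strings at the top of this
# thread (7-12 lowercase letters, nothing else), or launched from a user-writable folder.
$oddStart = $startup | Where-Object {
    $_.Name -cmatch '^[a-z]{7,12}$' -or $_.Command -match '\\(AppData|Temp|Local Settings)\\'
}
$out += Section 'CHECK: suspicious startup entries' $(
    if ($oddStart) { $oddStart | Format-Table Name, Command, Location -AutoSize | Out-String } else { 'none' })

# Check 3: the update for Microsoft Security Advisory 2286198 (Windows Shell, MS10-046).
$fix = Get-HotFix -Id KB2286198 -ErrorAction SilentlyContinue
$out += Section 'CHECK: KB2286198 (advisory 2286198 / MS10-046)' $(
    if ($fix) { 'installed on ' + $fix.InstalledOn } else { 'NOT installed' })

$out | Set-Content -Path $report -Encoding UTF8
notepad $report
```

The three CHECK sections at the end of the report are the parts to read first; the rest is the raw data a helper would ask for, in the same order as the SINO checkbox list.
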
#15 Oskee

Oskee
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 05 August 2010 - 04:58 PM

hi - those links say page not found.

I clicked on my network on the computer and it was the same gateway and mask that McAfee recognized earlier. Should I be ok?
