Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Scareware Infection... A call for assistance.


  • Please log in to reply
8 replies to this topic

#1 dampe

dampe

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 19 April 2011 - 04:36 PM

I apologize in advance for not being able to formally introduce myself in the welcome threads, but I have a rogue antivirus program on my computer, and am in dire need of some professional assistance.

I shall try to make this as concise as possible…

System Info
Windows Vista Home Premium, Version 6.0.6002 Service Pack 2 Build 6002
32 Bit System
-Using IE9 at time of infection-- had installed it about a week prior.

Symptoms-
Scareware begins at startup after screen flickers black for a brief moment and generic green shield icon replaces the red McAfee icon in the bottom right toolbar. Then the error messages below begin popping up.

Error 1: Virtually compromises every other program by opening a standard message box reading,
"Virus Alert!
Application can’t be started!
The file_______ is damaged.
Do you want to activate your antivirus software now?"

(______ is a variable that changes depending on the program. Some of the common ones displayed were cmd.exe, taskmgr.exe, mcagent.exe, and rundll32.)

Clicking no, will close it, but display it about 5 seconds later, clicking yes opens IE9 to the website, antispywareon.com.

Error 2: Popup balloon in the bottom right saying,
“Windows Security Alert
Virus Alert!
Application Can’t be started!
The file ______.exe is damaged.
Do you want to activate you antivirus software now?”

Error 3: A red pop up in the bottom right saying The computer is being attacked by an internet virus. And that it could be a password stealing attack, a Trojan, dropper, or similar. Then it goes on to list an attack on a random port.

What I have done thus far:

Booted in safe mode, full scanned on McAfee, found one instance of a trojan. Listed by McAfee as “Exploit-CVE-2010-0840.” McAfee quarantined it, then I deleted it. I don’t remember the specific path, but it was located in the Java folder.

I started in normal mode, but that did not help, I am still getting the same error messages.

So I basically have no control of anything in normal mode, as I will get Error message 1 when anything is opened, but safe mode seems to work fine.

I do not want to take any further actions before getting advisement from a pro. If there are any more details needed, I will gladly supply them. Please help me to rid my system of this.

Note: I apollogize again, in the event that a similar post has been made, and that I was not able to find it in the forum search.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:26 AM

Posted 19 April 2011 - 09:36 PM

Hello and welcome, you poted just fine.

Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you

should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged

with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links

    below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as

    malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As

    Administrator)

  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or

eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click

    SUPERAntiSpyware.exe
    and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If

    you encounter any problems while downloading the updates, manually download them from here.

    Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.


    )
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.

    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the

SUPERAntiSpyware Portable Scanner
instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then

double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now reboot to Normal and run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your

registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily

disable such programs or permit them to allow the changes.
  • Make

    sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use

    Malwarebytes' Anti-Malware Guide
    .
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from

    here
    and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your

    operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed

with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing

all the malware.


Troubleshoot Malwarebytes' Anti-Malware

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 dampe

dampe
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 22 April 2011 - 10:16 PM

Though I am able to connect to the internet, I seem to be unable to use the web. I get the standard "Internet explorer can't display the webpage." I tried to diagnose the problem, but It can’t because it is in safe mode. I unplugged my router and modem, let some time pass and plugged em back in, but still no results. If I do type in a URL in the address bar it will say ieframe.dll in the loading bar, but nothing shows up…Thanks for the help so far, but what do I do now?

Note: Since this rogueware seems to be in startup (from the looks of it), is there a way I can use msconfig to keep it from starting in normal mode in the first place?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:26 AM

Posted 23 April 2011 - 09:45 AM

Scareware is a term fir many rogues
http://www.bleepingcomputer.com/virus-removal/

As I am unsure yet which I cannot say which item in startup to stop.


Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Go back to safe mode with networking run this then continue in post 2 at RKill


EXE HELPER
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
((((((((((((((((((((((((((((
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 dampe

dampe
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 24 April 2011 - 12:30 AM

Thanks for the help. Indeed this rogueware messed up the registry to make IE9 use a proxy directed right to the malicious site. In fact I was able to identify this rogueware as the "Antivirus Protection Trial" found on the bleepingcomputer facebook fan pages most recent post. I'm sorry but I strayed a bit from your directions. Running EXE HELPER completley slipped my mind, and I did a few things that were not instructed...Here is what I have done so far...

-Booted in safe mode with networking and unchecked the "Use a proxy" box.
-Ran the "FixExe" Registration Entries.
-Ran RKill
-Downloaded and installed SUPER Anti Spyware. Ran oon the setting instructed. The log is below.
-Booted in normal mode, [though running sluggishly, things seem to be allright] downladed, installed, and ran Malware Bytes as instructed. Log is below.
-Installed the Java update 24, and un ininstalled Java update 5. (As I think this is where the exploitation came from)
-Installed Secunia PSI and installed the updates for iTunes and Adobe flashplayer.

To save space I made the tracking cookies small font.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/23/2011 at 06:12 PM

Application Version : 4.51.1000

Core Rules Database Version : 6905
Trace Rules Database Version: 4717

Scan type : Complete Scan
Total Scan Time : 01:56:09

Memory items scanned : 445
Memory threats detected : 0
Registry items scanned : 9057
Registry threats detected : 1
File items scanned : 175308
File threats detected : 216

Trojan.Agent/Gen-FakeAlert
[mlcsblov] C:\USERS\BRENDON\APPDATA\LOCAL\TEMP\JUMIHCKEF\MNNXMCVXSIK.EXE
C:\USERS\BRENDON\APPDATA\LOCAL\TEMP\JUMIHCKEF\MNNXMCVXSIK.EXE
C:\USERS\BRENDON\APPDATA\LOCAL\TEMP\4HAEC936.EXE
C:\USERS\BRENDON\APPDATA\LOCALLOW\SUN\JAVA\DEPLOYMENT\CACHE\6.0\4\263A9144-586E959B
C:\Windows\Prefetch\4HAEC936.EXE-2AAB8039.pf
C:\Windows\Prefetch\MNNXMCVXSIK.EXE-93151986.pf

Adware.Tracking Cookie
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@pointroll[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@specificmedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@serving-sys[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@ru4[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@ads.yoyogames[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@adbrite[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@user.lucidmedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@apmebf[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@ad.yieldmanager[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@perf.overture[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@imrworldwide[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@advertising[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@ads.bleepingcomputer[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@questionmarket[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@atdmt[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@zedo[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@tribalfusion[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@fastclick[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@doubleclick[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@adlegend[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@ads.pointroll[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@beacon.dmsinsights[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@yieldmanager[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@r1-ads.ace.advertising[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@realmedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@kontera[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@specificclick[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@mediaplex[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@collective-media[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@media6degrees[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@invitemedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\brendon@insightexpressai[2].txt
a.ads2.msads.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
ads1.msn.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
ads2.msads.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
b.ads2.msads.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
cache.specificmedia.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
cdn2.themis-media.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
cdn4.specificclick.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
cdn5.specificclick.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
convoad.technoratimedia.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
core.insightexpressai.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
ds.serving-sys.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
ec.atdmt.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
googleads.g.doubleclick.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
hs.interpolls.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
ia.media-imdb.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
interclick.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
m1.2mdn.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.azfamily.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.ign.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.kens5.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.monster.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.mtvnservices.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.nintendo.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.scanscout.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.socialvibe.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media.wktv.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
media1.break.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
mediaforgews.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
mediastore.verizonwireless.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
msnbcmedia.msn.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
msntest.serving-sys.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
objects.tremormedia.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
rmd.atdmt.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
s0.2mdn.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
secure-us.imrworldwide.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
serving-sys.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
spe.atdmt.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
speed.pointroll.com [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
udn.specificclick.net [ C:\Users\Brendon\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6SQX9WCV ]
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@2o7[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@7art-screensavers[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@a1.interclick[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@a1.interclick[3].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ad.adbull[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ad.adpredictive[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ad.ench.kyodonews[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ad.usingenglish[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ad.wsod[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ad.yieldmanager[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@adbrite[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@adbrite[3].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@adecn[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@adinterax[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.ad4game[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.allaccess.com[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.associatedcontent[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.belointeractive[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.bridgetrack[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.cnn[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.footar[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.hairboutique[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.intergi[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.pointroll[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.pubmatic[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.techweb[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.undertone[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ads.yoyogames[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@adserver.adtechus[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@adv.blogupp[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@advertising[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@adxpose[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@apmebf[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ar.atwola[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@associatedcontent.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@atdmt[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@atdmt[3].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@backbeatmedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@beachstreetmedia[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@burstbeacon[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@burstnet[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@cengagelearning.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@citi.bridgetrack[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@clickboothlnk[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@clicksor[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@cmp.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@cnetasiapacific.122.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@collective-media[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@content.yieldmanager[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@counters.gigya[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@coxhsi.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@data.coremetrics[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@dc.tremormedia[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@dealtime[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@dmtracker[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@doubleclick[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@eas.apm.emediate[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@eyewonder[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@fastclick[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@find.galegroup.com.ezp.mc.maricopa[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@fortunecity[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@gotacha.rotator.hadj7.adjuggler[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@gotacha.rotator.hadj7.adjuggler[3].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@hpi.rotator.hadj7.adjuggler[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@imrworldwide[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@in.getclicky[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@insightexpressai[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@interclick[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@interclick[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@invitemedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@kantarmedia[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@kontera[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@leapfrogonline.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@legolas-media[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@lfstmedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@liveperson[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@liveperson[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@lucidmedia[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@media.adfrontiers[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@media.adsvelocity[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@media6degrees[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@mediabrandsww[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@mediaconverter[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@mediafire[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@mediaplex[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@microsoftsto.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@mm.chitika[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@msnportal.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@myroitracking[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@nextag[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@overture[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ox.mediabistro[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@pointroll[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@pro-market[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@publishers.clickbooth[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@questionmarket[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@r1-ads.ace.advertising[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@realmedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@revsci[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@rotator.hadj7.adjuggler[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@ru4[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@s.clickability[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@sales.liveperson[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@server.cpmstar[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@serving-sys[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@snapfish.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@socialmedia[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@solvemedia[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@specificclick[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@specificmedia[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@stat.dealtime[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@statcounter[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@stats.gamestop[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@statse.webtrendslive[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@steelhousemedia[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@texasinstrument.122.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@textbookscom.122.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@themis-media[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@trafficking.nabbr[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@trafficmp[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@tribalfusion[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@tribalfusion[3].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@usatoday1.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@viacom.adbureau[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@walmart.112.2o7[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.burstbeacon[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.googleadservices[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.googleadservices[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.googleadservices[3].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.mediaconverter[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.mediafire[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.qsstats[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.qsstats[3].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@www.salesgravyadservice[2].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@xiti[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@yadro[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@yieldmanager[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@zedo[1].txt
C:\Users\Brendon\AppData\Roaming\Microsoft\Windows\Cookies\Low\brendon@zedo[2].txt


Malware Bytes Log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6429

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

4/23/2011 7:01:34 PM
mbam-log-2011-04-23 (19-01-34).txt

Scan type: Quick scan
Objects scanned: 159347
Time elapsed: 22 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



My system seem to be running fine, aside from windows explorer locking up occasionaly. I shall await for further instructions as to what I should do from here. Also if it helps for further research, indeed part of it was located in starup as mlcsblov. Whether stopping it in startup would have helped I do not know. Also a couple questions I wish to ask if its not a problem?

-Why is it that free spyware scanners were able to track the problem, yet McAfee was unable to detect them?
-Since there was a "Bad Proxy" in the registry should I be concerned of any personal info being compromised?
-And I have read some articles that even after ridding systems of viruses, worms, spyware, etc. there remains remnants of them in the system. Is this true, and if so should I be concenered about it?

Thanks.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:26 AM

Posted 24 April 2011 - 12:38 PM

Hello,reboot again. clear the Temp files.
Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Fortunately there are no backdoor infections found as these are the infections that I recommend reformatting to be free of. As they compromise your system. Your malware only wanted to lie and swindle you into purchasing their product. The reality here is that you had nothing actually wrong, but their Rogue running that told you, you had infections to remove. They even change Proxy settings to fool you. One only need read a few paragraphs from the many Tutorials written by our site founder to see ...eg... http://www.bleepingcomputer.com/virus-removal/remove-windowsfixdisk


This looks clean. Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
Personally I feel that McAffee's detection rates are low and it uses more resources than needed.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 dampe

dampe
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 25 April 2011 - 07:49 PM

-Ok, I installed and ran TFC by old Timer. The first time I ran it Windows said it encountered an error and had to close it and seeing as it terminates windows explorer ( I presume) I restarted the computer through task manager. Second time around there were no problems running it.
-Created a restore point.
-Read the tutorials and articles you posted. Thanks for that, they are really helpfull.
-Computer seems to be running fine, but is there any last things I should do to wrap things up?
Thanks.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:26 AM

Posted 25 April 2011 - 08:31 PM

You are good to go. The only other suggestion I have is Secunia PSI
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 dampe

dampe
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 26 April 2011 - 10:31 PM

Cool, I don't know what I would have done without Bleeping Computer. Thanks a million for all your help, it was much appreciated.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users