Symantec Corp autoprotect popped up out of nowhere and started blocking downloaded infections for period of one hour, then stopped by itself


35 replies to this topic

#1 J.Aza


Posted 28 May 2011 - 11:11 PM

Hello,

Last night, beginning at 12.24 AM till 1.23 AM, my Symantec Corporate AV autoprotect popped up and started showing that it was blocking Trojan.gen being downloaded into a temp directory. Occasionally it showed Trojan Horse being blocked. This occurred for an hour (computer unattended) and then apparently stopped on its own.

What caused the downloads to begin is a mystery, and the fact that it was downloading trojans makes me pretty sure that something must be on my computer already.
Spybot TeaTimer is running on this machine constantly, with scheduled weekly scans which have turned up nothing. I also have SuperAntiSpyware and MBAM, but I'm not sure when they each ran last.

Not sure what else I can provide and don't want to do anything at this point since the infection is so mysterious.

Thanks in advance.

J.


#2 cryptodan


Posted 28 May 2011 - 11:23 PM

Can you update Super Anti-Spyware and Mbam, and rerun any scans?

#3 J.Aza


Posted 28 May 2011 - 11:35 PM

Thanks for your help.

Run quick scans or complete scans?

Thx,
J.

#4 cryptodan


Posted 28 May 2011 - 11:38 PM

Complete scans then post the logs.

#5 J.Aza


Posted 28 May 2011 - 11:56 PM

Complete scans then post the logs.

Ok, thx. Just stopped the quickscan and started MBAM complete. I expect these will each take a while so I'll be back when they're both done.

J.

#6 J.Aza


Posted 29 May 2011 - 10:26 AM

MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6708

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/29/2011 11:19:01 AM
mbam-log-2011-05-29 (11-18-13).txt

Scan type: Full scan (C:\|E:\|W:\|X:\|)
Objects scanned: 644894
Time elapsed: 8 hour(s), 35 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Users\Joe\AppData\Local\D9T4n\dk3guopr6.cpl (Trojan.CTRLRedir.Gen) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dk3GuOPr6 (Trojan.CTRLRedir.Gen) -> Value: dk3GuOPr6 -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "iexplore.exe) Good: (iexplore.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\$recycle.bin\s-1-5-21-2904340870-3673874416-1695913044-1000\$reve44c.exe (Trojan.FakeAlert) -> No action taken.
c:\program files\snadboy's revelation v2\revelation.exe (HackTool.Snadboy) -> No action taken.
c:\program files\snadboy's revelation v2\revelationhelper.dll (PUP.PWSTool.SnadBoy) -> No action taken.
e:\$RECYCLE.BIN\s-1-5-21-2904340870-3673874416-1695913044-1000\$RZ7DRI0.exe (RiskWare.Tool.HCK) -> No action taken.
c:\Users\Joe\AppData\Local\D9T4n\dk3guopr6.cpl (Trojan.CTRLRedir.Gen) -> No action taken.


Should I allow it to clean?

J.

#7 Comp39


Posted 29 May 2011 - 10:48 AM

The file is in the Recycle Bin. Look at the properties of the file WITHOUT taking it out of your bin; if it is not Microsoft, delete it.

The other one is SnadBoy's Revelation. Do you need SnadBoy's Revelation? Here is what the program does.
"The SnadBoy's Revelation application was designed to be a tool that will let you see the actual password behind the asterisks! This feature is intended to protect your passwords; but sometimes this feature becomes more of a nuisance, rather than a benefit."

If not, delete it.

BUT, always check that these items are not Microsoft. If still unsure, Google them: type into the Google search bar something like this, ThinkThisIsNasty.exe malware. Though put in the real name of the questionable item.

Malwarebytes is a great program; listen to what it says unless you are uncertain, and Google any infection you're not certain of. If there are further problems, please do get back to us.

Edited by Comp39, 29 May 2011 - 11:02 AM.


#8 J.Aza


Posted 29 May 2011 - 11:07 AM

The file is in the Recycle Bin. Look at the properties of the file WITHOUT taking it out of your bin; if it is not Microsoft, delete it.

The other one is SnadBoy's Revelation. Do you need SnadBoy's Revelation? Here is what the program does.
"The SnadBoy's Revelation application was designed to be a tool that will let you see the actual password behind the asterisks! This feature is intended to protect your passwords; but sometimes this feature becomes more of a nuisance, rather than a benefit."

If not, delete it.

BUT, always check that these items are not Microsoft. If still unsure, Google them: type into the Google search bar something like this, ThinkThisIsNasty.exe malware. Though put in the real name of the questionable item.


Thank you Comp39.

Yes, Snadboy's is mine/needed and I'm aware of it being there.

I cannot check the Recycle Bin files: they don't exist in the Recycle Bin (presumably because the filenames start with '$'). How can I check their properties, or should I just delete them?

What about the other items, e.g. the registry items and Firefox items, in particular the one named 'dk3GuOPr6'?

Thanks much,
J.

#9 J.Aza


Posted 29 May 2011 - 12:49 PM

OK,

I couldn't wait any longer (my apologies) so I allowed MBAM to remove the threats (including the Recycle Bin ones but not SnadBoy Revelation, which I need/want).

MBAM indicated that some files could not be deleted and to restart. I am about to reboot and then I will proceed to run Super Anti Spyware.

MBAM says it saved a log to the logs folder (after the cleaning) - do you need that log as well?

Thanks,
J.

#10 cryptodan


Posted 29 May 2011 - 02:04 PM

Yes, please provide the log, and also please wait till someone else advises you what to do with the logs here.

#11 J.Aza


Posted 29 May 2011 - 03:08 PM

Ok, thank you.
SAS full scan's been running for an hour and forty minutes so hopefully will complete soon.

Where is the MBAM logs directory? I can't find it.
thanks,

#12 cryptodan


Posted 29 May 2011 - 04:00 PM

It will be in the logs tab on the application.

#13 J.Aza


Posted 29 May 2011 - 04:10 PM

Thank you CryptoDan.

Here is the end log from MBAM.
I did not realize this ran 8 hours, so maybe SAS still has a long way to go (only at 2h 44m now..)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6708

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/29/2011 1:43:44 PM
mbam-log-2011-05-29 (13-43-44).txt

Scan type: Full scan (C:\|E:\|W:\|X:\|)
Objects scanned: 644894
Time elapsed: 8 hour(s), 35 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Users\Joe\AppData\Local\D9T4n\dk3guopr6.cpl (Trojan.CTRLRedir.Gen) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dk3GuOPr6 (Trojan.CTRLRedir.Gen) -> Value: dk3GuOPr6 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\$recycle.bin\s-1-5-21-2904340870-3673874416-1695913044-1000\$reve44c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\snadboy's revelation v2\revelation.exe (HackTool.Snadboy) -> Not selected for removal.
c:\program files\snadboy's revelation v2\revelationhelper.dll (PUP.PWSTool.SnadBoy) -> Not selected for removal.
e:\$RECYCLE.BIN\s-1-5-21-2904340870-3673874416-1695913044-1000\$RZ7DRI0.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
c:\Users\Joe\AppData\Local\D9T4n\dk3guopr6.cpl (Trojan.CTRLRedir.Gen) -> Delete on reboot.


I believe I had a similar situation a bit of a while back and cleaned w/ MBAM, SAS and Spybot. I'm wondering if there isn't something hiding underneath..

BTW, when SAS is done, should I allow it to clean the problems it finds?


Thanks for your time and help,
J.
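
The three Hijack.StartMenuInternet entries in this log show the same pattern: the Start Menu launch command for each browser was rerouted through svg.exe in the user's AppData\Local folder, with the real browser handed over as an argument so the browser still appears to open normally. The script below is an added example, not part of this thread or of Malwarebytes: it parses those log lines (the posted text is used as constructed sample input, including the IEXPLORE line with its unbalanced quote) and reports how each launch command was altered. The regex and the record field names are my own assumptions about the log shape, not a Malwarebytes specification.

```python
"""Audit Hijack.StartMenuInternet findings from an MBAM 1.50 log (added example)."""
import ntpath
import re

# Constructed sample input: the three hijack lines exactly as posted in this thread.
SAMPLE_MBAM_LINES = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joe\AppData\Local\svg.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
"""

# Assumed line shape (my own regex, not a Malwarebytes format spec):
#   <registry key> (<detection>) -> Bad: (<command>) Good: (<command>) -> <action>.
HIJACK_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)


def split_windows_cmd(cmd: str) -> list:
    """Split a registry command string into argv roughly the way Windows does:
    whitespace separates arguments and double quotes group them. An unterminated
    quote (as in the IEXPLORE line above) swallows the remainder instead of
    raising, so a malformed value still gets audited rather than skipped."""
    args, cur, in_quote, have_token = [], [], False, False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
            have_token = True
        elif ch.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def parse_hijack_lines(log_text: str) -> list:
    """Return one dict per Hijack.StartMenuInternet line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = HIJACK_RE.match(line.strip())
        if m and m.group("detection") == "Hijack.StartMenuInternet":
            records.append(m.groupdict())
    return records


def audit_launch_command(bad_cmd: str, good_cmd: str) -> dict:
    """Compare the hijacked launch command with the expected one.

    The launch is 'redirected' when argv[0] names a different executable than
    the expected browser. We also record whether the real browser survives as
    an argument (the proxy pattern seen in this log, which keeps the user from
    noticing), whether the proxy lives under a user profile, and which of the
    expected flags (e.g. -safe-mode) the hijacker preserved."""
    bad, good = split_windows_cmd(bad_cmd), split_windows_cmd(good_cmd)
    proxy = ntpath.basename(bad[0]).lower() if bad else ""
    expected = ntpath.basename(good[0]).lower() if good else ""
    return {
        "redirected": proxy != expected,
        "proxy_exe": proxy,
        "expected_exe": expected,
        "browser_in_args": any(ntpath.basename(a).lower() == expected for a in bad[1:]),
        "proxy_in_profile": bool(bad) and "\\appdata\\" in bad[0].lower(),
        "flags_preserved": [a for a in good[1:] if a in bad[1:]],
    }


def audit_log(log_text: str) -> list:
    """Parse a log and attach a verdict to every StartMenuInternet hijack found."""
    findings = []
    for rec in parse_hijack_lines(log_text):
        verdict = audit_launch_command(rec["bad"], rec["good"])
        verdict["key"] = rec["key"]
        verdict["action"] = rec["action"]
        findings.append(verdict)
    return findings


if __name__ == "__main__":
    for v in audit_log(SAMPLE_MBAM_LINES):
        print(v["key"])
        print(f"  launched via {v['proxy_exe']} instead of {v['expected_exe']}; "
              f"real browser still started: {v['browser_in_args']}; "
              f"proxy under user profile: {v['proxy_in_profile']}; action: {v['action']}")
```

The same check can be pointed at the live StartMenuInternet keys on a machine by feeding each command value as the "bad" string and the browser's plain executable name as the "good" one.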

#14 cryptodan


Posted 29 May 2011 - 04:29 PM

Please remove the following:

c:\program files\snadboy's revelation v2\revelation.exe (HackTool.Snadboy) -> Not selected for removal.
c:\program files\snadboy's revelation v2\revelationhelper.dll (PUP.PWSTool.SnadBoy) -> Not selected for removal

#15 J.Aza


Posted 29 May 2011 - 04:50 PM

Should I delete those outright (or just uninstall the program) or do I have to rerun MBAM and let it remove them? Revelation is an app I installed on purpose - hopefully I can put it back after..

Below is the completed SAS log. I have not instructed it to remove anything as yet.
Thanks for all the help.
J.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/29/2011 at 05:38 PM

Application Version : 4.53.1000

Core Rules Database Version : 7162
Trace Rules Database Version: 4974

Scan type : Complete Scan
Total Scan Time : 03:14:29

Memory items scanned : 772
Memory threats detected : 0
Registry items scanned : 12176
Registry threats detected : 0
File items scanned : 123708
File threats detected : 229

Adware.Tracking Cookie

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX14\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX14\PROCS\EXPLORER.EXE



