Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

strange ad showed up on thread


  • This topic is locked This topic is locked
23 replies to this topic

#1 woodsman345

woodsman345

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 08:52 AM

I think I should have posted elsewhere instead of general forum but still learning the ropes here.
Cannot figure out how to delete it and move it.

Was looking at a thread I was involved with and instead of a normal ad next to my first post there was a lady with big knockers telling me to meet me now. Click yes or ignore. I clicked neither and went about my business and when I scrolled back up it was gone. I have learned that if I would have clicked either, it would have been all downhill from there, one way or another LOL
In my mind there is little doubt that was a way to infect the PC and was wondering how they can put those up on this site? Or maybe it is not this site?
Someone please explain how those can be made to happen.
I scan my pc with SAS and MB and always shows clean, However the other day I knew better but clicked on a link in yahoo mail and said damn, I should not have done that, and a day later yahoo messenger would not connect and asking me to enable proxy server. I never saw that before. Odd things have happened and I am not sure
if my machine is causing it or not.
Thanks
woodsman

Edited by hamluis, 24 July 2011 - 10:02 AM.
Moved from Gen Chat to Am I Infected.


BC AdBot (Login to Remove)

 


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 24 July 2011 - 09:03 AM

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

#3 woodsman345

woodsman345
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 09:09 AM

Tell me about this file crypto, my antivirus protection had a stroke over it.
Thanks

#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 24 July 2011 - 09:16 AM

Its 100% completely safe to use, if your AV detects it as something then I would change your AV there is nothing malicious about it.

#5 woodsman345

woodsman345
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 09:55 AM

Another concern crypto, sorry for the questions but this has my physical address and IP and such info within it and I am not sure it is wise to post it, maybe email it.
Dont let me do anything that is not in my interest...thanks

#6 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 24 July 2011 - 09:58 AM

you can edit that our but if its 192.168.0.0/16, 10.0.0.0/8, or 172.16-31.0.0/16 then its okay to publish as they are private.

#7 woodsman345

woodsman345
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 10:24 AM

This is a new machine, I don't know what programs I need or do not need on this, yet.

I notice yahoo and google are mentioned as far as pinging and I did not have email or any web browser open.
Nothing concerning them is checked in startup but maybe services had something going? I was on yahoo earlier.

MiniToolBox by Farbar
Ran by (administrator) on 24-07-2011 at 10:35:19
Windows 7 Professional Service Pack 1 (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gha.xxxxx.net

Wireless LAN adapter Wireless Network Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : xxxxxxx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : xxxxxxxx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® WiFi Link 1000 BGN
Physical Address. . . . . . . . . : xxxxxxxxx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gha.xxxxxxxx.net
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : xxxxxxxxx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : xxxxxxxxxxxx(Preferred)
IPv4 Address. . . . . . . . . . . : xxxxxxxxx(Preferred)
Subnet Mask . . . . . . . . . . . : xxxxxxxxx
Lease Obtained. . . . . . . . . . : Sunday, July 24, 2011 6:40:47 AM
Lease Expires . . . . . . . . . . : Sunday, July 31, 2011 10:32:14 AM
Default Gateway . . . . . . . . . : xxxxxxxxxx
DHCP Server . . . . . . . . . . . : xxxxxxxxxx
DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxxx
DHCPv6 Client DUID. . . . . . . . : xxxxxxxxxxxxxxx
DNS Servers . . . . . . . . . . . : xxxxxxxxxxx
xxxxxxxxxx
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{xxxxxxxxxxxxx}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : xxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : xxxxxxxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{xxxxxxxxxxxxxxxxxxxxxxxxx}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : xxxxxxxxxxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : xxxxxxxxxxxxxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:xxxxxxxxxxxxxxx(Preferred)
Link-local IPv6 Address . . . . . : fe80::xxxxxxxxxxxxxxxx(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.gha.chartermi.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gha.xxxxxxxxxx.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : xxxxxxxxxxxxxxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{xxxxxxxxxxxxxxxxxxxxxxxxxx}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : xxxxxxxxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: vip01bycymi.bycy.xxxxxxxxxx.com
Address: xxxxxxxxxxxxxx

Name: google.com
Addresses: 74.125.93.105
74.125.93.104
74.125.93.103
74.125.93.99
74.125.93.106
74.125.93.147


Pinging google.com [74.125.93.103] with 32 bytes of data:
Reply from 74.125.93.103: bytes=32 time=47ms TTL=51
Reply from 74.125.93.103: bytes=32 time=48ms TTL=51

Ping statistics for 74.125.93.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 48ms, Average = 47ms
Server: vip01bycymi.bycy.xxxxxxxxxxxxx.com
Address: 24.247.24.53

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65


Pinging yahoo.com [67.195.160.76] with 32 bytes of data:
Reply from 67.195.160.76: bytes=32 time=46ms TTL=51
Reply from 67.195.160.76: bytes=32 time=48ms TTL=51

Ping statistics for 67.195.160.76:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 46ms, Maximum = 48ms, Average = 47ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
15...xxxxxxxxxxxxxxxxx ......Microsoft Virtual WiFi Miniport Adapter #2
14...xxxxxxxxxxxxxxxxx ......Microsoft Virtual WiFi Miniport Adapter
13...xxxxxxxxxxxxxxxxx ......Intel® WiFi Link 1000 BGN
11...xxxxxxxxxxxxxxxxx ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.166 20
xxxxxxxxxx 255.0.0.0 On-link 127.0.0.1 306
xxxxxxxxxx 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.166 276
192.168.0.166 255.255.255.255 On-link 192.168.0.166 276
192.168.0.255 255.255.255.255 On-link 192.168.0.166 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.166 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.166 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 58 ::/0 On-link
1 306 ::1/128 On-link
16 58 2001::/32 On-link
16 306 2001:xxxxxxxxxxx/128
On-link
11 276 fe80::/64 On-link
16 306 fe80::/64 On-link
11 276 fe80::xxxxxxxxxxx/128
On-link
16 306 fe80::xxxxxxxxxxx/128
On-link
1 306 ff00::/8 On-link
16 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/24/2011 06:43:24 AM) (Source: CVHSVC) (User: )
Description: Information only.
Error: Failed to make the SOAP Call HResult: 0x800c0005. Exception caught while trying to report the Update Event

Error: (07/24/2011 06:43:24 AM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (07/24/2011 06:33:20 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/24/2011 06:32:22 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU failed to post message to CCC

Error: (07/24/2011 06:32:22 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU failed to post message to CCC

Error: (07/24/2011 05:45:38 AM) (Source: CVHSVC) (User: )
Description: Information only.
Error: Failed to make the SOAP Call HResult: 0x800c0005. Exception caught while trying to report the Update Event

Error: (07/24/2011 05:45:37 AM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (07/24/2011 05:35:34 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/24/2011 04:09:23 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU failed to post message to CCC

Error: (07/24/2011 04:09:23 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU failed to post message to CCC


System errors:
=============
Error: (07/21/2011 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (07/21/2011 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (07/21/2011 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (07/21/2011 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (07/21/2011 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (07/21/2011 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (07/21/2011 07:50:10 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (07/21/2011 07:50:10 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (07/21/2011 07:50:04 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (07/21/2011 07:50:04 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (07/24/2011 06:43:24 AM) (Source: CVHSVC)(User: )
Description: Error: Failed to make the SOAP Call HResult: 0x800c0005. Exception caught while trying to report the Update Event

Error: (07/24/2011 06:43:24 AM) (Source: CVHSVC)(User: )
Description: (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (07/24/2011 06:33:20 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/24/2011 06:32:22 AM) (Source: ATIeRecord)(User: )
Description:

Error: (07/24/2011 06:32:22 AM) (Source: ATIeRecord)(User: )
Description:

Error: (07/24/2011 05:45:38 AM) (Source: CVHSVC)(User: )
Description: Error: Failed to make the SOAP Call HResult: 0x800c0005. Exception caught while trying to report the Update Event

Error: (07/24/2011 05:45:37 AM) (Source: CVHSVC)(User: )
Description: (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (07/24/2011 05:35:34 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/24/2011 04:09:23 AM) (Source: ATIeRecord)(User: )
Description:

Error: (07/24/2011 04:09:23 AM) (Source: ATIeRecord)(User: )
Description:


=========================== Installed Programs ============================

ActiveCheck component for HP Active Support Library (Version: 3.0.0.3)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.26)
Adobe Flash Player 10 Plugin (Version: 10.3.181.34)
Adobe Reader X (10.1.0) MUI (Version: 10.1.0)
Adobe Shockwave Player 11.5 (Version: 11.5.9.620)
Agatha Christie - Peril at End House (Version: 2.2.0.95)
ArcSoft PhotoImpression 5
ATI Catalyst Install Manager (Version: 3.0.816.0)
AuthenTec TrueAPI (Version: 1.2.1.33)
Bejeweled 2 Deluxe (Version: 2.2.0.95)
Bejeweled 3 (Version: 2.2.0.95)
Blackhawk Striker 2 (Version: 2.2.0.95)
Blasterball 3 (Version: 2.2.0.95)
Bounce Symphony (Version: 2.2.0.95)
Build-a-lot 2 (Version: 2.2.0.95)
Cake Mania (Version: 2.2.0.95)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2011.0315.958.16016)
Catalyst Control Center Graphics Previews Common (Version: 2011.0315.958.16016)
Catalyst Control Center InstallProxy (Version: 2011.0315.958.16016)
Catalyst Control Center Localization All (Version: 2011.0315.958.16016)
Catalyst Control Center Profiles Mobile (Version: 2011.0315.958.16016)
ccc-utility64 (Version: 2011.0315.958.16016)
CCC Help Chinese Standard (Version: 2011.0315.0957.16016)
CCC Help Chinese Traditional (Version: 2011.0315.0957.16016)
CCC Help Czech (Version: 2011.0315.0957.16016)
CCC Help Danish (Version: 2011.0315.0957.16016)
CCC Help Dutch (Version: 2011.0315.0957.16016)
CCC Help English (Version: 2011.0315.0957.16016)
CCC Help Finnish (Version: 2011.0315.0957.16016)
CCC Help French (Version: 2011.0315.0957.16016)
CCC Help German (Version: 2011.0315.0957.16016)
CCC Help Greek (Version: 2011.0315.0957.16016)
CCC Help Hungarian (Version: 2011.0315.0957.16016)
CCC Help Italian (Version: 2011.0315.0957.16016)
CCC Help Japanese (Version: 2011.0315.0957.16016)
CCC Help Korean (Version: 2011.0315.0957.16016)
CCC Help Norwegian (Version: 2011.0315.0957.16016)
CCC Help Polish (Version: 2011.0315.0957.16016)
CCC Help Portuguese (Version: 2011.0315.0957.16016)
CCC Help Russian (Version: 2011.0315.0957.16016)
CCC Help Spanish (Version: 2011.0315.0957.16016)
CCC Help Swedish (Version: 2011.0315.0957.16016)
CCC Help Thai (Version: 2011.0315.0957.16016)
CCC Help Turkish (Version: 2011.0315.0957.16016)
Chuzzle Deluxe (Version: 2.2.0.95)
CyberLink PowerDVD 10 (Version: 10.0.3.2714)
CyberLink YouCam (Version: 3.5.1.3922)
D3DX10 (Version: 15.4.2368.0902)
Diner Dash 2 Restaurant Rescue (Version: 2.2.0.95)
Dora's World Adventure (Version: 2.2.0.95)
Emsisoft Anti-Malware 5.1 (Version: 5.1)
Energy Star Digital Logo (Version: 1.0.1)
ESU for Microsoft Windows 7 (Version: 1.0.0)
Evernote v. 4.2.2 (Version: 4.2.2.3979)
Farm Frenzy (Version: 2.2.0.95)
FATE - The Traitor Soul (Version: 2.2.0.95)
HP 3D DriveGuard (Version: 4.1.5.1)
HP Auto (Version: 1.0.12935.3667)
HP Client Services (Version: 1.1.12938.3539)
HP Connection Manager (Version: 4.0.45.1)
HP Customer Experience Enhancements (Version: 6.0.1.7)
HP Documentation (Version: 1.1.0.0)
HP Games (Version: 1.0.2.4)
HP MovieStore (Version: 1.0.047)
HP MovieStore (Version: 2.0)
HP On Screen Display (Version: 1.1.2)
HP Power Manager (Version: 1.2.3)
HP Quick Launch (Version: 2.3.6)
HP Setup (Version: 8.6.4530.3651)
HP Setup Manager (Version: 1.1.13231.3673)
HP SimplePass 2011 (Version: 5.1.0.495)
HP Software Framework (Version: 4.0.110.1)
HP Support Assistant (Version: 5.2.9.2)
HPAsset component for HP Active Support Library (Version: 3.0.0.3)
IDT Audio (Version: 1.0.6329.0)
Intel PROSet Wireless
Intel® Display Audio Driver (Version: 6.14.00.3074)
Intel® Management Engine Components (Version: 7.0.0.1144)
Intel® PROSet/Wireless WiFi Software (Version: 14.0.2000)
Intel® Rapid Storage Technology (Version: 10.1.2.1004)
Intel® Wireless Display
Intel® Wireless Display (Version: 2.0.30.0)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 24 (64-bit) (Version: 6.0.240)
Java™ 6 Update 26 (Version: 6.0.260)
Junk Mail filter update (Version: 15.4.3502.0922)
Magic Desktop (Version: 3.0)
Mah Jong Medley (Version: 2.2.0.95)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
Mesh Runtime (Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000)
Microsoft Office Starter 2010 - English (Version: 14.0.5131.5000)
Microsoft Office XP Professional (Version: 10.0.6626.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Mozilla Firefox 5.0 (x86 en-US) (Version: 5.0)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Mystery P.I. - Stolen in San Francisco (Version: 2.2.0.95)
Namco All-Stars PAC-MAN (Version: 2.2.0.95)
Norton Internet Security (Version: 18.6.0.29)
Penguins! (Version: 2.2.0.95)
PhotoMAX Pro 2.0
PhotoPrinter 2.0
PL-2303 USB-to-Serial (Version: 1.2.10)
Plants vs. Zombies - Game of the Year (Version: 2.2.0.95)
PlayReady PC Runtime x86 (Version: 1.3.0)
Poker Superstars III (Version: 2.2.0.95)
Polar Bowler (Version: 2.2.0.95)
Polar Golfer (Version: 2.2.0.95)
Print Server
PX Profile Update (Version: 1.00.1.)
Realtek Ethernet Controller Driver (Version: 7.41.216.2011)
Realtek PCIE Card Reader (Version: 6.1.7600.74)
Recovery Manager (Version: 2.0.0)
Renesas Electronics USB 3.0 Host Controller Driver (Version: 2.0.32.0)
RoxioNow Player (Version: 1.9.5.103)
S4WinDriver 2.17
Slingo Supreme (Version: 2.2.0.95)
SUPERAntiSpyware (Version: 4.55.1000)
Synaptics Pointing Device Driver (Version: 15.2.4.4)
The Ultimate Troubleshooter
Update Installer for WildTangent Games App
Validity WBF DDK (Version: 4.3.118.0)
VGA USB Camera
Virtual Villagers 4 - The Tree of Life (Version: 2.2.0.95)
Wheel of Fortune 2 (Version: 2.2.0.95)
WildTangent Games App (HP Games) (Version: 4.0.5.2)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Windows XP Mode (Version: 1.3.7600.16423)
Yahoo! Messenger
Yahoo! Software Update
Zuma Deluxe (Version: 2.2.0.95)

========================= Memory info: ===================================

Percentage of memory in use: 35%
Total physical RAM: 6091.86 MB
Available physical RAM: 3952.01 MB
Total Pagefile: 12181.91 MB
Available Pagefile: 9751.34 MB
Total Virtual: 4095.88 MB
Available Virtual: 3985.74 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:683.96 GB) (Free:628.35 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:14.38 GB) (Free:1.6 GB) NTFS

========================= Users: ========================================

User accounts for \\

Administrator Guest

========================= Minidump Files ==================================

No minidump file found

== End of log ==

Edited by woodsman345, 24 July 2011 - 10:29 AM.


#8 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 24 July 2011 - 10:27 AM

Hello,

And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

NOTEMalwarebytes is now offering a free trial of their program, if you want to accept it you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer, if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.

      Scan with SUPERAntiSpyware as follows:[list]
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.[list]
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.

#9 woodsman345

woodsman345
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 10:51 AM

I did these scans this morning after thinking I had better do something. The strange ad came up last evening.
I stand corrected from my first post, I did not scan this machine with sas till this morning...I have 2 others that I used it on.

Malware bytes showed 0
SAS picked up cookies plus 7 items described as trojans and were all to do with Rkill download for another machine. I deleted them.
GMER does not work in 64 bit mode as stated above, not sure how to make it run.
That's where we are at, at the moment.
Thanks.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2011 at 06:22 AM

Application Version : 4.55.1000

Core Rules Database Version : 7451
Trace Rules Database Version: 5263

Scan type : Complete Scan
Total Scan Time : 00:41:48

Memory items scanned : 793
Memory threats detected : 0
Registry items scanned : 14414
Registry threats detected : 0
File items scanned : 36531
File threats detected : 37

Adware.Tracking Cookie
C:\Users\Joe\AppData\Local\Temp\Cookies\joe@ad.yieldmanager[2].txt
C:\Users\Joe\AppData\Local\Temp\Cookies\joe@content.yieldmanager[2].txt
C:\Users\Joe\AppData\Local\Temp\Cookies\joe@content.yieldmanager[3].txt
C:\Users\Joe\AppData\Local\Temp\Cookies\joe@doubleclick[1].txt
ads2.msads.net [ C:\Users\Joe\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DA4CZL3M ]
b.ads2.msads.net [ C:\Users\Joe\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DA4CZL3M ]
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@ads.favbrowser[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@invitemedia[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@ads.undertone[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@ads.bleepingcomputer[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@collective-media[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@www.googleadservices[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@adbrite[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@www.myaccount.comcast[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@ad.yieldmanager[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@adxpose[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@a1.interclick[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@ad.wsod[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@dealtime[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@doubleclick[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@interclick[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@imrworldwide[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@legolas-media[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@lucidmedia[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@media6degrees[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@mediabrandsww[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@myaccount.comcast[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@pointroll[2].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@segment-pixel.invitemedia[1].txt
C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\Low\joe@tracking.godatafeed[1].txt

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX0\NIRD\IEXPLORE.EXE
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX1\NIRD\IEXPLORE.EXE
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX2\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\EXPLORER.EXE
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX1\PROCS\EXPLORER.EXE
C:\USERS\JOE\APPDATA\LOCAL\TEMP\RARSFX2\PROCS\EXPLORER.EXE

Trojan.Agent/Gen-WinLogon[Fake]
C:\USERS\JOE\DOWNLOADS\WINLOGON.EXE

Edited by woodsman345, 24 July 2011 - 11:09 AM.


#10 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 24 July 2011 - 10:54 AM

can you post the logs please?

#11 woodsman345

woodsman345
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 11:11 AM

SAS is in my above post and here is malwarebytes.
Still not sure how to make GMER work on a 64 bit machine.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7260

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/24/2011 7:14:14 AM
mbam-log-2011-07-24 (07-14-14).txt

Scan type: Full scan (C:\|)
Objects scanned: 304915
Time elapsed: 32 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by woodsman345, 24 July 2011 - 11:17 AM.


#12 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 24 July 2011 - 11:12 AM

Perform a complete scan with Malwarebytes.

#13 woodsman345

woodsman345
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 11:31 AM

I did. I posted the incorrect scan and edited it. New one is there now.
I have the link from yahoo mail I clicked on a week ago or so, that was a mistake on my part , is there any way to analyze that?

#14 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 24 July 2011 - 11:34 AM

With the fake Winlogin above, Please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.

#15 woodsman345

woodsman345
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 24 July 2011 - 11:51 AM

That winlogon was downloaded off from one on grinlers posts, below. I opened the folder and it had Rkill in it.
I remember that he said that some of this may be interpeted as malware but it is safe.
Thanks


Grinler:
RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it run by certain malware.

RKill.com Download Link
RKill.exe Download Link
RKill.scr Download Link
eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
iExplore.exe Download Link
WiNlOgOn.exe Download Link
uSeRiNiT.exe Download Link


When RKill is run it will display a console screen similar to the one below:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users