
Two Issues - Not Sure if Related


23 replies to this topic

#1 CMalone

  • Members
  • 16 posts

Posted 30 October 2011 - 10:14 PM

So my brother's computer seems to have a recurring malware infection. I have run MBAM the last few days and each day it comes up with 14 objects, all the same log. I have run tdsskiller and it found nothing. When the computer logs on to Windows (Vista) it gets an error message that the recycle bin is corrupt and do you want to empty the bin (yes or no).

Additionally, a Windows message keeps popping up asking whether to allow or deny rundll32 from running. These problems are apparently all new; I have used SmitfraudFix in the past for similar problems but to no avail this time. The log from MBAM is as follows:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8038

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

10/30/2011 23:01:19
mbam-log-2011-10-30 (23-01-19).txt

Scan type: Quick scan
Objects scanned: 221774
Time elapsed: 12 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\programdata\keyboardverifierpolicy.dll (Trojan.SHarpro.PGen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0FFFE48E-D342-4AD4-B9CF-9422B3D2BD8a} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FFFE48E-D342-4AD4-B9CF-9422B3D2BD8A} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FFFE48E-D342-4AD4-B9CF-9422B3D2BD8A} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FFFE48E-D342-4AD4-B9CF-9422B3D2BD8A} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyboardVerifierPolicy (Trojan.SHarpro.PGen) -> Value: KeyboardVerifierPolicy -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\keyboardverifierpolicy.dll (Trojan.SHarpro.PGen) -> Delete on reboot.
c:\Users\Dad\local settings\application data\shelladmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
c:\Users\Dad\local settings\application data\trayadmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\shelladmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\trayadmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
c:\Users\Dad\local settings\application data\explorerptr.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\explorerptr.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.


#2 boopme

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 November 2011 - 08:31 PM

Hello.... I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.



We need to know exactly this message... a Windows message popping up asking to allow or deny rundll32 from running.



When the computer logs on to Windows (Vista) it gets an error message that the recycle bin is corrupt and do you want to empty the bin (yes or no).

Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users: the command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.

#3 CMalone

  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2011 - 07:35 PM

I am in the process of running the scans but am giving you more info on the Rundll32 message from my own laptop.

The message is from (what appears to be) Windows:

User account control

Windows needs your permission to continue
if you started this action, continue.

Windows host process (Rundll32)
Microsoft Windows

Continue or Cancel

The details tab states: "c: \windows\system32\rundll32.exe"
"c:\users\dad\appdata\loc...\viewer.dll",Dllregisterserver

#4 CMalone

  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2011 - 09:42 PM

ESET LOG

C:\Documents and Settings\All Users\DisplayProfileProfile.dll Win32/TrojanDownloader.Tracur.I trojan cleaned by deleting - quarantined
C:\Documents and Settings\All Users\IntelNotifierVerifier.dll Win32/TrojanDownloader.Tracur.I trojan cleaned by deleting - quarantined
C:\Documents and Settings\All Users\MicrosoftOnlinePolicy.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\All Users\WindowsProfileManager.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\InternetUser.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\InternetWin32.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\SecurityUser.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\TCPIPPTR.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\TraySys32.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\2DBoy\2DBoyUpdate\2DBoyup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Adobe\AdobeUpdate\Adobeup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\AIM\AIMUpdate\AIMup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\AIM Toolbar\AIMUpdate\AIMup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\AOL\AOLUpdate\AOLup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Apple Computer\AppleUpdate\Appleup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\bf60bbd4\X Win32/Sirefef.DD trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Conduit\ConduitUpdate\Conduitup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\DataSafeOnline\DataSafeOnlineUpdate\DataSafeOnlineup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Dell\DellUpdate\Dellup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Microsoft\MicrosoftUpdate\Microsoftup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHZ8WMH9\PopularScreenSavers[1].exe a variant of Win32/AdInstaller application cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHZ8WMH9\PopularScreenSavers[2].exe a variant of Win32/AdInstaller application cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Oberon Media\OberonUpdate\Oberonup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\PowerDVD DX\PowerDVDUpdate\PowerDVDup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Stardock_Corporation\Stardock_CorporationUpdate\Stardock_Corporationup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD4BEE.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD519A.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD587D.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD5E39.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD5EFA.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD65DC.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD69AF.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD6DA5.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD6ECE.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD73DD.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD7747.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD7B7C.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NOD84DF.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NODD70B.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NODEAF9.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\NODF21C.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\ICReinstall\Facemoods[1].exe probably a variant of Win32/InstallCore.A application cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nsgD4C0.tmp\boenc.dll_ a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nsgD4C0.tmp\dfenc.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nsgD4C0.tmp\mvenc.dll Win32/TrojanDownloader.Tracur.I trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nsgD4C0.tmp\stats.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nst2C5F.tmp\image01.jpo a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nst2C5F.tmp\image02.jpo a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nst2C5F.tmp\image03.jpo a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\Temp\nst2C5F.tmp\viewer.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\Local\VirtualStore\VirtualStoreUpdate\VirtualStoreup.dll a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Retrogamer_2zEI\Installr\Cache\0AFE1666.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\750e1b8d-570ff0c6 a variant of Java/Agent.DW trojan deleted - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\3f1ba517-25dd94d9 multiple threats deleted - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\58ce481b-3896a107 a variant of Java/TrojanDownloader.Agent.ME trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\67fb2adb-70b10c19 Win32/Sirefef.DD trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\87444a4-7362074e multiple threats deleted - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\781d0d26-46ff9290 probably a variant of Java/TrojanDownloader.Agent.NCT trojan deleted - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\74a02227-2593f81e a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Documents and Settings\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\4839f1b9-48b72e47 multiple threats deleted - quarantined
C:\Documents and Settings\Dad\Desktop\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\Dad\Desktop\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\Program Files\DealPly\zugo-rj.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined
C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files\Retrogamer_2z\bar\1.bin\2zdatact.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\Program Files\Retrogamer_2z\bar\1.bin\2zhtml.dll probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\Program Files\Retrogamer_2z\bar\1.bin\2zPlugin.dll a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\Retrogamer_2z\bar\1.bin\2zskin.dll a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\Toolbar32.dll.vir a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Dad\AppData\Local\mgm.exe.vir a variant of Win32/Kryptik.MAX trojan cleaned by deleting - quarantined
C:\Users\Dad\AppData\Local\Temp\NOD7F21.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NOD93A0.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NOD9B2F.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODA0AC.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODA6F4.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODAE64.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODB4FA.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODBB80.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODC2A3.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODC9F4.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODD0F7.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODD7FA.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODDFB8.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODE6BB.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODEDED.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODF618.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Dad\AppData\Local\Temp\NODFE15.tmp a variant of Win32/Kryptik.UQZ trojan cleaned by deleting (after the next restart) - quarantined
Operating memory a variant of Win32/TrojanDownloader.Tracur.I trojan

#5 boopme

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 November 2011 - 09:54 PM

Hello,
RunDLL32.exe is a legitimate Windows file that loads .dll files, which in turn can be legitimate or malware related. A "Cannot find" or "Error loading" error message usually occurs when the associated .dll has been removed. The file may have been removed during an anti-virus scan, the uninstall of a program or the use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up. Let's see if it goes away.



Those were some ugly infections.. We should look at these logs next.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Edited by boopme, 04 November 2011 - 09:56 PM.

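As an added illustration of boopme's rundll32 explanation and of the UAC prompt CMalone reported (rundll32.exe launching a DLL from the user's profile with DllRegisterServer), here is a small Python check written for this page; it is not code from the thread or from any of the tools named in it. It parses Run-key command lines of the form rundll32 <dll>,<entry point>, reports entries whose DLL no longer exists (the orphaned entries behind a "Cannot find" / "Error loading" popup) and entries whose DLL lives under ProgramData or a user profile, where every payload in the MBAM and ESET logs above was found. The Run values and the list of surviving files are constructed for the example: only the value names and DLL paths come from the logs in the thread, and the full command lines are assumptions.

```python
import re
from typing import NamedTuple

# Added example, not code from the thread or from MBAM/ESET/MiniToolBox.
# It models boopme's point: a Run value that launches rundll32 with a DLL that has
# since been deleted is an orphaned autostart entry; a DLL autostarted from
# ProgramData or a user profile is where this thread's infections kept their payloads.

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample Run values. Value names and DLL paths are taken from the
# MBAM/ESET logs in the thread; the full command lines are assumptions (the thread
# only shows the one command line from the UAC prompt).
SAMPLE_RUN_VALUES = {
    "KeyboardVerifierPolicy":
        r'"C:\Windows\system32\rundll32.exe" "C:\ProgramData\keyboardverifierpolicy.dll",DllRegisterServer',
    "Creative Update":
        r'rundll32.exe "C:\Users\Dad\AppData\Local\Temp\nst2C5F.tmp\viewer.dll",DllRegisterServer',
    "Intel Update":
        r"C:\Windows\System32\rundll32.exe C:\Users\Dad\AppData\Local\InternetUser.dll,DllRegisterServer",
    "ExampleVendorTray":  # constructed benign-looking entry that does not use rundll32
        r'"C:\Program Files\ExampleVendor\tray.exe" /background',
}

# Constructed stand-in for the filesystem after the cleanup scans (lower-cased paths):
# keyboardverifierpolicy.dll and InternetUser.dll were deleted by the scanners,
# viewer.dll was still being loaded when the UAC prompt appeared.
SAMPLE_EXISTING_FILES = {
    "c:\\windows\\system32\\rundll32.exe",
    "c:\\users\\dad\\appdata\\local\\temp\\nst2c5f.tmp\\viewer.dll",
    "c:\\program files\\examplevendor\\tray.exe",
}

# Locations a standard user can write to; a DLL autostarted from here deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")

# rundll32 command line: <rundll32 path> <dll path>,<entry point>; either path may be quoted.
RUNDLL32_RE = re.compile(
    r'^(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"([^"]+)"|([^\s,]+))\s*,\s*(\S+)',
    re.IGNORECASE,
)


class Finding(NamedTuple):
    value_name: str
    dll_path: str
    entry_point: str
    dll_exists: bool
    user_writable: bool


def parse_rundll32(command_line):
    """Return (dll_path, entry_point) for a rundll32 command line, or None for anything else."""
    m = RUNDLL32_RE.match(command_line.strip())
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def audit_run_values(run_values, existing_files):
    """Classify every rundll32-based Run value. existing_files holds lower-cased full paths."""
    findings = []
    for name, cmd in run_values.items():
        parsed = parse_rundll32(cmd)
        if parsed is None:
            continue  # not a rundll32 launcher; out of scope for this check
        dll, entry = parsed
        norm = dll.lower()
        findings.append(Finding(name, dll, entry,
                                norm in existing_files,
                                norm.startswith(USER_WRITABLE_PREFIXES)))
    return findings


def orphaned_entries(findings):
    """Run values whose DLL is gone: the source of 'Cannot find' / 'Error loading' popups."""
    return [f.value_name for f in findings if not f.dll_exists]


def read_live_run_values():
    """On Windows, read the HKCU Run values with the standard winreg module (not used by the sample)."""
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    for f in audit_run_values(SAMPLE_RUN_VALUES, SAMPLE_EXISTING_FILES):
        status = "present" if f.dll_exists else "MISSING (orphaned entry)"
        where = "user-writable location" if f.user_writable else "system location"
        print(f"{f.value_name:24} -> {f.dll_path} [{f.entry_point}]: {status}, {where}")
```

Running the file prints one line per rundll32 entry. read_live_run_values shows how the same data would be collected on a real Windows machine with the standard winreg module; the sample does not call it, so the script also runs elsewhere. Orphaned entries are the ones to remove once the DLL is confirmed gone, while entries whose DLL still exists in a user-writable location are the ones to have scanned before deleting.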

#6 CMalone

  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2011 - 09:59 PM

Here is the MBAM log - I am going to reboot and run the next logs

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8088

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

11/4/2011 22:54:57
mbam-log-2011-11-04 (22-54-57).txt

Scan type: Quick scan
Objects scanned: 216198
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 16
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Creative Update (Trojan.SHarpro.PGen) -> Value: Creative Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clients Update (Trojan.SHarpro.PGen) -> Value: Clients Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macromedia Update (Trojan.SHarpro.PGen) -> Value: Macromedia Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wow6432Node Update (Trojan.SHarpro.PGen) -> Value: Wow6432Node Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DealPly Update (Trojan.SHarpro.PGen) -> Value: DealPly Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ODBC Update (Trojan.SHarpro.PGen) -> Value: ODBC Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppDataLow Update (Trojan.SHarpro.PGen) -> Value: AppDataLow Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Update (Trojan.SHarpro.PGen) -> Value: Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Apple Update (Trojan.SHarpro.PGen) -> Value: Apple Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ooVoo Update (Trojan.SHarpro.PGen) -> Value: ooVoo Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Update (Trojan.SHarpro.PGen) -> Value: Local Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AIM Update (Trojan.SHarpro.PGen) -> Value: AIM Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDDB Update (Trojan.SHarpro.PGen) -> Value: CDDB Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftOnlinePolicy (Trojan.SHarpro.PGen) -> Value: MicrosoftOnlinePolicy -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla Update (Trojan.SHarpro.PGen) -> Value: Mozilla Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel Update (Trojan.SHarpro.PGen) -> Value: Intel Update -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 CMalone

  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2011 - 10:05 PM

MiniToolBox by Farbar
Ran by Dad (administrator) on 04-11-2011 at 23:04:56
Windows Vista ™ Home Premium Service Pack 2 (X86)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Dad-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-25-56-10-A9-1D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8981:785f:ee0f:5a7e%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, November 04, 2011 23:01:56
Lease Expires . . . . . . . . . . : Saturday, November 05, 2011 23:01:56
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 201336150
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-BD-90-0D-00-22-19-EE-F6-14
DNS Servers . . . . . . . . . . . : 167.206.254.1
167.206.254.2
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
Physical Address. . . . . . . . . : 00-22-19-EE-F6-14
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{A1C0DD70-3592-41F1-9CCB-38BAC00A1A53}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:18c5:aee:3f57:fe9a(Preferred)
Link-local IPv6 Address . . . . . : fe80::18c5:aee:3f57:fe9a%10(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{43E0FAB1-9030-458F-B5C4-D34C831FEAE0}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Server: vdns1.srv.hcvlny.cv.net
Address: 167.206.254.1

Name: google.com
Addresses: 74.125.226.147
74.125.226.144
74.125.226.145
74.125.226.146
74.125.226.148

Pinging google.com [74.125.226.145] with 32 bytes of data:

Reply from 74.125.226.145: bytes=32 time=32ms TTL=55
Reply from 74.125.226.145: bytes=32 time=32ms TTL=55

Ping statistics for 74.125.226.145:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 32ms, Average = 32ms

Server: vdns1.srv.hcvlny.cv.net
Address: 167.206.254.1

Name: yahoo.com
Addresses: 98.137.149.56
98.139.180.149
209.191.122.70
67.195.160.76
72.30.2.43

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=97ms TTL=52
Reply from 209.191.122.70: bytes=32 time=90ms TTL=51

Ping statistics for 209.191.122.70:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 97ms, Average = 93ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
12 ...00 25 56 10 a9 1d ...... Dell Wireless 1397 WLAN Mini-Card
11 ...00 22 19 ee f6 14 ...... Broadcom NetLink ™ Gigabit Ethernet
1 ........................... Software Loopback Interface 1
14 ...00 00 00 00 00 00 00 e0 isatap.{A1C0DD70-3592-41F1-9CCB-38BAC00A1A53}
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 isatap.{43E0FAB1-9030-458F-B5C4-D34C831FEAE0}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.101 281
192.168.1.101 255.255.255.255 On-link 192.168.1.101 281
192.168.1.255 255.255.255.255 On-link 192.168.1.101 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.101 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.101 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
10 18 ::/0 On-link
1 306 ::1/128 On-link
10 18 2001::/32 On-link
10 266 2001:0:4137:9e76:18c5:aee:3f57:fe9a/128 On-link
12 281 fe80::/64 On-link
10 266 fe80::/64 On-link
10 266 fe80::18c5:aee:3f57:fe9a/128 On-link
12 281 fe80::8981:785f:ee0f:5a7e/128 On-link
1 306 ff00::/8 On-link
10 266 ff00::/8 On-link
12 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/04/2011 11:02:20 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/04/2011 11:00:13 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{AA44355E-6911-4447-BA5D-6720480579AF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (11/04/2011 10:42:58 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.19154, time stamp 0x4e8634f0, faulting module IEFRAME.dll, version 8.0.6001.19154, time stamp 0x4e864a70, exception code 0xc0000005, fault offset 0x000b7911,
process id 0x2750, application start time 0xiexplore.exe0.

Error: (11/04/2011 08:32:56 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/04/2011 08:27:09 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/04/2011 10:23:00 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{AA44355E-6911-4447-BA5D-6720480579AF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (11/04/2011 10:14:14 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/04/2011 09:05:27 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/03/2011 06:15:56 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/03/2011 09:49:43 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\DAD\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\MACROMEDIA.COM\SUPPORT\FLASHPLAYER\SYS\#CACHE.BTRLL.COM> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (11/04/2011 08:32:12 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 8:29:20 PM on 11/4/2011 was unexpected.

Error: (11/04/2011 08:32:02 PM) (Source: ACPI) (User: )
Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

Error: (11/04/2011 10:13:30 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 9:06:52 AM on 11/4/2011 was unexpected.

Error: (11/03/2011 09:44:42 PM) (Source: DCOM) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}

Error: (11/03/2011 09:44:33 PM) (Source: DCOM) (User: )
Description: {28778B62-8481-400D-8E8A-A4C81ED3F65C}

Error: (11/03/2011 09:46:58 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 9:34:11 PM on 11/2/2011 was unexpected.

Error: (11/02/2011 10:02:03 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 5:49:32 PM on 11/1/2011 was unexpected.

Error: (11/01/2011 04:58:38 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 2:19:20 PM on 11/1/2011 was unexpected.

Error: (11/01/2011 02:15:25 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 7:08:24 PM on 10/31/2011 was unexpected.

Error: (11/01/2011 02:15:15 PM) (Source: ACPI) (User: )
Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 2.1.5)
6200 (Version: 82.0.242.000)
6200_Help (Version: 82.0.242.000)
6200Trb (Version: 82.0.242.000)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe AIR (Version: 2.6.0.19140)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.34)
Adobe Reader X (10.0.1) (Version: 10.0.1)
Advanced Audio FX Engine (Version: 1.12.05)
AIM 7
AIM Toolbar
AIO_CDB_ProductContext (Version: 82.0.242.000)
AIO_CDB_Software (Version: 82.0.242.000)
AIO_Scan (Version: 82.0.173.000)
Apple Application Support (Version: 1.2.1)
Apple Mobile Device Support (Version: 2.6.0.32)
Apple Software Update (Version: 2.1.1.116)
Ask Toolbar (Version: 1.13.1.0)
Bonjour (Version: 1.0.106)
BufferChm (Version: 82.0.173.000)
Choice Guard (Version: 1.2.87.0)
Cisco EAP-FAST Module (Version: 2.1.6)
Cisco LEAP Module (Version: 1.0.12)
Cisco PEAP Module (Version: 1.0.13)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Copy (Version: 82.0.188.000)
Creative MediaSource 5 (Version: 5.00)
CustomerResearchQFolder (Version: 1.00.0000)
Dell-eBay (Version: 1.00.0000)
Dell DataSafe Local Backup - Support Software (Version: 2.16)
Dell DataSafe Local Backup (Version: Dell DataSafe Local Backup 2.75 x86)
Dell DataSafe Online (Version: 1.2.0009)
Dell Dock (Version: 1.0.0)
Dell Edoc Viewer (Version: 1.0.0)
Dell Getting Started Guide (Version: 1.00.0000)
Dell Remote Access (Version: 1.0.0.0)
Dell Support Center (Support Software) (Version: 2.2.09085)
Dell Touchpad (Version: 7.2.101.211)
Dell Video Chat (Version: 6.0 (6567))
Dell Webcam Central (Version: 1.20.10)
Dell Wireless WLAN Card Utility (Version: 5.10.38.30)
DELL0703 (Version: 1.0.0)
Destinations (Version: 82.0.173.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 8.1.0.0)
DocProcQFolder (Version: 1.00.0000)
ESET Online Scanner v3
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 82.0.188.000)
Free Ride Games Player
GoToAssist 8.0.0.514
HP Customer Participation Program 8.0 (Version: 8.0)
HP Imaging Device Functions 8.0 (Version: 8.0)
HP OCR Software 8.0 (Version: 8.0)
HP Photosmart Essential (Version: 1.12.0.46)
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B (Version: 8.0)
HP Product Assistant (Version: 100.000.001.000)
HP Solution Center 8.0 (Version: 8.0)
HP Update (Version: 5.002.005.003)
HPProductAssistant (Version: 82.0.173.000)
HPSSupply (Version: 2.1.3.0000)
Integrated Webcam Driver (1.06.03.0309) (Version: 1.06.03.0309)
Intel® Graphics Media Accelerator Driver
ITECIR (Version: 1.9)
Java™ 6 Update 11 (Version: 6.0.110)
Junk Mail filter update (Version: 14.0.8050.1202)
Live! Cam Avatar Creator (Version: 4.6.2303.1)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
MarketResearch (Version: 82.0.174.000)
McAfee Virtual Technician (Version: 5.0.1.0)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Home and Student 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Suite Activation Assistant (Version: 1.2.1)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office XP Media Content (Version: 10.0.2619.0)
Microsoft Office XP Professional (Version: 10.0.6626.0)
Microsoft Search Enhancement Pack (Version: 3.0.127.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 9.7.0621)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
ooVoo (Version: 3.0.7008)
PowerDVD DX (Version: 8.2.5024)
QuickSet (Version: 9.2.8)
QuickTime (Version: 7.66.71.0)
Roxio Creator Audio (Version: 3.7.0)
Roxio Creator Copy (Version: 3.7.0)
Roxio Creator Data (Version: 3.7.0)
Roxio Creator DE (Version: 10.1)
Roxio Creator DE (Version: 3.7.0)
Roxio Creator Tools (Version: 3.7.0)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Update Manager (Version: 6.0.0)
Scan (Version: 8.1.0.0)
SolutionCenter (Version: 82.0.188.000)
Sound Blaster Audigy ADVANCED MB (Version: 1.0)
Status (Version: 82.0.173.000)
Toolbox (Version: 82.0.173.000)
TrayApp (Version: 82.0.188.000)
UnloadSupport (Version: 1.00.0000)
WebReg (Version: 82.0.173.000)
Windows Live Call (Version: 14.0.8050.1202)
Windows Live Communications Platform (Version: 14.0.8050.1202)
Windows Live Essentials (Version: 14.0.8050.1202)
Windows Live Mail (Version: 14.0.8050.1202)
Windows Live Messenger (Version: 14.0.8050.1202)
Windows Live Photo Gallery (Version: 14.0.8051.1204)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Sync (Version: 14.0.8050.1202)
Windows Live Toolbar (Version: 14.0.8052.1208)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8050.1202)

========================= Memory info: ===================================

Percentage of memory in use: 37%
Total physical RAM: 3030.17 MB
Available physical RAM: 1888.19 MB
Total Pagefile: 6260.64 MB
Available Pagefile: 4891.1 MB
Total Virtual: 2047.88 MB
Available Virtual: 1958.84 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:283.01 GB) (Free:208.88 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:7.43 GB) NTFS

========================= Users: ========================================

User accounts for \\DAD-PC

Administrator Dad Guest
RA Media Server

========================= Minidump Files ==================================


**** End of log ****

#8 CMalone
  • Topic Starter
  • Members
  • 16 posts

Posted 04 November 2011 - 10:10 PM

I am unable to download ATF Cleaner - it says the ID does not exist when I click the link.

#9 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 November 2011 - 10:16 PM

Just run SAS then, for now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 CMalone
  • Topic Starter
  • Members
  • 16 posts

Posted 06 November 2011 - 04:51 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/06/2011 at 04:45 PM

Application Version : 5.0.1134

Core Rules Database Version : 7904
Trace Rules Database Version: 5716

Scan type : Quick Scan
Total Scan Time : 00:07:53

Operating System Information
Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
UAC Off - Administrator

Memory items scanned : 281
Memory threats detected : 0
Registry items scanned : 30263
Registry threats detected : 8
File items scanned : 15250
File threats detected : 110

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Trojan.Agent/Gen
HKU\S-1-5-21-3632143483-220950307-188394216-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#1085984108

Adware.Tracking Cookie

Adware.HBHelper
HKU\S-1-5-21-3632143483-220950307-188394216-1000_Classes\Software\Microsoft\Internet Explorer\URLSearchHooks#{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}

Trojan.Agent/Gen-ImageDocFake
C:\USERS\DAD\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\8OXWDCBA\30E2BEBD65BFDE232C1D8B9C94646357[1].GIF

#11 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 November 2011 - 07:03 PM

OK, run a Full scan and tell me how it is now.

Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#12 CMalone
Posted 09 November 2011 - 08:10 PM

I have not done this yet as there were apparently new issues that came up after the SAS cleaning. A program called privacy protection popped onto the desktop and I had rerun SAS and MBAM in safe mode because that program was preventing them from running. I finally got that issue off of the computer, but now there is a website that keeps generating. I am going to post the logs after this post and then run this new scanner.

#13 CMalone
Posted 09 November 2011 - 08:11 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8127

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

11/9/2011 17:52:44
mbam-log-2011-11-09 (17-52-44).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 352949
Time elapsed: 55 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{731b0dfb-a6d2-456d-a8cf-8f8f9428c2a5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c7566a44-80ea-4c12-adc9-209a58d82860} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29395D3E-0A99-401B-B3EF-778107B5FCCD} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.XMLSessionPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.XMLSessionPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{731B0DFB-A6D2-456D-A8CF-8F8F9428C2A5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fee58fba-ccdb-42e0-b0bd-a37812509763} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.DynamicBarButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.DynamicBarButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2062a63c-7fea-4d06-ab19-5223bac659da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{5f1bde62-fc1b-4661-abf8-984b997aeda2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{46DCD470-A8B1-482C-B638-272F3491CC04} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7e3c3521-5504-492a-a99d-3cdc1b795ea5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.Radio.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.Radio (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fd34eacb-53f5-4965-94bd-cc503b0ec292} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{7815cd7b-4477-4d83-b66c-97e5eb483a05} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5A67CFE6-ED34-4114-8A3B-08E9F5E2EE39} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD34EACB-53F5-4965-94BD-CC503B0EC292} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6a9882b5-0181-40c1-ae99-98f2274aa5c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.UrlAlertButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.UrlAlertButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\retrogamer_2z\bar\1.bin\2zmsg.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\ (Adware.MyWebSearch) -> Delete on reboot.
c:\program files\retrogamer_2z\bar\1.bin\2zdyn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zhighin.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zhttpct.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zidle.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zimpipe.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zradio.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zregfft.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zregiet.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zskplay.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2ztpinst.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\2zuabtn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\NP2zStub.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\retrogamer_2z\bar\1.bin\T8RES.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\startnow toolbar\startnowtoolbaruninstall.exe.vir (PUP.Zugo) -> Not selected for removal.
c:\Users\Dad\AppData\Local\bf60bbd4\U\80000000.@ (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\bf60bbd4\U\800000cb.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\bf60bbd4\U\800000cf.@ (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\Temp\ms1cfg32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\Temp\nsx1363.tmp\msintl1a.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\Temp\nsx1363.tmp\msintl1c.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\Temp\nsx1363.tmp\msintl1e.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\Temp\nsx1363.tmp\msintl2a.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
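Logs like the one above are easier to triage when reduced to a table: which detection families were hit, which items were actually removed, and which were only scheduled ("Delete on reboot") or skipped ("Not selected for removal"). The Winlogon\Shell value in this log is an autostart location, so it is the first thing to re-check on the next scan. The following Python parser is an added example, not code from this thread or from Malwarebytes; the MBAM log format it handles is the one visible in the posts (`item (Detection) -> action.`), and the embedded input is a constructed excerpt of the log above, not the full log.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the MBAM 1.51 log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 352949

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{731b0dfb-a6d2-456d-a8cf-8f8f9428c2a5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Retrogamer_2z.XMLSessionPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Files Infected:
c:\program files\retrogamer_2z\bar\1.bin\ (Adware.MyWebSearch) -> Delete on reboot.
c:\Qoobox\quarantine\C\program files\startnow toolbar\startnowtoolbaruninstall.exe.vir (PUP.Zugo) -> Not selected for removal.
c:\Users\Dad\AppData\Local\bf60bbd4\U\800000cb.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Local\Temp\ms1cfg32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A section header is "<Something> Infected:" with nothing after the colon
# (the summary block at the top has counts after the colon and is skipped).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# One finding: "<item> (<detection>) -> <one or more arrow-separated parts>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Autostart locations (heuristic, case-insensitive match on the item path).
PERSISTENCE_HINTS = (
    r"\\winlogon\\shell",
    r"\\winlogon\\userinit",
    r"\\currentversion\\run",
    r"\\currentversion\\runonce",
)

REMOVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return one dict per finding: section, item, detection, action, extra."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        # The final arrow-separated part is the action; anything before it
        # (e.g. "Value: Shell") is extra detail about the item.
        parts = m.group("rest").rstrip(".").split(" -> ")
        findings.append({
            "section": section,
            "item": m.group("item"),
            "detection": m.group("detection"),
            "action": parts[-1],
            "extra": " -> ".join(parts[:-1]),
        })
    return findings


def summarize(findings):
    """Counts per detection family and per action taken."""
    by_family = Counter(f["detection"] for f in findings)
    by_action = Counter(f["action"] for f in findings)
    return by_family, by_action


def needs_followup(findings):
    """Findings to re-check after reboot: anything not removed outright,
    plus anything living in an autostart location."""
    out = []
    for f in findings:
        reasons = []
        if f["action"] != REMOVED:
            reasons.append("action: " + f["action"])
        low = f["item"].lower()
        if any(re.search(p, low) for p in PERSISTENCE_HINTS):
            reasons.append("autostart location")
        if reasons:
            out.append((f["item"], f["detection"], reasons))
    return out


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    fam, act = summarize(found)
    print("by family:", dict(fam))
    print("by action:", dict(act))
    for item, det, why in needs_followup(found):
        print("FOLLOW UP:", item, det, "; ".join(why))
```

On the excerpt this flags three items for follow-up: the Winlogon Shell value (both deferred deletion and autostart location), the retrogamer directory scheduled for deletion on reboot, and the item under Qoobox that was not selected for removal. Comparing the follow-up list against the log from the next full scan is a quick way to confirm whether the deferred deletions actually happened.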

#14 CMalone
Posted 09 November 2011 - 08:12 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/09/2011 at 03:39 PM

Application Version : 5.0.1134

Core Rules Database Version : 7904
Trace Rules Database Version: 5716

Scan type : Quick Scan
Total Scan Time : 00:12:54

Operating System Information
Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
UAC On - Limited User (Administrator User)

Memory items scanned : 693
Memory threats detected : 0
Registry items scanned : 32244
Registry threats detected : 4
File items scanned : 15553
File threats detected : 92

Trojan.Agent/Gen
HKU\S-1-5-21-3632143483-220950307-188394216-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#1085984108

Malware.Trace
HKU\S-1-5-21-3632143483-220950307-188394216-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Adware.Tracking Cookie
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\9NLJH71P.txt [ /media6degrees.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\V5BOBKKB.txt [ /questionmarket.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\I500Y2H1.txt [ /a1.interclick.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\LJASUB3X.txt [ /zedo.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\L03MM1X6.txt [ /pro-market.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\38THE7C1.txt [ /invitemedia.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\VWF2Q4O3.txt [ /adserver.leanmarket.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\47GC922T.txt [ /mediaplex.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\K2P6YLK5.txt [ /marchex.bafind.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\WWXWKIFY.txt [ /casalemedia.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\3YA5QV0G.txt [ /revsci.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\6NRBL51A.txt [ /akamai.interclickproxy.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\PDHYH6NX.txt [ /doubleclick.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\FSSGY6T9.txt [ /filter.plusfind.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\1K0LW4ZV.txt [ /gotacha.rotator.hadj7.adjuggler.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\KZGC3KHM.txt [ /yieldmanager.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\6ZYEKKG9.txt [ /adbrite.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\O8RD7BBP.txt [ /network.realmedia.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\3FXS4CFD.txt [ /lucidmedia.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\J50ZZ5WY.txt [ /trafficmp.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\EJIIPGS4.txt [ /amazon-adsystem.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\FOADE4YG.txt [ /realmedia.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\SH4DHOT8.txt [ /discountinsurers.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\J6AFMFZI.txt [ /adserver.adtechus.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\OAINIHKU.txt [ /pointroll.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\75BOHYWH.txt [ /interclick.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\FKTAEP8O.txt [ /imrworldwide.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\4180D2JQ.txt [ /ads.undertone.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\UJJ79HWC.txt [ /ads.pubmatic.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\N71T6QE4.txt [ /statcounter.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\OA232YNZ.txt [ /bizzclick.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\P6ZSXFN2.txt [ /vidasco.rotator.hadj7.adjuggler.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\R83RTXEH.txt [ /burstnet.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\P3GXDMH2.txt [ /collective-media.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\9JTJP2R3.txt [ /ads.pointroll.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\IOW5AKC2.txt [ /serving-sys.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\EWHAS533.txt [ /r1-ads.ace.advertising.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\K7Q9ZMU8.txt [ /ad.yieldmanager.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\M7NEELEK.txt [ /fastclick.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\0VD8VB84.txt [ /adjuggler.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\YS3CU15Q.txt [ /enhance.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\VNVLBPP9.txt [ /ads.adk2.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\6J7HSQJD.txt [ /www.burstnet.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\DF3HK7VX.txt [ /apmebf.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\XC8J6NKM.txt [ /cdn.jemamedia.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\L6U38A4X.txt [ /at.atwola.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\LP7D8O71.txt [ /atdmt.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\V8OYI4VJ.txt [ /adup.rotator.hadj7.adjuggler.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\G1OT2ZYI.txt [ /dc.tremormedia.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\E8FQ1OEF.txt [ /trafficno.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\SQESAN0S.txt [ /adxpose.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\3USW5VOH.txt [ /viewablemedia.net ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\UWFERBF4.txt [ /ru4.com ]
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Cookies\KWR5MHDQ.txt [ /tribalfusion.com ]
C:\USERS\DAD\AppData\Roaming\Microsoft\Windows\Cookies\0R7WCPTV.txt [ Cookie:dad@advertising.com/ ]
C:\USERS\DAD\Cookies\9NLJH71P.txt [ Cookie:dad@media6degrees.com/ ]
C:\USERS\DAD\Cookies\I500Y2H1.txt [ Cookie:dad@a1.interclick.com/ ]
C:\USERS\DAD\Cookies\LJASUB3X.txt [ Cookie:dad@zedo.com/ ]
C:\USERS\DAD\Cookies\L03MM1X6.txt [ Cookie:dad@pro-market.net/ ]
C:\USERS\DAD\Cookies\0R7WCPTV.txt [ Cookie:dad@advertising.com/ ]
C:\USERS\DAD\Cookies\38THE7C1.txt [ Cookie:dad@invitemedia.com/ ]
C:\USERS\DAD\Cookies\VWF2Q4O3.txt [ Cookie:dad@adserver.leanmarket.com/ ]
C:\USERS\DAD\Cookies\K2P6YLK5.txt [ Cookie:dad@marchex.bafind.com/ ]
C:\USERS\DAD\Cookies\WWXWKIFY.txt [ Cookie:dad@casalemedia.com/ ]
C:\USERS\DAD\Cookies\3YA5QV0G.txt [ Cookie:dad@revsci.net/ ]
C:\USERS\DAD\Cookies\6NRBL51A.txt [ Cookie:dad@akamai.interclickproxy.com/ ]
C:\USERS\DAD\Cookies\FSSGY6T9.txt [ Cookie:dad@filter.plusfind.net/ ]
C:\USERS\DAD\Cookies\6ZYEKKG9.txt [ Cookie:dad@adbrite.com/ ]
C:\USERS\DAD\Cookies\3FXS4CFD.txt [ Cookie:dad@lucidmedia.com/ ]
C:\USERS\DAD\Cookies\J50ZZ5WY.txt [ Cookie:dad@trafficmp.com/ ]
C:\USERS\DAD\Cookies\EJIIPGS4.txt [ Cookie:dad@amazon-adsystem.com/ ]
C:\USERS\DAD\Cookies\SH4DHOT8.txt [ Cookie:dad@discountinsurers.com/ ]
C:\USERS\DAD\Cookies\OAINIHKU.txt [ Cookie:dad@pointroll.com/ ]
C:\USERS\DAD\Cookies\75BOHYWH.txt [ Cookie:dad@interclick.com/ ]
C:\USERS\DAD\Cookies\FKTAEP8O.txt [ Cookie:dad@imrworldwide.com/cgi-bin ]
C:\USERS\DAD\Cookies\N71T6QE4.txt [ Cookie:dad@statcounter.com/ ]
C:\USERS\DAD\Cookies\P6ZSXFN2.txt [ Cookie:dad@vidasco.rotator.hadj7.adjuggler.net/ ]
C:\USERS\DAD\Cookies\R83RTXEH.txt [ Cookie:dad@burstnet.com/ ]
C:\USERS\DAD\Cookies\P3GXDMH2.txt [ Cookie:dad@collective-media.net/ ]
C:\USERS\DAD\Cookies\EWHAS533.txt [ Cookie:dad@r1-ads.ace.advertising.com/ ]
C:\USERS\DAD\Cookies\K7Q9ZMU8.txt [ Cookie:dad@ad.yieldmanager.com/ ]
C:\USERS\DAD\Cookies\M7NEELEK.txt [ Cookie:dad@fastclick.net/ ]
C:\USERS\DAD\Cookies\0VD8VB84.txt [ Cookie:dad@adjuggler.net/ ]
C:\USERS\DAD\Cookies\XC8J6NKM.txt [ Cookie:dad@cdn.jemamedia.com/ ]
C:\USERS\DAD\Cookies\L6U38A4X.txt [ Cookie:dad@at.atwola.com/ ]
C:\USERS\DAD\Cookies\LP7D8O71.txt [ Cookie:dad@atdmt.com/ ]
C:\USERS\DAD\Cookies\V8OYI4VJ.txt [ Cookie:dad@adup.rotator.hadj7.adjuggler.net/ ]
C:\USERS\DAD\Cookies\E8FQ1OEF.txt [ Cookie:dad@trafficno.com/ ]
C:\USERS\DAD\Cookies\SQESAN0S.txt [ Cookie:dad@adxpose.com/ ]
C:\USERS\DAD\Cookies\3USW5VOH.txt [ Cookie:dad@viewablemedia.net/ ]
C:\USERS\DAD\Cookies\UWFERBF4.txt [ Cookie:dad@ru4.com/ ]
C:\USERS\DAD\Cookies\KWR5MHDQ.txt [ Cookie:dad@tribalfusion.com/ ]

Adware.HBHelper
HKU\S-1-5-21-3632143483-220950307-188394216-1001_Classes\Software\Microsoft\Internet Explorer\URLSearchHooks#{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}

#15 CMalone
Posted 09 November 2011 - 08:56 PM

Okay, I ran TFC and now the computer will not restart. I clicked OK and the computer began to restart, went black and has not restarted; it has been about 30 minutes now. I am writing this from a different laptop.



