sirefef.al


15 replies to this topic

#1 vacant80

vacant80

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 08 July 2012 - 04:02 PM

Hi

Excuse me because I know very little about computers, but MSE is popping up every 4 minutes with a message saying 'detected threats are being cleaned' and that I do not need to do anything.
Looking at the history, it is a sirefef.al trojan that is being quarantined every 4 minutes.

I have run a full scan and MSE detected the trojan which it removed. After rebooting the system, the same pop up keeps returning every 4 minutes.

Also if this helps, this is the location.. AppData\Local\{02e75f7e-5240-70f1-a96d-aeb12f59bea7}\U\800000cb.@

I'm not sure if this means the PC is infected or if MSE is doing its job? Either way, how can I stop this virus or get rid of it?

Thank you

Edited by vacant80, 08 July 2012 - 04:25 PM.



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:07 AM

Posted 08 July 2012 - 04:39 PM

Hello,

And welcome to BleepingComputer.com. Before we can assist you with your question, "Am I infected?", you will need to perform the following tasks and post the logs of each if you can. If you have performed any of the scans below, post the logs for those scans, and then perform the ones you have not done.

Please download and run Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program. If you want to accept it, you will need to enter some billing information so that at the end of the trial you would be charged the cost of the product. Please decline this offer if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are unchecked (leave all others checked):
    • Ignore files larger than 4MB
    • Ignore non-executable files

    Now Perform the scan with SUPERAntiSpyware as follows:
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

SAS Portable
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64-bit mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.

#3 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 08 July 2012 - 05:41 PM

Just finished the Malwarebytes one... the system is slow, so I will try the others tomorrow if possible, but hopefully this will help you start? It has detected 5 items.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.08.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Alistair :: ALISTAIR-PC [administrator]

Protection: Enabled

08/07/2012 20:57:26
mbam-log-2012-07-08 (20-57-26).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 409934
Time elapsed: 2 hour(s), 40 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Alistair\AppData\Local\{02e75f7e-5240-70f1-a96d-aeb12f59bea7}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Alistair\AppData\Local\Temp\30412316.exe (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\Alistair\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\Alistair\AppData\Local\{02e75f7e-5240-70f1-a96d-aeb12f59bea7}\n (Trojan.Dropper.PE4) -> Delete on reboot.

(end)
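As an added example that is not part of the thread (nor Malwarebytes' own code): a small Python parser for the log layout in the post above, with a check that flags the CLSID InprocServer32 value whose data points into a GUID-named folder under AppData\Local, the persistence indicator the log shows. The sample log is constructed from the entries posted above; the parser depends on the layout, not on those particular values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the Malwarebytes Anti-Malware log posted
# in the thread (entries copied from that log).
SAMPLE_LOG = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Alistair\AppData\Local\{02e75f7e-5240-70f1-a96d-aeb12f59bea7}\n. -> Quarantined and deleted successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Alistair\AppData\Local\Temp\30412316.exe (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\Alistair\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\Alistair\AppData\Local\{02e75f7e-5240-70f1-a96d-aeb12f59bea7}\n (Trojan.Dropper.PE4) -> Delete on reboot.
"""

# "<Category> Detected: <n>" opens each section of the log.
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<detection name>) -> [Data: <value> -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
# A CLSID's InprocServer32 value (the DLL COM loads for that class)...
INPROC_RE = re.compile(r"\\CLSID\\" + GUID + r"\\InprocServer32", re.IGNORECASE)
# ...whose data points into a GUID-named folder under AppData\Local, as in the
# thread's log: a hijacked COM class that loads the dropper's component.
SUSPECT_DATA_RE = re.compile(r"\\AppData\\Local\\" + GUID + r"\\", re.IGNORECASE)


@dataclass
class Detection:
    category: str            # e.g. "Registry Values", "Files"
    item: str                # registry key/value path or file path
    detection: str           # MBAM detection name, e.g. "Trojan.Zaccess"
    action: str              # what MBAM did with it
    data: Optional[str] = None  # registry value data, when the log shows one


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection entry in an MBAM log, tagged with its section."""
    found: List[Detection] = []
    category: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank or "(No malicious items detected)"
            continue
        sec = SECTION_RE.match(line)
        if sec:
            category = sec.group("category")
            continue
        ent = ENTRY_RE.match(line)
        if not (ent and category):
            continue
        rest = ent.group("rest")
        data = None
        if rest.startswith("Data: "):
            # "Data: <value> -> <action>": the value may itself contain " -> "-free text,
            # so split on the last arrow to recover the action.
            data, _, rest = rest[len("Data: "):].rpartition(" -> ")
        found.append(Detection(category, ent.group("item"), ent.group("detection"), rest, data))
    return found


def flag_clsid_hijacks(detections: List[Detection]) -> List[Detection]:
    """Registry values where an InprocServer32 entry resolves into a GUID-named
    AppData\\Local folder: the COM hijack persistence seen in the thread."""
    return [d for d in detections
            if d.data and INPROC_RE.search(d.item) and SUSPECT_DATA_RE.search(d.data)]


def count_by_category(detections: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.category] = counts.get(d.category, 0) + 1
    return counts


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("detections per section:", count_by_category(dets))
    for hit in flag_clsid_hijacks(dets):
        print("CLSID hijack:", hit.item, "->", hit.data, "|", hit.action)
    for d in dets:
        if "reboot" in d.action.lower():
            print("still pending until reboot:", d.item)
```

An entry whose action is "Delete on reboot." is not yet gone; if the same path reappears in the next log, the infection is re-creating it, which is the behaviour the original post describes.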

#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:07 AM

Posted 08 July 2012 - 06:52 PM

Okay, I will wait for the other scans.

#5 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 09 July 2012 - 09:09 AM

security check results...

Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
JavaFX 2.1.1
Java™ 7 Update 5
Java™ SE Runtime Environment 6
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.7 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Adobe Reader X KB403742.. Adobe Reader out of Date!
Mozilla Firefox (13.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
TOSHIBA Toshiba Online Product Information TOPI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 26 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````

#6 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 09 July 2012 - 11:17 AM

SAS log.... almost there!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/09/2012 at 05:00 PM

Application Version : 5.5.1006

Core Rules Database Version : 8864
Trace Rules Database Version: 6676

Scan type : Complete Scan
Total Scan Time : 01:47:14

Operating System Information
Windows Vista Home Basic 32-bit, Service Pack 2 (Build 6.00.6002)
UAC On - Limited User (Administrator User)

Memory items scanned : 736
Memory threats detected : 0
Registry items scanned : 65730
Registry threats detected : 0
File items scanned : 48782
File threats detected : 176

Adware.Tracking Cookie

Trojan.Agent/Gen-Cryptor[Virut]
C:\TOSHIBA\EBAY\ADDTOOLBARBUTTON.EXE

Trojan.Agent/Gen-Virut
C:\WINDOWS\INSTALLER\{91120409-6000-11D3-8CFE-0150048383C9}\MISC.EXE
C:\WINDOWS\INSTALLER\{90110409-6000-11D3-8CFE-0150048383C9}\MISC.EXE

#7 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 09 July 2012 - 12:18 PM

Hello, are these sufficient? I have tried running gmer but it crashes, even in safe mode with the 'devices' box unchecked..

Also, what can I do with the quarantined items from MWB ??

The MSE pop-up has stopped after I ran the MWB program yesterday.
I seem also to have lost a fair chunk of disk space.. can I now delete any of these installed programs? Thanks, sorry for all the questions.

#8 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:07 AM

Posted 09 July 2012 - 12:51 PM

When I get home from work I will reply back.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:07 PM

Posted 09 July 2012 - 02:58 PM

Hello, looking at these ....
Trojan.Agent/Gen-Cryptor[Virut]
C:\TOSHIBA\EBAY\ADDTOOLBARBUTTON.EXE

Trojan.Agent/Gen-Virut
C:\WINDOWS\INSTALLER\{91120409-6000-11D3-8CFE-0150048383C9}\MISC.EXE
C:\WINDOWS\INSTALLER\{90110409-6000-11D3-8CFE-0150048383C9}\MISC.EXE

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a dangerous polymorphic file infector with IRCBot functionality which infects .exe, .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of damage can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since Virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.


This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#10 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 09 July 2012 - 03:17 PM

Thanks for the reply.

When you say very bad news, how bad??

At the moment the computer is running fine and not having any problems. Both of the files you mentioned were removed during the SAS scan.

I really don't know much about these things at all and a lot of it is jargon that goes over my head, so apologies for that!

Is a reformat and reinstall absolutely critical then? I have no idea how to go about that or what it involves.
If I have to back up files, would they be infected already??

Thanks for your help

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:07 PM

Posted 09 July 2012 - 10:57 PM

Hello, you also had a ZeroAccess rootkit, a backdoor infection. That combined with the Virut would compel me to reformat.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed.
Keygen and Crack Sites distributing VIRUX and FakeAV are the most common cause followed by Torrent downloads and porn codecs.

Caution: If you are considering backing up data and reformatting, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
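As an added example (my own code, not from this thread or from any tool named in it), the backup rule from post #9's list of file types Virut touches and post #11's caution above, turned into a script: copy only documents and photos, refuse the listed extensions even when they hide behind a double extension such as beach.jpg.exe, and open .zip archives to see whether an executable is packed inside. The "wanted" extension list, the function names and the sample directory tree are assumptions constructed for the demo.

```python
from __future__ import annotations
import tempfile
import zipfile
from pathlib import Path

# Extensions the thread says never to back up: Virut infects .exe/.scr, autorun
# .ini files spread it, and the Virux variant injects iframes into web files.
RISKY = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml"}
# Archives may hold infected executables, so their contents are inspected.
ARCHIVES = {".zip", ".rar", ".cab"}
# Plain data worth salvaging (photos, documents). Assumed list for the demo.
WANTED = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx", ".pdf", ".txt"}


def classify(path: Path) -> tuple[str, str]:
    """Return (verdict, reason): 'copy', 'skip' or 'inspect' for one file name."""
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return "skip", "no extension"
    last = suffixes[-1]
    # A disguised name such as beach.jpg.exe still ends in a risky extension:
    # judge by the real (last) extension, not the one Explorer may hide.
    if last in RISKY:
        hint = " (double extension)" if len(suffixes) > 1 else ""
        return "skip", f"risky extension {last}{hint}"
    if last in ARCHIVES:
        return "inspect", "archive may contain executables"
    if last in WANTED:
        return "copy", "data file"
    return "skip", f"unknown extension {last}"


def archive_is_clean(path: Path) -> bool:
    """True only for a .zip whose every member would itself be copied; .rar/.cab refused."""
    if path.suffix.lower() != ".zip":
        return False
    with zipfile.ZipFile(path) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
    return all(classify(Path(n))[0] == "copy" for n in members)


def select_for_backup(root: Path) -> dict[str, list[str]]:
    """Walk root; return relative paths split into 'copy' and 'skip' lists."""
    result = {"copy": [], "skip": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        verdict, _reason = classify(p)
        if verdict == "inspect":
            verdict = "copy" if archive_is_clean(p) else "skip"
        result[verdict].append(p.relative_to(root).as_posix())
    return result


def build_demo_tree() -> Path:
    """Constructed sample data: photo, document, disguised .exe, autorun.ini, two zips."""
    root = Path(tempfile.mkdtemp())
    (root / "photos").mkdir()
    (root / "photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "photos" / "beach.jpg.exe").write_bytes(b"MZ")
    (root / "letter.docx").write_bytes(b"PK")
    (root / "autorun.ini").write_text("[autorun]\n")
    with zipfile.ZipFile(root / "scans.zip", "w") as zf:
        zf.writestr("scan1.png", b"\x89PNG")
    with zipfile.ZipFile(root / "setup.zip", "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("setup.exe", b"MZ")
    return root


if __name__ == "__main__":
    for verdict, files in select_for_backup(build_demo_tree()).items():
        print(verdict, files)
```

The selection is by name only; files it accepts still go through the anti-virus scan the post asks for before they are copied back.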

#12 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 10 July 2012 - 05:51 AM

Hi thanks for the reply

It sounds quite serious then. I have looked at the reformatting and reinstallation process for vista.. it looks very simple.

The only important files are photos which are backed up on an external hard drive, so hopefully this will be ok.

So if I reinstall windows, turn on a firewall, reconnect to the internet to download updates and MSE before transferring back over any files to the new system.. this should be ok???

Can you reformat an external hard drive?? Would this solve the problem of that being potentially compromised also?

Thanks again for your help on this!!

#13 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 10 July 2012 - 05:44 PM

Hello again

I have reformatted and reinstalled Windows and have now reinstalled MSE and run updates.

Please can you advise me how to check my system is now clean?? Should I re-run any particular scans and post the reports ??

Thanks in advance

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:07 PM

Posted 10 July 2012 - 08:22 PM

I would run a full MBAM scan with the external connected. Probably take a long time.

I would also scan both with ESET.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

Your photos are probably OK; those files are rarely infected.

These two infections are common when using torrent downloads and file sharing; if you use them I recommend stopping.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Edited by boopme, 10 July 2012 - 08:24 PM.


#15 vacant80

vacant80
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 11 July 2012 - 10:24 AM

I have only run the scans on the PC, not the external drive, so far, but ESET produced no threats and no log.

MBAM results are below

Hopefully it's all clear ???


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.11.05

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.16982
Alistair :: ALISTAIR-PC [administrator]

11/07/2012 14:20:12
mbam-log-2012-07-11 (14-20-12).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 266146
Time elapsed: 1 hour(s), 41 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)



