Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Not sure if my machine is clean, but it may be.


  • Please log in to reply
9 replies to this topic

#1 Dragongirl

Dragongirl

  • Members
  • 209 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Harbin, China
  • Local time:12:35 AM

Posted 30 March 2013 - 12:21 AM

Hey all me again, I stopped by the chat earlier and chatted with some guys there and they recommended posting up the complete log here just to be safe.

 

First before I get to the log I want to say what prompted all of this. Two adware sites, Pricepeep and Getsavin, As far as I am aware I managed to get red of both, but I want to be sure. I got these two adware programs through cnets downloader most likely. I was downloading the Uxtheme Multi-Patcher for XP to use some themes I wanted to try. Something snuck in there with it. I noticed it all on my task manager, I have it running in the background in the case I need to kill a process or two. Two items popped in there that I never wanted. So I ran first rkill.scr, then right afterwards I ran MBAM which I recently updated at the same time. Log incoming

 

The Log

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.29.16

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Princess Awinita :: WINTER [administrator]

29-Mar-13 19:24:25
mbam-log-2013-03-29 (19-24-25).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Heuristics/Extra | P2P
Objects scanned: 153021
Time elapsed: 3 hour(s), 20 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PricePeep (Adware.Shopper) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\PricePeep\uninstall.exe (Adware.Shopper) -> Quarantined and deleted successfully.

(end)

 

So, hopefully it is all gone yes ? I went through further into the pricepeep thing and found an entire folder, including a chrome extension not from the chrome store in there. I deleted the folder directly from my C:/Windows directory. So far so good.

 

Should I run MBAM again ? Or am I clean ?


The kitten that used to be linked to here in this signature now has her forever home!! Thank you for taking the time to read this signature!

 

"This is the coolest place I've ever been, and I've only been alive for three days!" ~ Figment


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:35 AM

Posted 30 March 2013 - 01:09 PM

Go ahead and re-run it.

 

Then...

 

p22002970.gif Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

p22002970.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Dragongirl

Dragongirl
  • Topic Starter

  • Members
  • 209 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Harbin, China
  • Local time:12:35 AM

Posted 30 March 2013 - 06:01 PM

OK, I downloaded both tools, but because I  was in the midst of something I ran first JRT, the log follows, one thing I must note however is that I use biadu, not their toolbar, but their site for picture storage and reading a friends blogging and such. So I do not know why its mentioned in here. but here is the JRT log.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.5 (03.30.2013:1)
OS: Microsoft Windows XP x86
Ran by Princess Awinita on 30-Mar-13 at 18:49:56.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{81017ea9-9aa8-4a6a-9734-7af40e7d593f} 
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{98889811-442d-49dd-99d7-dc866be87dbc} 
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] hkey_classes_root\esrv.babylonesrvc
Successfully deleted: [Registry Key] hkey_classes_root\esrv.babylonesrvc.1
Successfully deleted: [Registry Key] hkey_local_machine\software\babylon
Successfully deleted: [Registry Key] hkey_current_user\software\babylontoolbar
Successfully deleted: [Registry Key] hkey_local_machine\software\babylontoolbar
Successfully deleted: [Registry Key] hkey_current_user\software\baidu
Successfully deleted: [Registry Key] hkey_local_machine\software\baidu
Successfully deleted: [Registry Key] hkey_local_machine\software\freeze.com
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\pricepeep.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\b
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\babylon.dskbnd
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\babylon.dskbnd.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylnapp.appcore
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylnapp.appcore.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylntlbr.bbylntlbrhlpr
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylntlbr.bbylntlbrhlpr.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\escort.escrtbtn.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\pricepeep.pricepeepbho
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\pricepeep.pricepeepbho.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{291bccc1-6890-484a-89d3-318c928dac1b}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{2eecd738-5844-4a99-b4b6-146bf802613b}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{2eecd738-5844-4a99-b4b6-146bf802613b}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{95b7759c-8c7f-4bf1-b163-73684a933233}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{97f2ff5b-260c-4ccf-834a-2dda4e29e39e}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{98889811-442d-49dd-99d7-dc866be87dbc}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{b8276a94-891d-453c-9ff3-715c042a2575}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{e46c8196-b634-44a1-af6e-957c64278ab1}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{fd6d90c0-e6ee-4bc6-b9f7-9ed319698007}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{fd6d90c0-e6ee-4bc6-b9f7-9ed319698007}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ffb9adcb-8c79-4c29-81d3-74d46a93d370}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\babylon"
Successfully deleted: [Folder] "C:\Documents and Settings\Value customer\Application Data\babylon"
Successfully deleted: [Folder] "C:\Documents and Settings\Value customer\Application Data\babylontoolbar"
Successfully deleted: [Folder] "C:\Documents and Settings\Value customer\Local Settings\Application Data\babylon"
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Documents and Settings\Value customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\licjnkifamhpbaefhdpacpmihicfbomb
Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\fdloijijlkoblmigdofommgnheckmaki
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 30-Mar-13 at 18:56:16.29
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
I'm about to run the AdwCleaner, since I was busy with something at the time it is all completed what I was doing, so now I need not worry of saving anything while it runs.
 
EDIT: Here is the AdwCleaner log
 
# AdwCleaner v2.115 - Logfile created 03/30/2013 at 19:02:26
# Updated 17/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Princess Awinita - WINTER
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Value customer\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\END
File Deleted : C:\user.js
Folder Deleted : C:\DOCUME~1\VALUEC~1\LOCALS~1\Temp\BabylonToolbar

***** [Registry] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{38A066B0-DD5F-4226-AC4F-6A27C1BFB892}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1B97A696-5576-43AC-A73B-E1D2C78F21E8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{75BF416E-4326-45B5-8A2D-AE32D05B930B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PricePeep
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.5512

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Documents and Settings\Value customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Value customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Value customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4720 octets] - [30/03/2013 19:02:26]

########## EOF - C:\AdwCleaner[S1].txt - [4780 octets] ##########
 
And before anyone asks, yes I named my laptop after my favorite season :)

Edited by Dragongirl, 30 March 2013 - 06:12 PM.

The kitten that used to be linked to here in this signature now has her forever home!! Thank you for taking the time to read this signature!

 

"This is the coolest place I've ever been, and I've only been alive for three days!" ~ Figment


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:35 AM

Posted 30 March 2013 - 06:58 PM

Eset?


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#5 Dragongirl

Dragongirl
  • Topic Starter

  • Members
  • 209 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Harbin, China
  • Local time:12:35 AM

Posted 30 March 2013 - 08:20 PM

Eset?

Huh ? Eset ? What is Eset ?


The kitten that used to be linked to here in this signature now has her forever home!! Thank you for taking the time to read this signature!

 

"This is the coolest place I've ever been, and I've only been alive for three days!" ~ Figment


#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:35 AM

Posted 30 March 2013 - 09:37 PM

Ooops, sorry about it.

I meant MBAM, did you re-run it?


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#7 Dragongirl

Dragongirl
  • Topic Starter

  • Members
  • 209 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Harbin, China
  • Local time:12:35 AM

Posted 31 March 2013 - 12:00 AM

Yes I have, the log came up completely empty.

 

That's a good sign right ?


The kitten that used to be linked to here in this signature now has her forever home!! Thank you for taking the time to read this signature!

 

"This is the coolest place I've ever been, and I've only been alive for three days!" ~ Figment


#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:35 AM

Posted 31 March 2013 - 10:06 AM

You should be good to go :)


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#9 Dragongirl

Dragongirl
  • Topic Starter

  • Members
  • 209 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Harbin, China
  • Local time:12:35 AM

Posted 31 March 2013 - 10:29 AM

Oh good, thanks much!


The kitten that used to be linked to here in this signature now has her forever home!! Thank you for taking the time to read this signature!

 

"This is the coolest place I've ever been, and I've only been alive for three days!" ~ Figment


#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:35 AM

Posted 31 March 2013 - 10:37 AM

thumbsup-thumbs-up-approve-ok-smiley-emo


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users