Help reqd with DownloaderTiny.BB infection please

SuperDave:

--- Quote ---Question One) SuperAntiSpyware automatically checked the boxes for both the C drive, and my G drive, External HD.
Should I run the scan including the G drive?

--- End quote ---
Yes. It's possible it could be infected also. Might as well make sure.


--- Quote ---Should I run the 'SAS' and new 'HiJack this' scans when the machine is connected to the net or disconnected?

--- End quote ---
You can run it disconnected at first and once we start to get rid of some of the malware, you can run it again connected. Please get me the logs.

MrSpiggot:
Dave,
Please see the logs as requested.
This page won't display the full (huge) SAS log for some reason, so I've kicked off with the HiJackThis & 2nd Malwarebytes log.

I will post the SAS log, in parts if I have to.

Note: I wonder if the original Malwarebytes log in my first post is more accurate than the new one in this post.
The first post identified and quarantined many issues but the PC remains/remained infected.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4298

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/07/2010 23:46:35
mbam-log-2010-07-14 (23-46-35).txt

Scan type: Full scan (C:\|)
Objects scanned: 247731
Time elapsed: 2 hour(s), 39 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Hi-Jack This:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:59:05, on 14/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EasyOffice\EasySpeller.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Phil\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\EASYOF~1\EasyWord.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\QUICKT~1\PictureViewer.exe
C:\PROGRA~1\QUICKT~1\PictureViewer.exe
C:\PROGRA~1\QUICKT~1\PictureViewer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EasySpeller] C:\Program Files\EasyOffice\EasySpeller.exe -n
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE_5_1_0_1.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155410998109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4820/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

MrSpiggot:
Dave,
Please see the SAS log.
Many thanks for your assistance.

Note! The SAS scan for the External HD showed zero infections.

NB! I pasted this log in the smallest text size available, and I've tried to tidy it up wherever possible.

Please Note! For this post I've omitted the hundreds of tracking cookie entries as I couldn't fit them on the page.
If you require them please advise and I will post them in parts.
If I've missed something, please let me know.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2010 at 03:29 PM

Application Version : 4.40.1002

Core Rules Database Version : 5182
Trace Rules Database Version: 2994

Scan type       : Complete Scan
Total Scan Time : 02:50:20

Memory items scanned      : 534
Memory threats detected   : 0
Registry items scanned    : 6694
Registry threats detected : 35
File items scanned        : 107027
File threats detected     : 637

Trojan.Homepage
   HKU\S-1-5-21-4007899603-1780725563-2726152928-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A932ED2-1737-4AB8-B84D-C71779958551}
   HKCR\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}

Application.Oreans32
   HKLM\System\ControlSet002\Services\oreans32
   C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
   HKLM\System\ControlSet002\Enum\Root\LEGACY_oreans32
   HKLM\System\ControlSet003\Services\oreans32
   HKLM\System\ControlSet003\Enum\Root\LEGACY_oreans32
   HKLM\System\ControlSet004\Services\oreans32
   HKLM\System\ControlSet004\Enum\Root\LEGACY_oreans32
   HKLM\System\CurrentControlSet\Services\oreans32
   HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32


Trojan.Homepage/Puper
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#wininet.dll

Unclassified.Oreans32
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Trojan.Fake-Alert/Trace
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\fbk.sts

Adware.Flash Tracking Cookie
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\DS.SERVING-SYS.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\SERVING-SYS.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\MSNTEST.SERVING-SYS.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\SERVING-SYS.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\BC.YOUPORN.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\PORNOTUBE.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\STATIC.YOUPORN.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\WWWSTATIC.MEGAPORN.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\WWWSTATIC.MEGAPORN.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\BROADCAST.PIXIMEDIA.FR
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\CLOUDFRONT.MEDIAMATTERS.ORG
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\IA.MEDIA-IMDB.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\MEDIA1.BREAK.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\OBJECTS.TREMORMEDIA.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\VIRGINMEDIA.A.MMS.MAVENAPPS.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\VITAMINE.NETWORLDMEDIA.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\ACVS.MEDIAONENETWORK.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\MEDIA.MTVNSERVICES.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\MEDIA.SCANSCOUT.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\MEDIA1.BREAK.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\OBJECTS.TREMORMEDIA.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\WWW.ANGELLONGXXX.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\UDN.SPECIFICCLICK.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\UDN.SPECIFICCLICK.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\EC.ATDMT.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\EC.ATDMT.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\SPE.ATDMT.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\NAIADSYSTEMS.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\WWW.NAIADSYSTEMS.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\NAIADSYSTEMS.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\M1.EMEA.2MDN.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\S0.2MDN.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\M1.2MDN.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\M1.EMEA.2MDN.NET
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A2JREZPP\SECURE-US.IMRWORLDWIDE.COM
C:\Documents and Settings\Phil\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AZFJPQ6S\SECURE-US.IMRWORLDWIDE.COM

SuperDave:

--- Quote ---Note: I wonder if the original Malwarebytes log in my first post is more accurate than the new one in this post.
The first post identified and quarantined many issues but the PC remains/remained infected.

--- End quote ---
They're both the same. MBAM did its part. Now we have to get rid of the other stuff.

P2P - I see you have P2P software installed on your machine. (Ares) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

===============================

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

===================================

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R3 - URLSearchHook: (no name) - *{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

================================

Download ComboFix by sUBs from one of the below links. 

Important! You MUST save ComboFix to your desktop

link # 1
Link # 2

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
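
The entries SuperDave picks out above follow a pattern a reviewer can automate: URLSearchHooks, BHOs, toolbars and Winlogon Notify entries whose registered file is gone ("(no file)" / "(file missing)"), context-menu items that call out to an unfamiliar host (the need2find entry, but not the live.com one), and autoruns or services whose image is not under the Windows or Program Files trees. The script below is an added example, not part of this thread and not a HijackThis feature; it applies those rules to a constructed sample in HijackThis 2.0.x format. The trusted-host list, the install-directory prefixes and the assumption that %systemroot% is C:\WINDOWS are choices made for the example. A hit is a review cue, not a verdict: the Google Update entry under the user profile is legitimate software, but a user-writable location is exactly where a reviewer should look twice.

```python
"""Triage rules for a HijackThis 2.0.x log (added example, not HijackThis code).

Flags: (1) entries whose registered file is gone, (2) entries that fetch from
a host not on the reviewer's list, (3) autoruns and services whose image is
outside the Windows or Program Files trees or is a bare name on the search path.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the same format as the log in the thread (a subset).
SAMPLE_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
"""

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
AUTORUN_SECTIONS = {"O4", "O20", "O23"}
# Assumptions for the example: hosts the reviewer already trusts, and the
# directory prefixes under which autoruns/services are normally installed.
TRUSTED_HOSTS = {"favorites.live.com", "go.microsoft.com"}
INSTALL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# The log's Platform line is Windows XP; the system root is assumed to be C:\WINDOWS.
ENV_EXPANSIONS = {"%systemroot%\\": "c:\\windows\\", "%windir%\\": "c:\\windows\\"}


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: [x] ...' into section and body, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"sec": m.group("sec"), "body": m.group("body"), "raw": line.strip()}


def image_path(entry):
    """Filesystem target the entry points at (quoted or not), or None."""
    body = entry["body"]
    if entry["sec"] == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\file.exe" args   |  [Name] file.exe args
        m = re.search(r'\]\s+(?:"([^"]+)"|(\S+))', body)
        return (m.group(1) or m.group(2)) if m else None
    # Other sections end with ' - <path>' when a file is registered.
    tail = body.rsplit(" - ", 1)[-1]
    return tail if re.match(r"^[A-Za-z]:\\", tail) else None


def remote_host(entry):
    """Hostname of an http(s) URL in the entry, or None."""
    m = re.search(r"https?://\S+", entry["body"])
    return urlparse(m.group(0)).hostname if m else None


def triage(entry):
    """Return the list of reasons this entry deserves a look (empty = fine)."""
    reasons = []
    if any(mark in entry["body"] for mark in ORPHAN_MARKERS):
        reasons.append("orphan: registered component whose file is gone")
    host = remote_host(entry)
    if host and host not in TRUSTED_HOSTS:
        reasons.append(f"remote target on unlisted host {host}")
    path = image_path(entry)
    if path and entry["sec"] in AUTORUN_SECTIONS:
        low = path.lower()
        for var, real in ENV_EXPANSIONS.items():
            low = low.replace(var, real)
        if not re.match(r"^[a-z]:\\", low):
            reasons.append("autorun uses a bare name resolved through the search path")
        elif not low.startswith(INSTALL_PREFIXES):
            reasons.append("autorun/service image outside Windows or Program Files")
    return reasons


def triage_log(text):
    """(raw line, reasons) for every parsed entry with at least one reason."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("    ->", reason)
```

Run as a script it prints the six sample entries that need a look: the four orphans, the need2find context-menu item and the user-profile Google Update autorun; the AVG, dumprep, live.com and Cryptainer lines pass. To use it on a real log, read the HijackThis text file into `triage_log` and extend `TRUSTED_HOSTS` and `INSTALL_PREFIXES` for the machine in front of you.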

MrSpiggot:
Hi Dave,
A prompt reply as always, I'll go through it in the morning.
Many thanks.
With regard to Ares, I haven't used this software in a couple of years and always press 'exit' as the PC boots up.

However it's now deleted.
