system
November 20, 2008, 11:22pm
1
Please help me - I have no idea what to do.
I keep getting the above warning mentioned in the subject line
The rest of the box says
File name: hXXp://protectionlive-scan.com/2009/1/e/_freescan.php?nu=77052
Malware name: JS: Agent-DE(Trj)
Malware type: Trojan horse
VPS Version: 0811 20-0, 20/11/2008
Other problems I am having are:
I am getting error 1058 - service cannot be started. This is when I try to turn my Windows automatic updates back on. They say they are on but they actually aren’t.
Also getting heaps of pop-ups.
Any advice would be appreciated!!
Thanks
DavidR
November 20, 2008, 11:32pm
2
That is because it is a rogue site that will try to infect you.
Don’t visit the site. Why are you visiting the site?
I suspect because you are getting a pop-up saying your system is infected and should visit the site?
If so, this is a scam to get you to visit the site (they succeed there) and this could then infect your system properly had avast not blocked it, or they would try to get you to pay for a clean-up or the program for a non-existent problem.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
SUPERantispyware On-Demand only in free version.
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe , right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
system
November 21, 2008, 12:50am
3
Hi thanks for your reply
It took a long time but here is the log (part 1)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/21/2008 at 11:41 AM
Application Version : 4.22.1014
Core Rules Database Version : 3645
Trace Rules Database Version: 1628
Scan type : Quick Scan
Total Scan Time : 00:55:50
Memory items scanned : 361
Memory threats detected : 2
Registry items scanned : 589
Registry threats detected : 155
File items scanned : 8842
File threats detected : 29
Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\PMNLLIYP.DLL
C:\WINDOWS\SYSTEM32\PMNLLIYP.DLL
C:\WINDOWS\SYSTEM32\GEBRQQNE.DLL
C:\WINDOWS\SYSTEM32\GEBRQQNE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{0FB8FEF0-E503-4827-A92F-F67C24DF5C62}
HKCR\CLSID{0FB8FEF0-E503-4827-A92F-F67C24DF5C62}
HKCR\CLSID{0FB8FEF0-E503-4827-A92F-F67C24DF5C62}\InprocServer32
HKCR\CLSID{0FB8FEF0-E503-4827-A92F-F67C24DF5C62}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{54D9DFA0-2701-42E5-B29C-D3AECD98AD5A}
HKCR\CLSID{54D9DFA0-2701-42E5-B29C-D3AECD98AD5A}
HKCR\CLSID{54D9DFA0-2701-42E5-B29C-D3AECD98AD5A}\InprocServer32
HKCR\CLSID{54D9DFA0-2701-42E5-B29C-D3AECD98AD5A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{0FB8FEF0-E503-4827-A92F-F67C24DF5C62}
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{0FB8FEF0-E503-4827-A92F-F67C24DF5C62}
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{54D9DFA0-2701-42E5-B29C-D3AECD98AD5A}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnllIYP
Rogue.AntiVirus 2009
[14063469541489916108242275941506] C:\PROGRAM FILES\ANTIVIRUS 2009\AV2009.EXE
C:\PROGRAM FILES\ANTIVIRUS 2009\AV2009.EXE
C:\Program Files\Antivirus 2009\av2009.exe.tmp
C:\Program Files\Antivirus 2009
C:\Documents and Settings\Rebecca Leoniuk\Start Menu\Antivirus 2009\Antivirus 2009.lnk
C:\Documents and Settings\Rebecca Leoniuk\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
C:\Documents and Settings\Rebecca Leoniuk\Start Menu\Antivirus 2009
C:\Documents and Settings\Rebecca Leoniuk\Desktop\Antivirus 2009.lnk
C:\Documents and Settings\Rebecca Leoniuk\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
C:\WINDOWS\Prefetch\AV2009.EXE-1BF04CE5.pf
Adware.Vundo/Variant-Greek
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{e62acb89-bc1c-48cf-aa51-392d7956e5dc}
HKCR\CLSID{E62ACB89-BC1C-48CF-AA51-392D7956E5DC}
HKCR\CLSID{E62ACB89-BC1C-48CF-AA51-392D7956E5DC}\InprocServer32
HKCR\CLSID{E62ACB89-BC1C-48CF-AA51-392D7956E5DC}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\TRZTBP.DLL
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{E62ACB89-BC1C-48CF-AA51-392D7956E5DC}
C:\WINDOWS\SYSTEM32\BVTNDXAG.DLL
C:\WINDOWS\SYSTEM32\JDILXBRT.DLL
C:\WINDOWS\SYSTEM32\LNICSYQT.DLL
C:\WINDOWS\SYSTEM32\NDISWPDT.DLL
C:\WINDOWS\SYSTEM32\TWZHJZ.DLL
Adware.MyWebSearch
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
system
November 21, 2008, 12:52am
4
Part 2
Adware.Tracking Cookie
C:\Documents and Settings\Rebecca Leoniuk\Cookies\rebecca_leoniuk@ad.yieldmanager[2].txt
C:\Documents and Settings\Rebecca Leoniuk\Cookies\rebecca_leoniuk@ad.zanox[1].txt
C:\Documents and Settings\Rebecca Leoniuk\Cookies\rebecca_leoniuk@tribalfusion[1].txt
C:\Documents and Settings\Rebecca Leoniuk\Cookies\rebecca_leoniuk@mediatraffic[1].txt
C:\Documents and Settings\Rebecca Leoniuk\Cookies\rebecca_leoniuk@interclick[1].txt
C:\Documents and Settings\Rebecca Leoniuk\Cookies\rebecca_leoniuk@clickbank[2].txt
C:\Documents and Settings\Jarrod\Cookies\jarrod@bs.serving-sys[1].txt
C:\Documents and Settings\Jarrod\Cookies\jarrod@ad.yieldmanager[1].txt
C:\Documents and Settings\Jarrod\Cookies\jarrod@serving-sys[1].txt
C:\Documents and Settings\Jarrod\Cookies\jarrod@doubleclick[2].txt
.imrworldwide.com [ C:\Documents and Settings\Rebecca Leoniuk\Application Data\Mozilla\Firefox\Profiles\nqi244s7.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Rebecca Leoniuk\Application Data\Mozilla\Firefox\Profiles\nqi244s7.default\cookies.txt ]
Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\SOFTWARE\FunWebProducts
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\SOFTWARE\MyWebSearch
HKCR\ScreenSaverControl.ScreenSaverInstaller
HKCR\ScreenSaverControl.ScreenSaverInstaller\CurVer
HKCR\ScreenSaverControl.ScreenSaverInstaller.1
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Control
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus\1
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\ProgID
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\TypeLib
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Version
HKCR\CLSID{07B18EAB-A523-4961-B6BB-170DE4475CCA}\VersionIndependentProgID
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories{00021493-0000-0000-C000-000000000046}
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32#ThreadingModel
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance#CLSID
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance\InitPropertyBag
HKCR\CLSID{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance\InitPropertyBag#Url
HKCR\CLSID{53CED2D0-5E9A-4761-9005-648404E6F7E5}
HKCR\CLSID{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32
HKCR\CLSID{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32#ThreadingModel
HKCR\CLSID{53CED2D0-5E9A-4761-9005-648404E6F7E5}\ProgID
HKCR\CLSID{53CED2D0-5E9A-4761-9005-648404E6F7E5}\Programmable
HKCR\CLSID{53CED2D0-5E9A-4761-9005-648404E6F7E5}\TypeLib
HKCR\CLSID{53CED2D0-5E9A-4761-9005-648404E6F7E5}\VersionIndependentProgID
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Control
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32#ThreadingModel
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib
HKCR\CLSID{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Version
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Control
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32#ThreadingModel
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\ProgID
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Version
HKCR\CLSID{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\VersionIndependentProgID
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Control
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32#ThreadingModel
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib
HKCR\CLSID{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Version
HKCR\CLSID{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs
HKCR\CLSID{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}
HKCR\CLSID{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32
HKCR\CLSID{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32#ThreadingModel
HKCR\CLSID{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\ProgID
HKCR\CLSID{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\Programmable
HKCR\CLSID{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\VersionIndependentProgID
Unclassified.SpywareBot (Not A Threat)
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\SpywareBot
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\avast
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\avast#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\avast#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\avast#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CPS
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
HKLM\SOFTWARE\Microsoft\MS Track System#Click1
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N
Rogue.Component/Trace
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\14063469541489916108242275941506\Options
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\14063469541489916108242275941506\Options#Aff
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\14063469541489916108242275941506\Options#AdvancedScanType
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\14063469541489916108242275941506\Options#FirstRunUrl
HKU\S-1-5-21-2167921008-703662012-1290024084-1006\Software\14063469541489916108242275941506
HKLM\Software\Microsoft\28A512C1
HKLM\Software\Microsoft\28A512C1#28a512c1
HKLM\Software\Microsoft\28A512C1#Version
HKLM\Software\Microsoft\28A512C1#28a5bf41
HKLM\Software\Microsoft\28A512C1#28a5d6a4
DavidR
November 21, 2008, 1:47am
5
The Rogue.AntiVirus 2009 and Rogue.Component part is most likely what would have been trying to get you to that URL. On that subject, please modify your first post so the URL to the suspect site isn’t active to avoid accidental exposure. Change the http to hXXp, which breaks the link; see example below.
hXXp://protectionlive-scan.com/2009/1/e/_freescan.php?nu=77052
Well the previously undetected vundo infection was no doubt responsible for the pop-ups, hopefully they will be history when you have SAS quarantine them.
Tracking cookies are a minor privacy issue and not a security issue, I normally disable this part of a scan in Preferences, Scanning Control tab. Periodically clear your cookies and have your browser only accept cookies from the site you are visiting and not third party cookies.
The MyWebSearch adware is a minor one but you should still get shot of it.
Once you have allowed SAS to deal with ‘all’ of those detected, reboot and scan with MalwareBytes AntiMalware and post the results.
system
November 21, 2008, 10:55am
6
Hi - thanks again.
This is the log from Malwarebytes…
PART 1
Malwarebytes’ Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
21/11/2008 9:51:11 PM
mbam-log-2008-11-21 (21-51-01).txt
Scan type: Quick Scan
Objects scanned: 201426
Time elapsed: 1 hour(s), 40 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 50
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) → No action taken.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28a5004f (Trojan.Vundo) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt&Search\ (Adware.Hotbar) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) → No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Quarantine (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Registry Backups (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Settings (Rogue.SpywareBot) → No action taken.
system
November 21, 2008, 10:55am
7
Part 2
Files Infected:
C:\WINDOWS\SYSTEM32\f3PSSavr.scr (Adware.MyWebSearch) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Log\2008 Nov 20 - 03_40_13 PM_828.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Log\2008 Nov 20 - 03_40_31 PM_281.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Log\2008 Nov 20 - 03_40_48 PM_671.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Log\2008 Nov 21 - 09_06_27 AM_421.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Log\2008 Nov 21 - 09_22_25 AM_703.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Log\2008 Nov 21 - 10_03_01 AM_156.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 15 - 07_08_20 PM_281.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 15 - 07_08_20 PM_343.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 15 - 07_08_23 PM_156.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 15 - 07_37_52 PM_734.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 15 - 07_37_52 PM_828.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 15 - 07_37_52 PM_875.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 15 - 07_37_52 PM_890.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 17 - 02_40_50 PM_406.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 17 - 02_40_50 PM_484.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 17 - 06_48_07 PM_296.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 17 - 06_48_07 PM_390.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 18 - 05_31_16 PM_250.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 18 - 05_31_16 PM_359.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 18 - 05_31_16 PM_406.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 18 - 09_30_10 PM_937.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 18 - 09_30_11 PM_250.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 18 - 09_30_11 PM_671.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 18 - 09_30_11 PM_718.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 19 - 05_53_56 PM_156.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 19 - 05_53_56 PM_281.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 19 - 05_53_56 PM_453.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 20 - 05_17_34 PM_828.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 20 - 05_17_35 PM_375.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 20 - 05_17_37 PM_234.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 20 - 05_17_37 PM_343.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 05_49_31 PM_937.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 05_49_32 PM_031.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 05_49_32 PM_125.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 05_49_32 PM_140.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 08_15_58 PM_531.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 08_15_58 PM_546.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 08_23_54 PM_859.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Log\2007 Jun 21 - 08_23_54 PM_953.log (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Settings\ScanResults.stg (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) → No action taken.
C:\Documents and Settings\Rebecca Leoniuk\Application Data\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) → No action taken.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) → No action taken.
DavidR
November 21, 2008, 3:22pm
8
Well this shows the benefit of using two program scans as the other may detect more or find things unhidden/revealed by the previous scan. Strange that mywebsearch is there since SAS also picked this up.
You will have to run MBAM again as the No action taken means they are still there (this report being generated after closing the scan). By default all those detected will have a check mark to the left of the entry (selected), if not select all the items and click the Remove Selected button. That puts a copy in quarantine and removes the original, see image.
Now reboot and do another scan with avast.
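Added example, not code from the thread or from Malwarebytes: a small Python triage script for the MBAM 1.x log layout pasted in the two posts above. It counts detections per family, lists the "No action taken" entries that DavidR points out are still present, and flags items sitting in autostart locations (Run key, scheduled tasks). The sample log is a constructed excerpt modelled on the pasted one; the arrow is accepted both as "->" (real logs) and "→" (the forum rendering).

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Layout handled: a section header such as "Files Infected:" followed by
entry lines of the form "<item> (<Detection.Family>) -> <action>."
"""
import re
from collections import Counter

# Constructed excerpt modelled on the log in the thread (paths shortened).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Registry Keys Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28a5004f (Trojan.Vundo) -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\f3PSSavr.scr (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" with nothing after the colon starts a section;
# the summary line "Registry Keys Infected: 16" deliberately does not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+?)\.?\s*$"
)

# Substrings that mark well-known autostart/persistence locations.
AUTOSTART_HINTS = (
    r"\CurrentVersion\Run\\",
    r"\Winlogon\Notify\\",
    r"\Browser Helper Objects\\",
    r"\ShellExecuteHooks",
    r"\Tasks\\",
)


def parse_mbam_log(text):
    """Return a list of (section, item, family, action) tuples."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank or "(No malicious items detected)"
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append((section, m["item"], m["family"], m["action"]))
    return entries


def pending_removals(entries):
    """Entries MBAM reported but did not remove, so they are still present."""
    return [e for e in entries if e[3].lower().startswith("no action taken")]


def summarize(entries):
    """Counts per family and per section, plus items in autostart locations."""
    hints = tuple(h.rstrip("\\").lower() for h in AUTOSTART_HINTS)
    return {
        "by_family": Counter(e[2] for e in entries),
        "by_section": Counter(e[0] for e in entries),
        "autostart": [e[1] for e in entries if any(h in e[1].lower() for h in hints)],
    }


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    report = summarize(found)
    print("detections per family:", dict(report["by_family"]))
    print("autostart locations:", report["autostart"])
    print("still present (re-run and Remove Selected):", len(pending_removals(found)))
```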