Tallcoolguy700

Hi CatByte. I am ready to continue to this.

CatByte

Hi,

Please give me an update on the status of your computer as it has been several days.

Were you able to run combofix?


Are you able to boot up normally and in safe mode?

Are you able to run the diagnostic programs?


Please advise?

If you have run any tools....please post the logs

Tallcoolguy700

Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 5.1.2600 Service Pack 3

10/18/2009 4:49:44 PM
mbam-log-2009-10-18 (16-49-44).txt

Scan type: Quick Scan
Objects scanned: 176443
Time elapsed: 31 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 10
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35069396-3567-9d8b-86e5-b3d3b89dd644} (Adware.BrowsingEnhancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ExpertEnhancer (Adware.ExpertEnhancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Foxicle (Adware.Foxicle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Kerri Staller\Application Data\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kerri Staller\Application Data\FunWebProducts\Data (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kerri Staller\Application Data\FunWebProducts\Data\Kerri Staller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\db (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\report (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\res1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\1075676762 (Rogue.SecurityTool) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Kerri Staller\Application Data\FunWebProducts\Data\Kerri Staller\avatar.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kerri Staller\Application Data\FunWebProducts\Data\Kerri Staller\register.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kerri Staller\Application Data\FunWebProducts\Data\Kerri Staller\zbucks.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Staller\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\1075676762\config.udb (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\1075676762\init.udb (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\1075676762\Langs.udb (Rogue.SecurityTool) -> Quarantined and deleted successfully.
Since Combofix can be known to kill computers if not used carefully, I took it for a rogue. MBAM was my next resort. I did find a trojan among other things, and I believe Im still not safe.

CatByte

Hi,

Please answer these questions?

Were you able to run combofix?


Are you able to boot up normally and in safe mode?

Are you able to run the diagnostic programs? (DDS and GMER)

I will give you the links and the directions for those programs again to save you searching for them:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

• Disable any script blocking protection
• Double click dds.pif to run the tool.
• When done, two DDS.txt's will open.
• Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT



Download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



NEXT

Please advise how your computer is running and if there are any outstanding issues.

Please, if there is anything that you do not understand, then please ask.

thank-you

~CB

Tallcoolguy700

I'm able to download in safe mode with networking so I can use Combofix without problem. I dont think I have a rootkit looking back on the previous symptoms. I will use Combofix. And I will use the rootkit scanner just in case. I'm going to watch an old favorite cartoon of mine, Kablam! online before I do this, and I will tell you everything that occurs. (Log included.)

CatByte

Please, let's do this one step at a time.

Please run the DDS program and the GMER program and post the logs....let me see exactly what is on your system, we need a proper diagnosis first, then we can go from there.


Please don't do anything else other than what I ask.

Thank-you.

Just a thought and it is not my intention to be rude to you in anyway whatsoever, but is it not just a little bit more important to you to get your computer free from infection rather than watching a cartoon online?

Tallcoolguy700

Simple enough to understand.

Tallcoolguy700

Ive got all the time in in the world, I could watch the cartoon while Im getting scanned. And Ill be notified when its done.

Tallcoolguy700

I tried using the program, not sure which one. It scanned in a matter of seconds. But Im not sure how to get the log onto my desktop. Im pretty sure its the Rootkit one.

CatByte

If you downloaded GMER to your desktop, the log will be in the same folder.

Please do a search for GMER.txt with windows explorer and see if you can locate it.

tetonbob

Due to lack of response, this topic will now be closed.