bcp-marc

Members
  • Posts: 7
  • Reputation: 0 Neutral
  • Location: Boston, MA
  1. Well... yes and no. I no longer have the laptop to work on as it is a neighbor's, and it has been 5 weeks, so I'm sure things have changed with the machine anyway. But I would still like to know what was happening with it, why the pop-up was being thrown, and why the files were unable to be removed by MBAM. Was this just a case of MBAM needing a definition update to remove it all? I ultimately just went through the registry and removed anything associated with 'seekdns' and the pop-ups stopped. The laptop seems to be working just fine; it has MBAM in auto-protect and does daily updates and scans. What can you tell me about this type of pop-up and what to do if it were to occur again in the future? Thank you. Marc
  2. Hi, I posted almost a week ago, can anyone offer some help about this one? I feel pretty sure there must be a file left behind from the removals somewhere, and would like to get rid of it, or at least rid the machine of the pop-ups if it might be a false positive (but I don't really think that's it). Thanks for any help that can be offered, it is appreciated.
  3. Hi everyone, I have a friend's (upstairs neighbor's) laptop that had a lot of infections on it, and I can't quite seem to rid it of all of them. The O/S is Vista x64 SP1 and had not been updated to SP2; I did the update after the initial scans, not realizing right away that there was still something going on here. I have a restore point for right before I started the cleaning (SP1), so if reverting back and starting from scratch is best, let me know. I had done a SUPERAntiSpyware complete scan, and then a Malwarebytes quick scan. Everything seemed fine, but then I got an MBAM pop-up: LimeWire and FrostWire are on it, and I disable (exit) them every time Windows starts up, as well as the IM programs, so that none of them are running. They can be uninstalled (I literally just called him), and I think I'm just going to go ahead and do that now. I'm going to use Add/Remove Programs to uninstall them. If there is a better way, please let me know. Here are the logs requested: First scan was SAS:
     ************************************************
     SUPERAntiSpyware Scan Log
     http://www.superantispyware.com
     Generated 07/23/2010 at 05:55 PM
     Application Version : 4.41.1000
     Core Rules Database Version : 5258
     Trace Rules Database Version: 3070
     Scan type : Complete Scan
     Total Scan Time : 01:51:58
     Memory items scanned : 686
     Memory threats detected : 0
     Registry items scanned : 12644
     Registry threats detected : 96
     File items scanned : 51952
     File threats detected : 0
     ************************************************
     Second scan was MBAM:
     ************************************************
     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4342
     Windows 6.0.6001 Service Pack 1
     Internet Explorer 7.0.6001.18000
     7/23/2010 6:21:48 PM
     mbam-log-2010-07-23 (18-21-48).txt
     Scan type: Quick scan
     Objects scanned: 150372
     Time elapsed: 5 minute(s), 43 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 18
     Registry Values Infected: 0
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 1
     ************************************************
     GMER won't run on x64, or at least it only runs a couple of the scans, so I didn't bother with it. Here is the DDS:
     ************************************************
     DDS (Ver_10-03-17.01) - NTFSX64
     Run by Eric at 11:37:28.56 on Sat 07/24/2010
     Internet Explorer: 7.0.6002.18005
     Microsoft
     Attach.zip
  4. Thank you for the reply. I will post in the other forum.
  5. Thought I'd grab a screen capture image of the pop-up window so you could see exactly what it is. It won't let me quarantine it because of error 3, which I understand to mean the file path doesn't exist, and the folder in fact does not exist as far as I can tell (regardless of spelling/capitalization). What it says exactly in the log file is this: "ERROR Quarantine failed: UtilityReadFile failed with error code 3" Thanks for any help with this.
  6. Sorry, I said I have all files hidden, I meant un-hidden, shown, whatever.
  7. Hi everyone, my first time on this forum. I have a laptop with Vista x64 that had quite a few infections on it, and one of them was Adware.Zwangi. It appears I have been able to clean the system, with one exception: MBAM in auto-protect mode will randomly throw a pop-up to the screen saying it has blocked a process, c:\Program Files (x86)\SEEKDNS\SEEKDNS.DLL (Adware.Zwangi), asking me to choose ignore, quarantine, or something else, I forget the other option. The first couple of times I selected quarantine, but it keeps coming back. I think I selected ignore the last time I saw it. I have manually searched the registry and all entries are gone, the file path does not exist, and I have all files hidden. I have even gone through a DOS prompt to see if I could uncover the folder, but it has eluded me if it exists anywhere. I would really like to get rid of this pop-up; it's quite annoying. Any suggestions on this? Thanks for the help!