Author Topic: reditty.com and other popups  (Read 16830 times)

0 Members and 1 Guest are viewing this topic.

Foo2oo3

  • Guest
Re: reditty.com and other popups
« Reply #15 on: April 14, 2008, 01:44:41 AM »
iiffebbC.dll.vir



AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - Trojan.Virtumod.based
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Virtumonde.G.gen!Eldorado
F-Secure - - Packed.Win32.Monder.gen
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - Packed.Win32.Monder.gen
McAfee - - -
Microsoft - - Trojan:Win32/Vundo.gen!D
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - Mal/Cazpac-A
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen

Foo2oo3

  • Guest
Re: reditty.com and other popups
« Reply #16 on: April 14, 2008, 01:58:25 AM »
ComboFix 08-04-12.10 - mJv 2008-04-13 19:47:37.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1598 [GMT -4:00]
Running from: C:\Documents and Settings\mJv\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\mJv\Desktop\CFscript.txt
 * Created a new restore point
 * Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMc3e81fdd.xml
C:\WINDOWS\system32\tnwdnxjv.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mJv\Application Data\inst.exe
C:\WINDOWS\BMc3e81fdd.xml
C:\WINDOWS\system32\tnwdnxjv.dll

.
(((((((((((((((((((((((((   Files Created from 2008-03-13 to 2008-04-13  )))))))))))))))))))))))))))))))
.

2008-04-13 18:16 . 2008-02-22 02:33   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-04-13 17:12 . 2004-08-04 00:56   159,232   --a------   C:\WINDOWS\system32\ptpusd.dll
2008-04-13 17:12 . 2004-08-03 22:58   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-13 17:12 . 2004-08-03 22:58   15,104   --a------   C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-13 17:12 . 2001-08-17 22:36   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2008-04-13 11:57 . 2008-04-13 11:57   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-13 11:41 . 2008-04-13 11:41   <DIR>   d--------   C:\VundoFix Backups
2008-04-13 01:37 . 2008-04-13 01:37   <DIR>   d--------   C:\Program Files\Lavasoft
2008-04-13 01:37 . 2008-04-13 01:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-13 01:36 . 2008-04-13 01:36   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 01:19 . 2008-04-13 01:19   <DIR>   d--------   C:\WINDOWS\Sun
2008-04-13 00:02 . 2008-04-13 00:11   17,408   --a------   C:\psapi.dll
2008-04-12 15:06 . 2008-04-12 15:06   0   --a------   C:\WINDOWS\nsreg.dat
2008-04-12 15:00 . 2008-04-12 15:00   <DIR>   d--------   C:\Programas
2008-04-12 14:59 . 2008-04-12 14:59   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\ESET
2008-04-11 15:13 . 2008-04-11 15:13   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-11 14:30 . 2008-04-11 14:30   34,308   --a------   C:\WINDOWS\system32\Chip.dll
2008-04-11 14:30 . 2008-04-11 14:30   18,152   --a------   C:\WINDOWS\system32\Pvt.tmp
2008-04-11 14:29 . 2008-04-11 14:29   <DIR>   d--------   C:\Program Files\VSO
2008-04-11 14:29 . 2008-04-11 15:29   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\Vso
2008-04-11 14:29 . 2004-05-04 11:53   1,645,320   --a------   C:\WINDOWS\gdiplus.dll
2008-04-11 14:29 . 2006-05-20 16:16   1,184,984   --a------   C:\WINDOWS\system32\wvc1dmod.dll
2008-04-11 14:29 . 2006-05-11 19:21   626,688   --a------   C:\WINDOWS\system32\vp7vfw.dll
2008-04-11 14:29 . 2006-09-29 12:24   217,127   --a------   C:\WINDOWS\system32\drv43260.dll
2008-04-11 14:29 . 2006-09-29 12:25   208,935   --a------   C:\WINDOWS\system32\drv33260.dll
2008-04-11 14:29 . 2006-09-29 12:26   176,165   --a------   C:\WINDOWS\system32\drv23260.dll
2008-04-11 14:29 . 2007-03-18 20:37   65,602   --a------   C:\WINDOWS\system32\cook3260.dll
2008-04-11 14:29 . 2008-04-11 14:29   47,360   --a------   C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-11 14:29 . 2008-04-11 14:29   47,360   --a------   C:\Documents and Settings\mJv\Application Data\pcouffin.sys
2008-04-11 14:29 . 2008-04-11 14:29   36,864   --a------   C:\WINDOWS\system32\iiffebbC.dll.vir
2008-04-10 23:21 . 2008-04-10 23:21   <DIR>   d--------   C:\Program Files\uTorrent
2008-04-10 23:21 . 2008-04-12 23:57   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\uTorrent
2008-04-10 13:43 . 2008-04-10 13:43   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\CyberLink
2008-04-10 11:14 . 2008-04-10 11:16   <DIR>   d--------   C:\Program Files\QLU
2008-04-10 11:14 . 2008-04-10 11:16   <DIR>   d--------   C:\Program Files\Drug Guide 10E
2008-04-10 11:14 . 2008-04-10 11:14   737,280   --a------   C:\WINDOWS\iun6002.exe
2008-04-09 17:43 . 2007-02-09 07:10   574,464   ---------   C:\WINDOWS\system32\dllcache\ntfs.sys
2008-04-08 23:08 . 2006-10-26 19:56   32,592   --a------   C:\WINDOWS\system32\msonpmon.dll
2008-04-08 23:07 . 2008-04-08 23:07   <DIR>   d--------   C:\Program Files\MSBuild
2008-04-08 23:07 . 2008-04-08 23:07   <DIR>   d--------   C:\Program Files\Microsoft Works
2008-04-08 23:06 . 2008-04-08 23:06   <DIR>   d--------   C:\Program Files\Microsoft.NET

Foo2oo3

  • Guest
Re: reditty.com and other popups
« Reply #17 on: April 14, 2008, 01:58:54 AM »
2008-04-08 23:03 . 2008-04-08 23:03   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2008-04-08 23:03 . 2008-04-08 23:08   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-08 23:02 . 2008-04-08 23:02   <DIR>   dr-h-----   C:\MSOCache
2008-04-08 20:39 . 2008-04-12 15:00   <DIR>   d--------   C:\Program Files\ESET
2008-04-08 20:39 . 2008-04-12 14:53   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ESET
2008-04-08 20:28 . 2008-04-12 01:05   <DIR>   d--------   C:\Program Files\Winamp
2008-04-08 20:28 . 2008-04-12 01:06   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\Winamp
2008-04-08 19:24 . 2008-04-08 19:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-08 19:21 . 2008-04-08 20:41   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\Azureus
2008-04-08 19:21 . 2008-04-08 19:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-08 19:18 . 2008-04-13 01:51   <DIR>   d--------   C:\Program Files\PeerGuardian2
2008-04-08 19:03 . 2001-08-17 13:48   12,160   --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-08 19:03 . 2001-08-17 13:48   12,160   --a------   C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-08 19:03 . 2001-08-17 14:02   9,600   --a------   C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-08 19:03 . 2001-08-17 14:02   9,600   --a------   C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-08 19:03 . 2008-04-08 19:03   4,128   --a------   C:\INFCACHE.1
2008-04-08 16:34 . 2008-04-08 16:34   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\Roxio
2008-04-08 16:21 . 2008-04-08 16:21   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-04-08 15:45 . 2008-04-04 22:37   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\Intel
2008-04-08 15:45 . 2008-04-04 22:37   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\InstallShield
2008-04-08 15:45 . 2008-04-08 15:45   <DIR>   d--------   C:\Documents and Settings\mJv\Application Data\Dell
2008-04-08 15:44 . 2008-04-04 22:37   <DIR>   d--------   C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield
2008-04-08 15:39 . 2008-04-08 15:39   8,192   --a------   C:\WINDOWS\REGLOCS.OLD
2008-04-04 22:48 . 2008-04-08 19:04   <DIR>   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 22:48 . 2008-04-04 22:48   61   --a------   C:\WINDOWS\smscfg.ini
2008-04-04 22:46 . 2008-04-04 22:46   <DIR>   d--------   C:\Program Files\MSECache
2008-04-04 22:46 . 2008-04-04 22:46   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Dell
2008-04-04 22:45 . 2008-04-04 22:45   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-04 22:45 . 2007-10-30 12:21   198,144   --a------   C:\WINDOWS\system32\_psisdecd.dll
2008-04-04 22:44 . 2008-04-04 22:44   <DIR>   d--------   C:\Program Files\CyberLink
2008-04-04 22:44 . 2008-04-08 19:06   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-04-04 22:44 . 2007-10-30 12:21   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
2008-04-04 22:44 . 2007-10-30 12:21   1,047,552   --a------   C:\WINDOWS\system32\MFC71u.dll
2008-04-04 22:44 . 2007-10-30 12:21   499,712   --a------   C:\WINDOWS\system32\msvcp71.dll
2008-04-04 22:44 . 2007-10-30 12:21   348,160   --a------   C:\WINDOWS\system32\msvcr71.dll
2008-04-04 22:44 . 2007-10-30 12:21   89,088   --a------   C:\WINDOWS\system32\atl71.dll
2008-04-04 22:43 . 2008-04-08 19:04   <DIR>   d--------   C:\Program Files\Dell Network Assistant
2008-04-04 22:43 . 2008-04-04 22:43   <DIR>   d--------   C:\Program Files\Common Files\Adobe
2008-04-04 22:42 . 2008-04-04 22:47   <DIR>   d--------   C:\WINDOWS\system32\DLA
2008-04-04 22:42 . 2008-04-08 20:42   <DIR>   d--------   C:\Program Files\Google
2008-04-04 22:42 . 2008-04-04 22:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Sonic
2008-04-04 22:42 . 2006-07-21 12:21   99,176   --a------   C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2008-04-04 22:42 . 2006-08-18 14:17   92,920   --a------   C:\WINDOWS\DLA.EXE
2008-04-04 22:42 . 2006-08-18 14:17   56,056   --a------   C:\WINDOWS\system32\DLAAPI_W.DLL
2008-04-04 22:42 . 2006-08-11 12:05   51,768   --a------   C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2008-04-04 22:42 . 2006-08-11 11:35   28,184   --a------   C:\WINDOWS\system32\drivers\DLARTL_M.SYS
2008-04-04 22:42 . 2006-08-11 11:35   12,920   --a------   C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2008-04-04 22:42 . 2008-04-04 22:42   120   --a------   C:\WINDOWS\wininit.ini
2008-04-04 22:41 . 2008-04-04 22:42   <DIR>   d--------   C:\Program Files\Roxio
2008-04-04 22:41 . 2008-04-04 22:41   <DIR>   d--------   C:\Program Files\Common Files\SureThing Shared
2008-04-04 22:41 . 2008-04-04 22:41   <DIR>   d--------   C:\Program Files\Common Files\Sonic Shared
2008-04-04 22:41 . 2008-04-04 22:41   <DIR>   d--------   C:\Program Files\Common Files\Roxio Shared
2008-04-04 22:41 . 2008-04-04 22:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-04 22:40 . 2008-04-04 22:40   <DIR>   d--------   C:\Program Files\Sigmatel
2008-04-04 22:40 . 2007-06-06 17:28   4,952,064   --a------   C:\WINDOWS\system32\stacgui.cpl
2008-04-04 22:38 . 2008-04-04 22:38   <DIR>   d--------   C:\Program Files\CONEXANT

Foo2oo3

  • Guest
Re: reditty.com and other popups
« Reply #18 on: April 14, 2008, 01:59:35 AM »
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 02:13   7,053   ----a-w   C:\WINDOWS\system32\drivers\1028_Dell_VOS_1500.mrk
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\vsosdk ----

2008-04-11 15:13   47   --a------   C:\Documents and Settings\All Users\Application Data\vsosdk\0FE76DF480119F78F833224874556E6F9612A0C0F6D5FF3414F0BDC5B1F9C771.vsoact


(((((((((((((((((((((((((((((   snapshot@2008-04-13_12.26.51.18   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 16:25:47   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-04-13 23:49:49   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
- 2005-01-28 17:44:28   224,768   ----a-w   C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 21:40:06   227,328   ----a-w   C:\WINDOWS\system32\dllcache\wmasf.dll
- 2005-11-10 16:27:06   49,248   ----a-w   C:\WINDOWS\system32\java.exe
+ 2008-02-22 05:23:35   135,168   ----a-w   C:\WINDOWS\system32\java.exe
- 2005-11-10 16:27:16   49,250   ----a-w   C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 05:23:39   135,168   ----a-w   C:\WINDOWS\system32\javaw.exe
- 2005-11-10 18:03:54   127,078   ----a-w   C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 06:33:32   139,264   ----a-w   C:\WINDOWS\system32\javaws.exe
+ 2008-04-06 02:56:22   19,836,024   ----a-w   C:\WINDOWS\system32\MRT.exe
- 2008-04-13 15:52:30   54,682   ----a-w   C:\WINDOWS\system32\perfc009.dat
+ 2008-04-13 23:18:06   54,682   ----a-w   C:\WINDOWS\system32\perfc009.dat
- 2008-04-13 15:52:30   385,164   ----a-w   C:\WINDOWS\system32\perfh009.dat
+ 2008-04-13 23:18:06   385,164   ----a-w   C:\WINDOWS\system32\perfh009.dat
- 2005-06-28 17:20:23   13,536   ------w   C:\WINDOWS\system32\spmsg.dll
+ 2007-10-27 20:39:36   13,536   ------w   C:\WINDOWS\system32\spmsg.dll
+ 2008-02-01 07:21:04   245,408   ----a-w   C:\WINDOWS\system32\unicows.dll
- 2005-01-28 17:44:28   224,768   ----a-w   C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 21:40:06   227,328   ----a-w   C:\WINDOWS\system32\wmasf.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 16:20 851968]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2008-01-29 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="rundll32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 17:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 17:30 974848]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 17:28 405504 C:\WINDOWS\stsystra.exe]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-11-01 16:39 189736]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-04-04 22:37:48 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 04:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R3 DXEC02;DXEC02;C:\WINDOWS\system32\drivers\dxec02.sys [2006-11-02 13:31]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 19:50:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-04-13 19:51:23 - machine was rebooted
ComboFix-quarantined-files.txt  2008-04-13 23:51:17
ComboFix2.txt  2008-04-13 16:27:06
Pre-Run: 145,533,870,080 bytes free
Post-Run: 145,522,339,840 bytes free
.
2008-04-13 22:12:19   --- E O F --- 

Foo2oo3

  • Guest
Re: reditty.com and other popups
« Reply #19 on: April 14, 2008, 02:11:22 AM »
oops, i forgot to turn off my antivirus when i ran that combofix this last time....

As far as how its running now, i have not had any popups since running combofix the first time...so it seems like it may of fixed the issue

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: reditty.com and other popups
« Reply #20 on: April 14, 2008, 02:53:06 AM »
How are things at your end. Just a bit to go.

One more file to test at virustotal

C:\WINDOWS\system32\Pvt.tmp


Please download
 OTMoveIt2 by OldTimer.


Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\WINDOWS\system32\iiffebbC.dll.vir
C:\WINDOWS\system32\iiffebbC.dll
 



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.



Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMOVEITE reboots, before you can get the ruslts they can be found here
 C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Please post the OTMOVEIT2 results and the malwarebytes results.

Thanks




Foo2oo3

  • Guest
Re: reditty.com and other popups
« Reply #21 on: April 14, 2008, 03:12:20 AM »
pvt.tmp came back clean

C:\WINDOWS\system32\iiffebbC.dll.vir moved successfully.
File/Folder C:\WINDOWS\system32\iiffebbC.dll not found.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04132008_210451



Malwarebytes' Anti-Malware 1.11
Database version: 622

Scan type: Quick Scan
Objects scanned: 29444
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: reditty.com and other popups
« Reply #22 on: April 14, 2008, 03:26:20 AM »
Looks good. Everything good there now? If it is we just have some clean up to do.

* Goto add/remove programs and uninstall

malwarebytes

* Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u

* Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.


* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml



* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


* If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0


* Check if you have insecure applications with Secunia Software Inspector

Foo2oo3

  • Guest
Re: reditty.com and other popups
« Reply #23 on: April 14, 2008, 03:32:57 AM »
Everything seems good now, thank you for your help. I really appreciate it

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: reditty.com and other popups
« Reply #24 on: April 14, 2008, 02:39:40 PM »
You're welcome.