MySpace confusion

**picklemonkey** · October 18, 2005, 09:16:06 PM

Re: MySpace confusion

I still don't think it's myspace

does Windows Explorer open? if so, open it, turn on the Address bar if it's off (View, Toolbars, Address Bar), then type in http://google.com.

did it crash, or are you in google? if you're in google, go to View, Toolbars, and look for any additional crazy toolbars that shouldn't be there... they'll likely be unchecked. let me know if you see any

**Balanc3** · October 18, 2005, 10:21:52 PM

Re: MySpace confusion

It wasn't myspace. It was a link he clicked on inside a message that he received in his myspace inbox.

The toolbars were the first thing I removed after this site began loading up his computer.

There were crazy links on his desktop. Ipod video, golden casino, Free Daily Porn, Shopiing, he got fucked up! Luckily I keep backup after backup after backup. I would just hate to have to have to full format recover!

**picklemonkey** · October 18, 2005, 10:28:07 PM

Re: MySpace confusion

and IE still doesn't load?

1) download AutoRuns: http://www.sysinternals.com/Files/Autoruns.zip
2) run autoruns.exe
3) wait for the hourglass to disappear from the "Everything" tab (or, at least the IE tab)
4) go to the Internet Explorer tab
5) post a screenshot

we're looking for any dll in there that doesn't have the publisher column filled in, or it says something other than a known good vendor (Microsoft, Adobe, etc)

**Balanc3** · October 18, 2005, 10:33:17 PM

Re: MySpace confusion

Will do in the morning!

Yea man, I've been running all sorts of removal tools for each piece of adware. But I'm missing at least 2 more removals before he's completely disenfected.

**picklemonkey** · October 18, 2005, 10:39:29 PM

Re: MySpace confusion

btw... adware is a malicious program. Ad-aware is a program used to remove adware

**glacius** · October 19, 2005, 04:17:09 AM

Re: MySpace confusion

scams scams scams
my friendster gets flooded with those types of emails, my myspace has been safe so far..

**Balanc3** · October 19, 2005, 08:38:35 AM

Re: MySpace confusion

rise and shine!

**picklemonkey** · October 19, 2005, 09:27:30 AM

Re: MySpace confusion

I'd uncheck the two Yahoos and the Safer Networking items and try starting up IE... if that doesn't work, try a File->Save As and post it in here for me

**Balanc3** · October 19, 2005, 10:11:09 AM

Re: MySpace confusion

That yahoo stuff is ok, its part of his SBC Yahoo Experience! He's where I am at the moment.

Incident Status Location

Adware:Adware/QoolShown No disinfected C:\WINNT\SYSTEM32\KKDSKP.EXE

Adware:adware/consumeralertsystemNo disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\cassetup.exe

Adware:adware/qoologic No disinfected C:\WINNT\SYSTEM32\vgactl.cpl

Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log

Adware:adware/virtualbouncer No disinfected C:\PROGRAM FILES\VBouncer

Adware:adware/elitebar No disinfected C:\WINNT\etb

Spyware:spyware/clipgenie No disinfected Windows Registry

Virus:W32/Mimail.C.worm Disinfected Archive Folders\Sent Items\FW: Re[2]: our private photos agaamrum\photos.zip[photos.jpg.exe]

Adware:Adware/ISearch No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\cmdinst.exe

Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\i66D.tmp

Adware:Adware/QoolShown No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr217A

Virus:W32/Bagle.AB.worm Disinfected Personal Folders\Deleted Items\SpamTrap\**SPAM** Fax Message Received\the_message.vbs

Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Deleted Items\Server Report\test.zip[test.exe]

Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Deleted Items\Hello\uvlplk.scr

Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Deleted Items\vebpf\document.scr

Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Deleted Items\Mail Delivery System\lnnyc.pif

Virus:W32/Bagle.F.worm Disinfected Personal Folders\Deleted Items\^_^ meay-meay!\Picture.scr

Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Mail Delivery (failure snorton@npa412i.com)\message.scr

Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Re: Mail Server\data.zip[details.txt .pif]

Virus:W32/Bagle.U.worm Disinfected Personal Folders\Deleted Items\atrrwkn.exe

Virus:W32/Zafi.B.worm Disinfected Personal Folders\Deleted Items\Check this out kid!!!\jennifer the wild girl xxx07.jpg.pif

Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Inbox\Earthlink\RE: Protected message\Encrypted.zip

Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Sent Items\FW: Protected message\Encrypted.zip

Spyware:Spyware/SurfSideKick No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1080\A0092201.exe

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0092943.exe

Spyware:Spyware/SurfSideKick No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0092945.dll

Spyware:Spyware/SurfSideKick No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0092947.exe

Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0092948.dll

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0092953.exe

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0092954.exe

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0092956.cpl

Virus:Trj/Agent.AKT Disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1082\A0093116.exe

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1083\A0093122.dll

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1083\A0093123.exe

Virus:Trj/LdPinch.LD Disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1083\A0093124.exe

Virus:Trj/Qoologic.B Disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1083\A0093125.dll

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1084\A0094106.exe

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1084\A0094107.exe

Adware:Adware/QoolShown No disinfected C:\System Volume Information\_restore{B4353CB4-AAAB-4E18-9A0C-7AB27E1BB4D9}\RP1084\snapshot\MFEX-2.DAT
Adware:Adware/Yahoo No disinfected C:\WINNT\Downloaded Program Files\ycomp5_0_2_7.dll

Adware:Adware/EliteBar No disinfected C:\WINNT\etb\pokapoka76.exe

Adware:Adware/Pacimedia No disinfected C:\WINNT\system32\APD123.exe

Adware:Adware/QoolShown No disinfected C:\WINNT\system32\ccqmcan.exe

Adware:Adware/QoolShown No disinfected C:\WINNT\system32\dddsdsj.dll

Virus:Trj/Qoologic.B Disinfected C:\WINNT\system32\ddkad.dll

Adware:Adware/ConsumerAlertSystem No disinfected C:\WINNT\system32\dist001.exe

Adware:Adware/Qoologic No disinfected C:\WINNT\system32\ggkwg.dll

Adware:Adware/QoolShown No disinfected C:\WINNT\system32\kkdskp.exe

Adware:Adware/Qoologic No disinfected C:\WINNT\system32\kknokcr.dll

Adware:Adware/ISearch No disinfected C:\WINNT\system32\MTE2ODM6ODoxNg.exe

Adware:Adware/QoolShown No disinfected C:\WINNT\system32\qqykq.dat

Adware:Adware/Pacimedia No disinfected C:\WINNT\system32\sav2.exe

Spyware:Spyware/SurfSideKick No disinfected C:\WINNT\system32\SSK3_B5 Seedcorn 4.exe

Adware:Adware/Qoologic No disinfected C:\WINNT\system32\vgactl.cpl
Adware:Adware/QoolShown No disinfected C:\WINNT\system32\wuauclt.dll

It was several worms, just as suspected. IE will no longer crash saying fatal error, it just opens and then closes again. If you can tolerate that log, you can see I disenfected all virus' however lots of adware/spyware remain - still getting popups. I will try to get Steve to show me the source message from myspace and post it.

**asdf_admin** · October 19, 2005, 10:21:00 AM

Re: MySpace confusion

stop using IE. go to firefox.

**Balanc3** · October 19, 2005, 10:27:51 AM

Re: MySpace confusion

I had him start using Firefox yesterday when this happened. Trying to get his computer clean without full format recover. This is his business machine- sensitve data.

**picklemonkey** · October 19, 2005, 10:28:03 AM

Re: MySpace confusion

can you post me an AutoRuns log?

**pimpmcknight** · October 19, 2005, 11:39:25 AM

Re: MySpace confusion

The same exact thing has happened to me, and all the girls are hot who send the sh!t, what a waste...

**DreamGirlie** · October 19, 2005, 03:37:23 PM

Re: MySpace confusion

i didnt read the whole thread sorry pickle...but i wanna have more myspace friends!

add me!

http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendID=1591711&Mytoken=11C9F558-B5B7-89EA-EF251292A19E663A71994532

**Balanc3** · October 19, 2005, 03:56:19 PM

Re: MySpace confusion

Sorry Pickle, I've been using another machine.

Autoruns Log

MySpace confusion

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Today's Birthdays

[ms] Statistics