
JeanInMontana

Honorary Members
  • Posts: 3,859

Posts posted by JeanInMontana

  1. First, can you show us a EULA for the toolbar at C:\Program Files\AskSBar\SrchAstt? Was it installed on purpose?

    Second, yes, MBAM usually gets all malware and traces. MBAM does component linking and will often get all infection components, both file and registry.

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) <======== That should be removed to clean up.

    I would like to see an MBAM log after updating, and a new HJT log. We don't make a habit of doing third-party fixes, so if your friend's friend would join and deal with this, it would be for the best.

  2. OK, a few things to clean up. Run HJT in scan-only mode, put a check next to the following entries and click Fix when done.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank <======== I recommend you set a start page; this way you know if it has changed due to malware.

    O3 - Toolbar: gksraemq - {F9387F02-A5A7-4C48-B4FC-7FE81C4EAD52} - C:\WINDOWS\gksraemq.dll (file missing)

    O20 - AppInit_DLLs: rqiqgs.dll

    I don't know what is going on with your Adobe Reader, but you seem to have two versions on the machine. All the 08 extra context entries are for version 8, but I see version 9 also.

    Remove those lines with HJT, reboot, update MBAM, run a quick scan, and show me that log and one more HJT log.

  3. Happy birthday!! Yes, delete the malware folder.

    Your log looks clean. We now need to set a clean System Restore point. If you don't, and you need to use System Restore, you will reinfect yourself. Go to Start > Control Panel > System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

    Now go to Start > Help and Support > Undo Changes to Your System, or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it, you have it.

    Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy, and always immunize with SBS&D when you update. You will also need at least one other scanning program; a-squared or SuperAntiSpyware are good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

    A firewall and antivirus are also essential. The Windows firewall in XP and Vista is not sufficient.

    Perform Windows Updates monthly on the second Tuesday, or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

    Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

    SpywareBlaster from Javacool Software

    WinPatrol by BillPStudios

    SiteHound by FireTrust

    RogueRemover

    hpHosts

    The Windows firewall is not sufficient to protect you. It doesn't monitor outgoing traffic, and this is a must. I use and recommend Online Armor Free.

    Also, the full protection of MBAM is offered at a very low price.

  4. I read this post on download.com that Antivirus 2008 became more evil: antivirus 2008 at download.com

    If you have XP Antivirus 2008, don't ever boot in safe mode, because it will be undetectable, and it seems that MBAM can't remove XP Antivirus 2008 after it became more evil.

    The instructions on how to remove XP Antivirus 2008 manually, if MBAM failed to remove it, are in the link above.

    And do a complete scan every 3 or 4 days using Malwarebytes Anti-Malware and the programs above.

    And download XP SP3 or Vista SP1, and always download the updates from Microsoft.

    Ahem, ahmed12, but you don't know what you're talking about. Even in the thread you link to here, there is a post stating it is fully removed by MBAM. So what makes you say we don't remove it? Got anything to back this up? We want to see it and fix it if you can show it.

  5. Since this topic has had no reply for over 5 days, it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

    Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help, start your own topic and someone will be happy to assist you.

  6. OK, what you need to do for this is contact your ISP. Tell them your router is infected with a DNS changer trojan and it needs a hard reset to clean it up. We can't do it; no one can. You can most likely do the hard reset, but you're going to lose your connection until they reconfigure the router. If they won't listen to you when you try to tell them about this, that's what I would do.

    On the back of the modem/router there should be a Reset button, a tiny little hole with a button recessed into it. You can reset that using a regular pen. They will have to assign you new dynamic name servers, and this will clean the infection. But until they do that, you won't be able to connect if you do the hard reset yourself.

    I don't know how the tech support is at your ISP, but my experience has been that they all have a script to read from and assume you wouldn't know whether the modem had power or not. In light of this, trying to explain to them that your router has been compromised might be impossible. If you can do a hard reset yourself, calling and playing dumb about how things got messed up might be your best option. Have them on the phone when you push the button. They will be able to see there has been a reset, and it's a simple thing for them to reassign.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac1ff267-7bbb-47e1-9504-34a19d7f7408}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.98 85.255.112.13 -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ac1ff267-7bbb-47e1-9504-34a19d7f7408}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.98 85.255.112.13 -> Quarantined and deleted successfully.

    Those lines are the trojan, but it's in your router/modem, not your machine. If you get them to reset the DNS, update MBAM and do a quick scan, post that log and a new HJT log.
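The two MBAM lines in the post above show the rogue resolvers being written into the TCP/IP interface key. As an added example (editor's code, not from the post or from Malwarebytes), the Python below pulls the NameServer values out of an MBAM log in that format, checks them against the DNSChanger address ranges, and says whether the rogue setting lives on the host or is being re-issued by the router: if the DNS servers the machine reports after MBAM's cleanup are still rogue, DHCP from the router is the source, which is the situation the post describes. The sample log text is constructed from the lines quoted above. The address ranges are an assumption: 85.255.112.0/20 contains both addresses in the log, and the other blocks are the rest of the FBI's published DNSChanger list as the editor recalls it, so verify them against a current source before relying on them.

```python
import ipaddress
import re
from typing import Dict, List

# Rogue resolver ranges. 85.255.112.0/20 contains both addresses in the MBAM log
# quoted above; the remaining blocks are from the FBI's published DNSChanger list
# as the editor recalls it (assumption: verify against a current source).
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Constructed sample in the MBAM log format shown in the post above.
SAMPLE_MBAM_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac1ff267-7bbb-47e1-9504-34a19d7f7408}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.98 85.255.112.13 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ac1ff267-7bbb-47e1-9504-34a19d7f7408}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.98 85.255.112.13 -> Quarantined and deleted successfully.
"""

# Registry path up to \NameServer, then the space-separated "Data:" list of resolvers.
NAMESERVER_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\[^ ]*\\NameServer)"
    r" .*?-> Data: (?P<data>[\d. ]+?) ->"
)


def is_rogue(ip: str) -> bool:
    """True if the address falls inside one of the DNSChanger ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in DNSCHANGER_RANGES)


def rogue_nameservers_from_log(log_text: str) -> Dict[str, List[str]]:
    """Map each NameServer registry value reported by MBAM to the rogue resolvers it held."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        bad = [ip for ip in m.group("data").split() if is_rogue(ip)]
        if bad:
            hits[m.group("key")] = bad
    return hits


def locate_source(log_text: str, dns_after_cleanup: List[str]) -> str:
    """Decide where the rogue DNS setting comes from.

    MBAM rewrites the registry values it lists. If the resolvers the host uses
    *after* that cleanup (e.g. the DNS Servers lines from `ipconfig /all`) are
    still rogue, DHCP is re-issuing them, i.e. the router/modem upstream is the
    source, not the PC. Caveat: a client that uses the router's own LAN address
    as its resolver will look clean here even when the router's WAN DNS is
    rogue, so check the router's own settings in that case.
    """
    from_log = rogue_nameservers_from_log(log_text)
    still_rogue = [ip for ip in dns_after_cleanup if is_rogue(ip)]
    if still_rogue:
        return "router"
    if from_log:
        return "host"
    return "clean"


if __name__ == "__main__":
    for key, ips in rogue_nameservers_from_log(SAMPLE_MBAM_LOG).items():
        print(key + "\n    rogue resolvers: " + ", ".join(ips))
    print("source:", locate_source(SAMPLE_MBAM_LOG, ["85.255.114.98", "85.255.112.13"]))
```

In the post's case the resolvers came straight back after MBAM deleted the values, which is what `locate_source` reports as "router"; the fix is upstream, exactly as the reply says, and no amount of host-side cleaning changes it.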

  7. Hi there intel_outside, and welcome to Malwarebytes. I need you to set your system to show all files and folders.

    Please set your system to show all files:

    Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View tab.

    Under the Hidden files and folders heading, select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.

    Now, please find these files:

    C:\Windows\System32\wxvault.dll

    C:\Windows\System32\rygdwv.dll

    C:\Windows\System32\mrkcza.dll

    C:\Windows\System32\lbmqqz.dll

    Copy them all into a folder and zip it, then begin a topic here and attach the files to the post.

    Turn off TeaTimer:

    Open SB S&D.

    Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.

    Click on the Tools section and then Resident.

    You will see two items:

    1. Resident "SD helper" (Internet Explorer bad download blocker) - active

    2. Resident "TeaTimer" (protection of overall system settings) - active

    Uncheck number 2.

    Leave number 1 checked always.

    You can enable TeaTimer again if you wish once all special fixes have been done.

    Now turn off all programs that are not necessary and close all browsers. Run HJT again in scan-only mode, put a check next to the following items and click Fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

    O2 - BHO: (no name) - {8B50A1B5-8EF2-4AB0-B105-A06D61DB4D9F} - (no file)

    O2 - BHO: (no name) - {D000F365-B799-4FB3-BF36-66AB7AEE6836} - (no file)

    O2 - BHO: (no name) - {E8BCF159-49B9-496F-AB23-F727641F2468} - (no file)

    O20 - Winlogon Notify: rqRKCvTL - C:\WINDOWS\

    Reboot the machine.

    As soon as we can get those files, the bad ones will be added to MBAM and we can finish the clean-up.

  8. No, you did not have a virus; you had several trojans and adware. It is OK if that line won't go; it's not malware. All of the stuff connected to Logitech is needed if you're actually using the features they add. The drivers are not installed in those lines. However, it's probably best to leave them alone if you're using the features.

    Your log clearly shows you did not update Adobe Acrobat Reader:

    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll <========== The current version is 9, and lower versions are known to be exploitable. Java also doesn't look to be updated; 1.6 Update 7 is current.

    Your log looks clean. We now need to set a clean System Restore point. If you don't, and you need to use System Restore, you will reinfect yourself. Go to Start > Control Panel > System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

    Now go to Start > Help and Support > Undo Changes to Your System, or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it, you have it.

    Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy, and always immunize with SBS&D when you update. You will also need at least one other scanning program; a-squared or SuperAntiSpyware are good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

    A firewall and antivirus are also essential. The Windows firewall in XP and Vista is not sufficient.

    Perform Windows Updates monthly on the second Tuesday, or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

    Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

    SpywareBlaster from Javacool Software

    WinPatrol by BillPStudios

    SiteHound by FireTrust

    RogueRemover

    hpHosts

    The Windows firewall is not sufficient to protect you. It doesn't monitor outgoing traffic, and this is a must. I use and recommend Online Armor Free.

    Also, the full protection of MBAM is offered at a very low price.

  9. Oh dear, I gave poor instructions. You should click Fix for all those lines. Update MBAM again, run a quick scan and post the log, and a new HJT log with the corrections, please. I am sorry.

    OK, I need to know what type of router/modem you're using too. DSL or ? We think you may have a trojan in the router; this will need a special fix, so I need that info.

  10. Glad we were able to fix you up! Surf safe.

    Since this issue is resolved, I will close the thread to prevent others from posting into it. If you need assistance, please start your own topic and someone will be happy to assist you.

    The fixes and advice in this thread are for this machine only. Do not apply them to your machine. Please start a thread of your own and someone will be happy to help you.

  11. OK, let's clean up some things with HJT.

    Run scan only, put a check next to the following items, then click Fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

    Reboot the machine.

    Do you use a Logitech mouse or keyboard? The lines below are from Logitech if you have that installed, but are not necessary to run at startup if you are not using those features.

    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

    You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove Programs and delete the program file also. Then go here: Java Update, and install the correct version for your system. Choose the offline installation.

    You're running an outdated and unsafe version of Adobe Acrobat Reader: latest version. Or get the alternative, faster and lighter on resources: Foxit PDF Reader and Editor. Look at the Downloads tab here, or Downloads if you don't want to see the features etc.

    Update MBAM, run a quick scan, and post that log and a new HJT log.
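Posts 2, 7 and 11 above each hand the user a list of HijackThis entries to fix: orphaned BHO, toolbar and service entries marked (no file) or (file missing), an AppInit_DLLs value, a Winlogon Notify package with no DLL name, and blank start/search values. As an added example (editor's code, not from the posts or from the HijackThis project), the Python below applies those same triage rules to an HJT scan-only log, so the entries to tick before clicking Fix come out as one list and the ones that only need a look (a blank start page, a Winlogon Notify entry with a real DLL path) come out separately. The sample log is constructed from lines quoted in those posts. The O23 handling is an assumption: an O23 entry pointing at C:\Program.exe is usually an unquoted service path under C:\Program Files rather than a genuinely missing binary, so the real ImagePath should be checked before fixing.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: HijackThis scan-only lines of the kinds quoted in posts 2, 7 and 11.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: gksraemq - {F9387F02-A5A7-4C48-B4FC-7FE81C4EAD52} - C:\WINDOWS\gksraemq.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O20 - AppInit_DLLs: rqiqgs.dll
O20 - Winlogon Notify: rqRKCvTL - C:\WINDOWS\
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

# "R0 - body", "O20 - body", ...: section code, separator, the rest of the entry.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def classify(section: str, body: str) -> Optional[Dict[str, str]]:
    """Return a verdict ('fix' or 'review') with a reason, or None for lines left alone."""
    if any(marker in body for marker in ORPHAN_MARKERS):
        reason = "registered component whose file is gone; orphaned entry"
        if section == "O23" and body.endswith("Program.exe (file missing)"):
            # Assumption: HJT shows an unquoted ImagePath under C:\Program Files as
            # C:\Program.exe. Check the real path first; an unquoted service path is
            # also a weakness in itself (anything able to create C:\Program.exe would
            # run as the service account), so quote the path rather than just deleting.
            reason += "; C:\\Program.exe usually means an unquoted service path, check ImagePath first"
        return {"section": section, "verdict": "fix", "reason": reason}
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):].strip()
        if dlls:
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            return {"section": section, "verdict": "fix",
                    "reason": "AppInit_DLLs injects " + dlls + " into every user32-loading process"}
    if section == "O20" and body.startswith("Winlogon Notify:"):
        path = body.split(" - ", 1)[1].strip() if " - " in body else ""
        if not path or path.endswith("\\"):
            return {"section": section, "verdict": "fix",
                    "reason": "Winlogon Notify package with no DLL name in its path"}
        return {"section": section, "verdict": "review",
                "reason": "Winlogon Notify package; confirm the DLL is a known vendor file"}
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value in ("", "about:blank"):
            return {"section": section, "verdict": "review",
                    "reason": "blank start/search value; set one explicitly so a later hijack is visible"}
    return None


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Run every HJT line through classify() and keep the ones that need action."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        verdict = classify(m.group("section"), m.group("body"))
        if verdict:
            verdict["line"] = raw.strip()
            findings.append(verdict)
    return findings


def fix_list(findings: List[Dict[str, str]]) -> List[str]:
    """The exact lines to tick in HJT's scan-only view before clicking Fix."""
    return [item["line"] for item in findings if item["verdict"] == "fix"]


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_HJT_LOG)
    for item in results:
        print("[" + item["verdict"].ljust(6) + "] " + item["line"])
        print("         " + item["reason"])
    print("\nTick these in HJT:")
    for line in fix_list(results):
        print("  " + line)
```

The rules are deliberately conservative: the Logitech O4 entries the posts leave alone come back as None, and only entries whose file is already gone, or whose mechanism (AppInit_DLLs, a nameless Winlogon Notify package) is load-into-everything, land on the fix list.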
