Need some assistance - Malwarebytes keeps getting stuck during heuristic analysis


I have since scanned with RogueKiller, TDSSKiller, AdwCleaner, and FRST. I've only used AdwCleaner to clean up. I'm interested in using FRST to remove what's leftover, but I don't know how to create the fixlist.txt necessary. Please advise.

ROUGEKILLER REPORT 07.23.14.txt

TDSSKiller.3.0.0.40_23.07.2014_20.11.58_log.txt (1).txt

TDSSKiller.3.0.0.40_23.07.2014_20.17.44_log.txt (1).txt

AdwCleanerR0.txt

AdwCleanerS0.txt

FRST.txt

Addition.txt


  • 4 weeks later...
  • Staff

Hello lorien11

I would like to get a new FRST report to start with.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Gringo

  • Staff

Hello lorien11

I need you to download this script I have made for you --> fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program. (If asked to overwrite the existing one, please allow it.)

Run FRST again but this time press the Fix button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Gringo


Just noticed that you wanted it copied and pasted :)

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-08-2014 01

Ran by Rachel at 2014-08-27 12:29:12 Run:1

Running from C:\Users\Rachel\Downloads

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************



C:\Users\Rachel\AppData\Local\Coupon Companion

Task: {66896765-BB7C-4BC6-A758-5AC4ACAAF2B6} - \MySearchDial No Task File <==== ATTENTION

 

 

 

 

*****************

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.

"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.

"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.

"C:\Users\Rachel\AppData\Local\Coupon Companion" => File/Directory not found.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{66896765-BB7C-4BC6-A758-5AC4ACAAF2B6}" => Key deleted successfully.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{66896765-BB7C-4BC6-A758-5AC4ACAAF2B6}" => Key deleted successfully.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MySearchDial" => Key deleted successfully.

 

==== End of Fixlog ====

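The fixlog above shows the two things FRST's fixlist touched: a scheduled task whose cache entry pointed at a task file that no longer existed ("No Task File"), and a hijacked Internet Explorer search scope. The following read-only audit is an added example written for this thread; it is not code from FRST, Malwarebytes or the forum staff. It assumes the TaskCache layout used since Windows Vista (each Tasks\{GUID} key holds a "Path" value and the task XML lives under System32\Tasks plus that path) and should be run from an elevated PowerShell prompt. It lists, it does not delete; FRST or the person helping you decides what to remove.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): list scheduled-task cache
# entries whose task file is missing, and show every machine-wide IE search scope.
# Assumption: Vista+ TaskCache layout (Tasks\{GUID} has a "Path" value, file under
# %SystemRoot%\System32\Tasks<Path>). Run elevated. Read-only.

$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$taskRoot  = Join-Path $env:SystemRoot 'System32\Tasks'

Write-Host "== Scheduled tasks whose XML file is missing (FRST reports these as 'No Task File') =="
Get-ChildItem -Path $taskCache -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $path  = $props.Path
    if (-not $path) { return }                      # some entries carry no Path value
    # The registry stores "\Folder\Name"; the file is System32\Tasks\Folder\Name
    $file = Join-Path $taskRoot $path.TrimStart('\')
    if (-not (Test-Path -LiteralPath $file)) {
        [PSCustomObject]@{
            TaskId   = $_.PSChildName              # the {GUID} seen in the fixlog
            TaskPath = $path
            Status   = 'No Task File'
        }
    }
} | Format-Table -AutoSize

Write-Host "== Internet Explorer search scopes (HKLM) =="
$scopes  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
$default = (Get-ItemProperty -Path $scopes -ErrorAction SilentlyContinue).DefaultScope
Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [PSCustomObject]@{
        Scope     = $_.PSChildName                # {GUID} subkey name
        IsDefault = ($_.PSChildName -eq $default) # matches the DefaultScope value
        Name      = $p.DisplayName
        URL       = $p.URL                        # the search URL; check the host here
    }
} | Format-Table -AutoSize
```

On 64-bit Windows the same SearchScopes key also exists under Wow6432Node, and each user has their own copy under HKCU; point `$scopes` at those to cover them. An orphaned task entry is not proof of infection on its own (uninstallers sometimes leave them), but a task path named after a search toolbar, as in the fixlog, is worth keeping in the report you send.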

  • Staff

Hello lorien11

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or if you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete and I will ask you to remove our tools.

Gringo


Here are the reports:

 

# AdwCleaner v3.308 - Report created 31/08/2014 at 17:48:09
# Updated 20/08/2014 by Xplode
# Operating System : Windows 7 Professional  (64 bits)
# Username : Rachel - RACHEL-VAIO
# Running from : C:\Users\Rachel\Desktop\adwcleaner_3.308.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.7600.17267
 
 
-\\ Mozilla Firefox v19.0.2 (en-US)
 
[ File : C:\Users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\br4802nl.default\prefs.js ]
 
 
-\\ Google Chrome v36.0.1985.143
 
[ File : C:\Users\Rachel\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [search Provider] : hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites&cd=2XzuyEtN2Y1L1Qzuzzzzzy0F0F0A0D0E0AtDzy0F0EyD0AyDtN0D0Tzu0CyBtDtBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=710575478&ir=
 
*************************
 
AdwCleaner[R0].txt - [23613 octets] - [23/07/2014 20:31:45]
AdwCleaner[R1].txt - [1194 octets] - [31/08/2014 17:44:45]
AdwCleaner[s0].txt - [23730 octets] - [23/07/2014 20:39:26]
AdwCleaner[s1].txt - [1493 octets] - [31/08/2014 17:48:09]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [1553 octets] ##########
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by Rachel on Sun 08/31/2014 at 17:54:03.30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Successfully deleted the following from C:\Users\Rachel\AppData\Roaming\mozilla\firefox\profiles\br4802nl.default\prefs.js
 
user_pref("extensions.crossriderapp4493.4493.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com | jquery.org/license */\n(function(a,b){function cy(a){return f.isWindow(a)?
Emptied folder: C:\Users\Rachel\AppData\Roaming\mozilla\firefox\profiles\br4802nl.default\minidumps [139 files]
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\pbkdpahkifcigckmhiafindmaflfifgm
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 08/31/2014 at 18:02:55.10
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
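The JRT log above shows where browser adware of this kind hides: a Firefox user_pref whose "value" is a whole block of JavaScript (the crossrider entry), and a Chrome extension registered for installation through HKLM\Software\Google\Chrome\Extensions. The script below is an added example written for this thread, not code from JRT, AdwCleaner or the forum staff. It assumes Firefox profiles live under %APPDATA%\Mozilla\Firefox\Profiles, uses Google's documented value names for the Chrome extension keys (`update_url`, `path`), and the 500-character threshold is a constructed heuristic, not a standard. It only reports; it changes nothing.

```powershell
# Added example (not from the thread, JRT or AdwCleaner): flag Firefox prefs that carry
# code instead of a setting, and list Chrome extensions registered via the registry.
# Assumptions: Firefox profiles under %APPDATA%\Mozilla\Firefox\Profiles; Chrome
# external-extension keys under HKLM/HKCU\Software\Google\Chrome\Extensions (plus the
# Wow6432Node view on 64-bit Windows). $minLength is a constructed threshold. Read-only.

$minLength = 500   # a genuine user_pref string is rarely this long

Write-Host "== Firefox user_pref entries with unusually long or code-like values =="
$profileDir = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $profileDir -Filter 'prefs.js' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $prefsFile = $_.FullName
    foreach ($line in Get-Content -LiteralPath $prefsFile) {
        # prefs.js lines look like: user_pref("name", value);
        if ($line -match '^user_pref\("([^"]+)",\s*(.*)\);\s*$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            # Either signal on its own is enough to list the entry
            if ($value.Length -gt $minLength -or $value -match 'function\s*\(') {
                [PSCustomObject]@{
                    Profile = Split-Path (Split-Path $prefsFile) -Leaf
                    Pref    = $name
                    Length  = $value.Length
                    Preview = $value.Substring(0, [Math]::Min(60, $value.Length))
                }
            }
        }
    }
} | Format-Table -AutoSize

Write-Host "== Chrome extensions registered for install through the registry =="
$extKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
$extKeys | ForEach-Object {
    $key = $_
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [PSCustomObject]@{
            Hive        = $key
            ExtensionId = $_.PSChildName          # 32-letter id, as in the JRT log
            UpdateUrl   = $p.update_url           # where Chrome fetches the CRX from
            Path        = $p.path                 # or a local CRX path, if set instead
        }
    }
} | Format-Table -AutoSize
```

A prefs.js entry whose value starts with a jQuery banner or contains `function(` is a strong sign of an injected extension, because Firefox preferences are settings, not scripts. Entries under the Chrome Extensions registry keys are legitimate for software that ships its own extension, so compare each `ExtensionId` against the extensions you actually installed before deciding anything.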

  • Staff

Hello lorien11

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I didn't really run into any problems running ComboFix, except that it seemed to think Avast was still running, despite having turned off all shields.

Also, immediately after turning Avast off, it notified me that it had detected two suspicious browser add-ons.

The timing seemed odd, so I did nothing, but after running ComboFix, I ran an Avast quick scan and it found no threats.

 

However, when I tried running Malwarebytes, it stalled out again at heuristic analysis. Here are the threats it detected before it stalled. 

 

ComboFix Log.txt


  • Staff

Hello lorien11

We need to reset Chrome back to defaults to completely clear out what is going on.

We can keep the bookmarks by exporting them - Export Bookmarks

Then I need you to go to Google Sync and sign into your account.

Scroll down until you see the "Stop and Clear" button and click on it.

At the prompt click on "Ok"

Now we need to uninstall Chrome.

I want you to uninstall Chrome, and if asked about user data or settings then remove this also.

Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome

After you have Chrome reinstalled please check things out and let me know how it is doing.

Gringo


  • Staff

I would like you to rerun FRST for me and send me a new report.

If you cannot find it here is the link again.

Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ - Click on the BLUE download buttons only - ( The GREEN ones are ads)

Save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.

When the tool opens click Yes to disclaimer.

I would like for you to use these settings:

Under Whitelist I would like everything to be checked.

Under Optional Scan:

Only have Addition.txt selected (the other three blank).

Press the Scan button.

It will make two logs (FRST.txt and Addition.txt) in the same directory the tool is run from.

Please attach both reports to your reply to me.


  • Staff

Hello

Let's try running Malwarebytes in Safe Mode.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.

Wait 30 seconds, and then turn the computer on.

Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.

Ensure that the Safe Mode option is selected.

Press Enter. The computer then begins to start in Safe mode.

Log in to your usual account.

Gringo


  • Staff

Let's see if the 1.75 version does the same thing.

First let's remove the 2.0 version of the software.

To completely remove Malwarebytes Anti-Malware you will first need to uninstall it from the Control Panel: in (XP) Add/Remove Programs and in (Vista and later) Programs and Features.

Then I want you to run our cleanup tool, which will remove any traces that are left over.

http://downloads.malwarebytes.org/file/mbam_clean

You can download the older version here - http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Click on the blue button that says "download now" Version 1.75

Once it is installed, do not check for updates yet.

Go to Settings and then go to the Updater Settings tab and untick the two topmost boxes. This will keep it from being updated to the latest version but still allow database updates.

I will need to know if this clears the problem.

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or if you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete and I will ask you to remove our tools.

Gringo


This topic is now closed to further replies.