
Infected like a sailor on shore leave, MWB can't detect



Howdy, my computer recently became infected with some insidious malware and I can't seem to get rid of it. None of the anti-malware programs I've tried have detected any infections, yet I get constant popups saying my Java is out of date, or to call XXXX because I have a virus (semi-broken-English type stuff). I think this all started when I used my debit card for something and my bank instantly shut it down.

 

I attached the logs requested from the sticky, any help would be much appreciated!

 

-Yosh

mwblog.txt

FRST.txt

Addition.txt


My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat :)

Before we start please note the following:

  • Analysis and research take some time, and sometimes real life gets in the way, so please be patient.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Paste the logs in your posts; attachments make my work harder and more complicated.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight! :)

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:

    createsrpoint;process;services-list;systemspecs;startupall;skipfix-iedefaults;firefoxlook;chromelook;filesrcm;installedprogs;
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Please include its content in your next reply.

Don't forget to re-enable your switched-off protection software!


You have got a new variant of a Chrome infector.
 
 
Do the following:



Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the JRT icon and select Run as Administrator to start the tool.
  • Follow the prompts and let this process run uninterrupted.
  • This scan can take a while, depending on your System specs.
  • Upon completion, a log (JRT.txt) will open on your desktop.

Please include the contents of that file in your reply.
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.



Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • The program will begin to update the database (if internet connection is operational). Please wait a little bit.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.

Please include the contents of that file in your reply.


Hello, I ran both programs as requested, but now when I try to run Internet Explorer it doesn't exactly freeze; it just won't let me input any data anywhere or move to a new website. I wasn't able to post a reply here, and wasn't able to log into my email so I could mail myself the logs from both programs I ran so that I could post here from a different computer. If I let it sit while it 'loads' it just eventually crashes outright.

 

I pretty much can't leave my home page.  


Quite a lot of junk was removed. Let's see what is going on there now.



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


It won't go away so easily...



SpyBot S&D Warning

MVPS.org is no longer recommending SpyBot S&D due to very poor testing results (scroll down and read under Freeware Antispyware Products).
My advice is to get rid of this program. To do so:

  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for SpyBot, right-click the entry and click Uninstall.

This is optional, but please consider it, at least until we are clean, because SpyBot is able to hinder the removal process.



IOBit software warning!

I see that you are running some IOBit software. Although a legitimate one, IOBit as a vendor is considered a rogue one here due to stealing Malwarebytes' intellectual property. This is only information and a polite request to refrain from using its software. Whether you decide to do it or not, it's your call.



Scan with ZOEK

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;fopdddcinljmpmioaklghcalngfhbaen;chrchrdefaults;4d349a54;sc:\progra~2\gs_boo~1;fsesgiguard;sC:\Program Files\Enigma Software Group;fsC:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP;f
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Please include its content in your next reply.
Don't forget to re-enable your switched-off protection software!



Uninstall some programs

We need to uninstall some programs.

  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search there for each entry mentioned below, right-click the entry and click Uninstall, one at a time.

The list of programs to uninstall:

  • Google Chrome

After completing uninstalls, please manually reboot your machine!



Google Chrome reinstall

Please go to the official Chrome download website and install a fresh version.


Stubborn crap :angry2:



Scan with ZOEK

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;kdnlonomoeclcdilhggfjhmpkdcffhob;chrkdnlonomoeclcdilhggfjhmpkdcffhob;zchromelook;
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Please include its content in your next reply.
Don't forget to re-enable your switched-off protection software!


ZOEK reports that it has been deleted. Let's confirm.


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


The infection is gone, but we need to rectify some more things here.

Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Make sure that Verify driver digital signatures & Detect TDLFS File System are marked and click OK.
  • Click the Start Scan button and wait patiently.
If anything is found, follow these guidelines:
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    > Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    > If Cure is not available, please choose Skip instead.

  • Do not choose Delete unless instructed!
A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.
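TDSSKiller's Verify driver digital signatures option checks whether each loaded driver image carries a trusted signature. The script below is an added example, not part of the thread and not code from TDSSKiller or any other tool named here; it does a read-only version of the same check with built-in cmdlets, listing running drivers whose image is missing (the [X] entries FRST shows) or whose Authenticode signature is not valid. The function name is my own.

```powershell
# Added example (not from the thread or from TDSSKiller): audit running drivers'
# signatures with built-in cmdlets. Run from an elevated PowerShell; read-only.

function Get-UnsignedRunningDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
        ForEach-Object {
            $driver = $_
            # PathName may carry the \??\ or \SystemRoot\ NT prefixes that also appear in FRST logs
            $path = $driver.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"

            if (-not (Test-Path -LiteralPath $path)) {
                # Service entry whose file is gone; orphaned driver entries are worth a look
                [pscustomobject]@{ Name = $driver.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
                return   # inside ForEach-Object this moves on to the next driver
            }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name   = $driver.Name
                    Path   = $path
                    Status = $sig.Status            # NotSigned, HashMismatch, UnknownError, ...
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

Get-UnsignedRunningDrivers | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: on older Windows versions Get-AuthenticodeSignature does not consult catalog files, so catalog-signed Microsoft drivers can show as NotSigned there, while a HashMismatch on a driver that should be signed is the line to investigate first.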

This looks OK. It seems that something must be completely blocking the browsers, and it is in user mode.


Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:
    start
    CloseProcesses:
    HKU\S-1-5-21-3580133325-2108892799-1155786202-1001\...\MountPoints2: E - E:\DVDSetup.exe
    HKU\S-1-5-21-3580133325-2108892799-1155786202-1001\...\MountPoints2: {0a59549e-cd45-11df-ab2a-1c6f65213f15} - "F:\WD SmartWare.exe" autoplay=true
    HKU\S-1-5-21-3580133325-2108892799-1155786202-1001\...\MountPoints2: {c4c0be99-a800-11df-87ae-1c6f65213f15} - F:\LaunchU3.exe -a
    HKU\S-1-5-21-3580133325-2108892799-1155786202-1004\...\MountPoints2: E - E:\DVDSetup.exe
    HKU\S-1-5-21-3580133325-2108892799-1155786202-1004\...\MountPoints2: {0a59549e-cd45-11df-ab2a-1c6f65213f15} - "F:\WD SmartWare.exe" autoplay=true
    HKU\S-1-5-21-3580133325-2108892799-1155786202-1004\...\MountPoints2: {a8690bc6-9ced-11e1-84cb-f4403a1ed3f7} - F:\DVDSetup.exe
    HKU\S-1-5-21-3580133325-2108892799-1155786202-1004\...\MountPoints2: {c4c0be99-a800-11df-87ae-1c6f65213f15} - F:\LaunchU3.exe -a
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
    FF Plugin-x32: @videolan.org/vlc,version=2.0.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll No File
    FF Plugin HKCU: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
    S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
    S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
    S3 MSICDSetup; \??\F:\CDriver64.sys [X]
    R4 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [X]
    2014-10-29 01:47 - 2014-10-29 01:47 - 05405491 _____ () C:\Users\Yosh\Downloads\Setup.exe
    2014-10-16 21:39 - 2014-10-16 21:39 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
    2014-10-15 03:50 - 2014-10-15 12:15 - 00000000 ____D () C:\ProgramData\IObit
    2014-10-15 03:50 - 2014-10-15 03:50 - 00000000 ____D () C:\Users\Yosh\AppData\Roaming\IObit
    2014-10-15 03:50 - 2014-10-15 03:50 - 00000000 ____D () C:\Program Files (x86)\IObit
    2014-10-15 03:49 - 2014-10-15 03:49 - 30583304 _____ (IObit ) C:\Users\Yosh\Downloads\IObit-Malware-Fighter-Setup.exe
    2014-10-13 15:01 - 2014-10-13 17:22 - 00000000 ____D () C:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
    2014-10-13 15:01 - 2014-10-13 15:01 - 00000000 ____D () C:\Program Files\Enigma Software Group
    2014-10-13 15:00 - 2014-10-13 15:00 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Yosh\Downloads\SpyHunter-Installer.exe
    Hosts:
    Task: {38A52378-37FD-4BFD-9F3C-7C25344D4C88} - System32\Tasks\ZoomExUpdaterTask{F3B9B33B-833B-425B-9CF1-3C2614237342} => C:\ProgramData\Premium\ZoomEx\ZoomEx.exe <==== ATTENTION
    Task: {76439B5F-ED32-42DF-95F1-7F4FD0140A75} - \AdobeFlashPlayerUpdate No Task File <==== ATTENTION
    Task: {8AB65339-84F2-4397-9234-6BEC402CAD83} - \AdobeFlashPlayerUpdate 2 No Task File <==== ATTENTION
    Task: C:\Windows\Tasks\ZoomExUpdaterTask{F3B9B33B-833B-425B-9CF1-3C2614237342}.job => C:\ProgramData\Premium\ZoomEx\ZoomEx.exe <==== ATTENTION
    C:\ProgramData\Premium\ZoomEx
    AlternateDataStreams: C:\ProgramData\TEMP:30FD0CBD
    AlternateDataStreams: C:\Users\Yosh\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_0news-1751121550
    AlternateDataStreams: C:\Users\Yosh\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_1messages-431041656
    AlternateDataStreams: C:\Users\Yosh\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_2events-250898981
    AlternateDataStreams: C:\Users\Yosh\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_3friends-215113587
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
    Folder: C:\ProgramData\Premium
    EmptyTemp:
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.



Scan with Farbar Service Scanner

Download Farbar Service Scanner by Farbar and save it to your desktop.

  • Right-click on the Farbar Service Scanner icon and select Run as Administrator to start the tool.
  • Make sure all of the options are checked!
  • Press Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.

Please include that log in your next reply.
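The FRST fix above targets three persistence spots at once: a Chrome policy restriction (the GroupPolicy and CHR lines, which is how this kind of adware pins its extension so the user cannot remove it), scheduled tasks whose action lives under C:\ProgramData (the ZoomEx tasks), and alternate data streams. The script below is an added example, not part of the thread and not code from FRST, ZOEK or any other tool named here; it is a read-only audit of those same three spots that a responder can run before and after a cleanup to confirm nothing remains. The function names are my own, the default folder for the stream scan is an assumption, and the only update URL it treats as benign is the standard Chrome Web Store one.

```powershell
# Added example (not from the thread or from any tool it uses): a read-only audit of
# forced Chrome extensions, tasks executing from ProgramData, and alternate data streams.
# Run from an elevated PowerShell. Names are my own; nothing here modifies the system.

function Get-ChromeForcedExtensions {
    # Chrome reads ExtensionInstallForcelist from the HKLM and HKCU policy hives.
    # Each value is "<32-char extension id>;<update url>".
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $id, $updateUrl = $item.GetValue($name) -split ';', 2
            [pscustomobject]@{
                Hive       = $key
                ExtId      = $id
                UpdateUrl  = $updateUrl
                # Anything not served from the Chrome Web Store update endpoint deserves a closer look
                Suspicious = ($updateUrl -notmatch '^https://clients2\.google\.com/service/update2/crx')
            }
        }
    }
}

function Get-TasksRunningFromProgramData {
    # The fix removed tasks whose action pointed under C:\ProgramData; report any that still do.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute; COM-handler actions return $null here and are skipped
            if ($action.Execute -and $action.Execute -match '^"?[A-Za-z]:\\ProgramData\\') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Get-AlternateDataStreams {
    param([string]$Root = $env:ProgramData)   # assumed default; pass any folder to scan
    # Lists non-default NTFS streams. Zone.Identifier is the normal download marker and is skipped.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                Select-Object FileName, Stream, Length
        }
}

'--- Forced Chrome extensions ---'
Get-ChromeForcedExtensions | Format-Table -AutoSize
'--- Scheduled tasks executing from ProgramData ---'
Get-TasksRunningFromProgramData | Format-Table -AutoSize
'--- Alternate data streams under ProgramData ---'
Get-AlternateDataStreams | Format-Table -AutoSize
```

An empty forced-extension list, no tasks launching from ProgramData, and no unexplained streams is the expected state on a clean home machine; a forcelist entry whose update URL is not the Web Store one is exactly the policy restriction the FRST line flagged.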


[2 weeks later] Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
