Possible infection


gzembow

Hi there gzembow!

 

I am Blackbird and I will be helping you deal with your computer problems. :)

 

I need some more information before I can help you though:

- Since when did you experience any problems that are still there now?

- What problems do you experience exactly?

- Can you please post the results of MBAM, RKill and ComboFix in your next reply?

 

Besides that, I want to warn you: running tools like ComboFix was NEVER meant to be done by users without the supervision of a Trained Helper. I want to advise you to never run these kinds of tools again without the proper supervision of a qualified Helper. This is because tools like ComboFix do a lot more than you think and can ruin your computer if they are not used properly!

 

I hope to hear from you soon. :)


Thank you for your assistance.

 

I now know that I should not try this without guidance. The infected computer belongs to a friend of my mother and she still uses AOL as her primary email and browser.

 

It started 11 days ago and appeared to be a hijacker just affecting AOL. The URL it was redirecting to was variations on adnxs.com.

 

So I ran MBAM on 12/12 and quarantined what it found. (logs attached)

 

Then 3-5 days later the hijacker came back. The owner was leaving for holidays with her family so I was only able to try again yesterday. I followed some steps I found online and I ran Spybot v1.6.4 and cleaned a few things it found like Doubleclick. (logs attached).

 

Then I ran RKill and it seemed to indicate that the hosts file was infected. (logs attached). So I found an MS page on how to reset the hosts file and did that.

 

Last, I ran ComboFix and decided I was over my head and needed assistance. Lesson learned. (logs attached).

 

I hope I did not do too much damage.

 

Please let me know what to do next. Thank you very much.

mbam-log-2014-12-12 (22-55-02).xml

protection-log-2014-12-12.xml

Checks.141228-1427.log

Checks.141228-1438.txt

Fixes.141228-1716.txt

Update downloads.log

Rkill B4.txt

Rkill before.txt

Rkill.txt

hosts.txt

ComboFix.txt
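The post above describes a browser hijacker that redirected AOL to ad domains and an RKill result pointing at a modified hosts file. The following script is an added example written for this thread, not a tool used or posted by either participant: it parses a Windows-style hosts file and lists every active mapping that is not a stock localhost entry, so a helper can see at a glance whether a reset of the hosts file is warranted. The sample hosts content, the domain names and the IP addresses in it are constructed for illustration.

```python
"""Flag hosts-file entries that differ from the stock Windows defaults.

Added example for the thread above, not part of the original post. On Windows
the file lives at %SystemRoot%\\System32\\drivers\\etc\\hosts; a hijacker can
redirect or block sites by editing it. This reports every active mapping that
is not a plain localhost entry so the reviewer can judge it.
"""
import ipaddress

# Mappings a stock Windows hosts file may legitimately carry.
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}


def parse_hosts(text):
    """Return (ip, hostname) tuples for every active line in a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an IP address; skip the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Return (kind, ip, hostname) for every non-default active mapping.

    kind is "redirect" when a hostname is pointed at a non-loopback address
    (the hijack pattern) and "blocked" when a name other than localhost is
    pointed at loopback (the pattern used to sinkhole security-vendor sites).
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        kind = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirect"
        flagged.append((kind, ip, name))
    return flagged


# Constructed sample: two default lines plus two entries of the kind a
# hijacker would add. Addresses and names are made up for this example.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-search.test
127.0.0.1       updates.security-vendor.test
"""

if __name__ == "__main__":
    for kind, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:8} {ip:15} {name}")
```

Run it against a copy of the real hosts file by reading that file into `suspicious_entries`; an empty result means only the stock localhost lines are active, while any "redirect" line is the first thing to compare against the URLs the browser was being sent to.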


Hi there,

 

I reviewed your logfiles. No shocking things are in there. :)

 

The logfiles are outdated though, and I would like to have some recent logfiles instead. Therefore, please perform the following steps.

 

1. Please download a new, fresh copy of RKill.

  • Right-click RKill and choose Run as Administrator...
  • Follow the instructions given by the program.
  • Save the logfile that will be created by the program.
  • Post this logfile in your next reply.

 

2. Run Malwarebytes' Anti-Malware.

Note: If you're using the old version of the program (v 1.x) please uninstall this version and download and install the new v. 2.x instead. Click here to download.

  • Once the program has opened itself, download the latest update-pack by clicking Update Now.
  • Now click the Settings tab, and select Detection and Protection. Make sure the following items are set like this:
    • Place a checkmark at "Scan for rootkits"
  • Click the Scan tab.
  • Select Threat Scan and click the Run Scan button.
  • Delete everything that will be found. If a restart is required, allow Malwarebytes' Anti-Malware to restart your computer.
  • Post the scan results in your next reply.

 

3. Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

Please tell me in your next reply which problems you're still facing, together with the logfiles from RKill, MBAM and Farbar's Recovery Scan Tool.

 

Good luck! :)


Hi there,

 

Please download the attached fixlist.txt and save it to the same location as Farbar Recovery Scan Tool.

 

Warning!: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

 

Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

 

Please tell me which problems you're still facing.

fixlist.txt


Hi gzembow,

 

It all seems okay to me again. :)

 

1. Please remove ComboFix by going to Start > Run (or type it in the search field in the Start menu), and type: combofix /uninstall

 

2. You can remove the other programs used manually. Don't use them after we have finished this topic, as they were meant for use under supervision. Of course you can continue using Malwarebytes' Anti-Malware.

 

Please let me know if you have any other questions, or if I can close this topic. :)


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
