TechSpot

Could someone help me? Virus SOS

By JakeRazy
Dec 21, 2008
  1. Hi, I really need some help with this. My computer has a number of adware, spyware and malware infections. I was told to attach the scan logs, which are listed below.
    EDIT: Also, the virus keeps reinstalling itself every time I open up the internet.

    Thanks in advance,
    Jake Razy
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    By the way, you will need to then restart, and run (and attach) a new HJT log
     
  3. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    Thanks for helping me,
    Something I forgot to mention before is that the viruses keep reinstalling when I access the internet. OK, so I updated Malwarebytes, ran a full scan, and attached the log below. Also I ran HijackThis again and attached the log.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Jake

    Well, some may have been jumping back on, but it looks like you only clicked to remove in the last MBAM.

    Run HJT, scan only, then select and remove the below.

    O2 - BHO: {d7b439e8-7763-e9d9-2f14-9f9b004b35f3} - {3f53b400-b9f9-41f2-9d9e-36778e934b7d} - C:\WINDOWS\system32\ymkevm.dll
    O2 - BHO: (no name) - {A8ABF2DF-2BC2-450E-8E92-8714222398E4} - C:\WINDOWS\system32\urqOGaab.dll (file missing)
    O20 - AppInit_DLLs: wbsys.dll ymkevm.dll

    Then
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
    No install, just run it. Delete all it finds and decline to reboot on each item found until the program finishes, then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

    Please make a note of what it found, if anything, as it has no log.
    If it finds several things reboot to Safe Mode and run again before continuing below.

    Malware Removal Tool by Joe Pestro http://majorgeeks.com/Malware_Removal_Tool_d4632.html
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  5. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    Hi Mike,
    I deleted the files in HijackThis. The new log is listed below.
    I also used Xclean Micro and it did find a few things:

    W32.msn.maker = 3 Registry keys
    NTrootkit - FU SVKP
    Smart shopper
    Your screen-freeze sound effects(I recall downloading this but deleted it)

    I couldn't use ComboFix; it froze my computer every time I tried to open it. I think it might have been my virus protection (McAfee) that blocked it.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK that is not good about ComboFix.

    Boot to Safe Mode with Networking and
    1. Update MBAM and SAS again and run again. Both had removed items, so we need to confirm a clean log. They both often find more on the second run.

    2. Try the ComboFix from here (Safe Mode Networking).

    3. Do the below after both 1 & 2 even if #2 still does not work.

    Download SDFix to Desktop. Among other things it runs Catchme to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike

    EDIT: Turn off all virus scanners and other security software while doing this.
     
  7. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    Hello Mike,
    I rebooted my computer in Safe Mode and, to my surprise, ComboFix worked, so I have attached the log below as log.txt. SDFix worked too, so I have attached the report below.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, just what I thought!

    Just because the cleaners show removed does not mean that it will not find more on a second run.

    Do this:

    Update MBAM and SAS again and run each. Attach the logs back here.

    After both MBAM and SAS are finished run ComboFix again from Normal Mode.

    Our goal is Clean logs.

    Mike
     
  9. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    OK, so I got ComboFix working and attached the log. I also ran MBAM and SAS on my computer and attached the logs.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Uh oh!

    You have a keylogger. If this computer is used for any kind of online banking or purchases, then you need to not use it for this until we agree it is clean.

    You also need to change all passwords/PINs used on this computer.
    ----------------------------------------------------------------------------------------------------------------------------------
    COMBOFIX-Script
    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File::
    c:\windows\system32\Days5.ini
    C:\sqmnoopt00.sqm
    C:\sqmdata00.sqm
    c:\windows\system32\DLLDEV32i.dll
    c:\windows\system32\Utility.dll
    c:\windows\ALX_1600x1200.bmp
    c:\windows\iun6002.exe
    Folder::
    c:\temp
    Then drag this script and drop on top of ComboFix.

    ComboFix will now run a scan on your system.

    It may reboot your system when it finishes. This is normal.

    When finished, it will create a log. Attach the log back to us.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    As soon as I see this log is clean I have another special tool to run that will address the Keylogger and banking more directly.

    Mike
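    The O2/O20 HijackThis lines mflynn asked to have removed earlier in the thread and the CFScript File:: section above share one workflow: read the persistence entries out of the log, decide which DLLs are suspect, then list the ones still on disk for ComboFix to delete. The Python below is an added example of that workflow written for this page; it is not code from the thread, from HijackThis or from ComboFix. The sample log text is constructed from the three O2/O20 lines quoted in the thread plus one made-up benign BHO with a placeholder CLSID. The three heuristics (a "(file missing)" orphan, a display name that is itself a GUID, and a DLL that appears both as a BHO and in AppInit_DLLs) are this example's own and are meant to prioritise review, not to prove infection: wbsys.dll is listed in AppInit_DLLs alone and is deliberately not flagged.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in HijackThis log format. The O2/O20 lines for ymkevm.dll,
# urqOGaab.dll and AppInit_DLLs are the ones quoted in the thread; the
# "Example PDF Link Helper" line is made up (placeholder CLSID, not a real
# registration) so that the filter has a benign entry to leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: {d7b439e8-7763-e9d9-2f14-9f9b004b35f3} - {3f53b400-b9f9-41f2-9d9e-36778e934b7d} - C:\WINDOWS\system32\ymkevm.dll
O2 - BHO: (no name) - {A8ABF2DF-2BC2-450E-8E92-8714222398E4} - C:\WINDOWS\system32\urqOGaab.dll (file missing)
O2 - BHO: Example PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll
O20 - AppInit_DLLs: wbsys.dll ymkevm.dll
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20 lines: "O20 - AppInit_DLLs: <dll> <dll> ..."
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    file_missing: bool

    @property
    def basename(self) -> str:
        # Compare on the lowercase file name, since AppInit_DLLs lists bare names.
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    bho: Bho
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> Tuple[List[Bho], List[str]]:
    """Pull O2 (BHO) and O20 (AppInit_DLLs) entries out of HJT log text."""
    bhos: List[Bho] = []
    appinit: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(Bho(m["name"], m["clsid"].lower(), m["path"], bool(m["missing"])))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs may be space- or comma-separated.
            appinit.extend(d.lower() for d in re.split(r"[\s,]+", m["dlls"]) if d)
    return bhos, appinit


def correlate(bhos: List[Bho], appinit: List[str]) -> List[Finding]:
    """Flag BHOs showing the traits visible in the thread's own log lines.
    These are review heuristics for this example, not proof of infection."""
    appinit_set = set(appinit)
    findings: List[Finding] = []
    for b in bhos:
        reasons = []
        if b.file_missing:
            reasons.append("orphaned registration: DLL no longer on disk")
        if GUID_RE.match(b.name):
            reasons.append("display name is a GUID rather than a product name")
        if b.basename in appinit_set:
            reasons.append("same DLL also listed in AppInit_DLLs (loaded into every GUI process)")
        if reasons:
            findings.append(Finding(b, reasons))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit a ComboFix CFScript File:: section for flagged DLLs still on disk.
    "(file missing)" entries are skipped: there is nothing left to delete and
    the stale registration is what the HJT fix removes."""
    paths = [f.bho.path for f in findings if not f.bho.file_missing]
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    bhos, appinit = parse_hjt(SAMPLE_HJT_LOG)
    findings = correlate(bhos, appinit)
    for f in findings:
        print(f.bho.path)
        for r in f.reasons:
            print("   -", r)
    print(build_cfscript(findings))
```

    Run stand-alone it prints the two flagged DLLs with their reasons and a CFScript whose File:: section names only ymkevm.dll; the urqOGaab.dll entry is reported but left out of the script because HJT already shows the file as missing.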
     
  11. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    OK, so I ran ComboFix with the script and attached the log below. I also did a full scan with MBAM and SAS and found that the log was clear.
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, run ComboFix again (without the script).

    Attach log. I need to see the clean results.

    New HJT log after.

    Mike
     
  13. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    Alright, so I ran ComboFix and HijackThis and attached the logs below.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Run MBAM, click More Tools -> Run Tool.

    Paste the line below into File name: and click Open.

    c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP

    Then go here: http://www.bleepingcomputer.com/forums/topic17258.html
    Go down to the removal instructions, download it and follow the instructions, then post back the log.

    Mike
     
  15. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    When I paste in the file it automatically opens a folder with multiple items in it. Which one should I choose? The items are:
    Wisecustomcall64.dll
    Wisecustomcall.dll
    Wisecustomcalla1.dll
    Wisecustomcalla.dll
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    Ignore those for now; they are harmless.

    Do the SmitFraud.

    Mike
     
  17. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    Hi Mike,
    It took a while, but I got SmitfraudFix to run and I attached the log. I know I said before that the SAS scan was clean, but I just did another one and adware showed up. It identified it as Adware.Hotbar/ShopperReports. I put a log down below; if you can help me with the adware I would be grateful.
    EDIT: MBAM is still clean though. Scratch that, it just showed up with 12 viruses! I think I got rid of them though.
     
  18. mflynn

    mflynn TS Rookie Posts: 2,655

    These new ones showed up after either ComboFix or Smitfraud cleared their load and exposed them, as they were not seen by MBAM and SAS before.

    Problem is you forgot to click next and delete them in MBAM. Evidenced by the No Action taken in the MBAM log.

    So UPDATE MBAM and SAS and run each again, post each log, look in each log and run again until clean. Hopefully this will finally get them all.

    Mike
     
  19. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    I scanned with MBAM and SAS. MBAM was clean, but SAS still had that adware. I deleted it, but I'm scanning right now and it showed up again. Is there any special program I can use to remove the adware? I already tried Ad-Aware, but it came up with 0 infections.
     
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    Of course it found the same thing on this last scan: that is what you found but did not delete on the scan before that!

    Did you forget you ran it once and did not clean?

    OK, the last MBAM has removed items! We need to see it clean. UPDATE and run it again! It should come up clean this time.

    Show me a new MBAM run (after the one above) that has the same items and I will believe you!

    Get this and run it to clean Hotbar: http://client.hotbar.com/downloads/Uninstaller/Uninstaller.exe

    Then the SAS should be clear!

    Mike
     
  21. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    I ran MBAM and the results were clean. However, the Hotbar uninstaller wouldn't install.
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    Fantastical!

    Check Add/Remove for Hotbar; if it is there, uninstall it first, then do the below even if it is not in Add/Remove.

    Try this one: http://fileforum.betanews.com/download/HotBar_Adware_Removal_Tool/1101766545/1

    Then reboot and run SAS Quick Scan to finish the job or come up clean.

    OK, it looks like you are finally clean, so run the tool below to allow a deep look at your system in case we missed something. You had so much, so hard to clean, and most of them real bad boys!
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Download OTScanIt: http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe
    Close all Apps and Browsers

    Download and save to Desktop, then double-click to extract the files to an OTScanIt folder.

    If your firewall or other security or malware protections pop up, you should allow them to let OTScanIt run.

    Enter the OTScanIt folder and run OTScanIt.exe.

    In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings.

    Top Left click Run Scan.

    The scan can take some time so allow it time.

    When finished, a log will open; save the log, then copy and paste the contents back here.
    You may split/spread over multiple posts or post as an Attachment.

    Mike
     
  23. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    When I run the Hotbar uninstaller it says Hotbar adware is not installed on my system. It was also classified as ShopperReports, so maybe a ShopperReports remover?
     
  24. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes that is what it is attached to.

    Get rid of it in Add/Remove and quick scan with SAS.

    Mike
     
  25. JakeRazy

    JakeRazy TS Rookie Topic Starter Posts: 20

    I re-ran the SAS scan, but it still showed up with the Hotbar. I can't find it in Add/Remove either.
     
Topic Status:
Not open for further replies.
