TechSpot

Help with popups malware please.

By vwguy78
Apr 6, 2008
  1. Hi, I seem to be suffering from the same popup/malware problem that everyone else is. McAfee doesn't seem to pick anything up during a virus scan. I think I got infected through an ActiveX control. Can someone talk me through what I need to do? Thanks!
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log to your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply.
    WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  3. vwguy78

    vwguy78 TS Rookie Topic Starter

    Here's the Logs.

    Here are the two requested logs attached.
     
  4. vwguy78

    vwguy78 TS Rookie Topic Starter

    RE: Logs

    The problem does seem to have gone away. Am I safe now?
     
  5. kritius

    kritius TS Guru Posts: 2,084

    No, I still need to finish up looking at the logs. Hang tight.

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      KILL ALL::
      
      File::
      C:\WINDOWS\system32\lvxmayey.ini
      C:\WINDOWS\system32\kbsrehar.exe
      C:\WINDOWS\system32\yxafiris.dll
      
      Folder::
      C:\Documents and Settings\All Users\Application Data\qfwzijov
      C:\Documents and Settings\All Users\Application Data\Less Knob Balm Bait
      C:\Documents and Settings\All Users\Application Data\Bait cake roam slow
      
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "hcsagyrw"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "roam slow curb balm"=-
      "burn dvd mags balm"=-
      "5c53e714"=
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    ATF Cleaner

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.
      If you use Firefox:

      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
      If you use Opera:

      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program

    After this run HijackThis again and post a fresh log for me.
     
  6. vwguy78

    vwguy78 TS Rookie Topic Starter

    RE:

    I have dragged the txt file across but no log file is produced. Should I skip forward to running ATF?
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Reboot and see if it's there, maybe in the c:\ drive. If not, try this again.

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\lvxmayey.ini
      C:\WINDOWS\system32\kbsrehar.exe
      C:\WINDOWS\system32\yxafiris.dll
      
      Folder::
      C:\Documents and Settings\All Users\Application Data\qfwzijov
      C:\Documents and Settings\All Users\Application Data\Less Knob Balm Bait
      C:\Documents and Settings\All Users\Application Data\Bait cake roam slow
      
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "hcsagyrw"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "roam slow curb balm"=-
      "burn dvd mags balm"=-
      "5c53e714"=
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Then run ATF and HijackThis again.
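
An added example, not part of kritius's post and not ComboFix's own code: a small Python parser for the CFScript.txt text shown in the thread. It reports which listed files and folders still exist after the run and sets aside any Registry line that is not in the `"name"=-` form. The section handling is inferred only from the script as posted, and `parse_cfscript` and `still_present` are hypothetical names.

```python
import os
import re

# Excerpt of the script posted in the thread, used here as sample input.
CFSCRIPT = r'''File::
C:\WINDOWS\system32\kbsrehar.exe
C:\WINDOWS\system32\yxafiris.dll

Folder::
C:\Documents and Settings\All Users\Application Data\qfwzijov

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hcsagyrw"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"roam slow curb balm"=-
"5c53e714"=
'''

def parse_cfscript(text):
    """Split a script into File/Folder paths, registry deletions and odd lines."""
    out = {"File": [], "Folder": [], "Registry": [], "unparsed": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # section header such as "File::"
            section, key = line[:-2], None
        elif section in ("File", "Folder"):
            out[section].append(line)
        elif section == "Registry" and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key that the following values belong to
        elif section == "Registry" and key and (m := re.fullmatch(r'"(.+)"=-', line)):
            out["Registry"].append((key, m.group(1)))
        else:
            out["unparsed"].append(line)  # anything not in a form seen above
    return out

def still_present(parsed):
    """Return the listed files and folders that still exist on this machine."""
    return [p for p in parsed["File"] + parsed["Folder"] if os.path.exists(p)]

if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    print("still on disk:", still_present(parsed))
    print("Run values to re-check:", parsed["Registry"])
    print("lines not in deletion form:", parsed["unparsed"])
```
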
     
  8. vwguy78

    vwguy78 TS Rookie Topic Starter

    Here are the logs.
     
Topic Status:
Not open for further replies.
