TechSpot

What is this?

By KandKsMama
Nov 28, 2008
  1. About a week ago my laptop began having popups almost every other page I browse to. I am also getting normal search results with Google, but when I click a link Google found it brings me to another weird search engine. I have tried to update my McAfee and it tells me it can't connect to re-install. I get McAfee free through Comcast and when I go to download it again it tells me I am offline, the page is missing or can't be displayed. It doesn't run and crashes when I try to run it through my network and every online scan I try to run doesn't work and either crashes, causes my computer to reboot or says it can't load. I am in the process of trying to repair my desktop so all I have left is my laptop and I was supposed to be launching an online business in Dec. which is now on hold until I determine what is wrong with both computers. Is there anything I can run that will work on getting rid of whatever I might have? I have been able to install Malwarebytes, Super Antispyware and Ad-Aware... and I am running them again but the last time it found anything it was just some cookies.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi

    Welcome aboard.

    We need to see what we are up against so....

    Well first in SAS click Preferences-Statistics and logs. Attach all logs bottom to top.

    Next MBAM logs do the same,

    Then do this special fix..

    and post the logs.

    Mike
     
  3. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Hopefully I am doing this right.

    Here are both the logs. I am going to try the link you posted as well.
     

    Attached Files:

  4. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Here are the logs after doing the special fix
     

    Attached Files:

  5. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello KandKsMama

    Good job I am sure things are better already.
    But on the last mbam log it says No action taken at the end of each found item. Meaning you ran the scan but exited mbam before removing them.

    I know it takes time but you must run again and remove them.

    Then..

    Download RSIT
    http://images.malwareremoval.com/random/RSIT.exe

    Run it, when finished it will open a log Maximized on the screen, attach the contents of this log back here then close that log.

    Then the 2nd log is Minimized so Max it and attach it also to a separate post.
    The logs will contain a HijackThis log also.

    Mike
     
  6. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Here is the first one
     

    Attached Files:

    • log.txt (File size: 31.2 KB)
  7. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Here is the second one
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    As stated above when you last ran MBAM you exited without clicking to remove the Malware as evidenced by the "No Action taken" in the log.

    You must run MBAM again and select remove. Then attach new log.

    Mike
     
  9. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Sorry for the delay I was away during the weekend. Here is the log. It says quarantined and deleted. I will say the popups are now gone, which I am hoping is a good sign.
     

    Attached Files:

  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Good job.

    MBAM has old update. You need to update it and run again!

    Same for SAS run again.

    Post these logs if they contain something. If empty no need to post just let me know.

    These programs must come up clean after finding something it removed / fixed.

    Last after the above is run post #5 above RSIT again.

    Mike
     
  11. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    OK I hope it lets me update, last time I tried it wouldn't. I will post back if it lets me or not.
     
  12. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    It let me update MBAM, but not SAS. I am about to run MBAM again but it seems like every time I remove them and reboot they come back.
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi KandKsMama

    They are not coming back!

    Actually it is working as each time it found something different which can happen as when one is cleaned it exposes one that was hidden the first time.

    After this MBAM scan post log and do below.

    That should also break SAS loose so if you complete Combofix reboot and do the SAS.

    ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  14. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Here is the most recent MBAM log, I am about to run combofix and then SAS and will see what happens.
     
  15. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Here are the logs, it still won't let me update SAS.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You might want to find the source of the reinfection with the Trojan DNS Changer, Mike. The Mbam logs are as follows:
    11/28, 7:01:31, removed
    11/29, 10:03:30, no action for same
    12/03, 12:52:40, removed same again
    12/04, 2:47:28, removed same again
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes I see but ComboFix did it the last time.

    OK KandKsMama

    Empty Recycle Bin!

    Open MBAM UPDATE then click More Tools Run Tool

    Then paste the below 3 lines 1 at a time to "File name" and click Open.

    c:\windows\System32\3B7DBF990C.sys
    c:\users\All Users\3B7DBF990C.sys
    c:\progra~2\3B7DBF990C.sys

    Reboot run Combofix again and post log.

    Mike
     
  18. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Here are the logs
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

  20. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Ok ran MBAM again and here is the log.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Actually they ARE coming back. Each MBAM log shows the same removals:
    Even after running ComboFix they come back again! The question is where are they coming from.

    I couldn't find a HijackThis log in any of the posts here. Please run HijackThis and attach the log.
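
Added example, not part of any post in this thread: one way to line up several scan logs and see both problems raised above, detections left at "No action taken" and items that reappear after an earlier scan reported removing them. The sample lines, the item names and the `<item> (<detection>) -> <action>.` layout are constructed assumptions; only the four scan dates mirror post #16.

```python
import re

# Assumed line layout: "<item> (<detection name>) -> <action>."
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

def parse_log(text):
    """Return (item, detection, action) tuples; header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m["item"].lower(), m["name"], m["action"]))
    return found

def review_scans(logs):
    """logs: list of (label, log_text), oldest first.
    Returns (unremoved, recurring):
      unremoved - detections the scanner found but did not act on
      recurring - items seen again after a scan that reported deleting them
    """
    unremoved, recurring = [], {}
    removed_on = {}  # item -> label of the first scan that reported removal
    for label, text in logs:
        for item, name, action in parse_log(text):
            if item in removed_on:
                recurring.setdefault(item, [removed_on[item]]).append(label)
            if "no action taken" in action.lower():
                unremoved.append((label, item, name))
            elif "deleted" in action.lower():
                removed_on.setdefault(item, label)
    return unremoved, recurring

# Constructed sample data (hypothetical file and registry names).
FILE_HIT = r"C:\WINDOWS\system32\example1.sys (Trojan.DNSChanger) -> "
REG_HIT = r"HKEY_LOCAL_MACHINE\SOFTWARE\example1 (Trojan.DNSChanger) -> "
DELETED = "Quarantined and deleted successfully."
SAMPLE_LOGS = [
    ("11/28", "Files Infected:\n" + FILE_HIT + DELETED + "\n" + REG_HIT + DELETED),
    ("11/29", "Files Infected:\n" + FILE_HIT + "No action taken."),
    ("12/03", "Files Infected:\n" + FILE_HIT + DELETED),
    ("12/04", "Files Infected:\n" + FILE_HIT + DELETED),
]

if __name__ == "__main__":
    unremoved, recurring = review_scans(SAMPLE_LOGS)
    for label, item, name in unremoved:
        print(f"{label}: {name} at {item} was found but not removed")
    for item, labels in recurring.items():
        print(f"{item} keeps returning: seen in scans {', '.join(labels)}")
```

An item that shows up under `recurring` points to something outside the scanner's reach recreating it, which is the question the helpers are chasing here.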
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    The HJT log is in the RSIT log. Any help is appreciated. I think this is the new Malware that is hitting MySpace.

    Yep they are returning now for sure now!

    Boot to Safe Mode.

    Open Fixes folder run Fixit.cmd again from Safe Mode.

    When it boots back to normal mode run no other program.

    Do the below in order given:

    Download SD Fix to Desktop among other things Catchme to look for RootKits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Then

    Go here Smitfraudfix
    Download and instructions are here.

    Post log.

    Mike
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I found the HijackThis log on Post #6. My guess is that the source of reinfection may be ask.com. There is some explanation of why this Toolbar is not desirable. Unfortunately, it's being seen pre-checked on some sites with downloads for other programs:
    http://www.benedelman.org/spyware/ask-toolbars/

    Vongo may also be another source of infection.

    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK any processes for the following:
    Ask> bar or search assistant
    Vongo

    Control Panel> Add/Remove Programs> UNINSTALL anything related to Ask

    Start> Run> services.msc> right click on Vongo> change Startup to either Manual or Disabled.

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.
    NOTE: You will get a nag message that you can just close after checking 'don't show this message again.' Stay in Selective Startup.

    Rescan with HijackThis and attach a new log.

    I have found that in the cleaning process, it is best to handle inappropriate entries found in the HijackThis log at the time of the first posting. If left, some of these entries can be a source of reinfection.
     
  24. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    Here is my HJT log I am still doing the other stuff
     
  25. KandKsMama

    KandKsMama TS Rookie Topic Starter Posts: 28

    SDfix RunThis.bat does not work for me. When I click on it a blue window pops up for about half a second and then closes.
     
Topic Status:
Not open for further replies.
