What is this?

Status
Not open for further replies.

KandKsMama
About a week ago my laptop began having popups on almost every other page I browse to. I am also getting normal search results with Google, but when I click a link Google found, it brings me to another weird search engine. I have tried to update my McAfee and it tells me it can't connect to re-install. I get McAfee free through Comcast, and when I go to download it again it tells me I am offline, the page is missing or can't be displayed. It doesn't run and crashes when I try to run it through my network, and every online scan I try to run doesn't work and either crashes, causes my computer to reboot or says it can't load. I am in the process of trying to repair my desktop, so all I have left is my laptop, and I was supposed to be launching an online business in Dec., which is now on hold until I determine what is wrong with both computers. Is there anything I can run that will work on getting rid of whatever I might have? I have been able to install Malwarebytes, Super Antispyware and Adaware... and I am running them again, but the last time it found anything it was just some cookies.
 
Hi

Welcome aboard.

We need to see what we are up against, so....

First, in SAS click Preferences > Statistics and Logs. Attach all logs, bottom to top.

Next, MBAM logs: do the same.

Then do this special fix..

and post the logs.

Mike
 
Hopefully I am doing this right.

Here are both logs. I am going to try the link you posted as well.
 

Attachments

  • mbam-log-2008-11-28 (19-01-31).txt
  • SUPERAntiSpyware Scan Log - 11-28-2008 - 19-26-45.log
Here are the logs after doing the special fix
 

Attachments

  • mbam-log-2008-11-28 (22-03-22).txt
  • SUPERAntiSpyware Scan Log - 11-22-2008 - 10-22-18.log
Hello KandKsMama

Good job, I am sure things are better already.
But on the last MBAM log it says "No action taken" at the end of each found item, meaning you ran the scan but exited MBAM before removing them.

I know it takes time but you must run again and remove them.

Then..

Download RSIT
http://images.malwareremoval.com/random/RSIT.exe

Run it; when finished it will open a log maximized on the screen. Attach the contents of this log back here, then close that log.

The 2nd log is minimized, so maximize it and attach it also, in a separate post.
The logs will contain a HijackThis log also.

Mike
 
As stated above, when you last ran MBAM you exited without clicking to remove the malware, as evidenced by the "No action taken" in the log.

You must run MBAM again and select remove. Then attach new log.

Mike
 
Sorry for the delay I was away during the weekend. Here is the log. It says quarantined and deleted. I will say the popups are now gone, which I am hoping is a good sign.
 

Attachments

  • mbam-log-2008-12-03 (00-52-40).txt
Good job.

MBAM has an old update. You need to update it and run again!

Same for SAS: run again.

Post these logs if they contain something. If empty, no need to post, just let me know.

These programs must come up clean after finding something they removed / fixed.

Last, after the above is run, do post #5 above (RSIT) again.

Mike
 
It let me update MBAM, but not SAS. I am about to run MBAM again but it seems like every time I remove them and reboot they come back.
 
Hi KandKsMama

They are not coming back!

Actually it is working, as each time it found something different, which can happen: when one is cleaned it exposes one that was hidden the first time.

After this MBAM scan, post the log and do the below.

That should also break SAS loose, so once you complete ComboFix, reboot and do the SAS.

ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
You might want to find the source of the reinfection with the Trojan DNSChanger, Mike. The MBAM logs are as follows:
11/28, 7:01:31, removed
11/29, 10:03:30, no action for same
12/03, 12:52:40, removed same again
12/04, 2:47:28, removed same again
 
Yes, I see, but ComboFix did it the last time.

OK KandKsMama

Empty the Recycle Bin!

Open MBAM, UPDATE, then click More Tools > Run Tool.

Then paste the below 3 lines, 1 at a time, into "File name" and click Open.

c:\windows\System32\3B7DBF990C.sys
c:\users\All Users\3B7DBF990C.sys
c:\progra~2\3B7DBF990C.sys

Reboot, run ComboFix again and post the log.

Mike
 
It let me update MBAM, but not SAS. I am about to run MBAM again but it seems like every time I remove them and reboot they come back.
They are not coming back!

Actually it is working as each time it found something different which can happen as when one is cleaned it exposes one that was hidden the first time.

Actually they ARE coming back. Each MBAM log shows the same removals:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.101 85.255.112.143 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93c3c067-ae12-4954-b0b3-242635116997}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.101 85.255.112.143 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.101 85.255.112.143 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{93c3c067-ae12-4954-b0b3-242635116997}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.101 85.255.112.143 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.101 85.255.112.143 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{93c3c067-ae12-4954-b0b3-242635116997}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.101 85.255.112.143 1.2.3.4 -> Quarantined and deleted successfully.

Even after running ComboFix they come back again! The question is where they are coming from.

I couldn't find a HijackThis log in any of the posts here. Please run HijackThis and attach the log.
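The registry values in the MBAM log above (and the earlier post listing the repeated removals) are the Tcpip DhcpNameServer entries that keep being rewritten. The script below is an added example, not something posted in this thread or shipped with MBAM: it walks every ControlSet and per-interface key, lists the resolvers found there, and flags any that are not on an allowlist you supply (the two addresses in the usage line are placeholders, not real values from this machine).

```powershell
# Added example, not from the thread. Enumerates DhcpNameServer / NameServer values
# under every ControlSet's Tcpip\Parameters key and its Interfaces\{GUID} subkeys,
# then reports resolvers that are not on the caller's allowlist.
function Get-TcpipDnsEntries {
    $results = @()
    $sets = Get-ChildItem 'HKLM:\SYSTEM' |
            Where-Object { $_.PSChildName -match '^(Current)?ControlSet' }
    foreach ($cs in $sets) {
        # CurrentControlSet is a link to one of ControlSet00N, so duplicates are expected.
        $params = "$($cs.PSPath)\Services\Tcpip\Parameters"
        if (-not (Test-Path $params)) { continue }
        $keys = @($params)
        $keys += Get-ChildItem "$params\Interfaces" -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.PSPath }
        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            foreach ($name in 'DhcpNameServer', 'NameServer') {
                $raw = $props.$name
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }
                # Values are space- or comma-separated lists, e.g. "85.255.112.143 1.2.3.4".
                foreach ($srv in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                    $results += [pscustomobject]@{
                        Key    = $key -replace '^.*::', ''   # drop the provider prefix
                        Value  = $name
                        Server = $srv
                    }
                }
            }
        }
    }
    return $results
}

function Find-UnexpectedDnsServers {
    # Assumption: $Allowed holds the resolvers your DHCP server or ISP really hands out.
    param([string[]]$Allowed)
    Get-TcpipDnsEntries | Where-Object { $Allowed -notcontains $_.Server }
}

# Placeholder allowlist; replace with the resolvers you expect on this network.
Find-UnexpectedDnsServers -Allowed @('192.168.1.1', '8.8.8.8') | Format-Table -AutoSize
```

Run it from an elevated prompt before and after each reboot; if the same unexpected servers reappear, whatever rewrites the key is still running or is starting at boot.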
 
The HJT log is in the RSIT log. Any help is appreciated. I think this is the new malware that is hitting MySpace.

Yep, they are returning now for sure!

Boot to Safe Mode.

Open the Fixes folder and run Fixit.cmd again from Safe Mode.

When it boots back to normal mode run no other program.

Do the below in order given:

Download SDFix to the Desktop (among other things, it has Catchme to look for rootkits).

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install), then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop, open My Computer, then the C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Then

Go here: Smitfraudfix.
Download and instructions are here.

Post log.

Mike
 
I found the HijackThis log in Post #6. My guess is that the source of reinfection may be ask.com. There is some explanation of why this toolbar is not desirable. Unfortunately, it's being seen pre-checked on some sites with downloads for other programs:
http://www.benedelman.org/spyware/ask-toolbars/

Vongo may also be another source of infection.

Please re-open HijackThis and scan. *Check* the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - Global Startup: Vongo Tray.lnk = ?
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK any processes for the following:
Ask> bar or search assistant
Vongo

Control Panel> Add/Remove Programs> UNINSTALL anything related to Ask

Start> Run> services.msc> right click on Vongo> change Startup to either Manual or Disabled.

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot.
NOTE: You will get a nag message that you can just close after checking 'don't show this message again.' Stay in Selective Startup.

Rescan with HijackThis and attach a new log.

I have found that in the cleaning process, it is best to handle inappropriate entries found in the HijackThis log at the time of the first posting. If left, some of these entries can be a source of reinfection.
 
SDFix RunThis.bat does not work for me. When I click on it, a blue window pops up for about half a second and then closes.
 