Could someone help me? Virus SOS

Status
Not open for further replies.

JakeRazy

Hi, I really need some help with this. My computer has a number of adware, spyware and malware infections. I was told to attach the scan logs, which are listed below.
EDIT: Also, the virus keeps reinstalling itself every time I open up the internet.

Thanks in advance,
Jake Razy
 
-> No action taken on MBAM scan, for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes.
Confirm it is updated (third tab).
Then do the above quoted message, but this time "Remove all found issues".

By the way, you will then need to restart, and run (and attach) a new HJT log.
 
Thanks for helping me,
Something I forgot to mention before is that the viruses keep reinstalling when I access the internet. OK, so I updated Malwarebytes, ran a full scan, and attached the log below. Also, I ran HijackThis again and attached the log.
 
Hi Jake

Well, some may have been jumping back on, but it looks like you only clicked to remove in the last MBAM.

Run HJT "scan only". Select and remove the entries below.

O2 - BHO: {d7b439e8-7763-e9d9-2f14-9f9b004b35f3} - {3f53b400-b9f9-41f2-9d9e-36778e934b7d} - C:\WINDOWS\system32\ymkevm.dll
O2 - BHO: (no name) - {A8ABF2DF-2BC2-450E-8E92-8714222398E4} - C:\WINDOWS\system32\urqOGaab.dll (file missing)
O20 - AppInit_DLLs: wbsys.dll ymkevm.dll

Then
----------------------------------------------------------------------------------------------------------------------------------------------------
Download Xclean_Micro: http://www.xblock.com/download/xclean_micro.exe
No install, just run it. Delete all it finds; decline to reboot on each item found until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Please make a note of what it found, if anything, as it has no log.
If it finds several things reboot to Safe Mode and run again before continuing below.

Malware Removal Tool by Joe Pestro http://majorgeeks.com/Malware_Removal_Tool_d4632.html
----------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
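The three HJT entries Mike singles out above show the pattern a reviewer looks for in a HijackThis log: a BHO whose "name" is just another CLSID, a BHO whose DLL is already gone ("file missing"), and the same DLL name turning up again under O20 AppInit_DLLs, which loads it into every process that loads user32.dll rather than only the browser. The script below is an added example (not a tool from this thread or from HijackThis) that parses O2 and O20 lines and flags exactly those three conditions; the first two sample lines and the O20 line are the ones quoted in the thread, the third BHO line is constructed as a benign control.

```python
"""Triage helper for HijackThis-style O2/O20 log lines (added example).

Parses O2 (Browser Helper Object) and O20 (AppInit_DLLs) entries and flags
what a reviewer checks first: BHOs whose file is missing, BHOs without a
readable name, and DLLs that appear both as a BHO and in AppInit_DLLs.
"""
import re
from dataclasses import dataclass, field

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
CLSID_LIKE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

# Constructed sample: lines 1, 2 and 4 are the entries quoted in the thread,
# line 3 is a made-up, properly named BHO used as a benign control.
SAMPLE_LOG = r"""
O2 - BHO: {d7b439e8-7763-e9d9-2f14-9f9b004b35f3} - {3f53b400-b9f9-41f2-9d9e-36778e934b7d} - C:\WINDOWS\system32\ymkevm.dll
O2 - BHO: (no name) - {A8ABF2DF-2BC2-450E-8E92-8714222398E4} - C:\WINDOWS\system32\urqOGaab.dll (file missing)
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O20 - AppInit_DLLs: wbsys.dll ymkevm.dll
"""


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    missing: bool


@dataclass
class HjtEntries:
    bhos: list = field(default_factory=list)
    appinit: list = field(default_factory=list)


def parse_hjt(text):
    """Collect O2 BHO entries and O20 AppInit_DLLs names from log text."""
    entries = HjtEntries()
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.bhos.append(
                Bho(m["name"], m["clsid"].upper(), m["path"], bool(m["missing"]))
            )
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is a space-separated list of DLL names.
            entries.appinit.extend(m["dlls"].split())
    return entries


def triage(text):
    """Return (subject, issue) pairs for the conditions worth a second look."""
    entries = parse_hjt(text)
    appinit_names = {d.lower() for d in entries.appinit}
    findings = []
    for b in entries.bhos:
        basename = b.path.rsplit("\\", 1)[-1].lower()
        if b.missing:
            # Registration left behind after the DLL was deleted: orphaned entry.
            findings.append((b.clsid, "file_missing"))
        if b.name == "(no name)" or CLSID_LIKE.match(b.name):
            # Legitimate add-ons normally register a human-readable name.
            findings.append((b.clsid, "unnamed_bho"))
        if basename in appinit_names:
            # Same DLL is also injected system-wide via AppInit_DLLs.
            findings.append((b.clsid, "bho_in_appinit"))
    for dll in entries.appinit:
        # Every AppInit DLL is loaded into every process that loads user32.dll,
        # so each one deserves a publisher check regardless of its name.
        findings.append((dll, "appinit_dll"))
    return findings


if __name__ == "__main__":
    for subject, issue in triage(SAMPLE_LOG):
        print(f"{issue:15} {subject}")
```

The benign control line produces no finding, while both entries from the thread are flagged twice: the first for being unnamed and for also sitting in AppInit_DLLs, the second for being unnamed and for pointing at a file that no longer exists. Correlating O2 with O20 is the useful part; a BHO alone only affects the browser, but a BHO that is also an AppInit DLL explains why it comes back as soon as anything starts.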
 
Hi Mike,
I deleted the files in HijackThis. The new log is listed below.
I also used Xclean Micro and it did find a few things:

W32.msn.maker = 3 Registry keys
NTrootkit - FU SVKP
Smart shopper
Your screen-freeze sound effects (I recall downloading this but deleted it)

I couldn't use ComboFix; it froze my computer every time I tried to open it. I think it might have been my virus protection (McAfee) that blocked it.
 
OK that is not good about ComboFix.

Boot to Safe Mode with Networking and:
1. Update MBAM and SAS again and run them again. Both had removed items; we need to confirm a clean log. They both often find more on the second run.

2. Try the ComboFix from here (Safe Mode Networking).

3. Do the below after both 1 & 2 even if #2 still does not work.

Download SDFix to Desktop; among other things it includes Catchme to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop, run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop:
Open My Computer, then double-click the C: drive to open it.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike

EDIT: Turn off all virus scanners and other security software while doing this.
 
Hello Mike,
I rebooted my computer in Safe Mode and to my surprise ComboFix worked, so I have attached it below as log.txt. SDFix worked too, so I have attached the report below.
 
OK Just what I thought!

Just because the cleaners show removed does not mean that it will not find more on a second run.

Do this:

Update MBAM and SAS again and run each. Attach the logs back here.

After both MBAM and SAS are finished run ComboFix again from Normal Mode.

Our goal is clean logs.

Mike
 
OK, so I got ComboFix working and attached the log. I also ran MBAM and SAS on my computer and attached the logs.
 
Uh oh!

You have a keylogger. If this computer is used for any kind of online banking or purchases, then you need to not use it for this until we agree it is clean.

You also need to change all passwords/PINs used on this computer.
----------------------------------------------------------------------------------------------------------------------------------
COMBOFIX-Script
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Code:
File::
c:\windows\system32\Days5.ini
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
c:\windows\system32\DLLDEV32i.dll
c:\windows\system32\Utility.dll
c:\windows\ALX_1600x1200.bmp
c:\windows\iun6002.exe
Folder::
c:\temp
Then drag this script and drop it on top of ComboFix.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

When finished, it will create a log. Attach the log back to us.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

As soon as I see this log is clean I have another special tool to run that will address the Keylogger and banking more directly.

Mike
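The CFScript above is a plain-text file of directives (here ``File::`` and ``Folder::``), each followed by one path per line, and ComboFix deletes whatever it lists. Before dropping such a script on the tool it is worth checking that every path is absolute, that none of them is a drive root or a core Windows directory, and that every section header is one the script format uses. The parser and checker below are an added example, not ComboFix's own code; the first sample is the script quoted in this post, the second is constructed to show what gets rejected. As an assumption, only the two directives seen in this thread are accepted.

```python
"""Parser and sanity checker for a ComboFix CFScript (added example)."""
import re

# Assumption: only the directives used in the thread are accepted.
KNOWN_DIRECTIVES = {"File", "Folder"}
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
ABS_WIN_RE = re.compile(r"^[A-Za-z]:\\")
# Locations (relative to the drive root, lower-cased) whose deletion would
# cripple the system; a script should never list these directly.
PROTECTED = {"", "windows", "windows\\system32", "program files",
             "users", "documents and settings"}

# The script quoted in the post above.
SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\Days5.ini
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
c:\windows\system32\DLLDEV32i.dll
c:\windows\system32\Utility.dll
c:\windows\ALX_1600x1200.bmp
c:\windows\iun6002.exe
Folder::
c:\temp
"""

# Constructed example of a script a reviewer should refuse to run.
BAD_SCRIPT = r"""
Folder::
C:\Windows
temp\old
Bogus::
C:\x.txt
"""


def parse_cfscript(text):
    """Return ({directive: [paths]}, [(lineno, error)]) for a CFScript body."""
    sections, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["name"]
            if current not in KNOWN_DIRECTIVES:
                errors.append((lineno, f"unknown directive {current}::"))
            sections.setdefault(current, [])
            continue
        if current is None:
            errors.append((lineno, "path before any directive"))
            continue
        sections[current].append(line)
    return sections, errors


def check_paths(sections):
    """Return (path, problem) pairs for paths that should not be deleted blindly."""
    problems = []
    for paths in sections.values():
        for p in paths:
            if not ABS_WIN_RE.match(p):
                # Relative paths resolve against whatever cwd the tool has.
                problems.append((p, "not an absolute drive path"))
                continue
            rel = p[3:].rstrip("\\").lower()   # strip "X:\" and trailing slash
            if rel in PROTECTED:
                problems.append((p, "protected location"))
    return problems


if __name__ == "__main__":
    for script in (SAMPLE_SCRIPT, BAD_SCRIPT):
        sections, errors = parse_cfscript(script)
        print("errors:", errors, "problems:", check_paths(sections))
```

For the script from the post, both checks come back empty: seven explicit files and one folder, all absolute and none in a protected location. The constructed script is rejected on three counts (a drive-level Windows directory, a relative path, and a directive the checker does not know), which is the kind of thing worth catching before a deletion tool acts on it.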
 
OK, so I ran ComboFix with the script and attached the log below. I also did a full scan with MBAM and SAS and found that the log was clear.
 
OK run ComboFix again (without the script).

Attach log. I need to see the clean results.

New HJT log after.

Mike
 
When I paste in the file, it automatically opens a folder with multiple items in it. Which one should I choose? The items are:
Wisecustomcall64.dll
Wisecustomcall.dll
Wisecustomcalla1.dll
Wisecustomcalla.dll
 
Hi Mike,
It took a while, but I got SmitfraudFix to run and I attached the log. I know I said before that the SAS scan was clean, but I just did another one and adware showed up. It identified it as Adware.Hotbar/ShopperReports. I put a log down below; if you can help me with the adware I would be grateful.
EDIT: MBAM is still clean though. Scratch that, it just showed up with 12 viruses! I think I got rid of them though.
 
These new ones showed up after either ComboFix or SmitfraudFix cleared their load and exposed them, as they were not seen by MBAM and SAS before.

Problem is, you forgot to click next and delete them in MBAM. Evidenced by the "No action taken" in the MBAM log.

So UPDATE MBAM and SAS and run each again, post each log, look in each log and run again until clean. Hopefully this will finally get them all.

Mike
 
I scanned with MBAM and SAS. MBAM was clean, but SAS still had that adware. I deleted it, but I'm scanning right now and it showed up again. Is there any special program I can use to remove the adware? I already tried Ad-Aware but it came up with 0 infections.
 
Of course it found the same thing on this last scan: that is what you found but did not delete on the scan before that!

Did you forget that you ran it once and did not clean?

OK the last MBAM has removed items! We need to see it clean. UPDATE and run it again! It should come up clean this time.

Show me a new MBAM run (after the one above) that has the same items and I will believe you!

Get this and run it to clean Hotbar: http://client.hotbar.com/downloads/Uninstaller/Uninstaller.exe

Then the SAS should be clear!

Mike
 
Fantastical!

Check Add/Remove Programs for Hotbar; if it is there, uninstall it first, then do the below even if it is not in Add/Remove.

Try this one: http://fileforum.betanews.com/download/HotBar_Adware_Removal_Tool/1101766545/1

Then reboot and run SAS Quick Scan to finish the job or come up clean.

OK, it looks like you are finally clean, so run the tool below to allow a deep look at your system in case we missed something. You had so much, so hard to clean, and most of them real bad boys!
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Download OTScanIt: http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe
Close all Apps and Browsers

Download and save it to the Desktop, then double-click it to extract the files to an OTScanIt folder.

If a firewall or other security or malware protection prompt pops up, you should allow it so OTScanIt can run.

Enter the OTScanIt folder and run OTScanIt.exe.

In Additional Scans, select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings.

At the top left, click Run Scan.

The scan can take some time so allow it time.

When finished, a log will open. Save the log, then copy and paste its contents back here.
You may split/spread over multiple posts or post as an Attachment.

Mike
 
When I run the Hotbar uninstaller, it says Hotbar adware is not installed on my system. It was also classified as ShopperReports, so maybe a ShopperReports remover?
 