Sagipsul, TexasCoastSigns, and Yellowcom popups

Status
Not open for further replies.
Channel F

Channel F

Posts: 7   +0
I got this absolutely *fantastic* little virus from Photobucket the other day and it pretty much knocked my system out of commission. My system is used for business and video editing and I am currently unable to perform my duties at work without the system in a working order. Like other users I've seen, I have similar problems and I've been looking through the advice and I've copied some of it that applied to my system but it looks like different stuff happens to different computers. When I use the Alt-Tab function I can see many copies of Mozilla Firefox without icons running, but I can do nothing to get rid of them save for ending the process.

I no longer have any System Restore points. I do not know where they went, I guess they purged on January 1st. Whoever thought that was a good idea needs to be punched in the throat. Hard. Regardless, I have run Malware Bytes in Safe Mode and again in regular mode, both without Internet connection, and it looked like it was clean, but I still get these damn pop ups every 10 or so minutes. I have the Hijack This log, but I didn't know I was supposed to save the Malware Bytes log at the time, since it was before I had found these forums.

Below is the HJT log. Any help would be beyond appreciated.
- Channel F

edit: I suppose I should mention that I have scanned this computer with AVG Free 8.0, Malware Bytes, and Ad-Aware SE. It came up clean about an hour ago, but I guess it missed something because I am still getting pop ups. All 3 programs are completely up to date. I am also currently getting logs from the other 2 programs in the 8-Step Thread. I have HJT posted right now just as a preliminary if anyone wants to glance at it. I am "semi" computer savvy so having to do some manual "search and destroying" in Safe Mode and such is not a problem, I just need some instructions and direction that's all - and I'll be ready to quote some Duke Nukem while pressing the Delete key.

Log information:
hijackthis.log - Standard HJT log.
SUPERANtiSpyware...20-50-54.log - Standard SAS log.
mbam...15-23-11.txt - MBAM running in Safe Mode prior to all other scans. (See later post for the "11 hours" explanation.)
mbam...17-55-51.txt - MBAM after the reboot from 15-23-11.
 
Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Uninstall Ad-Aware

Install Avira


Run Startup Control Panel and remove any not required startups: (should be most!)


Start up Malwarebytes again; Update it; then run a full scan again (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

Or better yet, just follow the => Guide precisely
 
I'll get started installing the new stuff while the other programs are doing their scans.

Any recommendations on what the suggested minimum number of startup processes are? A lot of them are all just random letters to me so I don't touch them since I don't want to foul anything up. However I have heard that critical system processes don't show up as ones in the list to turn off and on.
 
I have 1 startup => Avira ;)

All my hardware (printer so forth) and all Pics and everything works perfectly
 
Okay, I've got all 3 logs up. They were run in this order:
1. MBAM (In Safe Mode)
2. HJT
3. SAS

I edited them into the first post.

Interesting notes:
If you notice in the MBAM log it says the scan took over 11 hours. For some reason the system slowed to a crawl in Safe Mode because after around 30 minutes of operation svchost.exe would cause an error, choosing "OK" or "CANCEL" from that dialogue box would start a 1-minute countdown to system shutdown. I found that if you didn't actually DO anything when it came up the scan would continue as normal but took FOREVER. I let this run overnight last night while I was at work and later at a friend's place. The scan had items that needed to be deleted upon reboot, I ran MBAM again and it detected the items and dealt with them. Or so I thought.

HJT didn't really run into any errors or slowdowns, and neither did SAS.

edit: I uploaded the second MBAM log, 17-55-51, ran after the Safe Mode reboot.
 
Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

I know I know :suspiciou
 
kimsland said:
Start up MBAM again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

I know I know :suspiciou
Click to expand...

MBAM is updating right now and preparing for another scan. In the meantime all relevant logs for this ordeal have been added to the first post. :)

Thank you very much for the help thus far. :3
 
AVG was not gone the first time I scanned with MBAM, it was uninstalled before Avira and SAS were installed (and then ran) though. Right now MBAM is going again, this time without AVG in the mix.

Just for posterity, here is a HJT log from right now to show what's going on. AVG should be out of there. :) MBAM is currently going, and Avira is hanging out in the background with its active detection going.

MBAM has finished the scan I started, it found only 1 infection. Here is the log:
 
Re-open HJT and tick and fix this lone entry:
O20 - AppInit_DLLs: rkyaix.dll
Click to expand...

Your log file is still very large, due to the many not required (but not Malware) shortcut startups
You could use Startup Control Panel, to remove (un-tick) as many as you can
And then restart, to confirm all is still good :grinthumb
 
This was (hopefully) the Trojan's last stand. I do not see the process or registry key in the report log below. :)
 
Please re-run HJT and tick and fix the following
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: .trymedia.com[/url] (HKLM)
Click to expand...
All the "zone.msn.com" entries concern me
And I have not checked them (being about 20 of)

Your HJT log is still very large, so I can not say conclusively that it's clean (it would take way too long to confirm)

Generally, I would say it looks Malware free :)

-----------------
Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

-----------------
Uninstall SuperAntispyware
Run CCleaner once more
-----------------
Restart

If you'd like to reply back with your thoughts, that'll be nice ;)
 
zone.msn.com is MSN's gaming section which I also believe was used for their Search Club giveaways, something I was playing off and on. I don't know if Messenger uses that domain as well but I trust that domain.

Anyways I think the virus has been eliminated because I am no longer getting pop ups and MBAM is coming up clean now. I also am not getting alerts from Avira every so often that a random Trojan from system32 is trying to do something. Now that we have come this far I would like to ask - is it safe for me to use PayPal again now on this system? Also is it safe for me to login to my FTP managers and whatnot where I work on my sites to continue uploading and working on pages?

Thank you so much, does TechSpot have a donate link? :)
 
Status
Not open for further replies.

Similar threads

M
Virus warning popup
Replies
1
Views
538
Mark Fuller
M
midian182
Microsoft revives aggressive Windows 11 upgrade campaign with intrusive popups for Windows...
2
Replies
46
Views
739
Ecurb
Ecurb
E
I have been taken over by a software called Astanda using XML to Log everything and roaming to an SQL server.
Replies
0
Views
474
eriksnyman1
E

Latest posts

Back