MajorGeeks Support Forums

#1 | 02-12-10, 17:06 | goofyrocks (Private E-2)
Suspect malware - at least adware

Hi,
I'm running a 32-bit version of Windows XP on a 3-year-old Compaq computer that I recently discovered was being used by my children, 9 and 7. I have to hand it to them for getting that one by me! Now I've got floating ads bouncing around the screen. I had Norton, which I resubscribed to, but it won't update its virus definitions. I cannot run MalwareBytes, even after changing the name of the .exe file. I read and completed the steps (minus the Malwarebytes scan) and the logs are attached. My start bar turns white, my PC doesn't recognize that I have a sound card, and my browser is frequently hijacked to sales sites - they vary - or shows an error message - they vary as well - mostly just "file not found". It occasionally reboots itself - surprise! The sound plays sometimes. I cannot find the Superantispyware log in my C drive. My patience runs thin. I think the Major has his work cut out for him, as this Private is ready to surrender. Thank you for any and all help you can offer!! Sincerely, GoofyRocks!

Last edited by goofyrocks; 02-12-10 at 17:09. Reason: Forgot to thank you!
#2 | 02-12-10, 17:25 | goofyrocks (Private E-2)
Re: Suspect malware - at least adware

Attachments did not upload...
Attached Files:
* RootRepeal report 02-12-10 (15-03-13).txt (540 Bytes)
* ComboFix.txt (20.2 KB)
* exehelperlog.txt (414 Bytes)
* avplog.txt (2.0 KB)
#3 | 02-12-10, 17:48 | goofyrocks (Private E-2)
Re: Suspect malware - at least adware

.Zip
Attached Files:
* MGlogs.zip (134.0 KB)
#4 | 02-13-10, 17:25 | evilfantasy (Malware Fighter, Tulsa, OK)
Re: Suspect malware - at least adware

Hello goofyrocks.

When you ran the MGTools.exe, did you not get a pop-up for the agreement to run HJT? Please accept the agreement on the next run of the tools, or tell me if you get an error message of some sort.

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable, then delete the two files that were put on the desktop.

Go to Add or Remove Programs and uninstall:

- J2SE Runtime Environment 5.0 Update 6

Now see here and install the new version of Java: Updating Sun Java

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\sgqwvi
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\xhwhnl
C:\WINDOWS\Temp\symlcsv1.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[screenshot: dragging CFScript.txt onto ComboFix.exe]

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created along with the new ComboFix log.

Last edited by TimW; 02-13-10 at 17:46. Reason: Added HJT question. Removed files.
#5 | 02-14-10, 18:22 | goofyrocks (Private E-2)
Re: Suspect malware - at least adware

So far so good! The ads are gone, but there is an affected registry key. I'll post twice only to upload the rest of the logs. Thanks so much for your help so far!!!
GoofyRocks.
Attached Files:
* avplog.txt (2.2 KB)
* ComboFix.txt (20.7 KB)
* exehelperlog.txt (828 Bytes)
* mbam-log-2010-02-14 (11-52-10).txt (870 Bytes)
#6 | 02-14-10, 18:24 | goofyrocks (Private E-2)
Re: Suspect malware - at least adware

The rest of the logs.....
Goofyrocks.
Attached Files:
* MGlogs.zip (136.2 KB)
* registry mechanic scan.log (4.5 KB)
* Root repeal log.txt (10.1 KB)
* SUPERAntiSpyware Scan Log - 02-14-2010 - 14-11-40.log (465 Bytes)
#7 | 02-14-10, 19:55 | evilfantasy (Malware Fighter, Tulsa, OK)
Re: Suspect malware - at least adware

Why did you run so many extra scans, some of which we don't use here? Try to stick with my instructions. It makes it easier for both of us if you do.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:
  • O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
  • O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
  • O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
  • O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
After clicking Fix checked, exit HijackThis.

Download The Avenger by Swandog46 and save it to your desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here window:

Code:
Comment:

Files to delete:
C:\WINDOWS\Temp\symlcsv1.exe

Folders to delete:
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\xhwhnl
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\sgqwvi
* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

* Add the Avenger log in your next post.
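Added example (not code from this thread, nor from HijackThis, DDS, ComboFix or MajorGeeks): a small triage pass over HijackThis/DDS-style log lines that automates the two things the helper picked out by hand in posts #4 and #7. It flags O2/O3/O18 registrations (BHOs, toolbars, protocol handlers) whose backing file is gone, which HijackThis prints as "(no file)", and a ProxyServer value that routes browser traffic through a loopback port, the pattern behind the "http=127.0.0.1:5555" line in the CFScript. The sample log is constructed from the lines quoted in the thread plus two benign lines (with a placeholder CLSID and a placeholder proxy host) for contrast.

```python
import re
from dataclasses import dataclass

# One HijackThis item carrying a CLSID, e.g.
#   O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
# Groups: kind (O2/O3/O18...), type (BHO/Toolbar/Protocol), name, clsid, path.
HJT_ITEM = re.compile(
    r"^(?P<kind>O\d+) - (?P<type>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.+)$"
)

# DDS-style proxy line, e.g. "uInternet Settings,ProxyServer = http=127.0.0.1:5555"
# ("u" = current user hive, "m" = machine hive in DDS output).
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def is_loopback_proxy(value: str) -> bool:
    """True if any entry in a 'http=host:port;https=host:port' value names a loopback host."""
    for entry in value.split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
        if host.startswith("127.") or host in ("localhost", "[::1]"):
            return True
    return False


def triage(lines):
    """Return a Finding for each suspicious line; lines that match nothing are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_ITEM.match(line)
        if m:
            # A registration whose file no longer exists is an orphan left
            # behind by a removal; it should be cleaned up, as in post #7.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(
                    line, f"{m.group('kind')} {m.group('type')} registered but its file is missing"))
            continue
        m = PROXY_LINE.match(line)
        if m and is_loopback_proxy(m.group("value")):
            # A proxy on a local port lets a resident process see and rewrite
            # every browser request, which fits the redirects described in post #1.
            findings.append(Finding(line, "browser proxy points at a loopback port"))
    return findings


# Constructed sample: the four HJT lines and the DDS proxy line quoted in the
# thread, plus a benign BHO (placeholder CLSID) and a benign proxy (placeholder host).
SAMPLE_LOG = [
    "O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)",
    "O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)",
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
    "O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)",
    "O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    "uInternet Settings,ProxyServer = http=proxy.example.com:8080",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Run against a real HijackThis or DDS log, it prints the same five items the helper asked to fix (four orphaned registrations and the loopback proxy) and stays silent on the benign entries; the "(no file)" and loopback checks are the only rules, so anything else in the log still needs a human eye.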
#8 | 02-15-10, 07:55 | goofyrocks (Private E-2)
Re: Suspect malware - at least adware

Sorry about the extra scans. I thought the info might be of use to you. No more, I promise.

The bouncy ads are back....

Here's the log.

Thank you again for all your help!

Sincerely,
GoofyRocks
Attached Files:
* avenger.txt (2.6 KB)
#9 | 02-15-10, 11:21 | evilfantasy (Malware Fighter, Tulsa, OK)
Re: Suspect malware - at least adware

Open Malwarebytes' Anti-Malware.

* Click the Update tab.
* Click Check for Updates
* If an update is found, it will download and install.
* Click the Scanner tab.
* Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Delete your current version of ComboFix and download it again!

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
#10 | 02-15-10, 12:05 | goofyrocks (Private E-2)
Re: Suspect malware - at least adware

Ok -
Two more logs as requested. Thanks again!
Attached Files:
* log.txt (20.8 KB)
* mbam-log-2010-02-15 (11-34-22).txt (869 Bytes)
#11 | 02-15-10, 16:28 | evilfantasy (Malware Fighter, Tulsa, OK)
Re: Suspect malware - at least adware

Quote:
The bouncy ads are back....
What sort of ads are these? Are they always the same or random?

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
#12 | 02-15-10, 19:51 | goofyrocks (Private E-2)
Re: Suspect malware - at least adware

They are a 2" by 2" box that tracks diagonally across the screen. The ad content changes and there is a name that starts with a v - Veritas I think. I also now have something called buzzdock on the Bing search engine - I just noticed this today - although I generally search with Bing... You are a gem for helping me!
GoofyRocks
#13 | 02-16-10, 11:24 | evilfantasy (Malware Fighter, Tulsa, OK)
Re: Suspect malware - at least adware

Let's get a log from ESET.

Using ESET's Online Scanner