pop-ups "s3.cookingluck.com"

Discussion in 'Malware Help (A Specialist Will Reply)' started by jacobmoh, May 23, 2008.

  1. jacobmoh

    jacobmoh Private E-2

    Can someone help me? I keep getting pop-up attacks on my Maxthon with the name "s3.cookingluck.com". Is this a virus of some sort?

    Please help. Thanks.
     
  2. abri

    abri MajorGeek

    Hi jacobmoh,
    Welcome to Major Geeks!


    This is malware. Please go through the instructions in the READ & RUN ME FIRST and attach the requested logs so we can figure out which files have been put on your computer that need to be removed.

    Thanks.
    abri
     
  3. jacobmoh

    jacobmoh Private E-2

    Thanks, abri, for the advice. I have completely run the SAS software. The popups are gone, but I am attaching the SAS log for your reference.

    Should I run the other software that I was asked to download?

    Thanks again.

    Jacob
     


  4. abri

    abri MajorGeek

    Hi jacobmoh,

    SuperAntiSpyware shows you have a LOT of viruses on your computer and it is limited in what it picks up. That's why we give you several different things. Please start at the beginning of the READ & RUN ME and go through all the instructions. You do not have to rerun SuperAntiSpyware since you already ran that. Nothing we ask you to do takes that long, and we can only really help you when you've gotten the logs for us to look at.

    abri
     
  5. jacobmoh

    jacobmoh Private E-2

    Abri, I have run the Anti-Malware software and attached is the log file as requested.

    Sorry it's taking so long, but I will run the other software asap.

    Thanks,
    Jacob
     


  6. jacobmoh

    jacobmoh Private E-2

    Hi abri,

    Attached is the combofix-log.txt. Thanks.

    Jacob
     


    Last edited: May 28, 2008
  7. jacobmoh

    jacobmoh Private E-2

    abri, I have run the last of the software - MGtools. I have attached the MGlogs.zip to this reply.

    Again, thanks for helping me with this problem. I hope to hear from you.

    Jacob
     


  8. abri

    abri MajorGeek

    Hi Jacobmoh,

    Please run the following:


    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Files Created Within group click 30 days
      • In the Files Modified Within group select 30 days
      • In the File String Search group select Non-Microsoft
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    Please post the resulting log here as an attachment.

    abri
     
  9. abri

    abri MajorGeek

    Hi Jacobmoh,

    After you do the scan in post 8, please continue with the following instructions:


    1) Please disable your guest account if this hasn't already been done.

    2) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure:
    sqmnoopt12.sqm


    3) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 7
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1


    4) Reboot after uninstalling the above.

    5) Install the current version of Sun Java from: Sun Java Runtime Environment


    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    7) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {9950DF4E-5C3B-4EFC-9995-A304C0CE88D4} - C:\WINDOWS\system32\xxyvtstT.dll (file missing)
    O2 - BHO: (no name) - {D7F0C9AA-1609-4A09-A153-62324D1D80FA} - C:\WINDOWS\system32\jkkIYrRk.dll (file missing)
    O2 - BHO: (no name) - {E8A6F61E-D2AC-43ED-91C9-B80C9018B9CA} - C:\WINDOWS\system32\mlJYrrpm.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"


    Are the following part of programs you know or want to keep? If not, please fix them as well.

    O2 - BHO: Malaysia online Toolbar - {2aa9d2c0-1cb7-4dd6-a87c-92e1ec62589f} - C:\Program Files\Malaysia_online\tbMala.dll
    O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
    O3 - Toolbar: Malaysia online Toolbar - {2aa9d2c0-1cb7-4dd6-a87c-92e1ec62589f} - C:\Program Files\Malaysia_online\tbMala.dll
    O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
    O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89/ibrowser/cibrowser_1_1_1_130.cab


    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti


    After you click fix, just close hijackthis.



    8) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    FILE::
    C:\term.bat
    C:\WINDOWS\elsq.exe
    C:\WINDOWS\SYSTEM32\nhatquanglan5.exe
    
    DIRLOOK::
    C:\Documents and Settings\user\Application Data\TmpRecentIcons
    C:\Documents and Settings\user\Application Data\WinRAR
    
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9950DF4E-5C3B-4EFC-9995-A304C0CE88D4}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7F0C9AA-1609-4A09-A153-62324D1D80FA}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8A6F61E-D2AC-43ED-91C9-B80C9018B9CA}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    9) Now run CCleaner at the default setting with the Windows tab as the top one.

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log. Also, if you have not yet attached it, the WinPFind log.


    Let me know how things are running now.

    abri
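
    The by-hand triage in step 7 and the REGISTRY:: lines in step 8 follow rules an analyst applies mechanically: an O2/O3 entry marked (file missing) is an orphaned registration whose DLL is already gone, a BHO with no name deserves suspicion, an O16 control fetched from a bare IP address deserves suspicion, and each O2 entry selected for removal maps one-to-one onto a [-HKEY_LOCAL_MACHINE\...\Browser Helper Objects\{CLSID}] line. The Python script below is an added example, not part of the thread and not a MajorGeeks tool. It parses a handful of the HijackThis lines quoted above (the sample log is constructed from the entries in post 9), applies those rules, and emits the matching CFScript registry lines. The verdict names and the rules themselves are my own assumptions, not HijackThis or ComboFix behaviour.

```python
import re
from urllib.parse import urlparse

# Constructed sample: six HijackThis lines copied from the entries listed in
# post 9. This script is an added example, not a MajorGeeks tool.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9950DF4E-5C3B-4EFC-9995-A304C0CE88D4} - C:\WINDOWS\system32\xxyvtstT.dll (file missing)
O2 - BHO: Malaysia online Toolbar - {2aa9d2c0-1cb7-4dd6-a87c-92e1ec62589f} - C:\Program Files\Malaysia_online\tbMala.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89/ibrowser/cibrowser_1_1_1_130.cab
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One pattern per HijackThis section modelled here (O2 BHOs, O3 toolbars,
# O4 autostarts, O16 ActiveX downloads). A trailing "(file missing)" is
# captured separately so the triage can key on it.
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
    "O3": re.compile(rf"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "O16": re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
}

# Key Internet Explorer reads BHO registrations from; the CFScript lines in
# post 9 delete subkeys of it.
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_entry(line):
    """Split one HijackThis line into a dict, or None for sections not modelled."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["kind"] = kind
            entry["file_missing"] = bool(entry.pop("missing", None))
            return entry
    return None


def is_ip_literal(host):
    """True for a dotted-quad host such as 202.71.104.89 (assumed rule: no DNS name, no reputation)."""
    return re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", host) is not None


def triage(entry):
    """Return (verdict, reason) for one parsed entry. Verdicts are this example's own names."""
    kind = entry["kind"]
    if kind in ("O2", "O3"):
        if entry["file_missing"]:
            return "remove", "registration points at a DLL that no longer exists (orphaned add-on)"
        if entry["name"] == "(no name)":
            return "suspicious", "add-on registered without a name; legitimate vendors almost always set one"
        return "review", "third-party browser add-on; keep only if the user knowingly installed it"
    if kind == "O16":
        host = urlparse(entry["url"]).hostname or ""
        if is_ip_literal(host):
            return "suspicious", f"ActiveX control downloaded from a bare IP address ({host})"
        return "review", f"ActiveX control from {host}; keep only if that site is trusted"
    if kind == "O4":
        return "review", f"autostart under {entry['hive']}\\..\\{entry['key']}; remove if not needed at boot"
    return "review", "no rule for this section"


def triage_log(text):
    """Parse and triage every modelled line; returns a list of (entry, verdict, reason)."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            verdict, reason = triage(entry)
            results.append((entry, verdict, reason))
    return results


def cfscript_registry_lines(entries):
    """Build the REGISTRY:: section of a CFScript that deletes the registration
    of every O2 entry triaged as 'remove', in the same form as post 9, step 8."""
    lines = ["REGISTRY::"]
    for e in entries:
        if e["kind"] == "O2" and triage(e)[0] == "remove":
            lines.append(f"[-{BHO_KEY}\\{e['clsid']}]")
    return lines


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for entry, verdict, reason in results:
        label = entry.get("clsid") or entry["name"]
        print(f"{entry['kind']:<3} {verdict:<10} {label}: {reason}")
    print()
    print("\n".join(cfscript_registry_lines([e for e, _, _ in results])))
```

    Run as-is it prints one verdict per entry and then the REGISTRY:: block, which for this sample contains only the orphaned xxyvtstT.dll BHO. The "review" verdicts show the limit a static rule set shares with the forum approach: the Ulead, Yahoo and Winamp autostarts can only be judged by someone who knows what was deliberately installed, which is why the helper asks rather than decides.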
     
  10. jacobmoh

    jacobmoh Private E-2

    abri, I need your help to locate the WinPFind3u.exe software you asked me to download and run. I can't seem to find it. When I click the link, it leads to a "page cannot be found" browser page. Please help. Thanks.

    Jacob
     
  11. abri

    abri MajorGeek

    Hmmm ... well that is too bad! It seems to have been pulled from all the sites. Please go ahead with the other instructions and we'll see if we can remove anything related to that manually. If you've already run the instructions in post 9, please attach the combofix log and get a fresh set of MGlogs.zip. Do NOT rerun combofix, as we need to see the log which was produced by running the instructions in post 9 and if you've already done those instructions, rerunning it will overwrite the results we want to see. If you didn't do the instructions in post 9, then please do them including the Combofix instructions. With the MGlogs, it is good for them to be as current as possible, so if you need to you can rerun those as per the instructions in post 9, step 10.

    I will be gone for a few days. If someone else has time to help you, they will. Otherwise, thanks for being patient.

    abri
     
  12. jacobmoh

    jacobmoh Private E-2

    Abri, things are running fine now. No more pop-ups.

    Thanks very much for assisting me with my problem. Will be visiting Major Geeks more often now.

    Regards,
    Jacob
     
  13. abri

    abri MajorGeek

    Hi jacobmoh,

    I'm glad things are working better. I would like to post the final cleanup instructions to you, so that you can get all our tools and logs out of your computer, but I am hesitant to do this until you've attached the Combofix log so I can see if the files which needed deleting got deleted and to see the contents of the two folders I asked about. Additionally, I need the new MGlogs.zip which is produced when you double click on C:\MGTools\GetLogs.bat and allow it to run. I would feel better if I could confirm that everything really is in order.

    Thanks.
    abri
     
