Vibrant ads and MSN sending spam from my email

Discussion in 'Malware Help (A Specialist Will Reply)' started by PlookoTad, Sep 27, 2010.

  1. PlookoTad

    PlookoTad Private E-2

    Thank you for your helpful service. I am trying to help a friend fix his computer. The first problem he had was his MSN email sending spam to random members of his contact list. I have run your READ & RUN ME FIRST protocol and am attaching the logs. No spam has gone out from his account today, but unwanted floating pop-up ads are still appearing (they each have the word "Vibrant" listed near the close box). I suspect, therefore, that I didn't get all the malware removed. Any help you can provide would be most appreciated.
     

    Attached Files:

  2. PlookoTad

    PlookoTad Private E-2

    Here is the last log.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.

    As I go through your logs, please take a look at this because I think it applies to you ;)

    IntelliTXT help me permanently disable this!
     
    Last edited: Sep 27, 2010
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ask.com Toolbar <--- uninstall this

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\HP_Owner\Templates\664514575
    C:\Documents and Settings\HP_Owner\Templates\F2tkIp4
    C:\Documents and Settings\HP_Owner\Templates\jh40y5l 
    Registry:: 
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]     
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me just pop in to make a comment. Vibrant Media ads are not malware. They are advertising boxes that will appear as your mouse moves over various keywords on the webpages you are viewing. These are quite normal on many sites ( even Major Geeks main site ) as it is a source of revenue to keep the sites running.
     
  6. PlookoTad

    PlookoTad Private E-2

    Thank you, chaslang, for your note on Vibrant Media. I had kind of figured that out from Kestrel13!'s link, and I definitely want MajorGeeks to have enough revenue to stay around. You people are tremendous!

    And thank you, Kestrel13!, for your response. Oops, you made me remember that I had forgotten to tell you about an error that occurred while I was doing the READ & RUN ME FIRST steps. I did try to remove Ask.com Toolbar with Add/Remove Programs, but couldn't. Here's what happens:

    After I answer "Yes" to "Are you sure you want to remove Ask.com Toolbar from your computer?" I get this message from Windows Installer:

    The feature you are trying to use is on a network resource that is unavailable. Click OK to try again or enter an alternative path to a folder containing the installation package Ask.com Toolbar.msi

    Use source:
    C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\{172C46F9-F9A5-4CC4-964B-563351AEA463}\

    If I click OK I get one of two messages:

    Add or Remove Programs
    The installation source for this product is not available. Verify that the source exists and that you can access it.
    or

    ! The Path 'C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\{172C46F9-F9A5-4CC4-964B-563351AEA463}\Ask.com Toolbar.msi' cannot be found. Verify that you have access to this location and try again, or try to find installation package 'Ask.com Toolbar.msi' in a folder from which you can install the product Ask.com Toolbar.

    It does not remove Ask.com Toolbar from the list of programs. Also, on this computer, there is a folder in C:\Program Files that is called Ask.com and in it are four files:
    • config.xml
    • GenericAsk Toolbar.dll
    • mupcfg.xml
    • UpdateTask.exe

    Is there a way to remove Ask.com Toolbar manually? I created the CFscript.txt file as you requested, but I haven't run it with ComboFix yet, because I wasn't able to complete your first command. Your help is greatly appreciated,
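The "installation source is not available" prompt above is Windows Installer failing to find both the original source folder and its own cached copy of the package. The following read-only PowerShell script is an added example (not from this thread, not a MajorGeeks tool) that shows what Windows Installer has recorded for a product, so you can see whether the source path and cached package still exist before deciding on a manual removal. It assumes Windows PowerShell on the affected machine; the product name is taken from the thread and is the only thing to change for another product.

```powershell
# Added example: diagnose a Windows Installer uninstall that prompts for a
# missing source. Read-only, changes nothing. Assumes Windows PowerShell and
# a product whose DisplayName contains $productName.
$productName = 'Ask.com Toolbar'   # name from the thread; adjust for other products

# Windows Installer records each install under UserData\<SID>\Products\<code>\
# InstallProperties. S-1-5-18 holds per-machine installs; a user SID holds
# that user's per-user installs. Searching every SID covers both.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
$propertyKeys = Get-ChildItem -Path "$root\*\Products\*" -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.PSPath)\InstallProperties" } |
    Where-Object { Test-Path -LiteralPath $_ }

$found = 0
foreach ($key in $propertyKeys) {
    $p = Get-ItemProperty -Path $key
    if (-not $p.DisplayName -or $p.DisplayName -notlike "*$productName*") { continue }
    $found++

    # LocalPackage is the cached MSI (normally under C:\Windows\Installer) that
    # uninstall falls back to; InstallSource is the folder the MSI came from.
    # When both are gone, Windows Installer shows exactly the prompt quoted in
    # the thread and asks for a path to the .msi.
    $cached = $p.LocalPackage
    $source = $p.InstallSource
    New-Object PSObject -Property @{
        DisplayName     = $p.DisplayName
        UninstallString = $p.UninstallString
        LocalPackage    = $cached
        CachedPresent   = [bool]($cached -and (Test-Path -LiteralPath $cached))
        InstallSource   = $source
        SourcePresent   = [bool]($source -and (Test-Path -LiteralPath $source))
        RegistryKey     = $key
    } | Format-List DisplayName, UninstallString, LocalPackage, CachedPresent,
                    InstallSource, SourcePresent, RegistryKey
}

if ($found -eq 0) {
    "No Windows Installer record found for '$productName'."
}
```

If CachedPresent and SourcePresent are both False, Add/Remove Programs cannot complete the uninstall on its own, which is why the thread moves on to a dedicated uninstaller and then a manual cleanup of the leftover files, folder and registry entries. The script reports only; it is meant to confirm the cause, not to remove anything.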
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go ahead and run the fix Kes gave you. Then get her the new logs and she can help you remove the Ask toolbar.
     
  8. PlookoTad

    PlookoTad Private E-2

    Thank you. I ran the fix and here are the logs.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please try using Your Uninstaller first to uninstall ASK, however if it fails, then move onto this manual fix below:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    Folder::
    c:\program files\Ask.com
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Then you may need to use something like this Add/Remove Pro to get rid of the entry in your add/remove programs.

    Tell me what these files are?

    • C:\Documents and Settings\NetworkService\Local Settings\Application Data\4pXA
    • C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3lH
    • C:\Documents and Settings\NetworkService\Local Settings\Application Data\GSk38k4
    • C:\Documents and Settings\NetworkService\Local Settings\Application Data\JH40y5L
    • C:\Documents and Settings\NetworkService\Local Settings\Application Data\mHU3Jy
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and answer my questions about those files.
     
  10. PlookoTad

    PlookoTad Private E-2

    Thank you again, Kestrel13! for your helpful suggestions.

    1. Yesterday, my friend's antivirus program gave him a message that it had blocked a new threat, and so he ran the SUPERAntiSpyware and Malwarebytes' Anti-Malware scans again. The second one found something and deleted it. I have attached those logs as well as the ones you requested.

    2. Your Uninstaller seemed to take care of the Ask.com Toolbar. But I ran your fix also, just to be sure. I have attached the combofix and MGTools logs.

    3. Also, since I started helping my friend with this malware problem, his printer suddenly quit being able to print anything from the web. Instead of printing (from his IE8 browser), the computer will now beep (one or four times) when asked for a printout, but nothing prints. Print Preview shows a blank page with an odd footer, such as "file://C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\SS2PDNRM.htm" The letters before the ".htm" change. Is this related to the malware infestation? Can it be fixed as well?

    4. About those 5 files you listed from "C:\Documents and Settings\NetworkService\Local Settings\Application Data\..."? I have NO idea what they are.

    Your help is SO appreciated.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\4pXA
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3lH
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\GSk38k4
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\JH40y5L
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\mHU3Jy
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Any other problems you may be having you will have to resolve in the software forum.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Don't forget the new SAS log.
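Each of the three ComboFix scripts in this thread (posts 4, 9 and 11) uses the same CFScript layout: a section header ending in `::`, then one target per line, with `[-KEY]` meaning delete a key and `"name"=-` meaning delete a value under the key named in the preceding `[KEY]` line. The script below is an added example, not ComboFix's or MajorGeeks' own code: it reads the saved CFscript.txt and re-checks every File::, Folder:: and Registry:: target after the run, so the leftover list answers "did the fix actually take?" before the new logs are posted. It is read-only and assumes Windows PowerShell 2.0 or later and that CFscript.txt is still on the Desktop where the instructions have you save it; treating `\~\` as ComboFix's shorthand for the Explorer key is an assumption based on how ComboFix logs abbreviate that path.

```powershell
# Added example, not ComboFix's or MajorGeeks' code: verify a CFScript's targets
# are gone. Read-only, deletes nothing. Assumes Windows PowerShell 2.0+ and
# CFscript.txt on the Desktop.
$scriptPath = Join-Path $env:USERPROFILE 'Desktop\CFscript.txt'

# Map CFScript hive names onto PowerShell registry paths. "\~\" is taken to be
# ComboFix's abbreviation for the Explorer key (assumption, see lead-in).
function Convert-CFKeyToPSPath {
    param([string]$Key)
    $k = $Key -replace '\\~\\', '\Software\Microsoft\Windows\CurrentVersion\Explorer\'
    $k = $k -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'
    $k = $k -replace '^HKEY_CURRENT_USER',  'HKCU:'
    $k = $k -replace '^HKEY_CLASSES_ROOT',  'Registry::HKEY_CLASSES_ROOT'
    $k = $k -replace '^HKEY_USERS',         'Registry::HKEY_USERS'
    return $k
}

# True if the named value still exists under the key (key missing => value gone).
function Test-RegValue {
    param([string]$PSPath, [string]$Name)
    if (-not (Test-Path -LiteralPath $PSPath)) { return $false }
    return [bool]((Get-Item -LiteralPath $PSPath).GetValueNames() -contains $Name)
}

function New-Result {
    param([string]$Kind, [string]$Target, [bool]$StillPresent)
    New-Object PSObject -Property @{ Kind = $Kind; Target = $Target; StillPresent = $StillPresent }
}

$section    = ''
$currentKey = $null
$results    = @()

foreach ($raw in (Get-Content -Path $scriptPath)) {
    $line = $raw.Trim()
    if ($line -eq '') { continue }

    # Section headers: "KILLALL::", "File::", "Folder::", "Registry::".
    if ($line -match '^(\w+)::$') { $section = $matches[1]; continue }

    switch ($section) {
        'File' {
            $results += New-Result 'File' $line (Test-Path -LiteralPath $line)
        }
        'Folder' {
            $results += New-Result 'Folder' $line (Test-Path -LiteralPath $line -PathType Container)
        }
        'Registry' {
            if ($line -match '^\[-(.+)\]$') {
                # "[-KEY]": the whole key should have been deleted.
                $target = $matches[1]
                $results += New-Result 'RegKey' $target (Test-Path -LiteralPath (Convert-CFKeyToPSPath $target))
            } elseif ($line -match '^\[(.+)\]$') {
                # "[KEY]": context for the "name"=- lines that follow.
                $currentKey = Convert-CFKeyToPSPath $matches[1]
            } elseif ($currentKey -and ($line -match '^"(.+)"=-$')) {
                # "name"=-: that value should have been deleted from the current key.
                $name = $matches[1]
                $results += New-Result 'RegValue' "$currentKey -> $name" (Test-RegValue $currentKey $name)
            }
        }
    }
}

$leftovers = @($results | Where-Object { $_.StillPresent })
$results | Sort-Object StillPresent -Descending | Format-Table Kind, StillPresent, Target -AutoSize
"{0} targets checked, {1} still present." -f $results.Count, $leftovers.Count
```

Anything listed with StillPresent = True is worth mentioning alongside the ComboFix log when posting the next set of logs, since it means that target survived the run (for example because a protection program was still running, or the file was in use at the time).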
     
  12. PlookoTad

    PlookoTad Private E-2

    Your willingness to help, Kestrel13!, is too great to express with words!

    I followed your latest suggestions and have attached the logs for your review. I was relieved to hear that my friend's printer challenge is probably not due to malware.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  14. PlookoTad

    PlookoTad Private E-2

    Kestrel13! (and the rest of you MajorGeeks malware fighters), thank you so much for your help. Thanks to your advice and instructions, my friend's PC is back up and running (except for that printer thing, which I took to another forum). He has learned some valuable lessons, I hope.

    For my part, I wish you and yours ultimate safety, peace, and vibrant good health. For my friend's part, he wanted to make a cash donation to MajorGeeks.com as a token of his appreciation--but I can't seem to find the link. Is there one?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    At the end of all of my posts there is a blue coloured link "Support Majorgeeks" Your friend could purchase some geekwear if he wanted. :)

    You're both welcome for the help. Take care and safe surfing!
     
