Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Online banking account hacked. Need to determine if an infection on my laptop caused it.


  • Please log in to reply
16 replies to this topic

#1 Subodh

Subodh

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 04 March 2011 - 12:35 PM

Hi,

I recently lost money from two of my banking accounts. Both are with the same bank and both were hacked in the same manner. Similar "under the radar" transactions were carried out. Though I did not lose much, I am worried that I may lose more in the future if I do not determine the cause for such loss.

So, I want to know if such hacking happened because of some infection on my computer that allowed someone else to trap my login IDs, passwords and other security codes used for banking. I use a Dell XPS M 1530 with Vista Home Premium with Eset Smart Security 4.2.71.2 installed. I use Firefox 3.6.13 and have NoScript installed. My OS is always up-to-date and I do not respond to any phishing e-mails (nor do I store any banking account related data on e-mail). Also, I do sometimes access the accounts from my wife's laptop which is an Acer with Vista Home Premium (always updated), Microsoft Security Essentials (always updated) with Google Chrome/IE 7 as the browser. Given that both machines are usually absolutely updated, I am perplexed as to what could have caused the hacking.

Can someone advice on how to go about finding out if there is an infection on my laptop or my wife's laptop that could have caused the hacking? Please help.

Best,
Subodh

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:16 AM

Posted 09 March 2011 - 02:00 PM

Hello and :welcome: to BleepingComputer.

Let's see what we're dealing with here.

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running. This is because some anti-malware software mistakenly detects RKill as malicious. Please refer to this page if you are not sure how to disable your security software.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
***************************************************

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes Log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Subodh

Subodh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 12 March 2011 - 09:36 PM

Hi Blade Zephon,

Thank you for your reply. Unfortunately, I was traveling and so got to this matter only today.

I ran both RKill and MBAM as per your instructions and here are the logs.

-----------------------------------------------------------------------------------------------
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 13-03-2011 at 7:17:43.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\system32\msfeedssync.exe


Rkill completed on 13-03-2011 at 7:17:48.
-----------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6039

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

13-03-2011 07:31:22
mbam-log-2011-03-13 (07-31-22).txt

Scan type: Quick scan
Objects scanned: 200420
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Subodh\x.exe (Trojan.KillAV) -> Quarantined and deleted successfully.
-----------------------------------------------------------------------------------------------

As far as I recall, 'x.exe' was a file that I had downloaded sometime in 2009, but never executed. Its' logo was like a "No Parking" sign and I had renamed the file from its' original name to 'x.exe'.

Just to add further, I did not have any trouble deleting any of the files with MBAM. However, MBAM did ask me to reboot, which I did without any trouble.

Please advise on what I should do next. In the meanwhile, I am planning to run these two programs on two additional laptops from where I access my bank account - my wife's laptop and my office laptop. Would it be okay to post the logs from those laptops in response to this post?

Best,
Subodh


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:16 AM

Posted 13 March 2011 - 01:38 AM

Hello.

In the meanwhile, I am planning to run these two programs on two additional laptops from where I access my bank account - my wife's laptop and my office laptop. Would it be okay to post the logs from those laptops in response to this post?


If the scans find something, then I'd be happy to take a look at the logs for you. However, please do not post them until we are finished dealing with this computer, so that things don't get confusing. :wink:

***************************************************

Let's cross check those results with another scan.

Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job.
Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean

NOTE:
It's normal after running TFC that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, log in under the account that you normally use; do NOT log in under the account titled "Admin" or "Administrator" unless this account is the one used normally.

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

~Blade


In your next reply, please include the following:
SUPERAntiSpyware Log
How is the computer running now?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 Subodh

Subodh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 18 March 2011 - 11:10 PM

Hello Blade Zephon,

Thanks :). You are right, I will wait to post details from the other laptops till after we have finished with this one.

Back to the current laptop, I ran TFC as well as SuperAntiSpyware Free (SASF) following your instructions. TFC cleared some 400+ MB of data that I did not know existed on my laptop :). As to SASF, below is the log. Overall, the laptop is running fine.

-----------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/19/2011 at 02:12 AM

Application Version : 4.50.1002

Core Rules Database Version : 6626
Trace Rules Database Version: 4438

Scan type : Complete Scan
Total Scan Time : 02:35:55

Memory items scanned : 341
Memory threats detected : 0
Registry items scanned : 10383
Registry threats detected : 0
File items scanned : 192093
File threats detected : 10

Adware.Tracking Cookie
C:\Users\Subodh\AppData\Roaming\Microsoft\Windows\Cookies\subodh@atdmt[2].txt
C:\Users\Subodh\AppData\Roaming\Microsoft\Windows\Cookies\subodh@content.yieldmanager[1].txt
C:\Users\Subodh\AppData\Roaming\Microsoft\Windows\Cookies\subodh@ad.yieldmanager[2].txt
.doubleclick.net [ C:\Users\Subodh\AppData\Roaming\Mozilla\Firefox\Profiles\bgj1rl9l.default\cookies.txt ]
.ads.clicksor.com [ C:\Users\Subodh\AppData\Roaming\Mozilla\Firefox\Profiles\bgj1rl9l.default\cookies.txt ]
.adbrite.com [ C:\Users\Subodh\AppData\Roaming\Mozilla\Firefox\Profiles\bgj1rl9l.default\cookies.txt ]
.adbrite.com [ C:\Users\Subodh\AppData\Roaming\Mozilla\Firefox\Profiles\bgj1rl9l.default\cookies.txt ]
.adbrite.com [ C:\Users\Subodh\AppData\Roaming\Mozilla\Firefox\Profiles\bgj1rl9l.default\cookies.txt ]
.apmebf.com [ C:\Users\Subodh\AppData\Roaming\Mozilla\Firefox\Profiles\bgj1rl9l.default\cookies.txt ]
.myroitracking.com [ C:\Users\Subodh\AppData\Roaming\Mozilla\Firefox\Profiles\bgj1rl9l.default\cookies.txt ]
-----------------------------------------------------------------------------------------

Please let me know how to proceed further from here. I have also heard something about rootkits. Would you please advise whether I should check for something like that?

Would also like to add here that my responses may be a little slow, because I am usually getting time only around weekends to run tests you are advising.

Best,
Subodh


#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:16 AM

Posted 19 March 2011 - 05:35 PM

Hello.

Have you used a known clean computer to change all your passwords, particularly those relating to banking or other sensitive information? If not. . . you should do that immediately. I would also recommend alerting your bank or other financial institution that your accounts were compromised. . . depending on the organization they may have policies in place to help recover what was lost.

I see no reason to suspect a rootkit on this machine. If the machine is running fine, then I think it's good to go.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 Subodh

Subodh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 20 March 2011 - 10:15 AM

Hi Blade Zephon,

Thanks for the concern. I have already informed the bank and reported the matter to the police as well. I have also blocked the online banking facility for some time, till matters are sorted out.

I gather from your response that my machine is not infected and I can resume transacting online from this laptop. Thank you for your help and advise :thumbsup:.

I am also assuming that now I can check the other laptops and post the details from there :). I will start with my wife's laptop with the RKill and MBAM tests. The third laptop is from my office and has several group policies running on it. So, I would like to deal with it in the end.

Thanks for your continued advise.

Best,
Subodh


#8 Subodh

Subodh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 21 March 2011 - 10:46 AM

Hi Blade Zephon,

I ran a scan on my wife's machine.

I ended up running RKill two times consecutively. And here are the logs:

--RKill - Log 1--------------------------------------------------------------------------
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 21-03-2011 at 20:29:36.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Users\Vaishali\AppData\Local\Temp\RtkBtMnt.exe
xe


Rkill completed on 21-03-2011 at 20:29:43.
--RKill - Log 1--------------------------------------------------------------------------

--RKill - Log 2--------------------------------------------------------------------------
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 21-03-2011 at 20:33:24.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\System32\grpconv.exe


Rkill completed on 21-03-2011 at 20:33:30.
--RKill - Log 2--------------------------------------------------------------------------

Here is the MBAM Log:
--MBAM Log--------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6119

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

21-03-2011 20:49:06
mbam-log-2011-03-21 (20-49-06).txt

Scan type: Quick scan
Objects scanned: 147856
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
--MBAM Log--------------------------------------------------------------------------

Please advise the next course of action.

Best,
Subodh


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:16 AM

Posted 24 March 2011 - 04:39 AM

Hello.

Please run the steps outlined in Post 4 on the second machine, and post the logs.

~Blade

In your next reply, please include the following:
SUPERAntiSpyware Log
How is the computer running?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 Subodh

Subodh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 26 March 2011 - 01:22 PM

Hi Blade Zephon,

I have hit a roadblock with my wife's computer. I was able to run TFC without any hassles. I was also able to install and update SAS. But, I am unable to boot into the safe mode. It actually initiates the safe mode, loads a ton of system files and then just restarts the machine all over again forcing a normal boot. I have experienced this problem with her machine earlier as well and have not thought much of it. But, now I am suspicious.

Anyways, I did some search and came across a utility called SafeBootKeyRepair and it was downloadable from Bleeping Computer. So, I got a little ahead of myself, actually downloaded this utility and attempted to run it. My wife's machine is a Vista machine and it gave me the following error when I ran the file.

--SafeBootKeyRepair Error---------------------------------------------------------------------------------------------

Unsupported Version
Error! Unsupported OS or version mismatch.

This batch will only run on Windows 2000 or XP. Please press any key to exit.

Press any key to continue . . .

--SafeBootKeyRepair Error---------------------------------------------------------------------------------------------

I am not sure if this is normal or not, because I think I read on one of the Bleeping Computer posts that this file runs on Vista. And I did run the file as an administrator.

Net result, though, is that I am unable to run SAS in the safe mode. Please advise.

Best regards,
Subodh


#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:16 AM

Posted 26 March 2011 - 06:43 PM

Hello.

Go ahead and try running SAS in normal mode.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#12 Subodh

Subodh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 27 March 2011 - 02:22 PM

Hi Blade Zephon,

I ran SAS in the normal mode and here is the log.

-----------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/27/2011 at 06:50 PM

Application Version : 4.50.1002

Core Rules Database Version : 6683
Trace Rules Database Version: 4495

Scan type : Complete Scan
Total Scan Time : 01:59:44

Memory items scanned : 572
Memory threats detected : 0
Registry items scanned : 8920
Registry threats detected : 7
File items scanned : 148016
File threats detected : 23

Adware.IWinGames
HKU\S-1-5-21-832400294-3336927222-1247324870-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}

Adware.Tracking Cookie
C:\Users\Vaishali\AppData\Roaming\Microsoft\Windows\Cookies\vaishali@adtech[1].txt
ad.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adinterax.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adinterax.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.statcounter.com [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\Vaishali\AppData\Local\Google\Chrome\User Data\Default\Cookies ]

Adware.MyWebSearch/FunWebProducts
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSIMG32.DLL
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\RICHED20.DLL

-----------------------------------------------------------------------------------------

Please advise next steps.

Best regards,
Subodh


#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:16 AM

Posted 31 March 2011 - 12:27 PM

Hello.

Sorry for the delay.

Apart from the issues with Safe Mode, which we'll get to, how's the computer running?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#14 Subodh

Subodh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 02 April 2011 - 11:46 AM

Hi Blade Zephon,

Other than the safe mode issue, the computer is running fine. Given the logs, do you feel the computer is infected/needs to be tested further?

Also, can you advise on the safe mode issue as well please?

Thanks.

Best regards,
Subodh

Edited by Subodh, 02 April 2011 - 11:47 AM.


#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:16 AM

Posted 04 April 2011 - 12:52 PM

Hello.

I see no real evidence of a serious infection on your machine; all that was found were some minor adware items, which were eliminated.

Regarding Safe Mode, please try running Startup Repair. This should be accessible from the same F8 menu used to boot into safe mode. If it is not you can run it from your Vista DVD.

Let me know if that helps.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users