
Here's the deal.


  • This topic is locked
21 replies to this topic

#1 Zestypanda


Posted 29 August 2011 - 07:45 PM

Okay, so it all started about 5 o'clock around here (it's 5:36 pm where I am now). I'm working on a bootable tech USB, so I need to get Easyuha to open a .uha archive, so I go to software.informer.com. There are two versions up, 1.0 and 1.6; I pick 1.0 (didn't see 1.6 before). It says "this software is not hosted on our server, are you sure you want to continue". I click yes, because I thought, hey, it must be safe... right? So I go to the site; it's all in Chinese, and a bunch of Flash-based popups come up, ads and stuff. I click exit on all of them and navigate away. I then notice that they have version 1.6 on software.informer also, so I take a look: same message, "not hosted on our servers, blah blah". So I go okay, and I scroll down to click on the outgoing link, and what do I see: "the link to the publisher of this software has been removed due to the fact that their website might harm your computer". Great -_- So just to be safe I look in my Task Manager and I find 20 instances of IE running, no windows though. On top of this I had just uninstalled mbam to reinstall it (stupid, right, I know), so I have no mbam, and my antivirus didn't detect anything. So yeah, I'm here again due to my lack of thinking. I know the drill. Just wanted to fill you guys in *sigh*

Link to 1.6 (has notice): hxxp://easy-uharc.software.informer.com/1.6/
Link to 1.0 (no notice, I clicked the page on this version): hxxp://easy-uharc.software.informer.com/

Deactivated links. ~ OB

Edited by Orange Blossom, 30 August 2011 - 10:20 PM.

Have a question, or just wanna chat? Send me a message. Or add me as a friend.

 



#2 cryptodan


Posted 29 August 2011 - 07:50 PM

Can you see if you can get SAS portable on a flash drive?

SAS Portable
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#3 Zestypanda


Posted 29 August 2011 - 07:53 PM

Okay, I'm downloading it right now.



#4 Zestypanda


Posted 29 August 2011 - 07:55 PM

Okay, I'll see if that works. I was able to make it to the mbam download screen and am downloading mbam; should I run that after SAS, if I can?



#5 cryptodan


Posted 29 August 2011 - 08:01 PM

Yes you should.

#6 Zestypanda


Posted 29 August 2011 - 09:29 PM

It only found tracking cookies. It deleted the logs; I forgot to copy them before I exited, and it deleted them when I exited. I downloaded the .com version.



#7 cryptodan


Posted 29 August 2011 - 09:33 PM

Try downloading mbam to a flash drive and installing it.

#8 Zestypanda


Posted 29 August 2011 - 10:16 PM

Okay, did so and installed mbam. Now for the real test: will it update, and then will it scan?



#9 Zestypanda


Posted 29 August 2011 - 10:21 PM

Okay, updated, and I am performing a full scan.



#10 Zestypanda


Posted 30 August 2011 - 12:51 AM

Mbam log. What is it with adware and my computer? I don't download random programs!!! I only download stuff I know, or I research it!!! :angry:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7607

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

8/29/2011 10:50:09 PM
mbam-log-2011-08-29 (22-50-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 433367
Time elapsed: 1 hour(s), 29 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#11 Zestypanda


Posted 30 August 2011 - 02:55 AM

I know where I got the adware from! Cnet.com, aka download.com: they have started repackaging programs into their own downloader that wants you to change your homepage and tries to add a toolbar to IE and Firefox!



#12 cryptodan


Posted 30 August 2011 - 06:47 AM

I don't see anything so far.

Now GMER

GMER does not work in 64-bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
  -- If you encounter any problems, try running GMER in safe mode.
  -- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.

#13 Zestypanda


Posted 30 August 2011 - 02:25 PM

Okay, before I run GMER, I just wanted to say the crashing and BSODs have not been happening ever since I changed the sound drivers.



#14 Zestypanda


Posted 30 August 2011 - 02:54 PM

Gmer log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-30 12:53:26
Windows 6.1.7601 Service Pack 1
Running: 7x7r5d07.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004e9e9235
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004e9e9235 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@iaiblbekkhecjkckkc 0x69 0x61 0x6B 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@hacefgagedhfiejc 0x69 0x61 0x6B 0x63 ...

---- EOF - GMER 1.0.15 ----



#15 cryptodan


Posted 30 August 2011 - 03:37 PM

You may want to get a much deeper look per this:

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@iaiblbekkhecjkckkc 0x69 0x61 0x6B 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@hacefgagedhfiejc 0x69 0x61 0x6B 0x63 ...



Please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.
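As an added example (not from this thread, and not part of GMER itself), here is a small Python triage script for the "Reg" lines that cryptodan singles out above: it parses GMER's registry section and flags values under Shell Extensions\Approved whose names are not GUIDs and whose data GMER printed as a raw byte dump, which is the pattern seen in the two flagged lines. The sample log text is constructed from the lines quoted above plus one benign-looking Approved value that is hypothetical (placeholder GUID), so the filter has something it should not flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Shell Extensions\Approved lines and one BTHPORT line from
# the GMER log above, plus one benign-looking Approved value (hypothetical, placeholder GUID).
SAMPLE_GMER_LOG = r"""Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@iaiblbekkhecjkckkc 0x69 0x61 0x6B 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@hacefgagedhfiejc 0x69 0x61 0x6B 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{00000000-0000-0000-0000-000000000000} Placeholder Shell Extension
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HEX_BYTES_RE = re.compile(r"^(?:0x[0-9A-Fa-f]{2}\s*)+(?:\.\.\.)?$")

@dataclass
class RegEntry:
    key: str               # registry key path as GMER printed it
    value: Optional[str]   # value name after '@', if the line names a value
    data: Optional[str]    # data preview printed after the value name, if any

def parse_reg_line(line: str) -> Optional[RegEntry]:
    """Parse one 'Reg <key>[@<value> [<data>]]' line from a GMER registry section."""
    if not line.startswith("Reg "):
        return None
    body = line[4:].strip()
    key, value, data = body, None, None
    if "@" in body:
        key, rest = body.split("@", 1)          # key paths may contain spaces, values may not
        parts = rest.split(None, 1)
        value = parts[0] if parts else ""
        data = parts[1].strip() if len(parts) > 1 else None
    return RegEntry(key.rstrip(), value, data)

def suspicious_approved_entries(log_text: str) -> List[RegEntry]:
    """Approved normally maps {GUID} -> friendly name; flag values under it whose
    name is not a GUID and whose data GMER printed as a raw byte dump."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_reg_line(line)
        if entry is None or entry.value is None:
            continue                              # key-only lines carry no value to judge
        if "\\shell extensions\\approved" not in entry.key.lower():
            continue                              # only this key's contents are in scope here
        if not GUID_RE.match(entry.value) and entry.data and HEX_BYTES_RE.match(entry.data):
            hits.append(entry)
    return hits
```

Run it over a saved gmer.log instead of SAMPLE_GMER_LOG to get the same two entries cryptodan quoted as the only hits; anything it flags is a candidate for the deeper look he recommends, not a verdict.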



