
Hijack this would not save log file...


  • This topic is locked
10 replies to this topic

#1 driveguy

  • Members
  • 21 posts

Posted 10 June 2012 - 05:01 PM

I followed the prep guide, but was not able to get DDS to run. Boopme told me about OTL, here are the results.

Also, downloads stop, Netflix stops. Two other computers on Verizon FiOS here are fine. Win7 64, wireless to Verizon FiOS router. AMD 1100 6 core, ASUS Sabertooth 990, Intel SSD, 16 gigs RAM.

Running Malwarebytes, SUPERAntiSpyware, MSE.

Tanks, big ones!


#2 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 12 June 2012 - 01:44 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Run OTL - Double-click OTL.exe to start it.

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzuyDyEtDyE0AyCyE0D0DtA0FtDyDyByDyDtN0D0TzutBtDtCtBtDyDtBzy&cr=1465270617
    IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzuyDyEtDyE0AyCyE0D0DtA0FtDyDyByDyDtN0D0TzutBtDtCtBtDyDtBzy&cr=1465270617
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzuyDyEtDyE0AyCyE0D0DtA0FtDyDyByDyDtN0D0TzutBtDtCtBtDyDtBzy&cr=1465270617
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzuyDyEtDyE0AyCyE0D0DtA0FtDyDyByDyDtN0D0TzutBtDtCtBtDyDtBzy&cr=1465270617
    IE - HKU\S-1-5-21-453652613-1583451861-4089997484-1000\..\SearchScopes\{0C5063A3-DA0E-4F5A-810C-26E3788A8530}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=C1FB3F69-2EAF-4285-94FC-42B54B05B397&apn_sauid=2716273C-9CEA-48B2-971D-2F9446EEB330
    IE - HKU\S-1-5-21-453652613-1583451861-4089997484-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzuyDyEtDyE0AyCyE0D0DtA0FtDyDyByDyDtN0D0TzutBtDtCtBtDyDtBzy&cr=1465270617
    CHR - default_search_provider: search_url = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzuyDyEtDyE0AyCyE0D0DtA0FtDyDyByDyDtN0D0TzutBtDtCtBtDyDtBzy&cr=1465270617
    CHR - Extension: PriceGong = C:\Users\driveguy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkomkajifikmkfnjgphkjcfeepbnojok\5.6.4_0\
    CHR - Extension: Funmoods = C:\Users\driveguy\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.5.1_0\
    O2 - BHO: (VideoFileDownload) - {9194649F-7143-4308-90C1-D6A35B0E354E} - C:\Program Files (x86)\OApps\bho_project.dll (VideoFileDownload)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\viprotocol - No CLSID value found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Please let me know what problem persists.
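As an added example (not part of nasdaq's fix and not OTL's own code), here is a small Python script that parses OTL-style IE start page, SearchScopes and Chrome default_search_provider lines like the ones in the fix above and flags entries whose URL points at a host outside an assumed allowlist of search engines the user actually chose. The sample lines are constructed from the entries on this page with the tracking parameters shortened and the user SID replaced by a placeholder.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the OTL line format used by the fix above. The tracking
# parameters of the real entries are shortened and the user SID is a placeholder.
SAMPLE_OTL = r"""
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}
IE - HKU\S-1-5-21-PLACEHOLDER-1000\..\SearchScopes\{0C5063A3-DA0E-4F5A-810C-26E3788A8530}: "URL" = http://websearch.ask.com/redirect?client=ie&q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
CHR - default_search_provider: search_url = http://start.funmoods.com/results.php?f=4&q={searchTerms}
CHR - Extension: Funmoods = C:\Users\driveguy\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.5.1_0\
O18:64bit: - Protocol\Handler\viprotocol - No CLSID value found
"""

# Assumed allowlist of search hosts the user deliberately chose; adjust per machine.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Matches IE start page / SearchScopes lines and Chrome default_search_provider
# lines whose value is a URL. Extension paths and O18 handlers do not match.
URL_LINE = re.compile(
    r"^(?P<browser>IE|CHR)(?::64bit:)? - (?P<setting>.+?) = (?P<url>https?://\S+)$"
)

def find_search_hijacks(log_text, allowlist=KNOWN_SEARCH_HOSTS):
    """Return (findings, host_counts) for start-page and search-provider
    entries whose URL host is not in the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = URL_LINE.match(line.strip())
        if not m:
            continue
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host in allowlist:
            continue
        findings.append({"browser": m.group("browser"),
                         "setting": m.group("setting"),
                         "host": host})
    # The same host repeated across hives and browsers points to one hijacker.
    return findings, Counter(f["host"] for f in findings)

if __name__ == "__main__":
    findings, counts = find_search_hijacks(SAMPLE_OTL)
    for f in findings:
        print(f"{f['browser']:<3} {f['host']:<22} {f['setting']}")
    print("hosts:", dict(counts))
```

Entries for the same unexpected host in both the 64-bit and 32-bit IE keys, the per-user hive and Chrome, as in the fix above, show up as one host with a count rather than four unrelated findings.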

#3 driveguy

  • Topic Starter
  • Members
  • 21 posts

Posted 12 June 2012 - 05:34 PM

Here is the log file after Run Fix and reboot. Thanks.

Attached Files

  • OTL2.Txt (91.76KB)


#4 driveguy

  • Topic Starter
  • Members
  • 21 posts

Posted 12 June 2012 - 05:37 PM

Nasdaq,
It seems the download problem persists: web page downloads freeze, email downloads freeze, and I still cannot get HijackThis to save a log file.
Thanks,
Joe

Edited by driveguy, 12 June 2012 - 05:41 PM.


#5 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 13 June 2012 - 08:12 AM

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

===

After you have run the rkill tool do not restart the computer.

Try to run the DDS tool and submit the log.

Keep me posted if you cannot run it.

#6 driveguy

  • Topic Starter
  • Members
  • 21 posts

Posted 14 June 2012 - 05:41 PM

I ran RKill; it terminated two processes:

C:\Users\driveguy\AppData\LocalLow\alotservice\alotservice.exe
and

c:\Windows\SysWOW64\rundll32.exe

I ran HijackThis right away but had the same problems.

First it reports not finding the 'hosts' file in ...\drivers, then I cannot save the log file. This sounds pretty funky. At this point I have no problem with scrubbing the system and reloading Windows. Is that a path I should consider? I would like to find out what this thing is.

Thanks.

#7 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 15 June 2012 - 09:21 AM

An easier way would be to start the computer in Safe Mode and select "Last Good Configuration".

As for knowing what the problem is we may never find out.

I do not know what operating system you have.
If you need help with this, search for "last good configuration" on Google.

Keep me posted.

#8 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 21 June 2012 - 08:26 AM

Are you still with me?

#9 driveguy

  • Topic Starter
  • Members
  • 21 posts

Posted 21 June 2012 - 09:18 AM

Hello Nasdaq,
I found out a few days ago that I'm leaving for China this coming Tuesday, so the computer has been off, and is likely to stay that way till I return. The trip is scheduled for a month, so between prep time for the trip and covering the home front, I will take this up when I return. The computer in question is a second machine I use, a rocket I built for some heavy math applications, digital signal processing, and I'm not dead in the water without it. Thanks for your help. I wish I could take this up now, but getting ready for this trip means checking a lot of cables and software on my work laptop, and all the other stuff...
Driveguy

#10 driveguy

  • Topic Starter
  • Members
  • 21 posts

Posted 21 June 2012 - 09:25 AM

Nasdaq,
If you want to follow my travels, try this: go to 'aprs.fi', leave off the 'www'. You will see a place on the right to 'track callsign'; enter 'WF2O-9' (that's 'oh', not zero). After Tuesday, try a/WF2O, that's home, and B/WF2O, that might be me in China, if I get APRS to work over there.
See Ya!

#11 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 22 June 2012 - 07:50 AM

I will close this topic for now.

When you return, just send me a Personal Message and I will reopen the topic.

Have a good trip.



