
Email sending out spam / malware problem?


63 replies to this topic

#1 Jerry84

Jerry84

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 21 October 2013 - 05:33 AM

I had started this in the wrong forum yesterday without luck so am moving it to here where it belongs

 

Posted Yesterday, 04:41 PM

Hi, I was sent here by Gizmo after sending them scans of my registry. Since mid week my computer has been sending out my address box with a message to click on a link. I do not have a copy but have seen them because I was getting the same thing from people I know, but I never clicked on the link and deleted them. Not sure what started this; I am very careful with spam or anything that looks like spam.

thank you for any help you can offer

 

Have already changed email password, and I have run 4 or 5 spyware/malware/virus programs.

Malwarebytes shows as many as 20 maybe problems; another one had 3, of which 2 were deleted, and FREZZE (A) would not delete.

Any help please???

 




 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:39 AM

Posted 21 October 2013 - 06:07 AM

Hello -

Please post the MBAM log with the "FREZZE (A)" detected, and post the Full Log.

Open "Logs" at the top of MBAM program and select the log that I am requesting.

 

I need this first.

Thank You -

 

EDIT - Please list as many of the tools that you recall the use of -


Edited by noknojon, 21 October 2013 - 06:10 AM.


#3 noknojon


Posted 21 October 2013 - 06:26 AM

First create a restore point or backup. This can be removed once your computer is "cleaned"

 

 

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
It seems you have accepted a program called Free Offers that includes this infection

• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\247downloads.ico".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\247downloads.url".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\dolphinico.ico".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\dolphinico.url".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\registryCleaner.ico".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\registryCleaner.url".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\wfallsaw.ico".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\wfallsaw.url".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\whalesico.ico".
• The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\whalesico.url".
• The file at "<$DESKTOP>\Click To Find and Fix Errors.lnk".
• The file at "<$DESKTOP>\Free Animated Desktop Wallpaper.lnk".
• The file at "<$DESKTOP>\Free Dolphins ScreenSaver.lnk".
• The file at "<$DESKTOP>\Free Whales ScreenSaver- Just Released.lnk".
• The file at "<$DESKTOP>\Unlimited Downloads Music, Movies, Games & More!.lnk".
• The file at "<$SYSDIR>\rkinstaller.exe".
• A file with an unknown location named "waterfalls3free.exe".

Please use Windows Explorer or another file manager of your choice to locate and delete this folder.
• The directory at "<$PROGRAMFILES>\Free Offers from Freeze.com". <Original problem



#4 Jerry84


Posted 21 October 2013 - 07:26 AM

Here are logs from programs I ran yesterday trying to get rid of this program. I know very little about this but use antivirus/malware programs from Microsoft to stop this from happening. When this started last week I found the antivirus program turned off; I do not know how this happened.

 

LOGS

 

Last update: 10/20/2013 9:02:57 AM

User account: Jerry-HP\Jerry

 

Scan settings:

 

Scan type: Deep Scan

Objects: Rootkits, Memory, Traces, C:\, D:\, F:\

 

Detect PUPs: On

Scan archives: On

ADS Scan: On

File extension filter: Off

Advanced caching: On

Direct disk access: Off

 

Scan start:       10/20/2013 9:04:46 AM

Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\FREEZE.COM\INSTALLER -> ID     detected: Trace.Registry.EZ Game Cheats (A)

Key: HKEY_USERS\S-1-5-21-3172710772-1567355707-1076244364-1001\SOFTWARE\IMESH     detected: Trace.Registry.IMesh (A)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\FREEZE.COM             detected: Trace.Registry.Freeze (A)

 

Scanned          526432

Found  3

 

Scan end:        10/20/2013 10:40:10 AM

Scan time:       1:35:24

 

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\FREEZE.COM            Quarantined Trace.Registry.Freeze (A)

Key: HKEY_USERS\S-1-5-21-3172710772-1567355707-1076244364-1001\SOFTWARE\IMESH     Quarantined Trace.Registry.IMesh (A)

 

Quarantined    2

 

 

Malware Bytes scan

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.10.20.05

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Jerry :: JERRY-HP [administrator]

 

Protection: Enabled

 

10/20/2013 1:22:40 PM

MBAM-log-2013-10-20 (13-29-52).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 239145

Time elapsed: 6 minute(s), 22 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 16

HKCR\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} (PUP.Optional.BabylonToolBar.A) -> No action taken.

HKCR\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b} (PUP.Optional.SafeMonitor.A) -> No action taken.

HKCR\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54} (PUP.Optional.SafeMonitor.A) -> No action taken.

HKCR\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85} (PUP.Optional.SafeMonitor.A) -> No action taken.

HKCR\DynConIE.DynConIEObject.1 (PUP.Optional.SafeMonitor.A) -> No action taken.

HKCR\DynConIE.DynConIEObject (PUP.Optional.SafeMonitor.A) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B} (PUP.Optional.SafeMonitor.A) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B} (PUP.Optional.SafeMonitor.A) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B} (PUP.Optional.SafeMonitor.A) -> No action taken.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EE146ACC-D881-1414-2148-B1D008B47ADB} (PUP.ShopToWin) -> No action taken.

HKCU\SOFTWARE\Funmoods (PUP.FunMoods) -> No action taken.

HKCU\SOFTWARE\InstallCore\funmoods (PUP.FunMoods) -> No action taken.

HKCU\Software\DataMngr (PUP.Optional.DataMngr.A) -> No action taken.

HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> No action taken.

HKLM\SOFTWARE\InstallCore\funmoods (PUP.FunMoods) -> No action taken.

 

Registry Values Detected: 1

HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0F1K1I2W1M1Q1UtF1LtG1L -> No action taken.

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 2

C:\Program Files (x86)\LinkSwift (PUP.Optional.LinkSwift.A) -> No action taken.

C:\Program Files (x86)\EZDownloader (PUP.Optional.EZDownloader.A) -> No action taken.

 

Files Detected: 9

C:\Program Files (x86)\UnfriendApp\IE\common.dll (PUP.Optional.SafeMonitor.A) -> No action taken.

C:\Users\Jerry\Downloads\agsetup183se.exe (PUP.Funmoods) -> No action taken.

C:\Users\Jerry\Downloads\iMeshSetup-r393-n-bi.exe (PUP.Optional.iMeshMusicBoxTB.A) -> No action taken.

C:\Users\Jerry\Downloads\Produtools_Manuals_2.1.exe (PUP.Optional.Conduit.A) -> No action taken.

C:\Users\Jerry\Downloads\winamp564_full_emusic-7plus_en-us (1).exe (PUP.Optional.OpenCandy) -> No action taken.

C:\Users\Jerry\Downloads\winamp564_full_emusic-7plus_en-us.exe (PUP.Optional.OpenCandy) -> No action taken.

C:\Program Files (x86)\LinkSwift\updateLinkSwift.InstallState (PUP.Optional.LinkSwift.A) -> No action taken.

C:\Users\Jerry\AppData\Local\Google\Chrome\User Data\Default\bProtector Web Data (PUP.Optional.BProtector.A) -> No action taken.

C:\Program Files (x86)\EZDownloader\unins000.dat (PUP.Optional.EZDownloader.A) -> No action taken.

 

(end)



#5 Jerry84


Posted 21 October 2013 - 07:32 AM

Malwarebytes and Emsisoft were the 2 programs that I saved from yesterday and posted above. Do not know what MBAM means, please tell me what program you need me to run. Thank you.



#6 noknojon


Posted 21 October 2013 - 03:19 PM

MBAM = Malwarebytes Anti-Malware
Sorry, generic term we all tend to use.

 

HKCU\SOFTWARE\Funmoods (PUP.FunMoods) -> No action taken.
Please note that You must Tick these items to remove them. You have not done it in this scan

 

Malwarebytes Anti-Malware is more Proactive with detections, but is not fully automated in all functions.
Note: Scan options enabled actually means Detections Enabled, and you select to remove.

It is more detailed, but re-scan first and tick all findings for now

 

 

Thank You -
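
What the "No action taken" lines discussed in this post mean in practice, as an added example that is not part of the original thread: a small Python parser for the Malwarebytes 1.75 log layout shown here that lists detections still awaiting removal and flags sections whose declared count does not match the entries listed. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the MBAM 1.75 log layout used in this thread.
# The "Files" section declares 2 items but lists 1, as happens when a
# pasted log is cut short.
SAMPLE_LOG = r"""
Registry Keys Detected: 2
HKCU\SOFTWARE\Funmoods (PUP.FunMoods) -> No action taken.
HKCR\DynConIE.DynConIEObject.1 (PUP.Optional.SafeMonitor.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0F1K1I2W1M1Q1UtF1LtG1L -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Program Files (x86)\UnfriendApp\IE\common.dll (PUP.Optional.SafeMonitor.A) -> No action taken.
"""

HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Paths may contain parentheses ("Program Files (x86)"), so the detection
# name is the last parenthesised group that is followed by " -> ".
ENTRY = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return {section: {"declared": int, "entries": [dict, ...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = header["section"]
            sections[current] = {"declared": int(header["count"]), "entries": []}
            continue
        entry = ENTRY.match(line)
        if entry and current:
            # Registry value lines carry an extra "Data: ..." segment;
            # the action is always the final " -> " segment.
            action = entry["rest"].split(" -> ")[-1].rstrip(".")
            sections[current]["entries"].append(
                {"item": entry["item"], "detection": entry["name"], "action": action})
    return sections


def unresolved(sections):
    """Detections that were found by the scan but never removed."""
    return [(name, e["item"], e["detection"])
            for name, sec in sections.items()
            for e in sec["entries"] if e["action"] == "No action taken"]


def count_mismatches(sections):
    """Sections whose header count differs from the entries listed."""
    return {name: (sec["declared"], len(sec["entries"]))
            for name, sec in sections.items()
            if sec["declared"] != len(sec["entries"])}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for section, item, detection in unresolved(parsed):
        print(f"still present [{section}] {detection}: {item}")
    print("count mismatches:", count_mismatches(parsed))
```
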



#7 noknojon


Posted 21 October 2013 - 03:40 PM

Once you complete the above please post these logs =>

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

Download MiniToolBox, Save it to your desktop and run it.
Close any Firefox browsers you may have open
Checkmark the following boxes:
• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List last 10 Event Viewer log
• List Installed Programs
• List Users, Partitions and Memory size.
• List Minidump Files
 
Click Go and copy / paste the result (Result.txt).

 

Thank You -



#8 Jerry84


Posted 21 October 2013 - 03:49 PM

I am sorry, I do not understand what you want me to do. I did nothing but run the malware program hoping that someone on a different forum would look at it, but after running it I was sent here. I need step by step on what you want. I closed the malware programs above after pasting them into a Word doc so I will have to run them again I guess. I can find none of the program files listed in post 3.


Edited by Jerry84, 21 October 2013 - 04:18 PM.


#9 Jerry84


Posted 21 October 2013 - 04:08 PM

I just ran the malwarebytes again and there are 4 or 5 of the funmoods; am I supposed to delete all of them? And please tell me how to find all the files above this that you want me to delete? BTW I do not use the Firefox browser, it came on the computer; I only use the 32 bit IE browser, thank you.


Edited by Jerry84, 21 October 2013 - 04:10 PM.


#10 noknojon


Posted 21 October 2013 - 04:16 PM

Hello -

Please slow me down at any time and ask for details - I do jump ahead

 

Now - Please open Malwarebytes program, Run a Quick scan,

Now - Tick all found infections (click OK) and then post the log back here -

 

Thank You -



#11 Jerry84


Posted 21 October 2013 - 04:54 PM

I checked everything in the malwarebytes and hit remove selected, which was the only option, then it had me reboot, which took a while; it did not want to let me log back in with my fingerprint, which is the only way I have. Once in I reran the malware and now have these 6 programs

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.21.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jerry :: JERRY-HP [administrator]

Protection: Enabled

10/21/2013 5:36:53 PM
MBAM-log-2013-10-21 (17-50-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239775
Time elapsed: 13 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCR\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} (PUP.Optional.BabylonToolBar.A) -> No action taken.
HKCR\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b} (PUP.Optional.SafeMonitor.A) -> No action taken.
HKCR\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54} (PUP.Optional.SafeMonitor.A) -> No action taken.
HKCR\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85} (PUP.Optional.SafeMonitor.A) -> No action taken.
HKCR\DynConIE.DynConIEObject.1 (PUP.Optional.SafeMonitor.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1

 

Do I try to remove these again?



#12 noknojon


Posted 21 October 2013 - 05:06 PM

Hello -

"Do I try to remove these again?" <= Yes please, the scan part was 100% correct -

After the scan are you able to tick all found items (for removal) and click OK if required ?

You are only Scanning and not Ticking these items to Remove them -

 

A Notepad log will open after removal (like this one) and that is what I want you to Copy / Paste here.

 

In Post #7 I ask for extra information to see if there are "general problems"

 

The mention of Firefox is only a "generic" part of my post, as I do not know your programs.



#13 Jerry84


Posted 21 October 2013 - 05:24 PM

I do get confused on computers re the Firefox. After scanning I can click (tick) each item, then at the bottom of the page there is a remove selected, which is what I did last time. Then the program said to reboot to finish cleaning. So now I will try to remove the 6 that did not remove last time. I did not see a notepad open up last time; I will look this time again. This malwarebytes is a 14 day trial program and may not have everything needed.

 

thanks



#14 Jerry84


Posted 21 October 2013 - 05:28 PM

Ok, here is the notepad from the last 6. I have to reboot again and will let you know if the programs are gone.

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.21.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jerry :: JERRY-HP [administrator]

Protection: Enabled

10/21/2013 5:36:53 PM
mbam-log-2013-10-21 (17-36-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239775
Time elapsed: 13 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCR\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} (PUP.Optional.BabylonToolBar.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b} (PUP.Optional.SafeMonitor.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54} (PUP.Optional.SafeMonitor.A) -> Quarantined and deleted successfully.
HKCR\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85} (PUP.Optional.SafeMonitor.A) -> Quarantined and deleted successfully.
HKCR\DynConIE.DynConIEObject.1 (PUP.Optional.SafeMonitor.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files (x86)\UnfriendApp\IE\common.dll (PUP.Optional.SafeMonitor.A) -> Quarantined and deleted successfully.

(end)


Edited by Jerry84, 21 October 2013 - 05:29 PM.


#15 noknojon


Posted 21 October 2013 - 05:29 PM

Hi -

Quick Edit - That was exactly as I was asking, but I would prefer you to Not use the trial version at this time

 

As a safeguard, I have posted this to refresh your copy of the program (just to be sure)

This will only take 5 or so minutes and may clear up some options -

 

 

First -

Please Uninstall your version of Malwarebytes Anti-Malware as described in Method 3 Removal Only

 

Next -
Download Malwarebytes Anti-Malware Free (a.k.a MBAM) to your desktop.
NOTE : Do not accept (Untick) the Free Trial Offer at this time.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

 

Thank You -


Edited by noknojon, 21 October 2013 - 05:33 PM.




