
Virus / Malware blocking Google / Yahoo etc. Also getting random surveys


10 replies to this topic

#1 JeepinCJ


Posted 23 November 2013 - 10:55 AM

Per the title, I think I have a couple of things going on.  First I'm getting random pop-ups for surveys.  That's been going on for a while now, but Adblock Plus has been catching most of them, but not all.
 
The second thing, which has just started, is that some random websites are being blocked... yahoo.com, for instance, comes up with "no site configured at this address".
 
I searched the web and saw posts around looking at the hosts file within windows/system32/drivers/etc/hosts.  I looked at this file via Notepad, but didn't see any sites being blocked. 
 
I've done full scans with Ad-Aware Antivirus and Malwarebytes.  There have also been a couple of recent Java upgrades, but they appeared to be legit vs. some of the fakes out there.
 
 
 
 
I'm running Windows Vista Home Premium Service Pack 2  - 64bit operating system
 
That's all I know.  Where do we go from here?
 
Thank you in advance!


Edited by JeepinCJ, 23 November 2013 - 12:23 PM.
moved from Vista to the appropriate forum




#2 dc3


Posted 23 November 2013 - 12:37 PM

Please download AdwCleaner and run it.
 
An image like the one below will open, click on Scan.
 
[image: AdwCleaner window with the Scan button]
 
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.  
 
Click on Clean to remove the selected items.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on Ok.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your next post.
 
 
 
How to post the log.
 
Right click on the Start orb.
 
Then click on Open Windows Explorer.
 
Click on the C: drive.
 
[image: Windows Explorer showing the C: drive]
 
Scroll down till you find AdwCleaner [S1] and double click on the log to open it.
 
[image: the AdwCleaner [S1] log in the C: drive listing]
 
Click the pointer in the middle of the log, then press the Ctrl and the A keys together to highlight the log.
 
Copy the log and paste it in your next post in this topic.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 JeepinCJ


Posted 23 November 2013 - 06:04 PM

Thank you for the help... after the clean and the reboot, Google is loading via Firefox; however, yahoo.com is not and is giving the same error as described above.  Yahoo mail, and anything under it, works just fine, but the homepage appears to be blocked.  It DOES, however, load under Internet Explorer.

 

Here's the log you requested upon reboot. Thank you again!

 

 

# AdwCleaner v3.012 - Report created 23/11/2013 at 14:25:41
# Updated 11/11/2013 by Xplode
# Operating System : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# Username : Andy - ANDY-HP
# Running from : C:\Users\Andy\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

[!] Folder Deleted : C:\ProgramData\blekko toolbars
[!] Folder Deleted : C:\Program Files (x86)\adawaretb
[!] Folder Deleted : C:\Program Files (x86)\Conduit
[!] Folder Deleted : C:\Program Files (x86)\FirstRowSportApp.com
[!] Folder Deleted : C:\Program Files (x86)\Toolbar Cleaner
[!] Folder Deleted : C:\Program Files (x86)\vShare
[!] Folder Deleted : C:\Users\Andy\AppData\Local\PackageAware
[!] Folder Deleted : C:\Users\Andy\AppData\Local\Temp\AirInstaller
[!] Folder Deleted : C:\Users\Andy\AppData\Local\Temp\TempDir
[!] Folder Deleted : C:\Users\Andy\AppData\LocalLow\adawaretb
[!] Folder Deleted : C:\Users\Andy\AppData\LocalLow\boost_interprocess
[!] Folder Deleted : C:\Users\Andy\AppData\LocalLow\Conduit
[!] Folder Deleted : C:\Users\Andy\AppData\LocalLow\vShare
[!] Folder Deleted : C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\k3zspr6y.default\adawaretb
File Deleted : C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\k3zspr6y.default\Extensions\freehdsport@freehdsport.tv.xpi

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289663
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{20ED5AF7-D9C4-409E-9EB3-D2A44A77FB6D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3E315C81-442B-431C-AEC8-ED189699EC24}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\vShare
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\Software\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vShare
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\1ClickDownload
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\vShare
Key Deleted : [x64] HKLM\SOFTWARE\DivX\Install\Setup\WizardLayout\ConduitToolbar
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16520


-\\ Mozilla Firefox v3.6.10 (en-US)

[ File : C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\k3zspr6y.default\prefs.js ]


-\\ Google Chrome v31.0.1650.57

[ File : C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : icon_url
Deleted : search_url
Deleted : suggest_url
Deleted : keyword
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [6544 octets] - [23/11/2013 14:09:13]
AdwCleaner[S0].txt - [5930 octets] - [23/11/2013 14:25:41]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5990 octets] ##########
 



#4 dc3


Posted 24 November 2013 - 11:39 AM

When you ran malwarebytes did you update the definitions first?  

 

Did you run the long test?

 

Did Malwarebytes find anything?

 

 

 

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET Online Scan in a new window.
    ESET OnlineScan

  • Click the ESET Online Scan button.

  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.

       

  • Check "YES, I accept the Terms of Use."

  • Click the Start button.

  • Accept any security warnings from your browser.

  • Under scan settings, check "Scan Archives" and "Remove found threats"

  • Click Advanced settings and select the following:

     

    • Scan potentially unwanted applications

    • Scan for potentially unsafe applications

    • Enable Anti-Stealth technology

       

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  • When the scan completes, click List Threats

  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

  • Click the Back button.

  • Click the Finish button.



 

 

 

 


#5 JeepinCJ


Posted 24 November 2013 - 12:32 PM

I'll run ESET, post its log, and then run the full Malwarebytes scan tonight after updating definitions and post its log.  Thanks for the help!



#6 dc3


Posted 24 November 2013 - 12:50 PM

I'll be around. :thumbup2:



 

 

 

 


#7 JeepinCJ


Posted 25 November 2013 - 02:59 PM

So here's something new...

 

Firefox can no longer access Bleeping Computer.  Internet Explorer is currently still working.  I have other machines around the house without this current issue, so even if I get completely locked out of the internet I still have other machines I can download files / post from and transfer them over to the Vista machine...

 

Now for more data... ESET froze at 21% last night whilst scanning the C drive.  It did find a threat, but I couldn't see enough of it (at the bottom of the screen) to make out what it was.  I've since restarted and will try to grab a screen capture if it hangs again today.

 

Will write more soon.

 

Thanks!

 



#8 JeepinCJ


Posted 26 November 2013 - 11:44 AM

Here are the logs... nothing from malware bytes after updating the definitions and running a full scan.  Nothing from ESET.  Details below.

 

Internet Explorer (9.0.8112.16421) - Google does not work / Bleeping Computer loads (haven't found anything else not working.)

 

Firefox (25.0.1 - says up-to-date) - Google works, Yahoo NOW WORKING... was not previously.  Bleeping Computer NOT WORKING

 

man this is weird... anything else?  I have NOT tried uninstalling / reinstalling firefox nor internet explorer.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.26.01

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Andy :: ANDY-HP [administrator]

11/25/2013 9:26:20 PM
mbam-log-2013-11-25 (21-26-20).txt

Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 982937
Time elapsed: 7 hour(s), 43 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

 

Here's what ESET showed... also nothing...

 

708,000 files scanned,

Infected files 0

cleaned files 0

scan time 14 hours



#9 dc3


Posted 26 November 2013 - 11:55 AM

Please download RKill and run it.

 

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.

 

Once RKill is run reattempt to run the ESET online scan.


Edited by dc3, 26 November 2013 - 11:56 AM.


 

 

 

 


#10 JeepinCJ


Posted 26 November 2013 - 05:23 PM

Here's what RKill logged.  Running ESET now.  Forgot that Windows Defender keeps stopping upon startup.  Noted it caught that in RKill.

 

Will post the ESET log after it completes.  Thanks!  Have NOT had a survey pop-up in a while...

 

 

Program started at: 11/26/2013 05:16:09 PM in x64 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\SysWOW64\WinMsgBalloonServer.exe (PID: 4052) [WD-HEUR]
 * C:\Windows\SysWOW64\WinMsgBalloonClient.exe (PID: 1224) [WD-HEUR]
 * C:\Windows\SysWOW64\BeepApp.exe (PID: 2588) [WD-HEUR]

3 proccesses terminated!

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Andy\Desktop\rkill\rkill-11-26-2013-05-16-22.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\.exe\shell found and deleted!

  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to !
  * HKCU\SOFTWARE\Classes\.exe has been deleted!

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Automatic

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 11/26/2013 05:18:03 PM
Execution time: 0 hours(s), 1 minute(s), and 53 seconds(s)
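Added example, not from the thread or from RKill's authors: a small Python triage script that parses an RKill log in the layout posted above and lists the items a helper would follow up on (processes that were only killed, Windows Defender disabled by policy, and, since the first post mentions inspecting the hosts file, any hosts entries beyond the two loopback defaults). The sample log is constructed; the www.yahoo.com line is made up to exercise the hosts check.

```python
import re

# Constructed sample in the layout RKill printed in the thread above (not the
# poster's real log); the www.yahoo.com line is made up to exercise the check.
SAMPLE_LOG = """\
Checking for processes to terminate:
 * C:\\Windows\\SysWOW64\\WinMsgBalloonServer.exe (PID: 4052) [WD-HEUR]
 * C:\\Windows\\SysWOW64\\BeepApp.exe (PID: 2588) [WD-HEUR]
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\\SOFTWARE\\Microsoft\\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
Checking HOSTS File:
 * HOSTS file entries found:
  127.0.0.1       localhost
  ::1             localhost
  127.0.0.1       www.yahoo.com
"""

PROC_RE = re.compile(r"^\s*\*\s+(?P<path>.+?) \(PID: (?P<pid>\d+)\) \[(?P<tag>[^\]]+)\]")
HOSTS_RE = re.compile(r"^\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")
# The only entries a stock Windows hosts file needs; anything else is flagged.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_rkill_log(text):
    """Pull the security-relevant findings out of an RKill log."""
    found = {"terminated": [], "defender_disabled": False, "extra_hosts": []}
    section = ""
    for line in text.splitlines():
        if line and not line[0].isspace():  # section headers sit at column 0
            section = line
        elif section.startswith("Checking for processes"):
            m = PROC_RE.match(line)
            if m:
                found["terminated"].append((m["path"], int(m["pid"]), m["tag"]))
        elif section.startswith("Performing miscellaneous"):
            if "Windows Defender Disabled" in line:
                found["defender_disabled"] = True
        elif section.startswith("Checking HOSTS"):
            m = HOSTS_RE.match(line)
            if m and (m["ip"], m["host"]) not in DEFAULT_HOSTS:
                found["extra_hosts"].append((m["ip"], m["host"]))
    return found

def triage(found):
    items = []
    for path, pid, tag in found["terminated"]:
        # RKill only kills the process; the file and whatever autostarts it remain.
        items.append(f"killed but not removed: {path} (pid {pid}, {tag})")
    if found["defender_disabled"]:
        items.append("Windows Defender disabled via the DisableAntiSpyware policy")
    for ip, host in found["extra_hosts"]:
        items.append(f"hosts file sends {host} to {ip}; remove the entry")
    return items
```

Feed it the text of a real RKill log via parse_rkill_log(open(path).read()) and print triage(...) to get the follow-up list.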



#11 JeepinCJ


Posted 27 November 2013 - 07:47 PM

ComboKill did wonders!  Looks like everything is running sound now.  I'm going to keep scanning to see if RKill finds things still "magically" loading over the next few days.  Thank you again for your help, and I'll post whatever else I find.  Even after RKill ran, that BeepAp.exe kept loading itself.

 

Thank you again!





