
Laptop infected, lots of new windows pop up


15 replies to this topic

#1 smrboyd1

smrboyd1

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 11:17 AM

I was here recently with an infected desktop. That issue couldn't be resolved, so I borrowed a laptop. It is also showing signs of infection and I wanted to start here first before doing anything on my own. It runs Windows 7; Firefox is my browser.

Thanks for any help.




#2 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:12 PM

Posted 24 January 2014 - 11:25 AM

Hmmm.... bad luck seems to follow you, lol. I don't see a link to a previous post, so I'll start from scratch.

 

What antivirus and antimalware do you use, if any?

 

Was any software installed around the time of the infection?

 

Can you identify any software names in the popups? Example- Windows Prime Shield, MyPCBackup, PC Optimizer Pro, etc.

 

Do you have DomaIQ installed? (Check Add/Remove Programs)

Do you download from torrent sites? Play online games?

 

Try installing and running Speccy to get a list of your system's info to post here.



#3 smrboyd1

smrboyd1
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 02:28 PM

HA! Yes, well, this one came to me with problems. I just added a new user account and I don't seem to be having the same problems. I will answer your questions and go from there with it.

It had not been used for a while, so when I started it, it had a bunch of Windows updates. It seemed to have trouble from the start, though.

It looks to have had McAfee at some point, but it isn't active now. I put Avast on it.

I do think I saw MyPCBackup. Usually it is a blank pop-up window; then when I click on the X to close it, it opens a new window that Avast then blocks.

I don't see DomaIQ, but there is something called Webcake 3.0 that I can't get rid of, and it is associated with a pop-up.

I ran Speccy under the new user account; it says the post is too long when I copy it from Notepad, though.

 



#4 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:12 PM

Posted 24 January 2014 - 03:35 PM

Speccy works best for viewing as an image grab, and I think some people get a website link to their info. I've never used Speccy so I'm not too familiar with it.

 

MyPCBackup is one of many malware apps that can be accidentally downloaded along with other 'legit' apps. Webcake is another one.

 

Do this:

 

Download and run Revo Uninstaller (the free version). Remove MyPCBackup and Webcake.

 

If you can, get me a list of all the installed apps on your system.

 

Next, download and run AdwCleaner. It will preselect everything it finds; I rarely have to uncheck anything. It's available in the Downloads section of this site.

 

Next, download and run Malwarebytes. When installing, be sure to UNCHECK the "Trial version of Malwarebytes PRO". Let it update and run a quick scan. You will need to check the scan results carefully: Trojans and rootkits are automatically selected, but PUPs (Potentially Unwanted Programs, i.e. malware/spyware) WON'T be preselected. I generally always select everything it finds for removal.

 

Finally run a full scan (if you haven't already) with Avast. Then run AdwCleaner again. You should get a clean bill of health.



#5 smrboyd1

smrboyd1
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 05:27 PM

OK, it didn't like something. Everything seemed fine. Had to reboot after AdwCleaner. After I put in my password, it goes to the welcome screen, then it goes black. I can reboot into Safe Mode but don't know what to do there.

#6 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:12 PM

Posted 24 January 2014 - 05:42 PM

Sounds like a definite infection.

 

In Safe Mode:

 

Click Start, type "msconfig" (without the quotes) and when it shows up at the top, right-click on it and select "Run as administrator". Then, when the menu shows, select the Startup tab and deselect everything there. Then try to boot in Normal Mode again.



#7 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:12 PM

Posted 24 January 2014 - 05:43 PM

Did you do everything in the steps in the order I gave? Did you remove MyPCBackup and Webcake first?

 

It's crucial that you post what installed apps you have.

 

EDIT: It would also greatly help if you could post the cleanup log from AdwCleaner. It should be located in C:\Adwcleaner; there should be 2 log files. Copy the text from the S0 text file and paste it here.


Edited by Netghost56, 24 January 2014 - 05:45 PM.


#8 smrboyd1

smrboyd1
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 06:02 PM

OK, I tried that and it still got stuck at the welcome page.

 

Yes, I did it in order. The only thing I didn't do was get a list of apps, because I'm not sure how to go about that.

 

# AdwCleaner v3.017 - Report created 24/01/2014 at 15:21:00
# Updated 12/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : SDB - LAPTOP
# Running from : C:\Users\SDB\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : Partner Service
Service Deleted : vToolbarUpdater17.3.0

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG SafeGuard toolbar
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Program Files (x86)\AVG SafeGuard toolbar
Folder Deleted : C:\Program Files (x86)\MyPC Backup
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Granny\AppData\Local\AVG SafeGuard toolbar
Folder Deleted : C:\Users\Granny\AppData\LocalLow\AVG SafeGuard toolbar
Folder Deleted : C:\Users\SDB\AppData\Local\AVG SafeGuard toolbar
Folder Deleted : C:\Users\SDB\AppData\LocalLow\AVG SafeGuard toolbar
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml
File Deleted : C:\Users\Granny\AppData\Roaming\Mozilla\Firefox\Profiles\naqmpzm7.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WebCakeIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\kt_bho.KettleBho
Key Deleted : HKLM\SOFTWARE\Classes\kt_bho.KettleBho.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7169BBB3-3289-4696-B35D-4A88BCF6FB12}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A0B10EBE-4E51-4CAE-949B-E6B9E7D68CEA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BB975E58-E769-4E5A-BA12-B765BC559FF3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F511AFDB-726E-4458-90E7-1ECB97406544}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{86676E13-D6D8-4652-9FCF-F2047F1FB000}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Granny\AppData\Roaming\Mozilla\Firefox\Profiles\naqmpzm7.default\prefs.js ]

Line Deleted : user_pref("extensions.enabledAddons", "plugins%40getwebcake.com:1.00.01,wrc%40avast.com:9.0.2011.70,%7B4ED1F68A-5463-4931-9384-8FFF5ED91D92%7D:3.6.2,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0");
Line Deleted : user_pref("extentions.webcake.defaultEnableAppsList", "layers,brain/features,newOffers/wc");
Line Deleted : user_pref("extentions.webcake.installId", "b11cb78b-db45-4163-a562-cb0c75069257");

[ File : C:\Users\SDB\AppData\Roaming\Mozilla\Firefox\Profiles\274pnn83.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [8295 octets] - [24/01/2014 15:19:25]
AdwCleaner[S0].txt - [8341 octets] - [24/01/2014 15:21:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8401 octets] ##########
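As an added example (not from the thread or from the AdwCleaner tool), a small parser for the report layout posted above: it counts what the cleanup removed per section and flags the autostart locations (services, Run values, Browser Helper Objects, the Firefox enabledAddons pref) that are worth re-checking after the next reboot. The report excerpt is constructed from the entries posted above.

```python
import re
from collections import Counter

# Constructed excerpt in the AdwCleaner v3 report layout posted in this thread.
SAMPLE_REPORT = """\
***** [ Services ] *****
[#] Service Deleted : Partner Service
Service Deleted : vToolbarUpdater17.3.0
***** [ Files / Folders ] *****
Folder Deleted : C:\\Program Files (x86)\\MyPC Backup
File Deleted : C:\\Users\\Granny\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\naqmpzm7.default\\user.js
***** [ Registry ] *****
Value Deleted : HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run [vProt]
Key Deleted : HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKLM\\SOFTWARE\\Classes\\WebCakeIEClient.Api
***** [ Browsers ] *****
[ File : C:\\Users\\Granny\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\naqmpzm7.default\\prefs.js ]
Line Deleted : user_pref("extensions.enabledAddons", "plugins%40getwebcake.com:1.00.01");
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ENTRY_RE = re.compile(r"^(?:\[#\] )?(\w+) Deleted : (.+)$")

# Autostart locations worth re-checking after reboot (Run values, BHOs, Firefox add-on list).
PERSISTENCE = (
    r"\\CurrentVersion\\Run \[",
    r"\\Browser Helper Objects\\",
    r"extensions\.enabledAddons",
)

def parse_report(text):
    """Return ({section: Counter(kind)}, [(section, kind, target), ...] flagged)."""
    counts, flagged, section = {}, [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not (m and section):
            continue  # blank lines, "[ File : ... ]" headers, anything before a section
        kind, target = m.groups()
        counts.setdefault(section, Counter())[kind] += 1
        # Services are autostart entries by definition; the rest must match PERSISTENCE.
        if section == "Services" or any(re.search(p, target) for p in PERSISTENCE):
            flagged.append((section, kind, target))
    return counts, flagged
```

Pointing `parse_report` at the full S0 text from C:\AdwCleaner gives a per-section summary and the short list of autostart entries to confirm are really gone.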
 



#9 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:12 PM

Posted 24 January 2014 - 07:06 PM

In safe mode, click Start, type Control Panel, select Uninstall a Program, and that will give you a list.

#10 smrboyd1

smrboyd1
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 07:18 PM

I just don't know how to get it to you. It's not a ton of stuff but more than I feel like typing.



#11 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:12 PM

Posted 24 January 2014 - 07:28 PM

ALT + PRT SCREEN. Then open mspaint and Paste, save as JPG. Then upload to TinyPic, then post the pictures here.

Sorry, I'm on the road at the moment.

#12 smrboyd1

smrboyd1
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 07:39 PM

 dw2nft.jpg



#13 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:12 PM

Posted 24 January 2014 - 07:59 PM

Did you turn off everything in msconfig? Just the startup items.

You should be able to run Malwarebytes in Safe Mode. Run a full scan.

#14 smrboyd1

smrboyd1
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 08:01 PM

I unchecked everything. I'll run MWB.



#15 smrboyd1

smrboyd1
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 24 January 2014 - 08:28 PM

Nothing on MWB.





