Serious Infection


32 replies to this topic

#1 ep2002

ep2002

  • Members
  • 342 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Traveling around now to find my dream country
  • Local time:06:39 AM

Posted 28 June 2014 - 04:41 AM

Wow, I've NEVER had such a serious infection before.

How I got it I have no idea, as my computer was fine until I left my house, I came back & started to work on my site & I couldn't. My Fx was hijacked with tons of ads & popups that won't go away. Chrome seems fine.

I did get my hosting company to look at my site & they did find malicious files in it, so I don't know if I got it from there or what.

Here's a SS - http://awesomescreenshot.com/08d3267325

I can barely use Last Pass

I can barely type or move my arrow keys, & it was a struggle even to log into this site

I've run Avast at least 5 times on full scan & it's finding 1 threat at a time, but they are low threats so that can't be it.

I've run Malwarebytes 3 times & it just finds non malicious threats that it's been finding for a few weeks now.

Please help!

Thank you

Michelle

 

 

 




 


#2 ep2002


Posted 28 June 2014 - 04:50 AM

Ok, I'm using Chrome so I can actually type.

Sites that are popping up: (I'll list them as I get them. I forgot to take down a few, one to do with Apple, something to do with my computer having too many popups (this was before the popups started) & that my Windows was infected.)

I'm also getting audio that randomly starts & I have no idea where it's coming from.

http://intl.fuckingballoon.eu/?sov=62570201&hid=drpjftfhlhhtjphrd&nodl=nodl&id=XNSX.

http://awesomescreenshot.com/005326ao94 - see the buttons & banners?


Edited by ep2002, 28 June 2014 - 05:00 AM.


#3 wpgwpg

wpgwpg

  • Members
  • 1,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US of A
  • Local time:06:39 AM

Posted 28 June 2014 - 11:49 AM

In Firefox I've added Adblock Plus. In both Chrome and Firefox be sure your popup blocker is turned on (in Internet Options). I'd try running Malwarebytes and Avast in Safe Mode because some malware can hide itself in normal mode. If this doesn't help, you can download & try these three programs: AdwCleaner, Junkware Removal Tool, and TDSSkiller.

 

Good luck.


Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#4 ep2002


Posted 28 June 2014 - 03:22 PM

Thank you, but I thought I was to wait to try any of these things on my own.



#5 ep2002


Posted 02 July 2014 - 08:54 PM

I don't understand what is going on. I was told to start a new topic if no one responded to this one, then I'm told NOT to.

 

Can someone please help me?

 

Thank you



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:39 PM

Posted 02 July 2014 - 10:10 PM

Hello -

Sorry that you have not had a helpful reply yet ......

Please start here -

Download Security Check from HERE or HERE and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt;
* Please Copy and Paste the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

NOW :

Download RKill by Grinler
If you have problems then run it in Safe Mode -
Double click it and a black box will flash for about 30 seconds.
This means the program ran. If it will not run, please tell me.

Please Copy / Paste the log back here

NOW :

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button only once to ensure correct readings
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* Click on the Clean button only once to ensure correct readings
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles is also saved in the C:\AdwCleaner folder which was created when running the tool.

From here, we can see the way to move on.

Note : I may add another post below this soon.


Edited by noknojon, 02 July 2014 - 10:17 PM.


#7 noknojon


Posted 02 July 2014 - 10:15 PM

There is now a new version of Malwarebytes Anti-Malware (V2.0.2) This passes V1.75.0.1300

If you wish to Re-scan you will need to remove the old version first.

Please see

* Download Malwarebytes Anti-Malware Free and save it to your desktop
* Double click the desktop icon, click Run, then OK
* Click Next
* Select I accept the agreement then continue to click Next then finally click Install
** Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
* If you are notified the Database is out of date click Update Now
* Click Scan Now >>

----------

** Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
* Click Start (Start, Search, All files and folders for Windows XP) then type mbam
* Double click one of the four following files (if one does not work try the next one, and so on) -

A black command window will open. Follow those instructions until the Malwarebytes program starts the scan

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com
----------

** When completed click the down arrow on Export Log and select Text file (*.txt)
* Save the file to your desktop as MBAM
* Click Apply Actions then restart your computer if requested
Copy and Paste the contents of MBAM.txt in your reply

 

 

Please update us on your computer problems.



#8 ep2002


Posted 02 July 2014 - 10:36 PM

Thank you VERY much for taking on my case. Also Flash isn't working now, it keeps crashing on Chrome left & right. Could be crashing on Fx, but I'm not using Fx b/c of all the issues.

 

Here's the first bit.

 

 Results of screen317's Security Check version 0.99.85  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java 7 Update 55  
 Java version out of Date! 
 Adobe Flash Player 14.0.0.125  
 Adobe Reader XI  
 Mozilla Firefox (30.0) 
 Mozilla Thunderbird (24.0.1) 
 Google Chrome 35.0.1916.114  
 Google Chrome 35.0.1916.153  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 


#9 ep2002


Posted 02 July 2014 - 10:40 PM

Rkill 2.6.7 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/02/2014 08:38:37 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 07/02/2014 08:38:57 PM
Execution time: 0 hours(s), 0 minute(s), and 20 seconds(s)


#10 noknojon


Posted 02 July 2014 - 10:45 PM

Please use Internet Explorer 11  if you have problems -



#11 noknojon


Posted 02 July 2014 - 10:52 PM

This is copied from another post, so if any wording is "off" then ignore it.

 

 

These are the most common solutions to eliminating the pop-up ads.

1. Go to Add/Remove Programs in Control Panel or Programs and Features if using Vista/Windows 7/8. From within Add/Remove Programs look for anything in the lists and select Remove.

2. Open your browser and disable (uncheck) all extensions. Make a list, then one by one, re-enable each extension to see if the pop-ups start appearing again with that particular extension. Once you identify the responsible extension...permanently remove it but let me know which one it was so I can update the above list.

* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How To Disable Individual Plug-ins in Google Chrome <- try only if the above does not work
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer

3. If the above did not resolve the problem, then create a new browser user profile.
* How to Create a new browser user profile in Google Chrome
* How to Create a new browser user profile in Firefox
* How to Create a new browser user profile in Opera, Internet Explorer, Firefox, Chrome          



#12 ep2002


Posted 02 July 2014 - 11:18 PM

# AdwCleaner v3.214 - Report created 02/07/2014 at 21:11:32
# Updated 29/06/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Michelle - MICHELLE-PC
# Running from : D:\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : 70e6ca8c
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\RoYalCoupOen
Folder Deleted : C:\ProgramData\SaVerAddon
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\optimizer pro v3.2
Folder Deleted : C:\Program Files (x86)\Optimizer Pro
Folder Deleted : C:\Users\Michelle\AppData\Roaming\Optimizer Pro
Folder Deleted : C:\Users\Michelle\Documents\Optimizer Pro
Folder Deleted : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\ivkv5lzn.New-Profile-05-28-12\Extensions\boap3-aalk@fjeyacwuuey.net
Folder Deleted : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Extensions\llpjhokmnmbpcolnflgdienhmihbhagn
File Deleted : C:\Users\Michelle\Desktop\Optimizer Pro.lnk
File Deleted : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\ivkv5lzn.New-Profile-05-28-12\invalidprefs.js
File Deleted : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Optimizer Pro]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\optimi~1\optpro~1.dll
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17126
 
 
-\\ Mozilla Firefox v30.0 (en-US)
 
[ File : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\ivkv5lzn.New-Profile-05-28-12\prefs.js ]
 
Line Deleted : user_pref("extensions.EmZo.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"warnalert11.com\")>-1||url.indexOf(\"sumorobo.ne[...]
Line Deleted : user_pref("extensions.inboxq.localStorage", "{\"version\":\"2011.3.30\",\"queues\":\"[\\\"campaigns\\\"]\",\"queues_campaigns\":\"[{\\\"name\\\":\\\"Default\\\",\\\"terms\\\":[\\\"#lazyweb\\\",\\\"#as[...]
Line Deleted : user_pref("extensions.mAV.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"warnalert11.com\")>-1||url.indexOf(\"sumorobo.net[...]
 
-\\ Google Chrome v35.0.1916.153
 
[ File : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Extension] : llpjhokmnmbpcolnflgdienhmihbhagn
 
*************************
 
AdwCleaner[R0].txt - [5571 octets] - [02/07/2014 20:45:55]
AdwCleaner[S0].txt - [5533 octets] - [02/07/2014 21:11:32]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5593 octets] ##########
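
An added example, not part of the original posts and not AdwCleaner's own code: a small Python parser for the report format posted above that groups the "Deleted" entries by section and flags the ones that are load points (service, Run value, AppInit_DLLs, Browser Helper Object, browser extension) rather than leftover files. The sample is a shortened excerpt of that report; the function names and category labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Shortened excerpt of the AdwCleaner[S0].txt report posted above.
SAMPLE = r"""# AdwCleaner v3.214 - Report created 02/07/2014 at 21:11:32
***** [ Services ] *****
Service Deleted : 70e6ca8c
***** [ Files / Folders ] *****
Folder Deleted : C:\Program Files (x86)\Optimizer Pro
Folder Deleted : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Extensions\llpjhokmnmbpcolnflgdienhmihbhagn
File Deleted : C:\Users\Michelle\Desktop\Optimizer Pro.lnk
***** [ Registry ] *****
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Optimizer Pro]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Optimizer Pro
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\optimi~1\optpro~1.dll
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")   # e.g. ***** [ Registry ] *****
ENTRY = re.compile(r"^(\w+) Deleted : (.+)$")        # e.g. Key Deleted : HKLM\...

# Labels are this example's own; the patterns match locations seen in the report.
PERSISTENCE = [
    ("autorun (Run key)", re.compile(r"\\CurrentVersion\\Run(?:Once)? \[", re.I)),
    ("AppInit_DLLs injection", re.compile(r"\[AppInit_DLLs\]", re.I)),
    ("IE Browser Helper Object", re.compile(r"\\Browser Helper Objects\\", re.I)),
    ("browser extension", re.compile(r"\\Extensions\\", re.I)),
]

def parse_report(text):
    """Return {section: [(kind, target), ...]} for every 'X Deleted : ...' line."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY.match(line)
        if m and current:
            sections[current].append((m.group(1), m.group(2)))
    return dict(sections)

def persistence_findings(sections):
    """List (label, target) for entries that would have restarted the adware."""
    found = [("Windows service", t) for _, t in sections.get("Services", [])]
    for entries in sections.values():
        for _, target in entries:
            label = next((l for l, p in PERSISTENCE if p.search(target)), None)
            if label:
                found.append((label, target))
    return found

if __name__ == "__main__":
    for label, target in persistence_findings(parse_report(SAMPLE)):
        print(f"{label:26} {target}")
```

Of the flagged entries, AppInit_DLLs is the one not tied to a single browser: when that mechanism is enabled, a DLL listed there is loaded into every process that loads user32.dll.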
 


#13 ep2002


Posted 02 July 2014 - 11:21 PM

I'm not sure why you think I don't have the latest version of MBAM b/c I do. Did it say somewhere I don't?

 

It's working, it's just not finding anything & someone had me do the rootkit & it didn't find anything either :(



#14 ep2002


Posted 02 July 2014 - 11:24 PM

Yeah, I don't use IE, haven't in I don't know, the last 15 years & I don't want to start now. I don't even know how to use it.

 

Are you saying one of my extensions is responsible for all of this?

 

I don't see how it could be unless that extension got hacked b/c I've been using the same extensions for ages, I don't remember adding any new extensions recently & all was fine one day & then not fine the next.

 

Plus that wouldn't explain why Chrome is now acting up. Fx has one set of extensions & Chrome has barely anything. The only common extension between the 2 is Last Pass & I doubt it's that.

 

I thought you were going to help me clean out the computer. I don't want to have to redo Fx. I mean I will if I have to, but again, that doesn't explain why Chrome is starting to act up.

 

Thanks



#15 noknojon


Posted 02 July 2014 - 11:32 PM

The MBAM post was a standard post, as many people install it and forget about it. (not you)

 

 

Are any of these listed programs showing in Programs and Features, or in Add-ons ??

You have installed all of these items below that will redirect you or show up in Programs and Features or as Extensions.

RoYalCoupOen
SaVerAddon
optimizer pro v3.2

 

If so, you need to fully try and remove them first ............





