
Computer infected with unknown (virus, trojan, spyware, malware)


This topic is locked
15 replies to this topic

#1 slowshootin

slowshootin

  • Members
  • 22 posts

Posted 18 May 2015 - 01:47 PM

Hello,

 

I've already been helped by another user and redirected to the preparation guide.

Some of it is in Dutch (sorry about that); if you have any questions, please ask.

Is it OK if I reinstall the op?

 

Also, I just got another message from Avast that an attack has been blocked from the Windows folder.

 

Slowshootin

Attached Files




 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 May 2015 - 07:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove MyBestOffers using the Add/Remove programs applet.
MyBestOffersToday 007.246 (HKLM-x32\...\mbot_nl_246_is1) (Version: - MYBESTOFFERSTODAY) <==== ATTENTION

===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://nl.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://nl.wikipedia.org/wiki/Special:Search?search={searchTerms}
Toolbar: HKU\S-1-5-21-1855744329-2542374384-547676269-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S2 cizodyde; No ImagePath
S2 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [X]
S4 qyjohehi; No ImagePath

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
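As an added example (not from this thread, and not code from FRST or its author), here is a small Python triage helper that classifies FRST scan-log lines of the kinds nasdaq put into the fixlist above: services with no ImagePath, services whose binary is missing ([X]), dangling "No File" plugin and toolbar references, search-scope providers with their host, and Chrome policy restrictions. The line formats are taken from this thread; the regular expressions and the random-looking-name heuristic (lowercase gibberish such as cizodyde, a hint rather than a verdict) are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the FRST entries nasdaq listed in the fixlist above.
SAMPLE_FRST = r"""
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://nl.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://nl.wikipedia.org/wiki/Special:Search?search={searchTerms}
Toolbar: HKU\S-1-5-21-1855744329-2542374384-547676269-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll No File
S2 cizodyde; No ImagePath
S2 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [X]
S4 qyjohehi; No ImagePath
"""

SERVICE_RE = re.compile(r"^([SRU]\d) ([^;]+); (.*)$")            # "S2 name; target"
SCOPE_RE = re.compile(r"^SearchScopes: (\S+) -> (\{[0-9a-fA-F-]+\}) URL = (\S+)")
RANDOM_NAME_RE = re.compile(r"[a-z]{6,10}")  # heuristic (assumption): lowercase gibberish names

def classify(line):
    """Map one FRST log line to a (kind, detail) pair, or None if it is not of interest."""
    if (m := SERVICE_RE.match(line)):
        start, name, target = m.groups()
        if target == "No ImagePath":                      # registry service with no binary behind it
            suspicious = bool(RANDOM_NAME_RE.fullmatch(name))
            return ("orphan_service", {"name": name, "start": start, "random_name": suspicious})
        if target.endswith("[X]"):                         # FRST marks a missing service binary with [X]
            return ("missing_service_binary", {"name": name, "path": target[:-4].strip('" ')})
        return None
    if (m := SCOPE_RE.match(line)):
        hive, clsid, url = m.groups()                      # record which host the search provider points at
        return ("search_scope", {"hive": hive, "clsid": clsid, "host": urlparse(url).hostname})
    if line.rstrip().endswith("No File"):                  # plugin/toolbar entry whose file is gone
        return ("dangling_reference", {"entry": line.split(" -> ", 1)[0]})
    if line.startswith("CHR ") and "Policy restriction" in line:
        return ("browser_policy", {"key": line.split(":", 1)[0][4:]})
    return None

def triage(text):
    """Return every flagged entry, noting whether FRST itself tagged the line ATTENTION."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if (hit := classify(line)):
            kind, detail = hit
            detail["attention"] = "ATTENTION" in line
            findings.append((kind, detail))
    return findings
```

Calling triage(SAMPLE_FRST) yields eight findings, with both no-ImagePath services flagged as random-looking and only the Chrome policy line carrying FRST's own ATTENTION marker.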

#3 slowshootin

slowshootin
  • Topic Starter

  • Members
  • 22 posts

Posted 23 May 2015 - 08:14 AM

Hello nasdaq,

 

The program bestbuy was already deleted as stated by a message from the Add/Remove programs applet.

 

This is the log from the Farbar tool:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-05-2015 01
Ran by piet at 2015-05-23 15:02:30 Run:1
Running from C:\Users\piet\Downloads
Loaded Profiles: piet (Available Profiles: piet)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://nl.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://nl.wikipedia.org/wiki/Special:Search?search={searchTerms}
Toolbar: HKU\S-1-5-21-1855744329-2542374384-547676269-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S2 cizodyde; No ImagePath
S2 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [X]
S4 qyjohehi; No ImagePath
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => key Removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}" => key Removed successfully
HKCR\Wow6432Node\CLSID\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}" => key Removed successfully
HKCR\Wow6432Node\CLSID\{d43b3890-80c7-4010-a95d-1e77b5924dc3} => key not found. 
HKU\S-1-5-21-1855744329-2542374384-547676269-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value Removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found. 
"HKLM\Software\MozillaPlugins\@esn/npbattlelog,version=2.5.1" => key Removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key Removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@esn/npbattlelog,version=2.5.1" => key Removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key Removed successfully
cizodyde => Service Removed successfully
HP Support Assistant Service => Service Removed successfully
qyjohehi => Service Removed successfully
 
 
The system needed a reboot. 
 
==== End of Fixlog 15:03:09 ====
 
 
 
 
This is the log from AdwCleaner:
 
 
 
 
# AdwCleaner v4.203 - Logbestand aangemaakt 23/05/2015 op 14:54:23
# Laatste update 30/04/2015 door Xplode
# Database : 2015-05-21.2 [Server]
# Besturingssysteem : Windows 7 Home Premium Service Pack 1 (x64)
# Gebruikersnaam : piet - PIET-HP
# Gestart vanuit : C:\Users\piet\Downloads\adwcleaner_4.203.exe
# Optie : Verwijderen
 
***** [ Services ] *****
 
 
***** [ Bestanden / Mappen ] *****
 
Bestand Verwijderd : C:\Users\piet\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
Bestand Verwijderd : C:\Users\piet\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
 
***** [ Geplande taken ] *****
 
 
***** [ Snelkoppelingen ] *****
 
 
***** [ Register ] *****
 
Sleutel Verwijderd : HKCU\Software\subpar
 
***** [ Webbrowsers ] *****
 
-\\ Internet Explorer v11.0.9600.17801
 
 
-\\ Google Chrome v42.0.2311.152
 
 
-\\ Chromium v
 
 
*************************
 
AdwCleaner[R0].txt - [15982 bytes] - [01/05/2015 21:37:00]
AdwCleaner[R1].txt - [1282 bytes] - [23/05/2015 14:52:55]
AdwCleaner[S0].txt - [12762 bytes] - [01/05/2015 21:44:10]
AdwCleaner[S1].txt - [1166 bytes] - [23/05/2015 14:54:23]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1225  bytes] ##########
 
From what I can see, there are no more infections.
 
Should I scan with Avast, ADW and Malwarebytes?
 
Also, a big thank you for your help. It is really amazing that you guys do this all for free.

 

Slowshootin



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 May 2015 - 12:54 PM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 slowshootin

slowshootin
  • Topic Starter

  • Members
  • 22 posts

Posted 23 May 2015 - 05:21 PM

hello nasdaq,

 

Just scanned with Avast (no viruses found) and then again with Malwarebytes, but Malwarebytes found one item.

 

Log posted below

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scandatum: 23-5-2015
Scantijd: 23:34:12
Logbestand: a.txt
Beheerder: Ja
 
Versie: 2.01.6.1022
Malware Gegevensbestand: v2015.05.23.04
Rootkit Gegevensbestand: v2015.05.16.01
Licentie: Gratis
Malwarebescherming: Uitgeschakeld
Kwaadaardige Website Bescherming: Uitgeschakeld
Zelfbescherming: Uitgeschakeld
 
Besturingssysteem: Windows 7 Service Pack 1
Processor: x64
Bestandssysteem: NTFS
Gebruiker: piet
 
Scantype: Bedreigingsscan
Resultaat: Voltooid
Objecten Gescand: 406247
Verstreken Tijd: 30 m, 13 s
 
Geheugen: Ingeschakeld
Opstarten: Ingeschakeld
Bestandssysteem: Ingeschakeld
Archieven: Ingeschakeld
Rootkits: Uitgeschakeld
Heuristiek: Ingeschakeld
POP: Ingeschakeld
POA: Ingeschakeld
 
Processen: 0
(Geen kwaadaardige items gedetecteerd)
 
Modules: 0
(Geen kwaadaardige items gedetecteerd)
 
Registersleutels: 1
PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{1146AC44-2F03-4431-B4FD-889BC837521F}{cae99edb}, In Quarantaine, [868a99fe6624b185dca6b5c1f60fa759], 
 
Registerwaardes: 0
(Geen kwaadaardige items gedetecteerd)
 
Registerdata: 0
(Geen kwaadaardige items gedetecteerd)
 
Mappen: 0
(Geen kwaadaardige items gedetecteerd)
 
Bestanden: 0
(Geen kwaadaardige items gedetecteerd)
 
Fysieke Sectoren: 0
(Geen kwaadaardige items gedetecteerd)
 
 
(end)
 
Any idea what this could be?
 
I will scan with ADW again tomorrow, so I will update you with that log then.
 
Slowshootin


#6 slowshootin

slowshootin
  • Topic Starter

  • Members
  • 22 posts

Posted 26 May 2015 - 09:28 AM

Hello nasdaq,

 

Just booted up the PC and got this message from Avast.

 

[screenshot of the Avast message]

 

It is coming from svchost, so I'm kind of scared.

 

Also, the URL looks like it's a P2P network. Is this true?

 

Slowshootin



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 May 2015 - 01:06 PM

Avast blocked an attack from 37.48.117.50


Is this your Internet provider?
http://whatismyipaddress.com/ip/37.48.117.50

#8 slowshootin

slowshootin
  • Topic Starter

  • Members
  • 22 posts

Posted 27 May 2015 - 12:25 AM

Hello nasdaq,

 

No, it is most certainly not.

I looked up the company and it was one of the companies hosting the Megaupload servers (not that that is much of an answer).

But again, this is not my internet provider. I checked again with my own IP and got normal information about my provider.

 

slowshootin



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 May 2015 - 06:52 AM


It may just be that Avast is doing its job.

However, if you are using a router, it may be infected.


How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

#10 slowshootin

slowshootin
  • Topic Starter

  • Members
  • 22 posts

Posted 29 May 2015 - 07:48 AM

Hello nasdaq,

 

I did not yet reset the router because I'm very busy at the moment (will do it later this week, most likely on Sunday).

But what I do know is that we don't have this problem with any of the other 3 computers we have at our home. We all use the same router.

I don't know if this changes anything but just wanted to let you know.

 

Slowshootin



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 May 2015 - 01:10 PM

Forget about the router for now.

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

Clear your Temporary Internet files.

===

Restart the computer normally.

How is it now?

#12 slowshootin

slowshootin
  • Topic Starter

  • Members
  • 22 posts

Posted 29 May 2015 - 01:50 PM

Can I clear my temporary internet files with CCleaner?



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 May 2015 - 07:24 AM

How is it now?

#14 slowshootin

slowshootin
  • Topic Starter

  • Members
  • 22 posts

Posted 03 June 2015 - 01:08 PM

Hello nasdaq,

 

I did not encounter the same message again.

So I believe it is all well and done.

Thank you very much for your help. I could not have done it without the help of you guys.

 

Slowshootin



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2015 - 01:32 PM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
