
Getting rid of Qone8.com and mama.cn


  • This topic is locked
8 replies to this topic

#1 marinecomputer

marinecomputer

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 05 August 2015 - 05:04 AM

Hi,

 

New to bleepingcomputer.com.  Saw a previous post answered by TwinHeadedEagle with possibly an identical problem.

 

I have Windows 7 Vista SP2 X 64 bit.  Using Avast software and Malwarebytes.

 

Lately, Avast crashed two or three times.  And, the Avast browser add-on was disabled after those occasions.  Also, Avast SmartScan informs me I now have registry problems, that it can not fix.

 

When I run Malwarebytes, no malware/adware/viruses are detected.

 

However, when I run Avast SmartScan I receive notices that two viruses are "outbound".  The viruses and their IPs follow;

 

Qone8.com   IP 50.22.218.160 (Chantilly, Virginia)

 

mama.cn       IP 119.145.147.81 (China)

 

I've tried all the Internet tips available, but these outbound virus notifications appear (almost) every time I run Avast SmartScan.  And, Avast daily reports I have registry problems.  I couldn't follow the threads between TwinHeadedEagle and Scorsagian who worked together to solve what sounded like an identical problem.  Since TwinHeadedEagle recommended Scarsagian generate two reports via the Farbar Recovery Scan Tool, I have done that also.  The reports are attached.

 

If someone can assist, I'd greatly appreciate it.  Thanks in advance,

Marinecomputer

Attached files: Addition.txt (34.58KB), FRST.txt (237.15KB)





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:52 PM

Posted 05 August 2015 - 08:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

EmptyTemp:
CloseProcesses:

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-07-22]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===


How is the computer running now?

#3 marinecomputer

marinecomputer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 06 August 2015 - 04:45 AM

Hello,

 

First - thank you for taking the time to reply.  It must have taken a good bit of your time.

 

But, I'm sorry to say that I just can't understand your directions.  I'm a 60-year-old business manager and not terribly familiar with the inner workings of computers. If at all possible, can you put your directions into simpler terms - "Click here", "type this in the box", etc.

 

For instance;

 

Start - start what?  Click on the Windows "Start" icon in the lower left side of the computer screen?  Or, did you mean - "Start" the process?

 

Emptytemp:

Closeprocesses:  I have no idea what I am supposed to do here or with the list of files listed immediately below up to where you typed, "end"?

 

The FarBar tool did not download on my computer.  I tried, but the tool simply runs and doesn't download.  I checked my installed programs and it is not there.  I'll try a few more times, but I can't find the tool.

 

I can understand the other directions to download and run the virus scanning/removal programs.

 

Thank YOU,

 

MC

 

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:52 PM

Posted 06 August 2015 - 08:03 AM



My first command to run the FixList.txt file can be skipped.
I just wanted to clean some remnant entries in the registry.
Nothing can come of the empty item.


The Farbar tool is running from your Internet Temporary cache.
C:\Users\blueberries\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NK61PEDD

I suspect that when you download the RogueKiller and AdwCleaner tools that they will also be saved in the IE Cache.
They need to be saved on your Desktop.
If you have problems with this let me know.


===

Download the RogueKiller and AdwCleaner tools to your desktop.

Just execute the programs and paste the content of the logs in your next reply.

===

Reset Internet Explorer:

Open Internet Explorer and on the Menu
Click >Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

Follow the instructions on the page to clear the Internet Explorer cache.

https://kb.wisc.edu/page.php?id=15141

If you need additional information please ask before proceeding.

#5 marinecomputer

marinecomputer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 06 August 2015 - 08:21 PM

Thanks again.

 

I ran the RogueKiller and AdwCleaner removal tools.  You didn't say to click on "Clean" after running Adw, but I assumed I should, so I clicked on that button.

 

Couldn't find one consolidated report from RogueKiller, so I had to generate a report from each sector scanned.  On one screen, there seemed to be lots of Rootkit errors, but the page didn't allow me to generate a report.

 

I still can't find FarBar on the computer.  After C:users/blueberries - App Data option does not exist.  I'll keep trying and will likely find it.  I know I've seen the TemporaryInternetFiles/IE.5 folder before  - somewhere.

 

Sorry for the multiple reports from RogueKiller if only one report was possible.  I just couldn't figure out how to put everything into one report without copying and pasting into one Notepad file.

 

I  cleaned the Internet cache and also used the Developer Tools option to run a second cleaner.

 

Please let me know if I did something wrong or need to send you a different report.  Advice on how to obtain the report would be appreciated if I didn't do something correctly.

 

Thanks - MC




#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:52 PM

Posted 07 August 2015 - 08:01 AM

Your reports are all the same...

I have downloaded and run the new version of the RogueKiller.
I must admit my old instructions may have confused you.

You should have the program file on your Desktop.
Just run it and follow the following revised instructions.
You have nothing to do until you are asked to click SCAN and save the file.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed, click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on the Export TXT button and save the file as RogueReport.txt
  • The file RogueReport.txt will be saved on the Desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
p.s.
There should be one report generated.

#7 marinecomputer

marinecomputer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 07 August 2015 - 10:09 AM

Nasdaq;

 

Thanks one last time for all the work on my behalf.

 

But, after doing what I did to the computer, it virtually stopped working completely.  It shut off automatically, browser add-ons disappeared, every time I restarted I was forced to reinstall IE9 and many other problems.

 

So, I wiped the HD clean and completely reinstalled Windows 7 Vista SP 2.  Just finished after 7 hours.  Things seem to be working smoothly, though I haven't checked everything out (It is midnight in Japan).

 

I don't know if you can answer the question or not...  Do you recommend a particular virus software program?  I had McAfee for many years and switched to Avast 2-3 weeks ago.  Since buying Avast, all the problems started.  Basically, the first time I've had viruses in almost 20 years of using home computers.

 

Regardless of response - my sincere thanks for all of your help.

 

MC



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:52 PM

Posted 07 August 2015 - 01:10 PM

The paid version of Avast is good.

Keep it up to date.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:52 PM

Posted 13 August 2015 - 10:03 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



