[Closed] Malwarebytes Targeted, Same problem as before despite new har


  • This topic is locked
58 replies to this topic

#31 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 17 October 2009 - 10:45 AM

I haven't been able to do the scan yet, I've just been incredibly busy. I probably won't be able to do the scan today either. I just wanted to make a post to tell you that, so that the topic isn't locked.



#32 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 17 October 2009 - 10:48 AM

OK, no problem, thanks for letting me know

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#33 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 25 October 2009 - 02:27 AM

This past week has been hell for me. Just incredibly busy with school and family stuff that popped up. I'm not going to bore you with the details of why I was busy though. Everything looked fine on the computer and everything was working properly until three days ago. The computer started displaying the pop-up windows again and at first, I just thought it was a "normal" virus and I ran Malwarebytes, which was still there. I say still there, because now the .exe doesn't display, just like before, and the pop-ups have become worse.

#34 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 25 October 2009 - 06:32 AM

Hi,

Were you ever able to find out how to disable / remove McAfee from your system?

While it is still enabled, it is probably interfering with the fixes we are doing.

Please do the following:

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • In the custom scans section copy and paste in the following

    %systemroot%\*. /s /r

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#35 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 25 October 2009 - 07:00 AM

This is a school computer,


C:\Documents and Settings\jmart366\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe



Sorry to butt in here, but as a Technician at a school district, I need to ask a few questions.

Are you allowed to work on the school's computers?
Do you have domain / network administrators?

This type of infection should have been prevented at the server / domain level.

You had this infection before and replaced the hard drive.
It's possible your network is infected. Have you reported this?

Why would a P2P program like LimeWire be allowed on your computers?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

 

Proud graduate of TC/WTT Classroom

 


#36 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 25 October 2009 - 03:24 PM

I attempted the scan, but part way through it, I got blue screened and was forced to restart the computer. I'll attempt it again once I finish this post. LDTate: We are allowed to download and use whatever programs we wish on the computer. I have Windows Live Messenger on this computer as well as AIM, which didn't come with the computer. We're allowed to use what we wish. The campus' network somehow has LimeWire or any P2P/torrent download program blocked, so it's impossible to use them on campus.

#37 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 25 October 2009 - 05:42 PM

OTS.txt is attached. After the scan was completed, it displayed the OTS.txt. Then the computer forced a reboot on me, but so far, nothing seems to be worse. Also, McAfee's VirusScan found and deleted a "y.exy".

Attached Files

  • Attached File  OTS.Txt   249.26KB   271 downloads


#38 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 25 October 2009 - 08:07 PM

Hi,

Please do the following:

Start OTS
Copy/Paste the information inside the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Processes - Safe List]
YY -> askupgrade.exe -> C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
YY -> askservice.exe -> C:\Program Files\AskBarDis\bar\bin\AskService.exe
[Win32 Services - Safe List]
YY -> (ASKUpgrade) ASKUpgrade [Win32_Own | Auto | Running] -> C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
YY -> (ASKService) ASKService [Win32_Own | Auto | Running] -> C:\Program Files\AskBarDis\bar\bin\AskService.exe
[Modules - Safe List]
YY -> fopihofu.dll -> C:\WINDOWS\System32\fopihofu.dll
YY -> siyizene.dll -> C:\WINDOWS\System32\siyizene.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {201f27d4-3704-41d6-89c1-aa35e39143ed} [HKLM] -> C:\Program Files\AskBarDis\bar\bin\askBar.dll [AskBar BHO]
YN -> {5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YY -> {c2b6d7b0-a02f-48eb-9f08-f1ebbf51fb0a} [HKLM] -> C:\WINDOWS\System32\fetuboji.dll [Reg Error: Value error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{3041d03e-fd4b-44e0-b742-2d9b88305f98}" [HKLM] -> C:\Program Files\AskBarDis\bar\bin\askBar.dll [Ask Toolbar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "veluhepoj" -> C:\WINDOWS\System32\fopihofu.DLL [Rundll32.exe "c:\windows\system32\fopihofu.dll",a]
YY -> "yojududabo" -> C:\WINDOWS\System32\siyizene.dll [Rundll32.exe "siyizene.dll",s]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{97cfe1bc-b455-49a0-9195-db27a6de3a21}" [HKLM] -> C:\WINDOWS\System32\fopihofu.dll [mifigakal]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{97cfe1bc-b455-49a0-9195-db27a6de3a21}" [HKLM] -> C:\WINDOWS\System32\fopihofu.dll [gahurihor]
[Files/Folders - Created Within 30 Days]
NY -> AskBarDis -> C:\Program Files\AskBarDis
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> hikuline -> C:\WINDOWS\System32\hikuline
NY -> 7 C:\Documents and Settings\jmart366\Local Settings\temp\*.tmp files -> C:\Documents and Settings\jmart366\Local Settings\temp\*.tmp
NY -> 5 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY -> fopihofu.dll -> C:\WINDOWS\System32\fopihofu.dll
NY -> tisawipu.dll -> C:\WINDOWS\System32\tisawipu.dll
NY -> yonubima.dll -> C:\WINDOWS\System32\yonubima.dll
NY -> defubigo.dll -> C:\WINDOWS\System32\defubigo.dll
NY -> votifiwa.dll -> C:\WINDOWS\System32\votifiwa.dll
NY -> siyizene.dll -> C:\WINDOWS\System32\siyizene.dll
NY -> fetuboji.dll -> C:\WINDOWS\System32\fetuboji.dll
NY -> siliyada.dll -> C:\WINDOWS\System32\siliyada.dll
NY -> torayowo.dll -> C:\WINDOWS\System32\torayowo.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
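The fix script in the post above names the same DLLs under several autostart locations. As an added example (not part of the thread and not OTS code), this Python sketch parses an excerpt of that script and lists which DLLs are referenced from more than one location; the parsing rules are assumptions inferred from the layout of the lines above, and the two-letter flags are left uninterpreted.

```python
import re
from collections import defaultdict

# Excerpt copied from the fix script in the post above (not constructed).
FIX = r'''[Modules - Safe List]
YY -> fopihofu.dll -> C:\WINDOWS\System32\fopihofu.dll
YY -> siyizene.dll -> C:\WINDOWS\System32\siyizene.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {c2b6d7b0-a02f-48eb-9f08-f1ebbf51fb0a} [HKLM] -> C:\WINDOWS\System32\fetuboji.dll [Reg Error: Value error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "veluhepoj" -> C:\WINDOWS\System32\fopihofu.DLL [Rundll32.exe "c:\windows\system32\fopihofu.dll",a]
YY -> "yojududabo" -> C:\WINDOWS\System32\siyizene.dll [Rundll32.exe "siyizene.dll",s]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{97cfe1bc-b455-49a0-9195-db27a6de3a21}" [HKLM] -> C:\WINDOWS\System32\fopihofu.dll [mifigakal]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{97cfe1bc-b455-49a0-9195-db27a6de3a21}" [HKLM] -> C:\WINDOWS\System32\fopihofu.dll [gahurihor]
'''

# Assumed line shapes, inferred from the script's layout (not a documented grammar).
SECTION = re.compile(r'^\[(.+)\]$')                 # [Modules - Safe List]
SUBKEY = re.compile(r'^< (.+?) \[.*?\] > -> .+$')   # < Run [HKEY_...] > -> key path
ENTRY = re.compile(r'^[YN]{2} -> .+? -> (.+)$')     # flags -> name -> target
DLL = re.compile(r'([^\\"\s]+\.dll)', re.I)         # DLL basename inside a target

def dll_locations(script):
    """Map each DLL basename (lowercased) to the set of script locations naming it."""
    seen = defaultdict(set)
    where = None
    for line in script.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            where = m.group(1)
        elif m := SUBKEY.match(line):
            where = m.group(1)            # registry sub-heading, e.g. "Run"
        elif m := ENTRY.match(line):
            for name in DLL.findall(m.group(1)):
                seen[name.lower()].add(where)
    return seen

def registered_in(script, minimum=2):
    """DLLs named in at least `minimum` locations, most widely referenced first."""
    hits = [(n, sorted(w)) for n, w in dll_locations(script).items() if len(w) >= minimum]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    for name, places in registered_in(FIX):
        print(f"{name}: {', '.join(places)}")
```
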


#39 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 26 October 2009 - 04:17 PM

For some reason copy and paste have been disabled, so I have to type it out in the box. I don't know if I should do that or not, there might be some minor thing that I miss that messes up everything, so I'll wait for your input.

Edited by Mirrodin, 26 October 2009 - 04:19 PM.


#40 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 26 October 2009 - 04:23 PM

Hi,

Try using the keyboard shortcuts to copy and paste:
Ctrl+A to select all the text
Ctrl+C to copy it
Ctrl+V to paste it into OTS

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#41 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 26 October 2009 - 04:44 PM

I tried the shortcuts as well. Nothing has worked.

#42 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 26 October 2009 - 04:45 PM

Try it in safe mode

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#43 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 26 October 2009 - 05:03 PM

Will do.

#44 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 26 October 2009 - 05:34 PM

When in safe mode, I can't access the internet so I can't really get to the info. I'm guessing save the page as an HTML page or something?

#45 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 26 October 2009 - 05:48 PM

No. Does your safe mode with networking not allow you to connect? I am uploading a batch fix for you. Extract it to your desktop and click on the fix.bat icon; it will only take a moment to run. A notepad should open when complete. See if your ability to copy/paste returns once it's done.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
