Dealsfactor malware infection (windows 8)


#1 ArghUser (Member, 14 posts)
Hi there,
 
I have a dealsfactor infection from helping a friend's laptop (who was riddled with viruses, argh!)  I ran AdwCleaner and Malwarebytes but they didn't catch it all.  I was also wondering if there's a way for me to learn how to create fixlists for FRST when I run into issues like this in the future (so I don't have to take up you guys' time! haha).
 
Problem is, trying to post either of my logs (FRST and Addition, or one or the other) keeps timing out this post from sending.  I'd notepad them and attach, but I know it says to copy/paste only.  Would it be easier for me to pastebin both?  This is an insanely large Addition file, I've never seen one this large.
 
Thank you for the help!

#2 zep516 (Trusted Helper, Malware Removal, 6,793 posts)
Hello,

You can attach logs if necessary.

Thanks
Joe :)

#3 ArghUser (Topic Starter, Member, 14 posts)

Hi Joe!

 

Thanks, I've attached the FRST and ADD logs :)

Attached file: Logs.txt (547.7KB, 51 downloads)


#4 zep516 (Trusted Helper, Malware Removal, 6,793 posts)
Hello,

Can you post the adwCleaner SO.txt log and the Malwarebytes log too?

Also;

Farbar Recovery Scanner needs to be running from the desktop. You have it in the downloads folder. Please move it to the desktop.
To do that:
  • Navigate to your downloads folder --> C:\Users\Angel\Downloads
  • In the downloads folder find FRST (Farbar recovery scan tool)
  • Right click on it, choose Cut.
  • Go back to the desktop.
  • On an empty space right click, choose Paste.
  • Farbar will now have been successfully moved to the desktop.
No additional scan needed. I'll review the logs and get back to you.

Thanks
Joe :)

#5 ArghUser (Topic Starter, Member, 14 posts)

Hi Joe!

 

Here are the logs-

 

Attached file: FRST.txt (541.5KB, 98 downloads)


#6 zep516 (Trusted Helper, Malware Removal, 6,793 posts)
Hello,

A few items to fix.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://g.msn.com/1ewenusDefaultPack/U217_DefaultPack_DHP2
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3257919228-2720765789-3481981865-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
CHR HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ncmdmcjifbkefpaijakdbgfjbpaonjhg] - No Path Or update_url value
S3 AppObserver; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys [X]
C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys
C:\Users\Angel\AppData\Local\Temp\BrowserKill32.exe
C:\Users\Angel\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphitafa.dll
C:\Users\Angel\AppData\Local\Temp\Quarantine.exe
C:\Users\Angel\AppData\Local\Temp\sqlite3.dll
AlternateDataStreams: C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes
C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes
CMD: ipconfig /flushdns
hosts:
Emptytemp:
end
Click Format and ensure Wordwrap is unchecked.
Save as Fixlist.txt to your Desktop (must be in this location).
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

In your next reply, post:

Fixlog.txt. That log will be located on the desktop.

#7 ArghUser (Topic Starter, Member, 14 posts)

Hey Joe-

 

Thanks for the help!  Here's the log-

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Chickita at 2015-03-28 19:00:39 Run:1
Running from C:\Users\Angel\Desktop
Loaded Profiles: Chickita (Available profiles: Chickita & music_000 & Administrator)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://g.msn.com/1ew...efaultPack_DHP2
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3257919228-2720765789-3481981865-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
CHR HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ncmdmcjifbkefpaijakdbgfjbpaonjhg] - No Path Or update_url value
S3 AppObserver; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys [X]
C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys
C:\Users\Angel\AppData\Local\Temp\BrowserKill32.exe
C:\Users\Angel\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphitafa.dll
C:\Users\Angel\AppData\Local\Temp\Quarantine.exe
C:\Users\Angel\AppData\Local\Temp\sqlite3.dll
AlternateDataStreams: C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes
C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes
CMD: ipconfig /flushdns
hosts:
Emptytemp:
end
*****************
 
Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\Software\Microsoft\Internet Explorer\Main\\Secondary Start Pages => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 
"HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Google\Chrome\Extensions\ncmdmcjifbkefpaijakdbgfjbpaonjhg" => Key deleted successfully.
AppObserver => Service deleted successfully.
"C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys" => File/Directory not found.
C:\Users\Angel\AppData\Local\Temp\BrowserKill32.exe => Moved successfully.
"C:\Users\Angel\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphitafa.dll" => File/Directory not found.
C:\Users\Angel\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Angel\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Angel\Desktop\2015-03-26 00.29.49.png => ":com.dropbox.attributes" ADS removed successfully.
"C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes" => File/Directory not found.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 1.3 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 19:02:21 ====
 
 
On reset, I wasn't prompted by dealsfactor, and I see nothing in my extensions on my browsers either.

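The Fixlog above is a flat list of "item => outcome" lines. The following Python script is an added example, not code from this thread or from FRST itself: it parses such a log and summarises which items were deleted, moved or not found, so a reviewer can quickly see which entries were already gone (or still need a second look) and whether a reboot was required. The sample log is constructed from lines of the same shape as the one posted above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Fixlog posted above.
SAMPLE_FIXLOG = """\
Processes closed successfully.
Restore point was successfully created.
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\SearchScopes\\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\\CLSID\\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
AppObserver => Service deleted successfully.
"C:\\Program Files (x86)\\NetRatingsNetSight\\NetSight\\meter1\\appobserver64.sys" => File/Directory not found.
C:\\Users\\Angel\\AppData\\Local\\Temp\\BrowserKill32.exe => Moved successfully.
C:\\Users\\Angel\\Desktop\\2015-03-26 00.29.49.png => ":com.dropbox.attributes" ADS removed successfully.
EmptyTemp: => Removed 1.3 GB temporary data.
The system needed a reboot.
"""

# Outcome phrases as they appear in the log; anything else is classed as "other".
OUTCOMES = [
    ("deleted", re.compile(r"deleted successfully")),
    ("moved", re.compile(r"Moved successfully")),
    ("ads_removed", re.compile(r"ADS removed successfully")),
    ("not_found", re.compile(r"not found")),
]

# Item may be wrapped in double quotes; everything after "=>" is the result.
LINE_RE = re.compile(r'^"?(?P<item>.+?)"?\s*=>\s*(?P<result>.+)$')

def parse_fixlog(text):
    """Return (item, outcome, raw_result) for every line that contains '=>'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        result = m.group("result").strip()
        outcome = next((name for name, rx in OUTCOMES if rx.search(result)), "other")
        entries.append((m.group("item"), outcome, result))
    return entries

def summarize(text):
    """Count outcomes, list items FRST could not find, and flag a required reboot."""
    entries = parse_fixlog(text)
    counts = Counter(outcome for _, outcome, _ in entries)
    missing = [item for item, outcome, _ in entries if outcome == "not_found"]
    reboot = "The system needed a reboot." in text
    return {"counts": dict(counts), "missing": missing, "reboot": reboot}

if __name__ == "__main__":
    print(summarize(SAMPLE_FIXLOG))
```

Items reported as not found are usually ones an earlier scanner already removed, but they are worth re-checking in a fresh FRST scan before declaring the machine clean.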

#8 zep516 (Trusted Helper, Malware Removal, 6,793 posts)
OK,

Did you run ComboFix at any time? I see it in your downloads folder:
2015-03-25 22:17 - 2015-03-25 22:17 - 05615749 _____ (Swearware) C:\Users\Angel\Downloads\ComboFix.exe
If you ran it, do you have the log file? It would be located at C:\Combofix.txt.

Thanks
Joe :)

#9 ArghUser (Topic Starter, Member, 14 posts)

I haven't actually.  I'm running Windows 8.1 64-bit, but every time I try installing it here, I get an error telling me my laptop isn't compatible, while listing Windows 8.1 64-bit :P

 

It runs on another 8.1 64-bit laptop I have, but not this one.



#10 zep516 (Trusted Helper, Malware Removal, 6,793 posts)
OK,

ComboFix isn't compatible with Windows 8.1; I would suggest not using ComboFix unless instructed.

How is the computer? Any malware-related issues? If not, we can remove the tools we used.

Thanks
Joe :)

#11 ArghUser (Topic Starter, Member, 14 posts)

Everything seems good now, no pop-ups. I've gone through my browsers again and I see no issue currently. Thank you!



#12 zep516 (Trusted Helper, Malware Removal, 6,793 posts)
Hello,

Let's clean up the tools I had you download. This exercise will remove all malware tools and log files from the desktop; it will clear out all restore points and create a new one.

Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a Notepad report. Paste it for my review.
Thanks
Joe :)