[ArghUser]

Hi there,

 

I have a dealsfactor infection from helping a friends laptop (who was riddled with viruses, argh!)  I ran adwcleaner and malwarebytes but it didn't catch it all.  I was also wondering if there's a way for me to learn how to create fixlogs for frst when i run into issues like this in the future (so i don't have to take up your guy's times! haha).

 

Problem is, trying to post either of my logs (FRST and Addition- or one or the other) keeps timing out this post from sending.  I'd notepad them and attach, but I know it says to copy/paste only.  Would it be easier for me to pastebin both?  This is an insanely large addition file, i've never seen one this large.

 

Thank you for the help!

[Advertisements]

Hello,

You can attach logs if necessary.

Thanks
Joe

[zep516]

Hello,

You can attach logs if necessary.

Thanks
Joe

[ArghUser]

Hi Joe!

 

Thanks, I've attached the FRST and ADD logs

Attached Files

•  Logs.txt   547.7KB   162 downloads

[zep516]

Hello,

Can you post the adwCleaner SO.txt log and the Malwarebytes log too.

Also;

Farber Recovery Scanner needs to be running fron the desktop. You have it in the downloads folder. Please move to desktop
To do that:

• Navagate to your downloads folder--> C:\Users\Angel\Downloads
• In the downloads folder find FRST (Farber recovery scan tool)
• Right click on it,Choose cut.
• Go back to the desktop.
• On an empty space right click, choose paste.
• Farber will now have been successfully moved to desktop.

No additional scan needed. I'll review the logs and get back to you.

Thanks
Joe

[ArghUser]

Hi Joe!

 

Here are the logs-

 

Attached Files

•  FRST.txt   541.5KB   215 downloads

[zep516]

Hello,

A few items to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://g.msn.com/1ewenusDefaultPack/U217_DefaultPack_DHP2
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3257919228-2720765789-3481981865-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
CHR HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ncmdmcjifbkefpaijakdbgfjbpaonjhg] - No Path Or update_url value
S3 AppObserver; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys [X]
C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys
C:\Users\Angel\AppData\Local\Temp\BrowserKill32.exe
C:\Users\Angel\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphitafa.dll
C:\Users\Angel\AppData\Local\Temp\Quarantine.exe
C:\Users\Angel\AppData\Local\Temp\sqlite3.dll
AlternateDataStreams: C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes
C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes
CMD: ipconfig /flushdns
hosts:
Emptytemp:
end

Click Format and ensure Wordwrap is unchecked.
Save as Fixlist.txt to your Desktop (Must be in this location)
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

In your next reply post;

Fixlog.txt, That log will be located on the desktop.

[ArghUser]

Hey Joe-

 

Thanks for the help!  Here's the log-

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015

Ran by Chickita at 2015-03-28 19:00:39 Run:1

Running from C:\Users\Angel\Desktop

Loaded Profiles: Chickita (Available profiles: Chickita & music_000 & Administrator)

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

start

CloseProcesses:

CreateRestorePoint:

HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://g.msn.com/1ew...efaultPack_DHP2

SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}

SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

SearchScopes: HKU\S-1-5-21-3257919228-2720765789-3481981865-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}

CHR HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ncmdmcjifbkefpaijakdbgfjbpaonjhg] - No Path Or update_url value

S3 AppObserver; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys [X]

C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys

C:\Users\Angel\AppData\Local\Temp\BrowserKill32.exe

C:\Users\Angel\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphitafa.dll

C:\Users\Angel\AppData\Local\Temp\Quarantine.exe

C:\Users\Angel\AppData\Local\Temp\sqlite3.dll

AlternateDataStreams: C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes

C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes

CMD: ipconfig /flushdns

hosts:

Emptytemp:

end

*****************

 

Processes closed successfully.

Restore point was successfully created.

HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\Software\Microsoft\Internet Explorer\Main\\Secondary Start Pages => value deleted successfully.

"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.

HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.

HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.

HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.

"HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.

HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 

"HKU\S-1-5-21-3257919228-2720765789-3481981865-1001\SOFTWARE\Google\Chrome\Extensions\ncmdmcjifbkefpaijakdbgfjbpaonjhg" => Key deleted successfully.

AppObserver => Service deleted successfully.

"C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys" => File/Directory not found.

C:\Users\Angel\AppData\Local\Temp\BrowserKill32.exe => Moved successfully.

"C:\Users\Angel\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphitafa.dll" => File/Directory not found.

C:\Users\Angel\AppData\Local\Temp\Quarantine.exe => Moved successfully.

C:\Users\Angel\AppData\Local\Temp\sqlite3.dll => Moved successfully.

C:\Users\Angel\Desktop\2015-03-26 00.29.49.png => ":com.dropbox.attributes" ADS removed successfully.

"C:\Users\Angel\Desktop\2015-03-26 00.29.49.png:com.dropbox.attributes" => File/Directory not found.

 

=========  ipconfig /flushdns =========

 

 

Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.

 

========= End of CMD: =========

 

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.

Hosts was reset successfully.

EmptyTemp: => Removed 1.3 GB temporary data.

 

 

The system needed a reboot. 

 

==== End of Fixlog 19:02:21 ====

 

 

On reset, I wasn't prompted by dealsfactor, and I see nothing in my extensions on my browsers either

[zep516]

OK,

Did you run ComboFix at anytime, I see it in your downloads folder,
2015-03-25 22:17 - 2015-03-25 22:17 - 05615749 _____ (Swearware) C:\Users\Angel\Downloads\ComboFix.exe
If you ran it, do you have the log file ? It would be located at C:\Combofix.txt

Thanks
Joe

[ArghUser]

I haven't actually.  I'm running windows 8.1 64bit but every time I try installing it here, I get an error telling me my laptop isn't compatible, while listing windows 8.1 64bit

 

Runs on another 8.1 64 bit laptop i have, but not this one.

[zep516]

OK,

ComboFix isn't compatible with windows 8.1, I would suggest not using ComboFix unless instructed.

How is the computer ? Any issues Malware related ? If not we can remove the tools we used.

Thanks
Joe

[ArghUser]

Everything seems good now, no pop ups, I've went through my browsers again, I see no issue currently, thank you! 

[zep516]

Hello,

Lets clean up the tools I had you download. This exercise will remove all malware tools and log files from the desktop, it will clear out all restore points and create a new one.

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the icon and Run as administrator option.
• Make sure that these ones are checked:
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
• Push Run.
• The program will run for a few seconds and display a notepad report.
  Paste it for my review.

Thanks
Joe