
WAS Hijacked by Abnow.com/MediaShift


Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 4th, 2012, 3:07 am

The ESET Scan just finished. It took about 2 hours to complete. The scan did detect one threat....

Here's the ESET Log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=512abf2b5457984ea80139ac3dd3c4c5
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-04 06:54:29
# local_time=2012-02-04 01:54:29 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 66 100 2835437 164939133 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=161042
# found=1
# cleaned=0
# scan_time=6863
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 4th, 2012, 3:22 am

So far I haven't run into any problems running any of the programs you've listed. Your instructions have been very clear and easy to follow. I can't thank you enough for your time, expertise, and patience Gary!

I'm going to be heading to bed shortly but will check back here as soon as I get up. I'll be sure to promptly complete any instructions you post between now and then.

Thanks again and take care Gary!!
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby Gary R » February 4th, 2012, 11:29 am

The file found by ESET is one that was quarantined by ComboFix; it's encrypted, so it is no danger to your machine. We'll remove it when we finish cleaning up.

So we've just got a few minor issues to deal with.

First

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Java(TM) 6 Update 21
Java(TM) SE Runtime Environment 6
Advanced SystemCare 5


Old versions of Java can be exploited, and IObit Advanced SystemCare is a program with a poor reputation, which is known to illegally incorporate other people's software into its product .... http://forums.malwarebytes.org/index.ph ... opic=29681

Reboot your computer once those programs have been uninstalled.

Now download and install JDK 6 Update 30 (JDK or JRE).


Next

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:OTL
SRV - [2011/11/10 19:23:52 | 000,490,840 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
[2011/03/18 21:45:03 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2011/12/12 21:56:13 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2011/03/18 21:45:03 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com
O15 - HKU\.DEFAULT\..Trusted Ranges: GD ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: GD ([http] in Local intranet)
O15 - HKU\S-1-5-21-541192795-2877211147-3894580139-1000\..Trusted Domains: tube8.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-541192795-2877211147-3894580139-1000\..Trusted Domains: tubedirty.com ([www] http in Local intranet)

:Files
C:\IObit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 5
C:\Users\Braden\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced SystemCare 5.lnk
C:\Users\Braden\AppData\Local\x34ld0wa75056ge55t2tgw3a1m25050
C:\ProgramData\x34ld0wa75056ge55t2tgw3a1m25050
C:\Users\Braden\AppData\Roaming\Azureus
C:\Users\Braden\AppData\Roaming\IObit
C:\Users\Braden\AppData\Roaming\PeerNetworking
C:\Users\Default User\AppData\Roaming\IObit
C:\Program Files\IObit

:Commands
[ClearAllRestorePoints]
[EmptyTemp]
[ResetHosts]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 4th, 2012, 1:43 pm

Here's the OTL Log:

All processes killed
========== OTL ==========
Error: No service named AdvancedSystemCareService5 was found to stop!
Service\Driver key AdvancedSystemCareService5 not found.
File C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe not found.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\searchplugin folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\META-INF folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\chrome folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\searchplugin folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\modules folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\META-INF folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\defaults folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\chrome folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc} folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com\searchplugin folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com\META-INF folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com\DualPackage folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com\defaults folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com\components folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com\chrome folder moved successfully.
C:\Users\Braden\AppData\Roaming\mozilla\Firefox\Profiles\ywjexflu.default\extensions\engine@conduit.com folder moved successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http not found.
Registry key HKEY_USERS\S-1-5-21-541192795-2877211147-3894580139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tube8.com\www\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-541192795-2877211147-3894580139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tubedirty.com\www\ deleted successfully.
========== FILES ==========
C:\IObit\Advanced SystemCare V5\Boottime folder moved successfully.
C:\IObit\Advanced SystemCare V5 folder moved successfully.
C:\IObit folder moved successfully.
File\Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 5 not found.
File\Folder C:\Users\Braden\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced SystemCare 5.lnk not found.
C:\Users\Braden\AppData\Local\x34ld0wa75056ge55t2tgw3a1m25050 moved successfully.
C:\ProgramData\x34ld0wa75056ge55t2tgw3a1m25050 moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\torrents folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\tmp folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\shares folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\rss folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\plugins\mlab folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\plugins\azutp\x64 folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\plugins\azutp\win32 folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\plugins\azutp folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\plugins\azupnpav folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\plugins\aefeatman_v folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\plugins folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\net folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\logs folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\dht folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\devices folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\cache folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus\active folder moved successfully.
C:\Users\Braden\AppData\Roaming\Azureus folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\SmartRAM folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\IObit Uninstaller folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\IObit SmartDefrag folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\InternetBooster folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\DiskCleaner\backup folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\DiskCleaner folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced Uninsataller folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Toolbox folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Startup Manager folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\SmartRAM folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Smart RAM folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\SecurityHoles folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Log folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\EmptyFolder folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Driver Manager\DriverBackup folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Driver Manager folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Boottime folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5\Backup folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V5 folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\Toolbox folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\Startup Manager folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\SmartRAM folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\PMonitor folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\Log folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\DiskCheck folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\Disk Cleaner folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4\Backup folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare V4 folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare\Backup\Registry folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare\Backup folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit\Advanced SystemCare folder moved successfully.
C:\Users\Braden\AppData\Roaming\IObit folder moved successfully.
C:\Users\Braden\AppData\Roaming\PeerNetworking folder moved successfully.
C:\Users\Default User\AppData\Roaming\IObit\Advanced SystemCare V5\Boottime folder moved successfully.
C:\Users\Default User\AppData\Roaming\IObit\Advanced SystemCare V5 folder moved successfully.
C:\Users\Default User\AppData\Roaming\IObit\Advanced SystemCare V4\Log folder moved successfully.
C:\Users\Default User\AppData\Roaming\IObit\Advanced SystemCare V4 folder moved successfully.
C:\Users\Default User\AppData\Roaming\IObit folder moved successfully.
C:\Program Files\IObit folder moved successfully.
========== COMMANDS ==========


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Braden
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 250735087 bytes
->Java cache emptied: 630 bytes
->FireFox cache emptied: 3423626 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 5943 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 59340 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2461844 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 105306559 bytes

Total Files Cleaned = 345.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 02042012_123409

Files\Folders moved on Reboot...
File\Folder C:\Users\Braden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content(234).IE5\IFKOEPXD\1_08p4GJzlBFHTpr33zU7q1fEHSPYOlgXoH2PMyE-gwXcRAXzZmdwZc3N0edxfNf69FFas1di8JiaxvS7CYUCez2b3NPeayRkOyMWyO1SKWTTXC7BL9Cu4GJs7LrgbQcnxc3lkUMq9gtLM8rxF1H3jP8,[1].css not found!
File\Folder C:\Users\Braden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content(234).IE5\IFKOEPXD\IcpMZpZVuss8Ar0IYIbn7QeS1kQ0h7wlXW7_igqZxmub3uPXBUuu_KpkoLJCaTSjVEKTsXagNjZRq_u1RB8MozXugWJJyu8VwJj0Xr55dIC7JKtViPtIyOV8Osew5U2zGedJHoidBazZclfgBa6-KAw,,[1].css not found!
File\Folder C:\Users\Braden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content(234).IE5\IFKOEPXD\OyS-kaEiXcVTOQ5j1-zactj37Q2Wz0xAWn-BRDHK8gyBFcxyQNCzXzeCdWJ251qAO8IwrCisfaYWYwuRcSPvFFOomy1IwQiJqDOWirc6vglZVX3W0Im3dXX6tZT9fi1cVpf8Fcjw__08MueG_VRT2IQ,,[1].css not found!
C:\Users\Braden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Braden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 4th, 2012, 2:09 pm

My nephew stays with me on the weekends and I let him use this laptop when he's over. Are there any programs that I can use that will clean or restrict him from using certain undesirable sites?
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby Gary R » February 4th, 2012, 2:18 pm

Looks like we've taken care of everything now. Time for a little housekeeping then I'll make a few suggestions about security.

First

Let's clear out ComboFix and the files/folders it created.
  • Click Start > Run
  • Copy/Paste ComboFix /Uninstall into the Run box.
  • Click OK
  • Combofix will now delete its files and folders and also perform the following function.
    • Clears System Restore cache and creates a new Restore point. This will remove any "malicious" System Restore files, which may have been created whilst your computer was infected.
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Next

Let's clear out OTL and the files and folders it created. This will also remove TDSSKiller.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

Please delete Junction and any log files it created.

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 4th, 2012, 8:40 pm

Everything was removed and my laptop seems to be running a lot better.

I read over the two links you provided and am not sure what option would best fit. I think the only thing I have for security and protection is Microsoft Security Essentials. Should I pair that with a firewall and anti-virus programs?
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby Gary R » February 5th, 2012, 3:11 am

Microsoft Security Essentials is an Anti-Virus, so no need for another. If you have Vista's firewall turned on then you also do not need another firewall.

You have Malwarebytes' Anti-Malware installed, so that will take care of your Anti-Malware needs. The free version does not have any real-time protection, but provided you run regular scans with it, and don't forget to update it each time you do, then you should be fine. The paid for version does have real time protection and auto update.

If you don't already have one (and I don't see signs that you have), I'd install a Hosts file ...... the easiest way to do this on Vista is as follows ....

Download HostsXpert and unzip it to your computer, somewhere where you can find it.
  • Double click on HostsXpert.exe to launch the programme.
  • Check to see if the top button on the left-hand side says Make Writable?
    • If it does, click on it, then proceed to the next instruction.
    • If not, just proceed to the next instruction.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only? to secure it against infection.
  • Exit the programme.
(If you are prompted by UAC at any time during this procedure, allow the prompts)

Other than that, it's just a matter of observing safe surfing habits (as described in the article I linked to in my last post).

Having a suspicious nature is a definite asset when you are online, just so long as you don't let it become too over developed.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
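
A blocking hosts file of the kind installed above works by pointing unwanted host names at an address that goes nowhere (0.0.0.0 or 127.0.0.1); an entry that sends a name to any other address changes where that name resolves, which is what a tampered hosts file looks like. The checker below is an added example, not code from the thread, from HostsXpert or from the MVPs project; the hosts content it parses is a constructed sample using reserved `.test` names.

```python
"""Classify the entries of a Windows hosts file: block, local, redirect or malformed.

Added example (not from the thread, HostsXpert or the MVPs project).
Redirect entries are the ones worth a second look on a machine that has
just been cleaned, because they change name resolution instead of blocking it.
"""
import ipaddress

# Constructed sample modelled on the MVPs layout, plus two redirect entries
# and one broken line so every category is exercised.
SAMPLE_HOSTS = """\
# constructed sample hosts file (not the real MVPs list)
127.0.0.1  localhost
::1        localhost
0.0.0.0  ads.example-adserver.test
0.0.0.0  tracker.example-stats.test  # constructed block entry
0.0.0.0  cdn.example-adserver.test
198.51.100.7  update.example-av.test   # constructed redirect (suspicious)
203.0.113.9   www.example-bank.test    # constructed redirect (suspicious)
not a valid line
"""

# Addresses a blocking hosts file legitimately uses for blocked names.
BLOCK_ADDRS = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}
# Names that are expected to map to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (lineno, address, names); comments and blank lines are
    skipped, and a line whose first token is not an IP address gets address None."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((n, None, parts))
            continue
        entries.append((n, addr, parts[1:]))
    return entries


def classify(entries):
    """Bucket parsed entries into block / local / redirect / malformed."""
    out = {"block": [], "local": [], "redirect": [], "malformed": []}
    for lineno, addr, names in entries:
        if addr is None or not names:
            out["malformed"].append((lineno, addr, names))
        elif addr.is_loopback and all(n.lower() in LOCAL_NAMES for n in names):
            out["local"].append((lineno, addr, names))
        elif addr in BLOCK_ADDRS:
            out["block"].append((lineno, addr, names))
        else:
            # Any other address re-points a real name: flag it.
            out["redirect"].append((lineno, addr, names))
    return out


def report(text):
    """Counts per category plus the list of redirected names, sorted."""
    cats = classify(parse_hosts(text))
    summary = {k: len(v) for k, v in cats.items()}
    summary["redirect_names"] = sorted(
        name for _, _, names in cats["redirect"] for name in names
    )
    return summary


if __name__ == "__main__":
    for key, value in report(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```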

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 5th, 2012, 2:17 pm

Thanks Gary! I have been unable to turn my Windows Firewall on for some reason. I keep getting error messages but I'll try to figure that out on my own.

You've been an amazing wealth of knowledge. I can't thank you enough for walking me through every step of my Malware removal.

I will be making a donation/contribution to MalwareRemoval.com this Friday in appreciation of your services.

All hail Gary!!
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 5th, 2012, 3:06 pm

Couple of questions real quick....

What do "Host Files" do? I downloaded as you instructed but I'm not sure what it is I did.

Also, I have been unable to fix my Windows Firewall problem. I ran Microsoft "Fix-it" tool but it was unable to fix the problem. Do you know of any other way to fix this problem?

Thanks Gary!
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby Gary R » February 5th, 2012, 3:40 pm

You didn't tell me you had a problem with your Firewall, otherwise I'd have had a look at it.

Please download Farbar Service Scanner ... by Farbar and save it to your Desktop.
  • Double click FSS.exe to run it. (Vista - W7 users: Please right click on FSS.exe and select Run As Administrator).
  • Ensure the Windows Firewall button is checked (ticked).
  • Press the Scan button.
  • When finished, a text file named FSS.txt will be created on your desktop.
  • Copy/Paste the contents in your reply please.

I'll explain about HOSTS files once we've dealt with your Firewall problem.


I'm going to be out for the rest of the evening, so it will be tomorrow morning (my time) before I get back to look at your FSS log.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 5th, 2012, 5:26 pm

Sorry, I didn't realize it wasn't working until we worked on my security.

Farbar Service Scanner Version: 05-02-2012
Ran by Braden (administrator) on 05-02-2012 at 16:25:12
Running from "C:\Users\Braden\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-12-08 08:01] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am
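
The FSS log above carries three different kinds of finding that are easy to run together when reading by eye: a service whose start type has been changed from its default (Dnscache), a service that is merely stopped (mpsdrv), and a service whose registry key is gone altogether (MpsSvc), plus a file that did not match a known MD5 (tcpip.sys). The parser below, an added example that is not part of the thread or of Farbar Service Scanner, separates those cases; its input is a constructed, shortened excerpt that keeps the wording of the posted log.

```python
"""Triage a Farbar Service Scanner (FSS) log into distinct kinds of finding.

Added example; not code from the thread or from FSS. The regexes follow the
message wording visible in the posted log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of an FSS log (shortened; wording as in the posted log).
SAMPLE_LOG = """\
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

File Check:
========
C:\\Windows\\system32\\mpssvc.dll => MD5 is legit
C:\\Windows\\system32\\Drivers\\tcpip.sys
[2011-12-08 08:01] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD
C:\\Windows\\system32\\bfe.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\w+) service is set to (\w+)\. The default start type is (\w+)\.")
KEY_MISSING = re.compile(
    r"Attention! Unable to open (\w+) registry key\. The service key does not exist\.")
FILE_LINE = re.compile(r"^[A-Za-z]:\\\S.*")  # a path under a drive letter


@dataclass
class ServiceState:
    name: str
    running: bool = True
    start_type: Optional[str] = None     # only set when FSS reports a non-default value
    default_start: Optional[str] = None
    key_missing: bool = False


@dataclass
class Findings:
    services: Dict[str, ServiceState] = field(default_factory=dict)
    unverified_files: List[str] = field(default_factory=list)


def parse_fss(text: str) -> Findings:
    """Walk the log line by line and collect per-service state plus unmatched files."""
    f = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NOT_RUNNING.match(line)):
            f.services.setdefault(m.group(1), ServiceState(m.group(1))).running = False
        elif (m := START_TYPE.match(line)):
            s = f.services.setdefault(m.group(1), ServiceState(m.group(1)))
            s.start_type, s.default_start = m.group(2), m.group(3)
        elif (m := KEY_MISSING.search(line)):
            f.services.setdefault(m.group(1), ServiceState(m.group(1))).key_missing = True
        elif FILE_LINE.match(line) and not line.endswith("=> MD5 is legit"):
            # FSS prints file details on the following line instead of a match.
            f.unverified_files.append(line)
    return f


def verdict(f: Findings) -> List[str]:
    """One line per finding, most serious condition first per service."""
    out = []
    for s in f.services.values():
        if s.key_missing:
            out.append(f"{s.name}: service registry key missing (cannot be started or enabled)")
        elif s.start_type and s.start_type != s.default_start:
            out.append(f"{s.name}: start type {s.start_type}, default {s.default_start}")
        elif not s.running:
            out.append(f"{s.name}: not running, configuration reported OK")
    for path in f.unverified_files:
        out.append(f"{path}: no MD5 match, check version and signature")
    return out


if __name__ == "__main__":
    print("\n".join(verdict(parse_fss(SAMPLE_LOG))))
```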

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby Gary R » February 6th, 2012, 3:25 am

It seems that your Windows Firewall service is not running because FSS is telling me it has been removed.

We need to check if that is the case, or whether there are just bits of the key missing.

If it is the former, then the only safe way to resolve things is to reformat your hard drive and re-install Windows, if it is only damaged, then we may be able to repair the damage.

  • Double click FSS.exe to run it. (Vista - W7 users: Please right click on FSS.exe and select Run As Administrator).
  • Copy/Paste the contents of the code box below into the Search: box.
Code:
MpsSvc

  • Press the Export Service button.
  • When finished a log file will be created on your desktop.
  • Copy/Paste the contents in your reply please.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby McBraden » February 6th, 2012, 11:58 pm

Am I supposed to select any of the categories on the side of FSS?

When I select Internet Services and Windows Firewall then hit "export" the only thing in the note pad is "Windows Registry Editor Version 5.00"

Am I doing this wrong? At the worst am I able to download a third party Firewall?
McBraden
Regular Member
 
Posts: 20
Joined: February 1st, 2012, 3:34 am

Re: WAS Hijacked by Abnow.com/MediaShift

Unread postby Gary R » February 7th, 2012, 2:41 am

No, there's no need to select any of the scan options down the side.

The reason you're not getting anything other than "Windows Registry Editor Version 5.00" is because there's nothing else there.

It would seem that your Windows Firewall Service Key has been totally removed. I've seen this happen a couple of times with the latest version of ZeroAccess. At the moment we don't quite know why. It is not as a result of any of the tools we've run, but it may be as a result of any tools you may have run before coming here, or it may be something that this particular version does for reasons only its creator knows.

Windows Firewall is integrated into Vista at Kernel level, and is a key component of your security system. Whether it would be possible to just install a 3rd party firewall without compromising the security of your computer and leaving it open to being infected again I couldn't say. Personally I would not recommend this course of action.

Unfortunately sometimes there's no other option than to back up your personal files and folders, reformat your hard drive and reinstall Windows, and I'm afraid this looks like one of those occasions. I'm sorry I don't have any better news for you.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire