Malware Fun Moods and Snap.do refuse to go away,

Status
Not open for further replies.

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Yes, my whole desktop remains the same and there is just a black screen in the DOS command-type window that Notifications sends.
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
I crashed several times when I did a deep scan with Malwarebytes. So I just went with quick scans and reboots. The two registry keys it finds keep returning after deletion and reboot (about 6 tries at scans). Perhaps I should just give hand removal a try.
Hitman Pro finds SearchQu, which seems to always come back too. It has been around for the last 3 months. Again, I did about 4 scans and reboots. I will have to hand remove this too, as my trial period is over.
Last of the logs below.
The computer is working fine otherwise. Thank you so much for all the help.
[attachment=3568]
[attachment=3569]
 

Attachments

  • mbam-log-2013-02-13 (19-44-34).txt
  • HitmanPro_20130213_1959log.txt

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Just Run this

STEP 1: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
     ADWCLEANER DOWNLOAD LINK (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner) (This link will automatically download Security Check on your computer)
  2. Close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Delete, then confirm each time with Ok.
  5. Your computer will be rebooted automatically. A text file will open after the restart.
  6. Please post the contents of that logfile with your next reply.
  7. You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply


 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Hi Kuttus, here are the logs. I'm sending two from AdwCleaner, as items were clean, but I went back and hit Clean and then the rest was cleaned. The Snap.do toolbars are gone. Next, JRT cleaned all the junk it found.

Last night I did a scan with HijackThis and it said that for some reason my system denied write access to the Hosts files, and it gave instructions for editing it myself.
Then I tried RegRun and it showed Hosts_Anti-Adware active in the registry and as one of the start-up runs. There were hundreds more of the same host files in the log. I was thinking about checking into deleting them, but on an Internet search there was a lot of stuff about it being dangerous and possibly causing the system to become unstable if I were to delete them.
Do you want to see those logs?
[attachment=3577]
[attachment=3579]
[attachment=3578]
 

Attachments

  • 1AdwCleaner[R6].txt
  • JRT.txt
  • AdwCleaner[S5].txt

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Just run CCleaner; it will remove it from the registry.... You can remove them from the registry; it will not do any harm to the computer....... Before that, do the following step....

STEP 1: Take a BackUp of your Windows Registry

Please download ERUNT from here and save it in the infected computer.
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the part that asks you to add ERUNT to the start-up folder.
  • Start ERUNT by double clicking on the desktop icon or choosing to
  • Choose a location for the backup
    (The default location is C:\WINDOWS\ERDNT)
  • Make sure that boxes beside System Registry and Current User Registry are checked
  • Press OK
  • Press YES to create the folder.

 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Hi, sorry it took me so long to get back.
I ran both programs and it appeared that I had a clean computer. Then I did a deep scan with SuperAntiSpyware, which said I had 2 Trojan.Agent/Gen-FakeAlert in REGISTRY_BACKUP_TOOL\FILES. So I ran a scan with MicroTrends HijackThis and it flagged 837 lines of hosts anti-adware / pups in C:\windows\system32\drivers\etc\hosts. These lines are the same ones that RegRun had found. I had shut down all antivirus software and updated the program just before I used it. Next I scanned with UnHackMe and it found the identical lines. These lines, all inside a Hosts_ folder?, sent me into a bit of a panic, as most were URLs to blacklisted sites which this computer has never been to. Others had "download" before the URL. Then I went to RegRun. It first flagged SDWINLOGON.DLL, which couldn't find the file, and said that it had either been deleted or hidden by a rootkit. I deleted it along with a few others that seemed either useless or part of the Hosts lines problem. When I rebooted, my computer refused to boot. I'd created a restore point, so I was able to get it back up after some time.
I'm just so ignorant of how things work when it comes to the Internet that I decided it was time to learn. I was ignorant when it came to protecting my computer from malware and am now actively learning. Research became my focus today. I tracked down some IPs that were connected to the HOSTS files and ended up with Sendori. They have a cloud service and act as a middleman for sellers. They claim to help people with internet search and protect them from malicious sites. When it is installed it hijacks your DNS, keeps track of you and installs advertisements into your browsing. People claim that it is almost impossible to get Sendori off a computer. I have Sendori and think it is the reason I've had so much adware-type malware and Trojans. I read that it makes a computer more vulnerable to attack. It creates spyholes.
I think the Hosts files are a database or could they be more malicious? The 800 plus lines of text are like this:
[Hosts File Contents] :HKLM 127.0.0.1 00aaf101a7.gougava.asia # hosts anti-adware / pups
Many of them say download like this one:
[Hosts File Contents] :HKLM 127.0.0.1 download.wajam.com # hosts anti-adware / pups
The Hosts program on my computer said its size was 3 gigs. So my next thought is, could those sites be loaded onto my computer? Also, anti-malware programs show Hosts to be actively booting up in start-up.
One other thing that bothers me is that I thought it was a sign of malware if it is in the system root system32. This is a line of code from that Hosts:
[Hosts File Path] :HKLM DataBasePath=%SystemRoot%\System32\drivers\etc
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please go to c:\WINDOWS\system32\drivers\etc; there you can see one file called hosts. Open it, and it will ask you which program you want to open it with. Select Notepad. Now it will open the Hosts file...

Copy everything inside it and reply to me....

I think those entries in Hosts are safe.. All those will be blacklisted sites... Anyway, let me check it... Please send me the details.:)
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Cannot find the Hosts file. I did a full search in windows system32 drivers, in WindowsOld.
I only found a few short references to Hosts in a few files. I'll send those to you in a few minutes. These are a few logs from the last few days.

The first one is from RogueKiller. The IP addresses belong to Sendori. There is lots of Hosts database? in the report, and it shows system32 drivers and Host, but the etc is a mystery to me. Is this a place I should look to find the Hosts folder?
[attachment=3593]

Startup list from HiJackThis 2-14-13 Sendori is in running programs
and Hosts Anti-Adware_PUPs is in the startup programs
[attachment=3590]

SuperAntiSpyware and the two Trojans
[attachment=3591]

Regrun log on Feb. 14
[attachment=3592]
 

Attachments

  • startuplist hosts in HiJackthis.txt
  • SUPERAntiSpyware Scan Log - 02-14-2013 - 22-23-00log.txt
  • 2-14-regrunlog.txt
  • RKreport[1]_S_02152013_02d1144.txt

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi,

All those Host File Entries are safe only... All those websites are unsafe websites, and it is blocking those unsafe websites in the Host... No need to worry about it.. It is safe only......... :)
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Thank you. Without your help I would have taken this to who knows where. So this is a major relief.
I was able to find the entries, 2 of them. They say that they are copyrighted by Microsoft. Is this part of Windows 8? The scanners I used said they are compatible with Windows 8. Should I send the two samples I found to the companies that flagged them, so they know it is a false positive?
Here's what they say. One has just these words and is over 800 KB. Perhaps a lot of hidden files may be why it is flagged?

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

127.0.0.1 localhost
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
It is the Hosts file... The entries are normal only.. It is the Default Entry in Windows Vista, 7 and 8....

In Windows XP it will look like below. :D Nothing to worry about...
Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


The Hosts file on my computer is as follows.... Don't worry, the one on your computer is fine and it is safe to go... :)



Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1 localhost
127.0.0.1 hl2rcv.adobe.com
127.0.0.1 adobeereg.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 3dns.adobe.com
127.0.0.1 3dns-1.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-4.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-1.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 adobe-dns-4.adobe.com
127.0.0.1 adobe-dns-5.adobe.com
127.0.0.1 hh-software.com
127.0.0.1 www.hh-software.com
127.0.0.1 activate.adobe.de
127.0.0.1 practivate.adobe.de
127.0.0.1 ereg.adobe.de
127.0.0.1 activate.wip3.adobe.de
127.0.0.1 wip3.adobe.de
127.0.0.1 3dns-3.adobe.de
127.0.0.1 3dns-2.adobe.de
127.0.0.1 adobe-dns.adobe.de
127.0.0.1 adobe-dns-2.adobe.de
127.0.0.1 adobe-dns-3.adobe.de
127.0.0.1 ereg.wip3.adobe.de
127.0.0.1 activate-sea.adobe.de
127.0.0.1 wwis-dubc1-vip60.adobe.de
127.0.0.1 activate-sjc0.adobe.de
127.0.0.1 wwis-dubc1-vip60.adobe.de
127.0.0.1 hl2rcv.adobe.de    localhost
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Now that I know what the hosts files are, I've been able to get a lot of information from search. I find that as long as the IP is 127.0.0.1 everything is fine. The "# hosts anti-adware / pups" entries on mine were probably added by some program and must be what threw the scanners off. Also, I read that with an editor I can add blocked sites myself and not have to use an adblock program. I've been dying to block DoubleClick's advertisements.
I'm sorry I sent you on this futile chase. Thank you again. With major relief I can now put my credit card back online... :)
 
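A small triage script, added here as an example and not taken from the thread, that applies the rule above to a hosts file: an entry that points a name at a loopback or unspecified address (127.0.0.1, ::1, or 0.0.0.0, which some blocklists use, so this generalises slightly beyond the 127.0.0.1 rule) is a block entry, while an entry that maps a name to any other address is a redirect worth checking. The sample text is constructed from the format shown in this thread plus one made-up redirect line using a documentation address and a reserved .example name.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class HostsEntry:
    ip: str
    names: list       # one line may list several names (aliases)
    comment: str      # text after '#', e.g. "hosts anti-adware / pups"
    lineno: int

def parse_hosts(text):
    """Parse hosts-file text into entries; comment-only and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")
        fields = line.split()
        if not fields:
            continue
        entries.append(HostsEntry(fields[0], fields[1:], comment.strip(), lineno))
    return entries

def classify(entry):
    """block: name sinkholed to loopback/unspecified; redirect: sent elsewhere."""
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed"
    if not entry.names:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"

def triage(text):
    """Count block entries and list anything that deserves a closer look."""
    summary = {"block": 0, "redirect": [], "malformed": []}
    for e in parse_hosts(text):
        kind = classify(e)
        if kind == "block":
            summary["block"] += 1
        else:
            summary[kind].append((e.lineno, e.ip, e.names))
    return summary

# Constructed sample: Microsoft header lines, two entries quoted in this thread,
# and one made-up redirect (203.0.113.0/24 is a documentation range).
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1 localhost
127.0.0.1 00aaf101a7.gougava.asia # hosts anti-adware / pups
127.0.0.1 download.wajam.com # hosts anti-adware / pups
203.0.113.5 www.bank.example # constructed: a real hijack looks like this
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"block entries (harmless): {result['block']}")
    for lineno, ip, names in result["redirect"]:
        print(f"line {lineno}: {', '.join(names)} -> {ip}  <-- investigate")
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts, as the thread's DataBasePath line shows.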

kuttus

Level 2
Verified
Oct 5, 2012
2,697
In spite of the long wait time, you have been very co-operative with me. I would like to appreciate you for your technical expertise. Without that we wouldn't have fixed the issue so soon.

Is there anything else that I can assist you with? How's everything working now?
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Thank you. That long wait time was often because I had to research everything so I could figure out the meaning of things. Any technical expertise I had/have is very recently gained. Now I have a clean computer and a whole lot of new knowledge to help me keep it clean.

This computer works like it did when I first purchased it. I intend on keeping it this way. Thank you again all is fine here. MalwareTips has become a major parking place for me. I intend on keeping it that way.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.




Now that your PC is clean, I recommend you create a new System Restore point and then purge the old ones afterwards.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link




Keep your system updated
  • Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here


I also recommend you switch your antivirus program to a better one. Here are some suggestions:

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.


Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.


Internet Explorer may be the most popular browser, but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disables/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java content to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

What's next?
  1. Build up your malware defenses by starting a new thread in the Security Configuration Wizard forum.
  2. Learn how to avoid malware by reading this article: How to easily avoid malware (http://malwaretips.com/blogs/how-to-easily-avoid-pc-infections/)
  3. Be an active member in the MalwareTips community! :)
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Kuttus, thank you again.
Sorry I didn't get back sooner. I was without an internet connection, as first my WiFi button refused to turn WiFi on, so I plugged into the Internet, and after a day the plug-in connection went too. Windows said the problem was the DNS. I did test the connection with a very old computer, and everything except my notebook computer was fine. Out of options, I did a restore, which didn't work, so I did another restore to an even earlier point, and the Internet now works really well.
From what I have read I don't trust Sendori, and as I understand it has your DNS, so I uninstalled it.
I'm now working on setting up browsers and the computer as you suggest. I've done several deep scans with different scanners, and all is doing fine and running a clean computer.
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Internet is working perfectly fine. I've added Dr. Web for a free month, uninstalled Vipre and keep Malwarebytes for second scanner. I have the addons you suggest on Chrome browser. Checking out the Firefox browser but think I prefer Chrome.
My understanding is that it is a lot easier to keep Malware out of computer than to get it out. I could have never gotten this computer to the 'gotten it out stage' without your help. Ever so grateful, thank you.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
You are most welcome. It is my pleasure to assist you at any time...... Please feel free to ping MT if you need any more assistance in the future.......

Yes, you are right, it is better to avoid infections getting into the computer. We can't predict what one infection will do... So stay safe online.... :)
 