SpyWare BeWare! ASAP
Author Topic: Problems in bank site  (Read 4246 times)
melboy
Moderator
« Reply #30 on: April 02, 2013, 07:27:05 AM »

Hi dudu0987

Today I did a test and the bank site was working ok.

That's good news, the DDS log shows the hosts file entries are now gone - we're making good progress now.


Ensure mbam is still disabled.


OTL Script

We need to run an OTL Fix

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the textbox. Do not include the word Code
Code:
:files
C:\ProgramData\SaveByclick
C:\Users\All Users\SaveByclick
C:\Users\Todos os Usuários\SaveByclick
C:\Users\WGSA II\Downloads\PDFCreator-1_6_1_setup.exe
C:\Users\WGSA II\Downloads\PDFCreator-1_6_2_setup.exe
ipconfig /flushdns /c

:commands
[EMPTYTEMP]
[CREATERESTOREPOINT]
  • Then click the Run Fix button at the top.
  • Click .
  • OTL may ask to reboot the machine. Please allow it to do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

The log can also be found here:

  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when the application is started.
Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



AdwCleaner

Download a new copy of AdwCleaner from HERE & save it to your desktop.

  • Right click AdwCleaner.exe & choose "Run as administrator" to run it.
  • Click Search.
  • A logfile will automatically open after the scan has finished.
  • Close the adwCleaner window, click ok to the prompt.
  • Post the contents of that logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[R1].txt.
dudu0987
« Reply #31 on: April 02, 2013, 08:21:27 AM »

MBAM found nothing.

The logs follow below.

OTL log:

All processes killed
========== FILES ==========
C:\ProgramData\SaveByclick folder moved successfully.
File\Folder C:\Users\All Users\SaveByclick not found.
File\Folder C:\Users\Todos os Usuários\SaveByclick not found.
C:\Users\WGSA II\Downloads\PDFCreator-1_6_1_setup.exe moved successfully.
C:\Users\WGSA II\Downloads\PDFCreator-1_6_2_setup.exe moved successfully.
< ipconfig /flushdns /c >
Configuração de IP do Windows
Liberação do Cache do DNS Resolver bem-sucedida.
C:\Users\WGSA II\Desktop\cmd.bat deleted successfully.
C:\Users\WGSA II\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Todos os Usuários
 
User: Usuário Padrão
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: WGSA II
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 27126193 bytes
->Java cache emptied: 1380282 bytes
->FireFox cache emptied: 11370018 bytes
->Google Chrome cache emptied: 89955536 bytes
->Flash cache emptied: 602 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 528447 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 124,00 mb
 
Restore point Set: OTL Restore Point
 
OTL by OldTimer - Version 3.2.69.0 log created on 04022013_090138

Files\Folders moved on Reboot...
C:\Users\WGSA II\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
_______________________________________________________________________________________________________________________________

MBAM log

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Versão da Base de Dados:  v2013.04.02.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16521
WGSA II :: WGSAII-PC [limitado]

Proteção: Não permitir

02/04/2013 09:12:49
mbam-log-2013-04-02 (09-12-49).txt

Tipo de Verificação:  Verificação Rápida
Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos  | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opções de verificação desativadas: P2P
Objetos escaneados:  213712
Tempo decorrido: 2 minuto(s), 57 segundo(s)

Processos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Módulos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Chaves de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Valores de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Pastas Detectadas: 0
(Não foram detectados ítens maliciosos)

Arquivos Detectados: 0
(Não foram detectados ítens maliciosos)

(fim)
_________________________________________________________________________________________________________________________

ADWCLEANER log

# AdwCleaner v2.115 - Relatório criado em 02/04/2013 às 09:17:25
# Atualizado em 17/03/2013 por Xplode
# Sistema Operacional : Windows 7 Home Premium Service Pack 1 (64 bits)
# Usuário : WGSA II - WGSAII-PC
# Modo de Boot : Normal
# Executado de : C:\Users\WGSA II\Desktop\adwcleaner.exe
# Opção [Verificar]


***** [Serviços] *****


***** [Arquivos/Pastas] *****

Pasta Encontrado : C:\Users\WGSA II\AppData\Roaming\pdfforge

***** [Registro] *****

Chave Encontrada : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASAPI32
Chave Encontrada : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Chave Encontrada : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Chave Encontrada : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

***** [Navegadores] *****

-\\ Internet Explorer v10.0.9200.16521

[OK] Registro está limpo.

-\\ Mozilla Firefox v19.0.2 (pt-BR)

Arquivo : C:\Users\WGSA II\AppData\Roaming\Mozilla\Firefox\Profiles\kv6pfm87.default\prefs.js

Encontrada : user_pref("extensions.50c9efa381a52.scode", "(function(){try{if('aol.com,mail.google.com,premiumrepo[...]

-\\ Google Chrome v26.0.1410.43

Arquivo : C:\Users\WGSA II\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Arquivo está limpo.

*************************

AdwCleaner[R1].txt - [2183 octets] - [26/03/2013 10:48:26]
AdwCleaner[R2].txt - [1634 octets] - [02/04/2013 09:17:25]
AdwCleaner[S1].txt - [7303 octets] - [18/01/2013 15:51:45]

########## EOF - C:\AdwCleaner[R2].txt - [1754 octets] ##########
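An added example, not part of the thread and not AdwCleaner's own logic: a small scanner that reads prefs.js lines and flags user_pref entries shaped like the Firefox finding in the AdwCleaner log above (an opaque hex add-on id whose value is JavaScript carrying a domain list). The heuristics and the sample lines are my own assumptions; the third sample value is made up and shortened, not the real injected script.

```python
import re

# One prefs.js line: user_pref("name", value);  (value is a JS literal: string, number, bool)
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Heuristics (my own choices here, not AdwCleaner's detection rules):
HEX_ID_RE = re.compile(r"^extensions\.[0-9a-f]{12,}\.")        # opaque hex blob as the add-on id
JS_SOURCE_RE = re.compile(r"\(function\s*\(|try\s*\{|eval\(|document\.")
DOMAIN_LIST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}(?:,(?:[a-z0-9-]+\.)+[a-z]{2,}){2,}")


def scan_prefs(lines):
    """Return [(line_no, pref_name, [reasons])] for every user_pref that trips a heuristic."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = PREF_RE.match(line)
        if not match:
            continue
        name, value = match.groups()
        reasons = []
        if HEX_ID_RE.match(name):
            reasons.append("opaque hex add-on id in preference name")
        if JS_SOURCE_RE.search(value):
            reasons.append("value contains JavaScript source")
        if DOMAIN_LIST_RE.search(value):
            reasons.append("value carries a comma-separated domain target list")
        if reasons:
            findings.append((line_no, name, reasons))
    return findings


# Constructed sample prefs.js content; the third line is modelled on the thread's finding,
# but its value is made up and shortened, not the real injected script.
SAMPLE_PREFS = [
    'user_pref("browser.startup.homepage", "about:home");',
    'user_pref("extensions.lastAppVersion", "19.0.2");',
    'user_pref("extensions.50c9efa381a52.scode", "(function(){try{if(\'aol.com,mail.google.com,'
    'example.com\'.indexOf(location.host)>-1){}}catch(e){}})();");',
    'user_pref("network.cookie.cookieBehavior", 0);',
]

if __name__ == "__main__":
    for line_no, name, reasons in scan_prefs(SAMPLE_PREFS):
        print(f"line {line_no}: {name}: {', '.join(reasons)}")
```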
melboy
« Reply #32 on: April 02, 2013, 11:26:16 AM »

Hi

How are things running now?


AdwCleaner

  • Right click AdwCleaner.exe & choose "Run as administrator" to run it.
  • Click the question mark ? in the top left corner >  Options
  • Place a checkmark in the /DisableAskDetection box
  • Click OK
  • Click Delete.
  • Click OK to the prompt.
  • The tool will run & your computer will be rebooted automatically. A logfile will open after the restart.
  • Post the contents of the logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[s1].txt.
dudu0987
« Reply #33 on: April 02, 2013, 12:46:05 PM »

Well... the site I was trying to access is running ok. It seems the problem is solved. No more errors to report.

The AdwCleaner report follows.

# AdwCleaner v2.115 - Relatório criado em 02/04/2013 às 13:40:14
# Atualizado em 17/03/2013 por Xplode
# Sistema Operacional : Windows 7 Home Premium Service Pack 1 (64 bits)
# Usuário : WGSA II - WGSAII-PC
# Modo de Boot : Normal
# Executado de : C:\Users\WGSA II\Desktop\adwcleaner.exe
# Opção [Remover]
# Parâmetro usado : /DisableAskDetection


***** [Serviços] *****


***** [Arquivos/Pastas] *****

Pasta Removido : C:\Users\WGSA II\AppData\Roaming\pdfforge

***** [Registro] *****

Chave Removida : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASAPI32
Chave Removida : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Chave Removida : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Chave Removida : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Chave Removida : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

***** [Navegadores] *****

-\\ Internet Explorer v10.0.9200.16521

[OK] Registro está limpo.

-\\ Mozilla Firefox v19.0.2 (pt-BR)

Arquivo : C:\Users\WGSA II\AppData\Roaming\Mozilla\Firefox\Profiles\kv6pfm87.default\prefs.js

Removida : user_pref("extensions.50c9efa381a52.scode", "(function(){try{if('aol.com,mail.google.com,premiumrepo[...]

-\\ Google Chrome v26.0.1410.43

Arquivo : C:\Users\WGSA II\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Arquivo está limpo.

*************************

AdwCleaner[R1].txt - [2183 octets] - [26/03/2013 10:48:26]
AdwCleaner[R2].txt - [1823 octets] - [02/04/2013 09:17:25]
AdwCleaner[S1].txt - [7303 octets] - [18/01/2013 15:51:45]
AdwCleaner[S2].txt - [1780 octets] - [02/04/2013 13:40:14]

########## EOF - C:\AdwCleaner[S2].txt - [1840 octets] ##########
melboy
« Reply #34 on: April 03, 2013, 12:00:00 PM »

Hi

Please attach the following file to your next post:

C:\Users\WGSA II\Desktop\MBR.dat


Also follow the instructions below.


HxD

Please download HxD from here & save it to your desktop.

  • Right click HxDen.zip and choose extract all...
  • Follow the wizard to extract the files
  • Open the folder HxDen
  • Right click on HxD.exe and choose "Run as Administrator"
  • Agree to any UAC prompt
  • Click OK to the prompt.
  • Click Extras > Open Disk...
  • Under Physical disks, Click Hard Disk 1 > Click OK
  • Highlight the content of Sector 0 only

  • With the text highlighted, click Edit > Copy
  • Click File > New
  • Click Edit > Paste Insert > Click OK to the prompt.
  • Click File > save as...
  • Save the file as MBRhxD.dat and save it to your desktop
Attach MBRhxD.dat to your next post.



Attached to your next reply:
  • MBR.dat
  • MBRHxD.dat
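As an added example (not from the thread, and not HxD's or the helper's own tooling), this is how a 512-byte sector-0 dump such as MBR.dat or MBRhxD.dat can be checked offline: it verifies the 0x55AA signature, lists the partition table, hashes the boot code for comparison against a known-good value, and reports the zero-byte-file case that bit this thread. The sample sector, its NTFS partition geometry and the known-good hash set are constructed assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector-0 dump into boot-code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        fields = struct.unpack_from("<BBBBBBBBII", sector, PART_TABLE_OFFSET + 16 * i)
        status, ptype, lba_start, sectors = fields[0], fields[4], fields[8], fields[9]
        if ptype != 0:           # type 0 marks an unused table slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, known_boot_hashes=frozenset()) -> list:
    """Return a list of findings for one dump; an empty list means nothing stood out."""
    if len(sector) != SECTOR_SIZE:
        # The empty MBRHxD.dat in this thread is exactly this case: the paste never happened.
        return [f"dump is {len(sector)} bytes, not {SECTOR_SIZE}: capture or paste failed"]
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start LBA or length")
    if known_boot_hashes and info["boot_code_sha256"] not in known_boot_hashes:
        findings.append("boot code hash is not in the known-good set: inspect the boot code")
    return findings


def build_sample_mbr(bootable=True, signature=BOOT_SIGNATURE) -> bytes:
    """Constructed sample (not the thread's MBR.dat): stub boot code plus one NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (PART_TABLE_OFFSET - 7)
    entry = struct.pack("<BBBBBBBBII", 0x80 if bootable else 0x00, 0x20, 0x21, 0x00,
                        0x07, 0xFE, 0xFF, 0xFF, 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + signature
```

To run it on a real dump, read the file in binary mode and pass the bytes to check_mbr, optionally with a set of SHA-256 hashes of boot code you have already verified as clean.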
dudu0987
« Reply #35 on: April 03, 2013, 12:36:47 PM »

mbr.dat follows, renamed as mbr.txt because the .dat extension is not allowed.

When I try to copy sector 0, the message "out of memory" appears.

A new problem: using Chrome, I cannot open "extensions". When I try to access extensions, the google.com page opens and the "ask.fm" page opens, just like the image attached.
melboy
« Reply #36 on: April 03, 2013, 12:56:01 PM »

Hi

Close some of your running programs and windows and try HxD again.

Compress (zip) the file to attach it.
dudu0987
« Reply #37 on: April 03, 2013, 01:06:52 PM »

The files were added to a zip.
melboy
« Reply #38 on: April 03, 2013, 01:17:02 PM »

Hi

Sorry, MBRHxD.dat is zero bytes (empty).

Ensure you see the text appear when you click Edit > Paste Insert before saving.

Please try again.

dudu0987
« Reply #39 on: April 03, 2013, 01:23:39 PM »

The file follows.
melboy
« Reply #40 on: April 03, 2013, 01:28:23 PM »

Thank you - That worked.

I'll repost when we've had a chance to look at it. Otherwise, is the computer still running well?
dudu0987
« Reply #41 on: April 03, 2013, 01:33:18 PM »

As I said before, everything looks all right except Chrome, where I cannot access "extensions".
melboy
« Reply #42 on: April 03, 2013, 03:50:20 PM »

Hi

Your MBR is fine, you'll be pleased to know.


In the Chrome omnibox, copy & paste the following and see if it gives you access to your extensions list:

chrome://extensions

Press Enter on your keyboard.
dudu0987
« Reply #43 on: April 03, 2013, 03:57:01 PM »

This I have already tried and it has not worked. I have tried the same in private mode.
melboy
« Reply #44 on: April 03, 2013, 04:11:07 PM »

Hi

Try reinstalling Chrome.

http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346