Next Live-B Virus

There has already been a topic posted on this, but I am still suspicious after following the steps that I may still have it. I am also suspicious about two registries called “Anchor Free” and “Troll Tech”, plus minor suspicions for “AWWD”, “lllfonic” and “kde.org”. Anyway, the virus is called Next Live-B, from the infected file nengine.dll, and I have had a rootkit in the past. I have currently used Avast Full System Scan, Boot Scan, Root Kit Detection, FRST64 and ComboFix.

The log files from FRST64 are attached below; I forgot to collect the others!

Next Live-B is not a virus but adware.

Clean your browsers with AdwCleaner and attach the log: http://www.bleepingcomputer.com/download/adwcleaner/

Then follow the instructions here and attach the Malwarebytes and OTL logs: http://forum.avast.com/index.php?topic=53253.0

The malware experts are in bed now, so it will take some hours before they are online. :wink:

@L00K3

I’m on it …

I will look at your FRST logs …

Let’s start …

1. Enable disabled software via MSConfig.

You have disabled ‘ApnUpdater’ for the Ask toolbar. Enable that…
MSCONFIG\startupreg: ApnUpdater => “C:\Program Files (x86)\Ask.com\Updater\Updater.exe”

2. Uninstall the bad PUP software

Start > Control Panel > Add and Remove programs
From there uninstall/remove the following:

  • Ask Toolbar
  • YTD Toolbar v8.6

3. Removal via FRST’s FixList

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!
C:\Program Files (x86)\Mobogenie
C:\Program Files (x86)\Common Files\Spigot
C:\Program Files (x86)\YTD Toolbar
C:\Program Files (x86)\Ask.com
C:\Users\Lukey\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx
C:\Users\Lukey\AppData\Local\Temp\*.exe
HKLM-x32\...\Run: [mobilegeni daemon] - C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
HKLM-x32\...\Run: [SearchSettings] - "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
HKU\S-1-5-21-941276063-2311695754-2057552664-1000\...\Winlogon: [Shell] expstart.exe [925184 2011-09-29] () <==== ATTENTION
URLSearchHook: HKCU - YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\8.6\ytdToolbarIE64.dll (Spigot, Inc.)
URLSearchHook: HKCU - YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\8.6\ytdToolbarIE.dll (Spigot, Inc.)
URLSearchHook: HKCU - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
SearchScopes: HKCU - DefaultScope {E63032F6-4714-43AC-BDA0-DB5CFBCA94C6} URL = http://au.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=RbHR3Lray3nzLyBhQLXbGj3Pl8w?q={searchTerms}
SearchScopes: HKCU - {BEEA3427-01BF-46F3-9B88-A8FBD03ED6E9} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYAU&apn_uid=AD900CF9-33AD-4F2C-906F-6D1500B14201&apn_sauid=C2354E52-E6EF-40A0-A889-112783F855EA
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
BHO-x32: YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\8.6\ytdToolbarIE.dll (Spigot, Inc.)
Toolbar: HKLM - YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\8.6\ytdToolbarIE64.dll (Spigot, Inc.)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\8.6\ytdToolbarIE.dll (Spigot, Inc.)
CHR HKLM-x32\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Users\Lukey\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx [2012-12-10]
CMD: type C:\ComboFix.txt
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


Re-check:

Re-run FRST, just hit the Scan button and post me the freshly created FRST.txt.
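A post-fix re-check, as an added example that is not part of the original thread and not code from FRST or its author: this PowerShell script reads (it deletes nothing) the persistence points named in the fixlist above and reports which of them still exist, so the "Re-check" scan can be compared against something concrete. It assumes it is run from an elevated PowerShell, in the same user account whose profile appears in the log (so $env:LOCALAPPDATA is that profile's), on 64-bit Windows; the registry paths are the standard HKCU and Wow6432Node locations that FRST's HKCU and HKLM-x32 lines map to, and every CLSID, value name and folder is taken from the fixlist itself.

```powershell
# Added post-fix verification script for the FRST fixlist in this thread. It is not part of
# FRST and not code posted by the helper; it only reads and reports, it deletes nothing.
# Assumptions: run as Administrator, in the same user account whose profile appears in the
# log (so $env:LOCALAPPDATA is that user's), on 64-bit Windows.

$script:results = @()

function Add-Result([string]$Item, [bool]$StillPresent) {
    $script:results += New-Object PSObject -Property @{ Item = $Item; StillPresent = $StillPresent }
}

function Test-RegValue([string]$Key, [string]$Name) {
    # $true only if both the key and the named value exist.
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    return ($p -ne $null)
}

# 1. Safe Mode boot flag ("The system is configured to boot to Safe Mode" in the FRST log).
$bcd = (& bcdedit /enum '{current}' 2>&1) | Out-String
Add-Result 'BCD safeboot flag on {current}' ($bcd -match '(?im)^\s*safeboot\s')

# 2. Per-user Winlogon Shell hijack (the [Shell] expstart.exe line). A clean HKCU has no
#    Shell value here at all; anything other than explorer.exe is suspect.
$shell = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
          -Name Shell -ErrorAction SilentlyContinue).Shell
Add-Result 'HKCU Winlogon Shell (expstart.exe)' (($shell -ne $null) -and ($shell -notmatch '^explorer\.exe$'))

# 3. HKLM-x32 Run entries (Wow6432Node is where FRST's HKLM-x32 lines live on 64-bit Windows).
$run32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($v in 'mobilegeni daemon', 'SearchSettings') {
    Add-Result "HKLM-x32 Run: $v" (Test-RegValue $run32 $v)
}

# 4. Internet Explorer hooks: URLSearchHooks, SearchScopes, BHOs and toolbars, by CLSID.
$ytd     = '{F3FEE66E-E034-436a-86E4-9690573BEE8A}'
$ask     = '{D4027C7F-154A-4066-A1AD-4243D8127440}'
$askHook = '{00000000-6E41-4FD3-8538-502F5495E5FC}'
$ush = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
foreach ($c in $ytd, $askHook) { Add-Result "URLSearchHook $c" (Test-RegValue $ush $c) }

$ss = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
foreach ($c in '{E63032F6-4714-43AC-BDA0-DB5CFBCA94C6}', '{70D46D94-BF1E-45ED-B567-48701376298E}',
               '{BEEA3427-01BF-46F3-9B88-A8FBD03ED6E9}') {
    Add-Result "SearchScope $c" (Test-Path "$ss\$c")
}

$bho32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$tb32  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
$tb64  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
foreach ($c in $ask, $ytd) {
    Add-Result "BHO-x32 $c"     (Test-Path "$bho32\$c")
    Add-Result "Toolbar-x32 $c" (Test-RegValue $tb32 $c)
}
Add-Result "Toolbar-x64 $ytd" (Test-RegValue $tb64 $ytd)

# 5. Chrome extension pushed through the x32 Extensions policy key, and the dropped .crx.
Add-Result 'CHR extension aaaaojmikegpiepcfdkkjaplodkpfmlo' `
    (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo')
Add-Result 'apnorjtoolbar.crx' (Test-Path -LiteralPath "$env:LOCALAPPDATA\APN\GoogleCRXs\apnorjtoolbar.crx")

# 6. Leftover PUP folders and stray executables in the user's Temp folder.
$pf86 = ${env:ProgramFiles(x86)}
foreach ($d in "$pf86\Mobogenie", "$pf86\Common Files\Spigot", "$pf86\YTD Toolbar", "$pf86\Ask.com") {
    Add-Result "Folder $d" (Test-Path -LiteralPath $d)
}
$tempExe = @(Get-ChildItem -Path "$env:LOCALAPPDATA\Temp\*.exe" -ErrorAction SilentlyContinue)
Add-Result "Temp\*.exe ($($tempExe.Count) found)" ($tempExe.Count -gt 0)

# Report. Anything still present means the fix did not take and a fresh FRST.txt plus
# Fixlog.txt should go back to the helper.
$script:results | Format-Table -Property Item, StillPresent -AutoSize
$left = @($script:results | Where-Object { $_.StillPresent })
if ($left.Count -eq 0) { 'All items from the fixlist are gone.' }
else { "$($left.Count) fixlist item(s) still present." }
```

The checks are deliberately read-only: removal stays with FRST, which logs what it did in Fixlog.txt, while this script only confirms the outcome. The Winlogon Shell check is the one to watch most closely, because a Shell value under HKCU replaces the user's desktop shell with whatever executable it names, here expstart.exe, which is why FRST flagged that line with ATTENTION.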

This is the log, along with two OTL logs following (I was going to send it in the last post but the log was 642KB, past the upload limit).

And also, you said the log was on the Desktop; the log is in the same directory as the main exe, i.e. on my USB.


Hi,
I do not need the OTL log when I have the FRST logs.

Will do tomorrow morning!

Here are the logs…

Magna, the second log is there. Also, Ubuntu rocks and Windows sucks, plus Microsoft took the liberty of disabling my backup features after I accidentally deleted a file!