What is Search Donkey? Tasklist doesn't work.

Hey guys,

I used to work for a computer repair gig at the university I attended, and one of the tricks I came across was using tasklist in the command prompt to determine the file name of the malicious software that I was trying to remove. Then I would use taskkill /f /i name of process.

I can't do that in Windows Vista Basic

I get an error message stating "command module not found"

I can't seem to find this ad donkey thing

When using Firefox, which is the browser it hijacked, I keep getting many ads. New windows pop up saying stuff, for example "this IP address says you need to update".

Anyway, the computer isn't mine. I'd like to fix it though.

(Ahh, lost my cursor (using an Android device))

I ran Malwarebytes, 286 found
CCleaner as well

This computer belongs to a person in the military, so it has that junk Symantec that always displays the errors but never fixes them.

I can't remove that. Need to remain low key. What can I try?

I have run CCleaner and Malwarebytes
 
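The tasklist/taskkill trick described in the post above, done from PowerShell instead, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later and an elevated prompt (PowerShell is not installed by default on Vista); it lists running processes with their image path and Authenticode status, narrows the list to unsigned binaries running from user-writable locations (the usual home of browser adware), and then stops every instance of a chosen image name, which is what `taskkill /f /im` does. The process name `suspect.exe` is a placeholder.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ and an
# elevated prompt. Works even where tasklist.exe / taskkill.exe are absent,
# because it uses WMI and the Process cmdlets instead.

function Get-ProcessTriage {
    # Win32_Process exposes the full image path and command line, which
    # Get-Process alone does not show on older PowerShell versions.
    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'NoPath' }
        New-Object PSObject -Property @{
            PID         = $_.ProcessId
            Name        = $_.Name
            Path        = $path
            Signature   = $sig
            CommandLine = $_.CommandLine
        }
    }
}

# Unsigned images running out of a profile, AppData or Temp directory are
# the first candidates to look at for an adware/hijacker infection.
Get-ProcessTriage |
    Where-Object { $_.Signature -ne 'Valid' -and
                   $_.Path -match '\\Users\\|\\AppData\\|\\Temp\\' } |
    Sort-Object Name |
    Format-Table PID, Name, Signature, Path -AutoSize

# Equivalent of "taskkill /f /im <name>": force-stop every instance of an
# image name. Stop-Process -PassThru returns the processes it stopped so the
# caller can see what was actually killed.
function Stop-ProcessByImage {
    param([Parameter(Mandatory=$true)][string]$ImageName)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)
    Get-Process -Name $base -ErrorAction SilentlyContinue |
        Stop-Process -Force -PassThru
}

# Stop-ProcessByImage -ImageName 'suspect.exe'   # placeholder name
```

Killing the process only buys quiet until the next reboot; the persistence entry (run key, scheduled task, browser extension) that the rest of the thread hunts for with HijackThis and ComboFix still has to be removed.
 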
Please post the Malwarebytes log and a HijackThis log so we can see what's on the system.
 
Well, if the ad problem still persists, does that not indicate that the adware was not removed?

Is the Vista command prompt supposed to also support the tasklist command?
 
Can you please just post the logs I asked for?

To run HijackThis:

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Vista and Windows 7 users must right click on the HijackThis icon and click on Run as. If the Run as option doesn't appear, press and hold the Shift key while right clicking on the icon to get it to appear.


Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

When the HijackThis log appears in a Notepad file, click on the Edit menu, click Select All, then click on the Edit menu again and click on Copy. Come back to your reply, right click with your mouse and click on Paste.

Post the logfile that HijackThis produces.
 
Okay, I realize this response is late.

I share this computer with other users who have significantly less knowledge than the little that I believe I have, so not only have I not had access to that computer recently, but they don't even realize that anything is wrong.

Even when Symantec and AVG continuously pop up and show .tmp files as problems.

I will do the logs you requested tonight; I have to find the old ones. On the first malware scan 286 were found, I think, then 5 on the next.

I looked into Search Donkey. I think it is an Ellectable plug-in with useful features for a user; I checked the plugins of the browser and Search Donkey is shown there. Something about being able to highlight and possibly bookmark things easier or something.
 
I am having a difficult time finding the Malwarebytes log files. Not only is Vista different from, say, Windows 7 in regards to the 'folder architecture' (made it up), in that for example 'C:\Documents and Settings' doesn't exist, rather C:\Users and C:\AppData, anyway...

When I tried using this link to find the Malwarebytes log files, I couldn't find them.

I tried searching the .txt file results.
No luck either.

But I did run HijackThis.

Results below.

Not yet - computer is acting verrryyy slow. Need to start new. Re-boot.
 
To post the Malwarebytes log, do this.

Open Malwarebytes, click on the Logs tab, open the log that you just completed and copy and paste the contents in your next reply.
 
Huh, probably should have removed user info, but... names are just names right?

As I said this computer isn't mine so Mary is not me.
 
Since the PC has the ZeroAccess rootkit, please do the following.

Please download and run TDSSKiller.

When the program opens, click on the Start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

To remove the infections, simply click on the Continue button and TDSSKiller will attempt to clean or remove them.

After trying to clean them, it will pop up with the results of the scan and its actions.

Please reboot the system if asked to do so.

After running, there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.

And then.

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads, click on the blue ComboFix download link next to the BleepingComputer Mirror.
  • Save the file to your Windows desktop.
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear.
  • ComboFix is now preparing to run. When it has finished, ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then back up your Windows Registry.
  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see a message asking whether to install it.
  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished, it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now just click on the Edit menu and click on Select All, then click on the Edit menu again and click on Copy. Then come to the forum in your reply, right click with your mouse and click on Paste.

If, for some reason, you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.


In your next reply please post:
  • The ComboFix log
  • A fresh HijackThis log
  • An update on how your computer is running
 
Performance is better, no annoying pop-ups from Symantec.

Although I don't know if the rootkit problem was resolved

thank you for the help
 
Some more work to do.

1.

Please download AdwCleaner by Xplode onto your Desktop.

• Please close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with OK.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

2.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

Reglock::

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute; just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (ComboFix.txt) in your next reply.

3.

I need to see a log that ComboFix produces but doesn't show you. Navigate to C:\Qoobox and in that folder will be a file named add-remove programs.txt. Open that file and copy and paste the contents back here.
 
You need to perform the script again, it didn't work correctly.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Reglock::

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]




3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute; just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (ComboFix.txt) in your next reply.

Then

Please uninstall the following programs.

Java 7 Update 13
Java Auto Updater
Java(TM) 6 Update 37
Java(TM) 6 Update 7
McAfee Security Scan Plus

Then go here to download the latest version of Java.

www.java.com


One question for you, though. I see you have Symantec Endpoint Protection installed. Does it start up when Windows boots? The reason I'm asking is that it should have been listed in the ComboFix log at the very beginning.
 
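A way to see what the Reglock:: script in the two posts above actually changes, as an added example that is not part of the original thread and not a ComboFix feature. The thread does not say why these two Class keys are targeted, so this does not assume anything about their contents; it reads the DACL of each key, reports whether the key is missing, cannot be opened even from an elevated prompt, or opens normally, and prints any explicit Deny entry or non-inherited entry (both unusual under Control\Class). Run it before and after the CFScript to compare. Assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell 2.0+
# prompt. Reports the ACL state of the registry keys named in the CFScript.

$keys = @(
  'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings',
  'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings'
)

function Get-KeyAclReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
        } catch [System.Management.Automation.ItemNotFoundException] {
            Write-Output "MISSING  $p"
            continue
        } catch {
            # Failing to read the DACL while elevated means the key's
            # permissions have been altered; that is the state a Reglock::
            # run is meant to change, so record it rather than skip it.
            Write-Output "LOCKED   $p  ($($_.Exception.GetType().Name))"
            continue
        }

        Write-Output "OK       $p  owner=$($acl.Owner)"
        foreach ($ace in $acl.Access) {
            $flag = ''
            if ($ace.AccessControlType -eq 'Deny') { $flag = 'DENY' }
            elseif (-not $ace.IsInherited)         { $flag = 'EXPLICIT' }
            if ($flag) {
                # IdentityReference is the trustee (e.g. Everyone, SYSTEM);
                # RegistryRights is the permission set the entry grants/denies.
                Write-Output ("    {0,-8} {1,-30} {2}" -f $flag, $ace.IdentityReference, $ace.RegistryRights)
            }
        }
    }
}

Get-KeyAclReport -Paths $keys
```

Keep the before/after output with the ComboFix.txt you post; if a key still shows LOCKED or a DENY entry after the script has run, that is the detail the helper will want to see.
 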
I bought myself a computer, so I'm just removing all of the work I have done on the other computer and fixing problems I have amassed, like the C:\Windows\System32 problem that pops up upon login.

Thank you for the help and attention
 