Possible Malware

This is a discussion on Possible Malware within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 04-22-2016, 09:20 AM   #1
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



Hi, I may have possible malware on my laptop I wanted to get checked out. I just came to get a pop up blocker for Chrome because I get a lot of pop ups and nothing to block them, but someone told me to come and check for malware. Thank you!

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16773 BrowserJavaVersion: 11.91.2
Run by Ania at 11:37:39 on 2016-04-22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2429.408 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Update\1.3.29.5\GoogleCrashHandler.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Ruiware\WinPatrol\WinPatrol.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_91\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_91\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WinPatrol] c:\program files\ruiware\winpatrol\winpatrol.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{E835AFF3-8243-4C30-9182-AEA11563E940} : DHCPNameServer = 192.168.0.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\49.0.2623.112\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ania\appdata\roaming\mozilla\firefox\profiles\8948li1w.default\
FF - prefs.js: browser.startup.homepage - google.ca
FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/search?fr=mcafee&type=A110US0&p=
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\google\update\1.3.29.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.8.0_77\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre1.8.0_77\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.41212.0\npctrlui.dll
FF - plugin: c:\program files\winamp detect\npwachk.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_21_0_0_213.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2015-8-14 49776]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2015-8-14 209432]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2015-8-14 812720]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2015-8-14 449384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2015-8-14 24016]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2015-8-14 81168]
R2 avast! Antivirus;Avast Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2015-8-14 226440]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-3-19 21504]
R3 aswStmXP;Avast StreamFilter Driver;c:\windows\system32\drivers\aswStmXP.sys [2015-8-14 165104]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-9-2 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2014-4-12 103608]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2015-7-9 327296]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2015-1-23 23456]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2009-12-30 27192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2014-4-12 772296]
.
=============== Created Last 30 ================
.
2016-04-22 14:07:24 9302992 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a1a3676f-38aa-4378-b593-5a5cf9635169}\mpengine.dll
2016-04-22 14:01:13 15872 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2016-04-22 14:00:36 501760 ----a-w- c:\windows\system32\kerberos.dll
2016-04-22 00:48:24 -------- d-----w- c:\programdata\Package Cache
2016-04-20 20:03:59 50632 ----a-w- c:\program files\mozilla firefox\updated\browser\components\browsercomps.dll
2016-04-20 20:03:59 19912 ----a-w- c:\program files\mozilla firefox\updated\AccessibleMarshal.dll
2016-04-20 20:03:59 109000 ----a-w- c:\program files\mozilla firefox\updated\breakpadinjector.dll
2016-04-16 02:28:07 1253376 ----a-w- c:\windows\system32\msxml3.dll
2016-04-16 02:20:41 2048 ----a-w- c:\windows\system32\tzres.dll
2016-04-16 01:55:52 290816 ----a-w- c:\program files\common files\system\ole db\msdaora.dll
2016-04-16 01:55:52 180224 ----a-w- c:\windows\system32\msorcl32.dll
2016-04-16 01:55:52 105472 ----a-w- c:\windows\system32\mtxoci.dll
2016-04-16 01:02:10 206336 ----a-w- c:\windows\system32\ncrypt.dll
2016-04-16 01:02:08 72704 ----a-w- c:\windows\system32\secur32.dll
2016-04-16 01:02:07 57344 ----a-w- c:\windows\system32\samlib.dll
2016-04-16 01:02:01 486912 ----a-w- c:\windows\system32\samsrv.dll
2016-04-16 01:02:00 1259520 ----a-w- c:\windows\system32\lsasrv.dll
2016-04-16 00:59:11 1316864 ----a-w- c:\windows\system32\ole32.dll
2016-04-16 00:59:10 1208568 ----a-w- c:\windows\system32\ntdll.dll
2016-04-16 00:58:08 2070016 ----a-w- c:\windows\system32\win32k.sys
2016-04-12 16:43:11 19912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2016-04-12 16:43:10 50632 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
2016-04-12 16:43:10 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2016-04-12 16:43:10 109000 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2016-04-12 16:43:03 282568 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2016-04-12 16:43:02 392136 ----a-w- c:\program files\mozilla firefox\firefox.exe
2016-04-12 16:43:02 3466856 ----a-w- c:\program files\mozilla firefox\d3dcompiler_47.dll
2016-04-12 16:43:02 330184 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2016-04-12 16:43:02 191432 ----a-w- c:\program files\mozilla firefox\gmp-clearkey\0.1\clearkey.dll
2016-04-12 16:43:00 10437576 ----a-w- c:\program files\mozilla firefox\icudt56.dll
.
==================== Find3M ====================
.
2016-04-22 00:40:38 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2016-04-22 00:01:35 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-04-07 19:20:24 797376 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-04-07 19:20:24 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-04-06 14:18:42 374944 ------w- c:\windows\system32\MpSigStub.exe
2016-03-24 20:40:04 1815552 ----a-w- c:\windows\system32\jscript9.dll
2016-03-24 20:36:45 367616 ----a-w- c:\windows\system32\html.iec
2016-03-24 20:34:33 1129984 ----a-w- c:\windows\system32\wininet.dll
2016-03-24 20:33:40 424960 ----a-w- c:\windows\system32\vbscript.dll
2016-03-24 20:33:40 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2016-03-24 20:33:10 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2016-03-24 20:32:42 11776 ----a-w- c:\windows\system32\mshta.exe
2016-03-24 20:32:27 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2016-03-10 18:09:00 53120 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-03-10 18:08:56 126336 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-03-10 18:08:52 24448 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-03-02 16:22:13 812720 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2016-03-01 08:58:06 365536 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2016-02-06 02:17:05 3609024 ----a-w- c:\windows\system32\ntkrnlpa.exe
2016-02-06 02:17:04 3556800 ----a-w- c:\windows\system32\ntoskrnl.exe
2016-02-06 02:12:18 19968 ----a-w- c:\windows\system32\seclogon.dll
2016-02-06 02:12:15 783872 ----a-w- c:\windows\system32\rpcrt4.dll
2016-02-06 02:11:17 49664 ----a-w- c:\windows\system32\csrsrv.dll
2016-02-06 02:11:09 34304 ----a-w- c:\windows\system32\atmlib.dll
2016-02-06 02:11:07 802304 ----a-w- c:\windows\system32\advapi32.dll
2016-02-06 00:33:58 297472 ----a-w- c:\windows\system32\atmfd.dll
2016-02-06 00:32:15 64000 ----a-w- c:\windows\system32\smss.exe
2016-02-05 04:13:44 875720 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2016-02-05 04:13:44 536776 ----a-w- c:\windows\system32\msvcp120_clr0400.dll
2016-02-03 1733 89600 ----a-w- c:\windows\system32\olepro32.dll
2016-02-03 1733 564736 ----a-w- c:\windows\system32\oleaut32.dll
2016-02-03 17:05:25 67072 ----a-w- c:\windows\system32\asycfilt.dll
2016-01-30 03:09:19 324608 ----a-w- c:\windows\system32\sdohlp.dll
2016-01-30 03:09:17 323072 ----a-w- c:\windows\system32\sbe.dll
2016-01-30 03:09:17 153088 ----a-w- c:\windows\system32\sbeio.dll
2016-01-30 03:09:11 429056 ----a-w- c:\windows\system32\EncDec.dll
2016-01-30 03:09:11 293376 ----a-w- c:\windows\system32\psisdecd.dll
2016-01-30 03:09:11 217600 ----a-w- c:\windows\system32\psisrndr.ax
2016-01-30 03:08:43 80896 ----a-w- c:\windows\system32\MSNP.ax
2016-01-30 03:08:34 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2016-01-30 03:08:31 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2016-01-30 03:08:11 57344 ----a-w- c:\windows\system32\iasads.dll
2016-01-30 03:08:11 48128 ----a-w- c:\windows\system32\iasdatastore.dll
2016-01-30 03:08:11 119296 ----a-w- c:\windows\system32\iasrecst.dll
2016-01-30 01:32:16 17408 ----a-w- c:\windows\system32\iashost.exe
.
============= FINISH: 11:39:35.86 ===============
Attached Files
File Type: txt attach.txt (11.1 KB, 59 views)
Green972 is offline  
Old 04-22-2016, 02:43 PM   #2
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Back up important files before we start.

Now, let's get started, shall we?

Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
__________________
tekir06 is offline  
Old 04-22-2016, 04:19 PM   #3
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



Hi, thank you for your help, here are the logs:

# AdwCleaner v5.112 - Logfile created 22/04/2016 at 19:04:24
# Updated 17/04/2016 by Xplode
# Database : 2016-04-19.5 [Server]
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (X86)
# Username : Ania - TOSHIBA
# Running from : C:\Users\Ania\Desktop\AdwCleaner.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\GameTreatWidget.GameTreatWidget.1
[-] Key Deleted : HKCU\Software\Mail.Ru
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Mail.Ru
[-] Key Deleted : HKLM\SOFTWARE\Mail.Ru
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DoNotAskAgain]
[#] Value Deleted : HKU\S-1-5-21-3737380363-3276772875-767451433-1003\Software\Microsoft\Internet Explorer\SearchScopes [DoNotAskAgain]

***** [ Web browsers ] *****

[-] [C:\Users\Ania\AppData\Roaming\Mozilla\Firefox\Profiles\8948li1w.default\prefs.js] Deleted : user_pref("CT3287822_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1365371404102,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1433 bytes] - [22/04/2016 19:04:24]
C:\AdwCleaner\AdwCleaner[R0].txt - [928 bytes] - [13/08/2015 16:34:08]
C:\AdwCleaner\AdwCleaner[S0].txt - [997 bytes] - [13/08/2015 16:36:50]
C:\AdwCleaner\AdwCleaner[S1].txt - [1778 bytes] - [22/04/2016 18:00:13]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1723 bytes] ##########
Attached Files
File Type: txt FRST.txt (27.7 KB, 39 views)
File Type: txt Addition.txt (32.6 KB, 39 views)
Green972 is offline  
Old 04-23-2016, 01:59 PM   #4
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,

Thanks for the logs.

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

==========================================================

I see you have P2P software (Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features

=========================================================

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S3 Tosrfcom; no ImagePath
2012-04-17 23:18 - 2015-08-19 02:12 - 0001057 _____ () C:\Users\Ania\AppData\Roaming\vso_ts_preview.xml
CMD: bitsadmin /reset /allusers
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
__________________
tekir06 is offline  
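As an added example (not code from the thread, from FRST or from its author), here is a small Python triage helper that reads FRST-style log lines like those copied into the fixlist above and flags the two orphan patterns the analyst removed: a SearchScopes entry whose URL is empty, and a service the log reports with no ImagePath. The line formats are assumed from the lines quoted in the thread; the sample log, the Bing search URL and the avast service line are constructed for this example.

```python
"""Triage FRST-style log lines for orphaned entries.

Added example; FRST has no public parsing API, so the line formats below are
assumed from the lines quoted in the thread, and SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed format: SearchScopes: <hive> -> [<name> ]{GUID} URL = <url or empty>
_SEARCHSCOPE = re.compile(
    r"^SearchScopes: (?P<hive>\S+) -> (?:(?P<name>\w+) )?"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\}) URL =\s*(?P<url>.*)$"
)
# Assumed format: <state> <name>; <image path and details>  or  <state> <name>; no ImagePath
_SERVICE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+); (?P<rest>.*)$")


@dataclass
class Finding:
    reason: str
    fixline: str  # the log line to copy verbatim into fixlist.txt


def check_searchscope(line: str) -> Optional[Finding]:
    """Flag a search scope whose URL is empty (an orphaned entry, as in the thread)."""
    m = _SEARCHSCOPE.match(line.rstrip())
    if not m:
        return None
    if m.group("url").strip() == "":
        return Finding("search scope with empty URL", line.rstrip())
    return None


def check_service(line: str) -> Optional[Finding]:
    """Flag a service or driver entry that the log reports with no ImagePath."""
    m = _SERVICE.match(line.rstrip())
    if not m:
        return None
    if m.group("rest").strip().lower() == "no imagepath":
        return Finding("service with no ImagePath", line.rstrip())
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run every check over every line; a line yields at most one finding."""
    findings: List[Finding] = []
    for line in lines:
        for check in (check_searchscope, check_service):
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


def build_fixlist(findings: List[Finding]) -> str:
    """Wrap the findings the way the analyst's script does: restore point first, temp cleanup last."""
    body = [f.fixline for f in findings]
    return "\n".join(["CreateRestorePoint:", *body, "EmptyTemp:"]) + "\n"


# Constructed sample: two lines taken from the thread's fixlist plus two healthy
# entries made up for contrast (the Bing URL and the avast path are illustrative).
SAMPLE_LOG = [
    "SearchScopes: HKU\\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = ",
    "SearchScopes: HKCU -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}",
    "S3 Tosrfcom; no ImagePath",
    "R2 avast! Antivirus; C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe [226440 2015-08-14] (AVAST Software)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.fixline}")
    print(build_fixlist(triage(SAMPLE_LOG)))
```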
Old 04-23-2016, 03:36 PM   #5
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



I use CCleaner to remove duplicate Windows restore points, and occasionally to clean up browser stuff but never use the registry option. Do you still want me to remove CCleaner?
I also noticed I have multiple copies of Java updates old/new in add/remove programs, is there anything I can do about that?
I removed Vuze, I downloaded it many years ago, don't use it now. I understand the risk.


Here is the fixlog:





Fix result of Farbar Recovery Scan Tool (x86) Version:18-04-2016
Ran by Ania (2016-04-23 18:11:58) Run:3
Running from C:\Users\Ania\Desktop
Loaded Profiles: Ania (Available Profiles: Ania)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S3 Tosrfcom; no ImagePath
2012-04-17 23:18 - 2015-08-19 02:12 - 0001057 _____ () C:\Users\Ania\AppData\Roaming\vso_ts_preview.xml
CMD: bitsadmin /reset /allusers
EmptyTemp:

*****************

Restore point was successfully created.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
Tosrfcom => service removed successfully.
C:\Users\Ania\AppData\Roaming\vso_ts_preview.xml => moved successfully

========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.0.6001 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 633.5 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 18:16:32 ====
Green972 is offline  
Old 04-24-2016, 11:21 PM   #6
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello

Quote:
Do you still want me to remove CCleaner?
No, I do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner.
Quote:
I also noticed I have multiple copies of Java updates old/new in add/remove programs, is there anything I can do about that?
If you want, you can remove the old versions of the Java updates.

=====================================================

Please do the steps below, and tell me how the machine is behaving now. What problems do you still have?

STEP 1

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

STEP 2

Launch Malwarebytes Anti-Malware

On the Dashboard, click the Scan Now button.
A check for database updates will be performed.
After the update check completes, a Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.
__________________
tekir06 is offline  
Old 04-25-2016, 03:58 PM   #7
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



Malwarebytes scan showed no threats. So I guess I'll remove CCleaner then..?
Machine is running fine, except that I get pop ups while browsing internet which was my original problem. I have Adblocker installed but it does nothing.
I came here asking for a pop up blocker, and someone told me to get checked for malware, which I guess I don't have? I do scan regularly. I just need a good pop up blocker for Chrome, or do I need to go back and ask the "other browsers" section of the forum, where I originally posted? :/

Also, are all my other programs good: avast, malwarebytes, superantispyware?



Junkware Removal Tool results:




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.5 (04.20.2016)
Operating System: Windows Vista (TM) Home Premium x86
Ran by Ania (Administrator) on Mon 04/25/2016 at 18:10:12.67
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 21

Failed to delete: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0G5NQU0 (Temporary Internet Files Folder)
Failed to delete: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NWZTIZJA (Temporary Internet Files Folder)
Failed to delete: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZLV1136F (Temporary Internet Files Folder)
Failed to delete: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\377U8C9R (Temporary Internet Files Folder)
Failed to delete: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5WRL93DS (Temporary Internet Files Folder)
Failed to delete: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FSUMGPC4 (Temporary Internet Files Folder)
Failed to delete: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R6J8MUPY (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ania\AppData\Roaming\Mozilla\Firefox\Profiles\8948li1w.default\searchplugins\wot-safe-search.xml (File)
Successfully deleted: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\377U8C9R (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5WRL93DS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MEKLFV8 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GCVAJ7P (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A23ZCE18 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FSUMGPC4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ania\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R6J8MUPY (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MEKLFV8 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GCVAJ7P (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A23ZCE18 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0G5NQU0 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NWZTIZJA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZLV1136F (Temporary Internet Files Folder)



Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 04/25/2016 at 18:12:47.54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attached Files
File Type: txt malwarebytes scan log.txt (1.0 KB, 35 views)
Green972 is offline  
Old 04-26-2016, 12:13 AM   #8
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,
Quote:
So I guess I'll remove CCleaner then..?
No, it's not necessary. I do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner.
Quote:
I came here asking for a pop up blocker, and someone told me to get checked for Malware..which I guess I don't have?
I have not seen a suspicious file or folder up to this time.
Quote:
I just need a good pop up blocker for Chrome..
Sometimes, it can be difficult to fix Chrome. Whenever something gets into it, it's very difficult to fix. Most of the tools we use cannot find or see the area of Chrome that is affected.
Quote:
or do I need to go back and ask the "other browsers" section of the forum? where I originally posted? :/
Not now. It's not over yet; we're going to continue.

=========================================================

Let's move on. Please do the steps below.

STEP 1

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" ActiveX control by clicking the Install button
Once the ActiveX control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan, and let me know how things are now.

STEP 2

Launch FRST and when it opens, place a check in the box next to 'Shortcut.txt'
Click Scan
When it has finished, 2 logs will have been produced. Please attach the Shortcut.txt
__________________
tekir06 is offline  
Old 04-26-2016, 12:04 PM   #9
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



Eset log:





C:\ProgramData\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\ProgramData\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\ProgramData\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\All Users\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\All Users\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\All Users\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\Ania\AppData\LocalLow\Sun\Java\jre1.7.0_55\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe a variant of Win32/CompuTrace.A potentially unsafe application
Attached Files
File Type: txt Shortcut.txt (41.4 KB, 46 views)
Green972 is offline  
Old 04-26-2016, 11:56 PM   #10
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,

Win32:InstallMate is a program that contains adware, installs toolbars or displays pop-up advertisements on the computer. Win32:InstallMate got onto your computer after you installed freeware (video recording/streaming software, download managers or PDF creators) that had this browser hijacker bundled into its installation.

========================================================

Please do the below steps

STEP 1

Please go to: VirusTotal

Click the Choose File button.
Please copy/paste the following bolded text into the 'File name:' box:

C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe

Click Open then click the Scan it! button just below.
This will scan the file. Please be patient.
If you get a message saying File already analyzed: click Reanalyse
Once scanned, copy and paste the URL from your browser address bar in your next reply.

========================================================

STEP 2


Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
C:\ProgramData\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll
C:\ProgramData\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll
C:\ProgramData\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll
C:\Users\All Users\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll
C:\Users\All Users\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll
C:\Users\All Users\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll
C:\Users\Ania\AppData\LocalLow\Sun\Java\jre1.7.0_55\java_sp.dll
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
EmptyTemp:

Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
__________________
tekir06 is offline  
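A note on the ESET list above, with an added example that is mine and not code from the thread or from ESET/FRST: six of the eight hits are really three files. On Windows Vista and later, C:\Users\All Users is a junction to C:\ProgramData, so a scanner that walks both spellings reports the same _Setupx.dll twice. The script below parses the exported "List of found threats" format shown in post #9, collapses the junction aliases, keeps anything under C:\Windows\ out of the fixlist for manual review (the autochk.exe hit lives in the component store, and the analyst sent it to VirusTotal rather than deleting it), and prints the file lines of an FRST fixlist in the same shape as the one posted. The sample log is copied from the post; the regex, the function names and the "review anything under C:\Windows" rule are my assumptions, not anything FRST or ESET provide.

```python
import re
from collections import namedtuple

# Added example, not from the thread and not ESET's or FRST's code: parse an
# ESET Online Scanner "List of found threats" export, dedupe junction aliases,
# and emit FRST fixlist lines for the remaining hits.

Detection = namedtuple("Detection", "path name category")

# ESET export lines read "<path> <detection name> <category>".  The detection
# name is Platform/Family.Variant, optionally prefixed with "a variant of" or
# "probably a variant of"; the category is lower-case words.  The forward slash
# in the name lets the non-greedy path group stop in the right place even when
# the path itself contains spaces (paths use backslashes).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<name>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>[a-z][a-z ]*)$"
)

# Constructed sample: the eight detection lines from the ESET log posted above.
ESET_LOG = r"""
C:\ProgramData\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\ProgramData\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\ProgramData\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\All Users\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\All Users\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\All Users\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll a variant of Win32/InstalleRex.T potentially unwanted application
C:\Users\Ania\AppData\LocalLow\Sun\Java\jre1.7.0_55\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe a variant of Win32/CompuTrace.A potentially unsafe application
"""

ALL_USERS = "c:\\users\\all users\\"      # junction (Vista and later) ...
PROGRAM_DATA = "C:\\ProgramData\\"       # ... to this real directory


def parse_eset_log(text):
    """Return (detections, unparsed_lines); lines the regex rejects are kept so
    nothing silently disappears from the triage."""
    hits, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            hits.append(Detection(m["path"], m["name"], m["category"]))
        else:
            unparsed.append(line)
    return hits, unparsed


def canonical_path(path):
    """Map the junction spelling onto the real directory so one file on disk is
    counted once."""
    if path.lower().startswith(ALL_USERS):
        return PROGRAM_DATA + path[len(ALL_USERS):]
    return path


def triage(hits):
    """Split detections into fixlist paths and hits to review by hand.
    Assumed rule: anything under C:\\Windows\\ (here, the component store) is
    never put straight into a fixlist; verify it first, as the analyst did."""
    to_fix, to_review, seen = [], [], set()
    for hit in hits:
        path = canonical_path(hit.path)
        key = path.lower()
        if key in seen:
            continue
        seen.add(key)
        if key.startswith("c:\\windows\\"):
            to_review.append(hit._replace(path=path))
        else:
            to_fix.append(path)
    return to_fix, to_review


def build_fixlist(paths):
    """FRST fixlist in the shape posted above: restore point, bare file paths,
    then a temp purge."""
    return "\n".join(["CreateRestorePoint:", *paths, "EmptyTemp:"]) + "\n"


if __name__ == "__main__":
    detections, bad = parse_eset_log(ESET_LOG)
    fix_paths, review = triage(detections)
    print(build_fixlist(fix_paths))
    for hit in review:
        print("review by hand:", hit.path, "|", hit.name, "|", hit.category)
    for line in bad:
        print("could not parse:", line)
```

Run as-is, it prints a four-path fixlist (the three InstallMate DLLs under C:\ProgramData plus java_sp.dll) and lists the WinSxS autochk.exe as "review by hand". If a scanner exports lines in another shape, they land in the unparsed list rather than being dropped, which is the behaviour you want from anything that feeds a deletion script.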
Old 04-27-2016, 11:35 AM   #11
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



https://www.virustotal.com/en/file/1...is/1461781985/




Fix result of Farbar Recovery Scan Tool (x86) Version:18-04-2016
Ran by Ania (2016-04-27 14:23:45) Run:5
Running from C:\Users\Ania\Desktop
Loaded Profiles: Ania (Available Profiles: Ania)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\ProgramData\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll
C:\ProgramData\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll
C:\ProgramData\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll
C:\Users\All Users\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll
C:\Users\All Users\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll
C:\Users\All Users\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll
C:\Users\Ania\AppData\LocalLow\Sun\Java\jre1.7.0_55\java_sp.dll
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
EmptyTemp:
*****************

Restore point was successfully created.
"C:\ProgramData\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll" => not found.
"C:\ProgramData\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll" => not found.
"C:\ProgramData\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll" => not found.
"C:\Users\All Users\InstallMate\{8FB99712-87F4-4F51-ADBA-CFD6545AB5E4}\_Setupx.dll" => not found.
"C:\Users\All Users\InstallMate\{9D648FBA-6670-4ED3-AC38-2E524687AD4C}\_Setupx.dll" => not found.
"C:\Users\All Users\InstallMate\{A46BF738-B714-4D8D-AF66-FF367F88D5CE}\_Setupx.dll" => not found.
"C:\Users\Ania\AppData\LocalLow\Sun\Java\jre1.7.0_55\java_sp.dll" => not found.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.0.6001 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 395.7 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 14:24:13 ====
Green972 is offline  
Old 04-27-2016, 11:36 PM   #12
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,

Did you do anything related to _Setupx.dll and InstallMate? For example, did you remove found threats with ESET Online Scanner, or remove them manually?

Please do the below steps.

STEP 1

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe
EmptyTemp:

Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

STEP 2

Please download SystemLook from one of the link below and save it to your Desktop.

SystemLook (32-bit)

Double-click SystemLook.exe to run it. (Vista/Win7/Win8 users, right-click > Run as Administrator)
Copy/paste the contents of the following codebox into the main textfield:
Code:
:folderfind
InstallMate 

:filefind
_Setupx.dll

Click the Look button to start the scan.
Please be patient, as it may take a while.
When finished, a Notepad file will open with the results of the scan.
Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
__________________
tekir06 is offline  
Old 04-28-2016, 12:52 PM   #13
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



No, I did not remove the threats from Eset scan because that was not in the instructions so I wasn't sure if I was supposed to do that or not, do you want me to scan with Eset again and remove all threats?



Fix result of Farbar Recovery Scan Tool (x86) Version:18-04-2016
Ran by Ania (2016-04-28 15:22:31) Run:7
Running from C:\Users\Ania\Desktop
Loaded Profiles: Ania (Available Profiles: Ania)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe
EmptyTemp:
*****************

Restore point was successfully created.
"C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe" => not found.
EmptyTemp: => 534 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 15:22:57 ====




SystemLook 30.07.11 by jpshortstuff
Log created at 15:32 on 28/04/2016 by Ania
Administrator - Elevation successful

========== folderfind ==========

Searching for "InstallMate "
C:\FRST\Quarantine\C\ProgramData\InstallMate d------ [18:20 27/04/2016]
C:\ProgramData\InstallMate d------ [15:34 20/03/2012]
C:\Users\All Users\InstallMate d------ [15:34 20/03/2012]

========== filefind ==========

Searching for "_Setupx.dll"
No files found.

-= EOF =-
Green972 is offline  
Old 04-29-2016, 12:26 AM   #14
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,

Ok. No problem. Please do the below steps.

STEP 1

Double-click SystemLook.exe to run it. (Vista/Win7/Win8 users, right-click > Run as Administrator)
Copy/paste the contents of the following codebox into the main textfield:
Code:
:filefind
autochk.exe

Click the Look button to start the scan.
Please be patient, as it may take a while.
When finished, a Notepad file will open with the results of the scan.
Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

STEP 2

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
Folder: C:\ProgramData\InstallMate
Folder: C:\Users\All Users\InstallMate

Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
__________________
tekir06 is offline  
Old 04-29-2016, 10:03 AM   #15
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



SystemLook 30.07.11 by jpshortstuff
Log created at 12:23 on 29/04/2016 by Ania
Administrator - Elevation successful

========== filefind ==========

Searching for "autochk.exe"
C:\Windows\System32\autochk.exe --a---- 643072 bytes [13:53 20/03/2012] [06:27 11/04/2009] 10761177A6EBE45843F443E99509F5E7
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe --a---- 642560 bytes [08:34 19/03/2012] [07:33 19/01/2008] 2FC5BE79B51714B479809358E4908FC3
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6002.18005_none_e3df6655bee2ee3b\autochk.exe --a---- 643072 bytes [13:53 20/03/2012] [06:27 11/04/2009] 10761177A6EBE45843F443E99509F5E7

-= EOF =-
Attached Files
File Type: txt Fixlog.txt (12.3 KB, 28 views)
Green972 is offline  
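What the SystemLook output above actually tells you, with an added example that is mine and not code from the thread or from SystemLook: the path ESET flagged was the Vista RTM component (6.0.6000.16386) of autochk.exe, and that directory no longer exists on disk; SystemLook finds only the SP1 (6.0.6001.18000) and SP2 (6.0.6002.18005) entries, which is why the FRST fix reported "not found". The copy Windows boots with, C:\Windows\System32\autochk.exe, has the same size, timestamps and MD5 as the SP2 store entry, which is exactly what you expect on Vista and later, where System32 files are hard links into WinSxS. The script parses the filefind section, groups copies by MD5, and checks the live copy against the store. The sample log is copied from the post; the regexes, function names and the flagged path constant are my assumptions. Caveat: an MD5 match between two on-disk copies only proves they are the same bytes. To confirm the file is Microsoft's, check its Authenticode signature (sigcheck, or Get-AuthenticodeSignature in PowerShell) or look it up on VirusTotal as the analyst did.

```python
import re
from collections import namedtuple

# Added example, not from the thread and not SystemLook's code: read a
# SystemLook filefind section, group copies of a file by MD5, and check the
# live System32 copy against the WinSxS component store.

FileHit = namedtuple("FileHit", "path attrs size mtime ctime md5")

# SystemLook prints one hit per line:
#   <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-\w]{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# WinSxS component directories are named
#   <arch>_<name>_<public key token>_<version>_<culture>_<hash>
VERSION_RE = re.compile(r"\\winsxs\\[^\\]*_(\d+(?:\.\d+){3})_", re.IGNORECASE)

# Constructed sample: the filefind section from the SystemLook log posted above.
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "autochk.exe"
C:\Windows\System32\autochk.exe --a---- 643072 bytes [13:53 20/03/2012] [06:27 11/04/2009] 10761177A6EBE45843F443E99509F5E7
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe --a---- 642560 bytes [08:34 19/03/2012] [07:33 19/01/2008] 2FC5BE79B51714B479809358E4908FC3
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6002.18005_none_e3df6655bee2ee3b\autochk.exe --a---- 643072 bytes [13:53 20/03/2012] [06:27 11/04/2009] 10761177A6EBE45843F443E99509F5E7

-= EOF =-
"""

# The WinSxS path ESET reported as Win32/CompuTrace.A earlier in the thread.
FLAGGED_PATH = (r"C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35"
                r"_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe")


def parse_filefind(text):
    """One FileHit per result line; headers and the EOF marker are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["mtime"], m["ctime"], m["md5"].upper()))
    return hits


def winsxs_version(path):
    """Component version encoded in a WinSxS directory name, or None."""
    m = VERSION_RE.search(path)
    return m.group(1) if m else None


def live_copy(hits):
    """The copy under System32 is the one the system actually runs."""
    for h in hits:
        if h.path.lower().startswith("c:\\windows\\system32\\"):
            return h
    return None


def matching_store_versions(hits):
    """Component-store versions whose MD5 equals the live copy's.  Since
    System32 is hard-linked into WinSxS, expect exactly one match; an empty
    list means System32 holds something the component store does not."""
    live = live_copy(hits)
    if live is None:
        return []
    versions = (winsxs_version(h.path) for h in hits
                if h.md5 == live.md5 and h.path.lower() != live.path.lower())
    return sorted(v for v in versions if v is not None)


def present(hits, path):
    """Whether a path (e.g. one a scanner reported) is among the results."""
    return any(h.path.lower() == path.lower() for h in hits)


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_LOG)
    for h in found:
        print(h.md5, h.size, winsxs_version(h.path) or "live copy", h.path)
    print("live copy matches store version(s):", matching_store_versions(found))
    print("flagged path still on disk:", present(found, FLAGGED_PATH))
```

Run as-is, it reports that the live copy matches store version 6.0.6002.18005 and that the flagged RTM path is not on disk. An empty match list on a real system is worth a closer look before anything is deleted, and a match is grounds for signature verification, not for closing the case.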
Old 04-29-2016, 02:10 PM   #16
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,

How is the machine behaving now? What problems do you still have?
__________________
tekir06 is offline  
Old 04-29-2016, 02:25 PM   #17
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



Everything is running fine. Do I still have malware?
Just need a recommendation for a pop up blocker for Chrome and that is all :)
Green972 is offline  
Old 04-29-2016, 02:44 PM   #18
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,
Quote:
Everything is running fine.
I'm glad to hear that.
Quote:
Just need a recommendation for a pop up blocker for Chrome and that is all :)
I have no idea about this. If you want, you can get help from our Internet Browsers forum.

==========================================================

Your reports are clear. Let's remove all the tools and logs that we used.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your operating system. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows Vista

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
tekir06 is offline  
Old 04-29-2016, 03:21 PM   #19
Registered Member
 
Join Date: Mar 2013
Location: Canada, ON
Posts: 420
OS: Windows 10



Just read over the basic programs needed for a safe pc, do I need Spywareblaster or Spywareguard?

I currently have Avast, Malwarebytes, SuperAntiSpyware.

I also don't have any Firewall programs installed just use Windows Firewall I guess unless Avast has a Firewall protection as well that is enabled, but whatever I'm using seemed to pass the Firewall scan/test I checked..so am I good?


Thank you very much for your help!
Green972 is offline  
Old 04-30-2016, 03:01 PM   #20
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello CK007,
Quote:
Just read over the basic programs needed for a safe pc, do I need Spywareblaster or Spywareguard?
They are all suggestions. You might also want to use the recommended ones.
Quote:
I also don't have any Firewall programs installed just use Windows Firewall I guess unless Avast has a Firewall protection as well that is enabled, but whatever I'm using seemed to pass the Firewall scan/test I checked..so am I good?
__________________
tekir06 is offline  
 
