Status: Not open for further replies.
1 - 20 of 20 Posts

Registered · 44 Posts · Discussion Starter · #1
I recently bought a new ASUS laptop with Windows 8 and I'm suddenly struggling with tons of ads in all of my internet browsers. There's an eDeals ad on certain words on every webpage and new tabs will open with warnings and advertisements.

Here's what I have done so far:
- Ran Malwarebytes
- Ran Adware Removal
- Uninstalled any program that I didn't recognize
- Reset Chrome and uninstalled all extensions

Nothing has worked. Please help me!
 

Registered · 1,859 Posts
Hello and Welcome to TSF.

We need to have a series of reports to determine the presence of malware. Please follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
 

Registered · 44 Posts · Discussion Starter · #3
Well, I'm definitely having problems following the directions. DDS wouldn't run and came up with:

"DDS is not meant to run in 'Compatibility Mode'. The program shall now exit."

and GMER says:

"C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process"

I disabled Windows Defender and I made sure CCleaner and Malwarebytes were both not running. But GMER still shows that message.

Anyway, I followed another thread that told me to use FRST, so I attached the logs I got from using that to scan.
 


Registered · 1,859 Posts
Hello,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here.

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

=========================================================


CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here.

=========================================================


Please download AdwCleaner from here and save it to your desktop.
  • Do NOT click the green 'Download' button (if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
 

Registered · 44 Posts · Discussion Starter · #5
Ok I removed uTorrent and I'll be reading those articles tonight.

Here is the AdwCleaner log:

# AdwCleaner v4.108 - Report created 21/01/2015 at 10:42:24
# Updated 17/01/2015 by Xplode
# Database : 2015-01-18.1 [Live]
# Operating System : Windows 8.1 (64 bits)
# Username : Quinton - DEAN-PC
# Running from : C:\Users\Quinton\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Users\Quinton\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\Quinton\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\superfish.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Superfish - Visual Search and Image Recognition

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Google Chrome v39.0.2171.99


*************************

AdwCleaner[R1].txt - [1292 octets] - [17/01/2015 14:51:34]
AdwCleaner[R2].txt - [1408 octets] - [21/01/2015 10:40:26]
AdwCleaner[S1].txt - [1369 octets] - [17/01/2015 14:54:19]
AdwCleaner[S2].txt - [1283 octets] - [21/01/2015 10:42:24]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1343 octets] ##########
 

Registered · 1,859 Posts
Hello again,

Please do the following.

  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
start
ProxyServer: [S-1-5-21-1459034380-298225683-2569479206-1001] => http=127.0.0.1:25094
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3306061&SearchSource=48&CUI=UN84085539623910320&UM=2", "hxxp://search.conduit.com/?ctid=CT3306061&SearchSource=48&CUI=UN27066316432125271&UM=2", "hxxp://start.mysearchdial.com/?f=1&a=ir_14_10_CH&cd=2XzuyEtN2Y1L1QzuyB0AyBzytCzy0CtAyBzz0EtB0A0DtAtBtN0D0Tzu0SyBzyyDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAzz0D0E0A0Fzz0DtG0ByCzy0CtGyBtDyC0EtGtDtA0DtAtGtD0B0C0AtByD0F0BtD0C0DtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0DtC0DyDyBzy0EtG0E0FyBtDtG0F0Ezy0AtGtAyByByCtGyD0ByCtCyEyByB0CtB0ByDyD2Q&cr=782726450&ir=", "hxxp://start.mysearchdial.com/?f=1&a=MSD3_14_10_CH&cd=2XzuyEtN2Y1L1QzuyB0AyBzytCzy0CtAyBzz0EtB0A0DtAtBtN0D0Tzu0SyBzyyDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyCzyyBzztAzz0BtBtG0D0CyCtBtGtA0C0D0EtGtBtAyEzztGtC0EtAyD0FtBzzzyzytD0DtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0DtC0DyDyBzy0EtG0E0FyBtDtG0F0Ezy0AtGtAyByByCtGyD0ByCtCyEyByB0CtB0ByDyD2Q&cr=789629596&ir="
2014-11-07 07:48 - 2014-11-07 07:48 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-24 07:20 - 2012-09-07 06:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
EmptyTemp:
end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 

Registered · 44 Posts
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Quinton at 2015-01-21 18:06:54 Run:1
Running from C:\Users\Quinton\Desktop\Fix
Loaded Profiles: Quinton (Available profiles: Quinton)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
ProxyServer: [S-1-5-21-1459034380-298225683-2569479206-1001] => http=127.0.0.1:25094
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3306061&SearchSource=48&CUI=UN84085539623910320&UM=2", "hxxp://search.conduit.com/?ctid=CT3306061&SearchSource=48&CUI=UN27066316432125271&UM=2", "hxxp://start.mysearchdial.com/?f=1&a=ir_14_10_CH&cd=2XzuyEtN2Y1L1QzuyB0AyBzytCzy0CtAyBzz0EtB0A0DtAtBtN0D0Tzu0SyBzyyDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAzz0D0E0A0Fzz0DtG0ByCzy0CtGyBtDyC0EtGtDtA0DtAtGtD0B0C0AtByD0F0BtD0C0DtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0DtC0DyDyBzy0EtG0E0FyBtDtG0F0Ezy0AtGtAyByByCtGyD0ByCtCyEyByB0CtB0ByDyD2Q&cr=782726450&ir=", "hxxp://start.mysearchdial.com/?f=1&a=MSD3_14_10_CH&cd=2XzuyEtN2Y1L1QzuyB0AyBzytCzy0CtAyBzz0EtB0A0DtAtBtN0D0Tzu0SyBzyyDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyCzyyBzztAzz0BtBtG0D0CyCtBtGtA0C0D0EtGtBtAyEzztGtC0EtAyD0FtBzzzyzytD0DtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0DtC0DyDyBzy0EtG0E0FyBtDtG0F0Ezy0AtGtAyByByCtGyD0ByCtCyEyByB0CtB0ByDyD2Q&cr=789629596&ir="
2014-11-07 07:48 - 2014-11-07 07:48 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-24 07:20 - 2012-09-07 06:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
EmptyTemp:
end
*****************

HKU\S-1-5-21-1459034380-298225683-2569479206-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
Chrome StartupUrls deleted successfully.
C:\ProgramData\DP45977C.lfl => Moved successfully.
C:\ProgramData\SetStretch.cmd => Moved successfully.
EmptyTemp: => Removed 821.8 MB temporary data.


The system needed a reboot. 

==== End of Fixlog 18:07:05 ====

Ok it seems like all the ads are now gone from my browser. If you don't mind, could you give me an overview of what the problem was and how I might have infected my computer with the adware?
 

Registered · 1,859 Posts
Hello again.

Quote: Ok it seems like all the ads are now gone from my browser. If you don't mind, could you give me an overview of what the problem was and how I might have infected my computer with the adware?
There are many ways your computer could get infected with Adware. Adware can come bundled with shareware or other downloadable software.
Another method of distributing Adware involves tricking you by displaying deceptive pop-up ads that may appear as regular Windows notifications with links which look like buttons reading Yes and No. No matter which "button" that you click on, a download starts, installing Adware on your system. Adware installs on your computer through a trojan and may infect your system without your knowledge or consent.

=========================================================

Please do the following.

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.
 

Registered · 44 Posts · Discussion Starter · #9
C:\Users\Quinton\AppData\Local\wizardwpcmigTask\direct3dminimalMonitor.exe a variant of Win32/Adware.Pirrit.R application
C:\Users\Quinton\AppData\Local\wizardwpcmigTask\wizardwpcmigTask.exe a variant of Win32/Adware.Pirrit.Q application
Operating memory a variant of Win32/Adware.Pirrit.R application


It seems like most of the ads are gone except they still show up on this website (Tech Support Forum | Experts Online now for FREE Support!)
 

Registered · 1,859 Posts
Hello again,

Quote: It seems like most of the ads are gone except they still show up on this website (Tech Support Forum | Experts Online now for FREE Support!)
Can you send a screenshot of it?

=========================================================

Please do the following.

  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
C:\Users\Quinton\AppData\Local\wizardwpcmigTask\direct3dminimalMonitor.exe
C:\Users\Quinton\AppData\Local\wizardwpcmigTask\wizardwpcmigTask.exe
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 

Registered · 44 Posts · Discussion Starter · #11
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-01-2015 01
Ran by Quinton at 2015-01-27 12:59:59 Run:2
Running from C:\Users\Quinton\Desktop\Fix
Loaded Profiles: Quinton & (Available profiles: Quinton)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\Quinton\AppData\Local\wizardwpcmigTask\direct3dminimalMonitor.exe
C:\Users\Quinton\AppData\Local\wizardwpcmigTask\wizardwpcmigTask.exe
*****************

C:\Users\Quinton\AppData\Local\wizardwpcmigTask\direct3dminimalMonitor.exe => Moved successfully.
C:\Users\Quinton\AppData\Local\wizardwpcmigTask\wizardwpcmigTask.exe => Moved successfully.

==== End of Fixlog 12:59:59 ====

Ok my PC didn't need to restart. As far as the ads go, they are all back. Malwarebytes hasn't detected anything still.
 

Registered · 44 Posts · Discussion Starter · #12
I ran Malwarebytes again today and realized that eDeals was in my program files. Even though I uninstalled it and reset my browser settings, it didn't work.
 

Registered · 44 Posts · Discussion Starter · #14
It's happening in Chrome and Internet Explorer, which are the only two browsers I have. The same ads pop up on every page, sometimes new tabs open to places like www.adshost.net or something, and words are underlined in blue with ads attached to them.

I scanned my PC several times after the scan where I found malicious items and MBAM couldn't find anything. Here's the earlier scan where I have already quarantined the possible threats.


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/30/2015
Scan Time: 1:58:30 PM
Logfile: MBAM_Log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.30.07
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Quinton

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359788
Time Elapsed: 9 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.EDealPop.A, C:\Program Files (x86)\eDealPop\eDealPop.exe, 1152, Delete-on-Reboot, [0f8077861277a98d729b1e70f60d35cb]

Modules: 1
PUP.Optional.eDealsPop.A, C:\Program Files (x86)\eDealPop\msvcr100.dll, Delete-on-Reboot, [c7c812ebe1a8181eecc0aad2c53e5da3],

Registry Keys: 1
PUP.Optional.eDealsPop.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\eDeals_is1, Quarantined, [c7c812ebe1a8181eecc0aad2c53e5da3],

Registry Values: 1
PUP.Optional.EDealPop.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|eDealPop, "C:\Program Files (x86)\eDealPop\eDealPop.exe", Quarantined, [0f8077861277a98d729b1e70f60d35cb]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.eDealsPop.A, C:\Program Files (x86)\eDealPop, Quarantined, [c7c812ebe1a8181eecc0aad2c53e5da3],

Files: 6
PUP.Optional.EDeals.A, C:\Windows\Temp\UptUpdater.exe, Quarantined, [eda206f7ea9fff373891c3942ad6d030],
PUP.Optional.EDealPop.A, C:\Program Files (x86)\eDealPop\eDealPop.exe, Quarantined, [0f8077861277a98d729b1e70f60d35cb],
PUP.Optional.eDealsPop.A, C:\Program Files (x86)\eDealPop\msvcp100.dll, Quarantined, [c7c812ebe1a8181eecc0aad2c53e5da3],
PUP.Optional.eDealsPop.A, C:\Program Files (x86)\eDealPop\msvcr100.dll, Quarantined, [c7c812ebe1a8181eecc0aad2c53e5da3],
PUP.Optional.eDealsPop.A, C:\Program Files (x86)\eDealPop\unins000.dat, Quarantined, [c7c812ebe1a8181eecc0aad2c53e5da3],
PUP.Optional.eDealsPop.A, C:\Program Files (x86)\eDealPop\unins000.exe, Quarantined, [c7c812ebe1a8181eecc0aad2c53e5da3],

Physical Sectors: 0
(No malicious items detected)


(end)
 

Registered · 44 Posts · Discussion Starter · #15 · (Edited)
Ok now I just uninstalled Google Chrome and all of its browsing data. Afterwards I opened up Internet Explorer and it seems like all of the adware is gone. Could the adware be in Chrome?

Never mind, the ads just aren't showing on this forum.
 

TSF Security Manager, Emeritus · 42,836 Posts
So what you are now saying is that you still have ads in IE, correct?

If so, please send me a screen shot of what you're seeing. Tekir06 asked for one earlier and I don't see that you sent one.

To get a screen shot, when you see the ad, press the Prt Scr button on your keyboard.
Now open Windows Paint. Right click in the open area and select Paste.

Save it to your desktop then please attach it in your next reply.
 

Registered · 44 Posts · Discussion Starter · #17 · (Edited)
Yes. I am also having ads in IE.

I used Gyazo to take the screenshots; I hope you don't mind.

Gyazo - 9e6a2511c45262a63e7574507da8f569.png

The screenshot above shows the ads I get when I'm on amazon and the screenshot immediately below is one of the pop-up windows that appear whenever I click anywhere on the page.

Gyazo - 60eabbfe87b8a0331070788d1f8424f9.png

The screenshot below shows how edeals attaches ads to certain words on most websites I visit.

Gyazo - fe4ed211f0604d3ea6e2235e2fcb178f.png

Here's another screenshot:

http://gyazo.com/e36b986e7bd80c1a5c122c84d775eebd
 

Registered · 44 Posts · Discussion Starter · #18 · (Edited)
I tried running AdwCleaner and then running MBAM immediately after to see if it could pick up the programs reinstalling the adware. (I have no idea how this all works)

But I did manage to find some new files. Here is the log:

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 2/5/2015
Scan Time: 11:50:42 AM
Logfile: MBAM_Log.txt
Administrator: Yes
Version: 2.00.4.1028
Malware Database: v2015.02.05.08
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Quinton
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 356106
Time Elapsed: 5 min, 51 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 2
Adware.Pirrit, C:\Users\Quinton\AppData\Local\contextualusbceipProt\contextualusbceipProt.exe, 1148, Delete-on-Reboot, [68746eacd7b32412e9fdb5638d754ab6]
Adware.Pirrit, C:\Users\Quinton\AppData\Local\contextualusbceipProt\pathlocalsplSched.exe, 5304, Delete-on-Reboot, [fddf23f73951b58113d4d246df23fc04]
Modules: 0
(No malicious items detected)
Registry Keys: 5
Adware.Pirrit, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\contextualusbceipProt.exe, Quarantined, [68746eacd7b32412e9fdb5638d754ab6],
Adware.Pirrit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CONTEXTUALUSBCEIPPROT.EXE, Quarantined, [68746eacd7b32412e9fdb5638d754ab6],
Adware.Pirrit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CONTEXTUALUSBCEIPPROT.EXE, Quarantined, [68746eacd7b32412e9fdb5638d754ab6],
Adware.Pirrit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PATHLOCALSPLSCHED.EXE, Quarantined, [fddf23f73951b58113d4d246df23fc04],
Adware.Pirrit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PATHLOCALSPLSCHED.EXE, Quarantined, [fddf23f73951b58113d4d246df23fc04],
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 3
Adware.Pirrit, C:\Users\Quinton\AppData\Local\contextualusbceipProt\contextualusbceipProt.exe, Delete-on-Reboot, [68746eacd7b32412e9fdb5638d754ab6],
Adware.Pirrit, C:\Users\Quinton\AppData\Local\contextualusbceipProt\pathlocalsplSched.exe, Delete-on-Reboot, [fddf23f73951b58113d4d246df23fc04],
Trojan.Agent, C:\Users\Quinton\AppData\Local\Temp\Quarantine.exe, Quarantined, [d9038c8e8307989e7517f92218ea8c74],
Physical Sectors: 0
(No malicious items detected)

(end)

I was actually wondering what contextualusbceipProt.exe was before I realized it was a virus. I still have a contextualusbceipProt folder in my AppData folder. Should I delete it? The problem is that it has msvcp.dll files... and I think they are important or something. Take a look:

Gyazo - c2634112ced6be06d2aae6ed53f3dc92.png

Thank you guys so much for your help, by the way.
 
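The locations the FRST fixlist and the two Malwarebytes logs in this thread dealt with (the loopback ProxyServer value, the IE DefaultScope entries, the eDealPop Run value, the Image File Execution Options keys and the service entry for contextualusbceipProt.exe) are the usual places this kind of adware anchors itself. The script below is an added example, not from the thread or from FRST, AdwCleaner or Malwarebytes: it reads those locations without changing anything and flags the patterns seen in the logs. The helper names, the regexes and the list of "user-writable" paths are my assumptions.

```powershell
# Added example (not from the thread): read-only audit of the persistence points the
# fixlist and Malwarebytes logs touched. Run from an elevated PowerShell 5.1+ prompt.
$findings = New-Object System.Collections.Generic.List[string]
# Assumption: the locations where the adware in this thread lived (AppData\Local, ProgramData, Temp)
$userWritable = 'AppData\\Local|ProgramData|\\Temp\\'

function Get-ExePath([string]$cmd) {
    # Pull the executable out of a command line: "C:\a b\x.exe" /s  or  C:\x.exe /s
    if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(\S+\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Test-Suspicious([string]$cmd) {
    $exe = Get-ExePath $cmd
    if (-not $exe) { return $false }
    if ($exe -match $userWritable) { return $true }
    if (Test-Path -LiteralPath $exe) {
        # Unsigned or tampered binaries in an autostart location deserve a look
        return (Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid'
    }
    return $true   # dangling autostart entry: the file is gone but the hook remains
}

# 1. WinINET proxy (thread: ProxyServer => http=127.0.0.1:25094). A loopback proxy
#    lets a local process rewrite traffic for every browser that honours it.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyServer -match '127\.0\.0\.1|localhost') {
    $findings.Add("Loopback proxy: $($inet.ProxyServer) (ProxyEnable=$($inet.ProxyEnable))")
}
# 2. IE DefaultScope in every loaded user hive (thread: HKU\.DEFAULT, S-1-5-19, S-1-5-20)
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $scopes = "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
    $ds = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
    if ($ds) {
        $url = (Get-ItemProperty "$scopes\$ds" -ErrorAction SilentlyContinue).URL
        $findings.Add("DefaultScope $ds in $($hive.PSChildName): URL=$url (review)")
    }
}
# 3. Run values (thread: HKLM\...\WOW6432NODE\...\RUN|eDealPop)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        if (Test-Suspicious ([string]$p.Value)) { $findings.Add("Run value $k\$($p.Name): $($p.Value)") }
    }
}
# 4. Image File Execution Options (thread: IFEO\CONTEXTUALUSBCEIPPROT.EXE). A Debugger
#    value silently redirects every launch of that program; legitimate uses are rare.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($root in $ifeo) {
    foreach ($sub in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings.Add("IFEO Debugger for $($sub.PSChildName): $dbg") }
    }
}
# 5. Services whose binary lives under a user profile (thread: SERVICES\contextualusbceipProt.exe)
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match $userWritable) { $findings.Add("Service $($svc.PSChildName): $img") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'Nothing flagged in the audited locations.' }
```

Every line it prints is a lead to verify, not a verdict; a DefaultScope entry or a Run value can be legitimate, which is why the search-scope check reports rather than judges.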

TSF Security Manager, Emeritus · 42,836 Posts
Hello qdeanc,

You're welcome and thank you for the screen shot and additional info.

It was good thinking on your part to be cautious about deleting that folder when you saw it had msvcp.dll in it - always better to be safe than sorry - but that file, when needed, does not belong in that location. The legit placement for that file would be the system32 folder.

In this case, that folder does not exist by default so please go ahead and delete it, it may be why this keeps coming back.

If you still have ads, please run a new scan with FRST64 and send me the new FRST.txt
 

Registered · 44 Posts · Discussion Starter · #20
Well it has been a few days and the ads are gone. AdwCleaner can't pick up anything.

I think it is safe to say my problem has been solved!
 