Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Brother installed program from a Google ad, malicious programs included


  • Please log in to reply
10 replies to this topic

#1 FRiNKEL

FRiNKEL

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:14 AM

Posted 25 March 2013 - 01:20 AM

Hello! I just came home from a vacation I went on (wasn't really much of a vacation though, long story short there were some rude people that sort of ruined it for me) to find out that there is now malware on the family computer, and I'm the only tech-savvy guy in this house, so I'm also the one that has to find a way to remove it!

 

To sum up what he basically did, he wanted a video recording application that was, I quote, "better than fraps." So, instead of waiting a few minutes to ask his tech-savvy brother who knows a few good recording applications, or even waiting to ask for approval on a program, what does he do? HE DOWNLOADS THE FIRST THING HE SEES ON A GOOGLE AD. (Sorry for the unnecessary caps lock, just sort of pissed off.) The program he downloaded was named ezvid (obviously, don't download it.) He said he likes it. I don't think it was worth the cruddy malware, myself. Looking at my Task Manager window, I see a few new foreign programs that don't look like they belong...

- OtShot (which is now alerting me it was "unable to load skin" or something)

- "DefaultTabSearch.exe" and an additional tab labeled "DefaultTab Update Service"

- "Optimizer Pro Smart Scan" and "Optimizer Pro Speed Guard"

- (This one REALLY, REALLY pissed me off when iI saw it) Search Protect by Conduit

- PEV.DAT (just seems a bit foreign and not-belonging-on-my-task-manager-ish)

- (May be legit, but seems unfamiliar to my eyes) WMI Provider Host

 

I tried to run dds.com, however the scan never finished spite waiting about 5-10 minutes, and so I decided (hoping that I do not receive a reply that says "WHAT DID YOU DOOO NOW YOU BROKE YOUR COMPUTER" for doing this) to close it out via Task Manager.

 

Please help me out here. I should also note that I am running 64-bit Windows 8.


Edited by FRiNKEL, 25 March 2013 - 02:17 AM.

"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me

BC AdBot (Login to Remove)

 


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:01:14 PM

Posted 25 March 2013 - 08:07 AM

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


    tds2.jpg

  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


    2012081514h0118.png

  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue


    tds6.jpg
  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)in your reply
  • Due to forum upgrade you may face issues posting the TDSSkiller log.Just last few lines of log is sufficient

===================================================

RKILL
  • Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another.) and save it to your desktop:
  • Link 1
  • Link 2

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

===================================================

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan This process may may take several hours, that is normal
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    esetsmartinstaller_enu.png

    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button

===================================================

Junkware Removal Tool by thisisu
  • Please download Junkware Removal Tool
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply.

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • TDSSKiller log
  • RKILL log
  • ESET log
  • Junkware removal tool log


 



#3 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:14 AM

Posted 27 March 2013 - 11:35 AM

I've completed running all of the files. It makes me a slight bit more comfortable that it might've been just adware that was installed. Some of the programs (like Optimizer Pro) really put a fright in me, as pseudo computer cleaners and rogues aren't exactly known to be friendly.

 

TDSSKiller log, last 6 lines (No objects were found, fortunately):

Spoiler

 

RKill log:

Spoiler

 

ESET Online Scan Results (apparently I put a few on myself without knowing as well, eheheh):

Spoiler

 

And finally, JRT's log:

Spoiler


Edited by FRiNKEL, 27 March 2013 - 11:36 AM.

"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:01:14 PM

Posted 27 March 2013 - 11:41 AM

Malwarebytes

Please download Malwarebytes Anti-Malware and save it to your desktop. If you already have it installed launch the program and update the database.

  • Make sure you are connected to the Internet and double-click on the it to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

===================================================

Farbar's MiniToolBox
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the MiniToolBox.jpg icon to launch the program
  • Make sure the following options are checked:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices
    • List Users, Partitions and Memory size.

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply

===================================================

Farbar's Service Scanner

Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================

AdwCleaner by Xplode - Search for Adware
  • Please download AdwCleaner by Xplode onto your desktop.
  • Security softwares may flag it as malicious.This is a false positive and can be ignored.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on DELETE
  • Click YES if you receive a warning for reboot
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================

Autoruns
 
  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then Save filename as Autoruns.txt and change Save as type to  Text(*.txt).
  • Double click on the text file,copy and paste the contents in your reply



  • Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • Malwarebytes log
  • MiniToolBox log
  • Farbar's Service Scanner log
  • AdwCleaner log
  • Autoruns log


 



#5 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:14 AM

Posted 27 March 2013 - 02:13 PM

Finished!

Also, if you don't mind, I also decided to install the HOSTS Anti-PUP/Adware file that AdwCleaner offered, I know my family and I know they're probably not going to pay attention to what they're going to install.

 

Unfortunately, it appears that the length of the logs has made me unable to post all of them in this post. So, to compensate, I copypasted them into Pastebin. I hope you do not mind. Please let me know if you'd like me to actually post them (in which case I'll post it in the series of multiple posts), otherwise you can view them here:

 

http://pastebin.com/qc0xgNmr


"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:01:14 PM

Posted 27 March 2013 - 08:44 PM

Current issues?



#7 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:14 AM

Posted 27 March 2013 - 08:52 PM

Nothing appears to be going awry at this time. Pretty much all of the programs foreign to my computer I saw in the Task Manager have disappeared.

There is, however, one program that has not been caught that was installed with the junkware, a program called OtShot, so I assume at this point that it's a program that plays nice and I can simply uninstall without issues.


Edited by FRiNKEL, 27 March 2013 - 08:55 PM.

"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:01:14 PM

Posted 27 March 2013 - 08:56 PM

You can uninstall it.
 
That looks good

Remove temporary and junk files

Download Temp file cleaner from HERE.Launch it,it will close all running programs

click on START,it should ask for reboot.If TFC locks up the system,run it in safemode
 

Create a new restore point

Follow this guide to turn off and turn on your restore points

Windows XP

Vista & windows 7

Windows 8

Turn off your system restore-It deletes old infected restore points.Turn on system restore and create a new restore point

Update JAVA and Flash player

Uninstall old versions of java and flash player from control panel-Add or remove programs.Download the latest version from here

http://java.com/en/ & http://www.adobe.com/support/flashplayer/downloads.html

Antivirus recommendations

Update your antivirus frequently.Two free antivirus that i would suggest are

Microsoft security essentials or Avast.You can select either one of them.

If you have a paid one,make sure to update it frequently.Do not use multiple security softwares.

Informative guides that could prevent you from being infected again

How did I get infected?

Best Practices for Safe Computing - Prevention of Malware Infection

Simple and easy ways to keep your computer safe and secure on the Internet


Safe surfing :)



#9 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:14 AM

Posted 27 March 2013 - 11:11 PM

Thank you! I'll make sure to be careful and encourage my family, either friendly or forcefully, to watch what they're downloading.


"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me

#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:01:14 PM

Posted 27 March 2013 - 11:16 PM

:welcome:



#11 Jugdish50

Jugdish50

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 13 May 2013 - 08:01 AM

DISREGARD PLEASE - I figured out a system restore couldn't hurt so I did that and set it two days ago before this started. Seems okay and otshot folder now seems gone permanently.... I hope. And will definitely be more careful in the future.

 

________________________________________________________________________________________________________

 

 

 

HELP please! I am not the most tech savvy guy... I may have the same issue as the previous post but not sure if I need to follow all the steps you outline.  Yesterday, I added this "otshot" program by mistake when trying to search for another program just like Frinkel's brother did but I should know better.

 

Anyway, I keep getting this message now upon starting up: "unable to load skin" or something.  I went into my Program Files and tried to remove the otshot folder but am not able - I get a damn "access denied" message! How can access be denied? It is my computer!

I keep trying over and over again.  How can I get rid of this?  Have they completely infected my computer?

 

Thanks so much for any help you can offer.


Edited by Jugdish50, 13 May 2013 - 11:44 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users