Found Series of CT1561552 Strings in Firefox about:config file.



#1 bonnie848

bonnie848

  • Members
  • 80 posts

Posted 02 June 2014 - 04:48 PM

Found Series of CT1561552 Strings in Firefox about:config file.

 

I saw a post on this site recommending that someone use AdwCleaner. I downloaded and used the cleaner, and sure enough it found these entries along with some other stuff. I clicked on the button to fix the problems, and it seems to have cleared up the entries in the Firefox about:config file. I still have the AdwCleaner log files if needed.

 

I'm just wondering if there might be other Malware on my computer at this point. My experience with computers is probably intermediate level, but I know little about removing malware, so I'm hoping someone here can help.

 

Thanks,

Bonnie
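
Added example, not part of the original post: about:config values that differ from the defaults are stored as `user_pref(...)` lines in `prefs.js` inside the Firefox profile folder (the JRT log later in this thread shows the profile under `C:\Users\robert\AppData\Roaming\mozilla\firefox\profiles\`), so a cleanup can be verified by searching that file for the CT1561552 ID. The sample preferences below are constructed, and the pref names containing "example" are hypothetical.

```python
import re
from pathlib import Path

# One prefs.js entry looks like: user_pref("pref.name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

# Constructed sample (not from the poster's machine); names with "example" are hypothetical.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.example.invalid/?ctid=CT1561552");
user_pref("CT1561552.example_setting", "true");
user_pref("browser.search.defaultenginename", "Google");
user_pref("extensions.example_toolbar.id", "ct1561552");
'''


def parse_prefs(text):
    """Yield (line_number, name, raw_value) for every user_pref line."""
    for number, line in enumerate(text.splitlines(), 1):
        match = PREF_RE.match(line)
        if match:
            yield number, match.group(1), match.group(2).strip()


def find_leftovers(text, marker="CT1561552"):
    """Return prefs whose name or value still contains the marker (case-insensitive)."""
    needle = marker.lower()
    hits = []
    for number, name, value in parse_prefs(text):
        matched_in = [label for label, field in (("name", name), ("value", value))
                      if needle in field.lower()]
        if matched_in:
            hits.append({"line": number, "pref": name,
                         "matched_in": matched_in, "value": value})
    return hits


def scan_profiles(profiles_root, marker="CT1561552"):
    """Check prefs.js and user.js in each profile folder under profiles_root."""
    report = {}
    for filename in ("prefs.js", "user.js"):
        for path in sorted(Path(profiles_root).glob(f"*/{filename}")):
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_leftovers(text, marker)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for hit in find_leftovers(SAMPLE_PREFS):
        print(f'line {hit["line"]}: {hit["pref"]} (marker in {", ".join(hit["matched_in"])})')
```

Close Firefox before checking, since it rewrites `prefs.js` on exit; a `user.js` file, if present, is reapplied at every startup and would restore any entries it contains.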




 


#2 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • Gender:Male
  • Location:West Tennessee

Posted 02 June 2014 - 06:39 PM

Use the programs below to scan for and remove adware and malware.

 

Malwarebytes Anti-Malware Free

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click 'Update Now'
  • After the update completes, click Scan Now
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required if malware is found
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more. (if a restart is required)
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Free Virus Scan | Online Virus Scanner from ESET

  • Click the esetonlinebtn.png button in the link above.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Use CCleaner to cleanup the temporary files, logs, cookies, etc. Use the default settings. Pay attention while installing and UNcheck offers of toolbars such as Yahoo. No need to use the Registry Cleaner tool and it has the potential of causing another problem. CCleaner - PC Optimization and Cleaning - Free Download


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts

Posted 03 June 2014 - 03:18 PM

Wow. This Eset has been running for 3 hours already, and is only about 1/4 of the way done according to the process bar. It has already found 13 infected files. I am continuing to let it run; if I should stop, please let me know.

 

Here are the results of the mbam scan:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/3/2014
Scan Time: 12:58:14 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.03.05
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: robert

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299919
Time Elapsed: 9 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 5
PUP.Optional.OptimumInstaller.A, C:\Users\robert\Downloads\Express_Installer (1).exe, No Action By User, [43ceadc7daa1de58ee57c38c847ddc24],
PUP.Optional.OptimumInstaller.A, C:\Users\robert\Downloads\Express_Installer (2).exe, No Action By User, [2de478fc502bf83ef352d976e021847c],
PUP.Optional.OptimumInstaller.A, C:\Users\robert\Downloads\Express_Installer.exe, No Action By User, [6aa711638af1cb6bdd6862edea1741bf],
PUP.Optional.Amonetize.A, C:\Users\robert\Downloads\Peter Lynch One Up On Wall Street Audio Book Rar__3515_i637783166_il845587.exe, No Action By User, [c64b5b197a017cba8a0fef52ec149b65],
PUP.Optional.Amonetize, C:\Users\robert\Downloads\tvappSetup__2600_i714058424_il355.exe, No Action By User, [828f215384f7ae88da219ba8b54bdb25],

Physical Sectors: 0
(No malicious items detected)


(end)

***
 



#4 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts

Posted 03 June 2014 - 03:33 PM

Right after I emailed you, of course the Eset scanner completed.

 

Here are the results of that scan:

 

C:\AdwCleaner\Quarantine\C\Users\robert\AppData\Local\Tbccint\Community Alerts\Alert.dll.vir    a variant of Win32/Toolbar.Conduit.Y potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\robert\AppData\Local\Temp\Hotspot_Shield\tbHots.dll.vir    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    deleted - quarantined
C:\Users\robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSJ2A84S\hotspot_shield[1].exe    a variant of Win32/Conduit.SearchProtect.N potentially unwanted application    deleted - quarantined
C:\Users\robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HVHS1Y3Y\statisticsstub[1].exe    Win32/Toolbar.Conduit potentially unwanted application    deleted - quarantined
C:\Users\robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q3Z7NLPS\Hotspot_Shield[1].exe    Win32/Toolbar.Conduit.R potentially unwanted application    deleted - quarantined
C:\Users\robert\AppData\Local\Temp\conduitinstaller.exe    Win32/Toolbar.Conduit potentially unwanted application    deleted - quarantined
C:\Users\robert\Downloads\Chanalyzer-Installer.msi    a variant of MSIL/Packed.Confuser.G potentially unwanted application    deleted - quarantined
C:\Users\robert\Downloads\DVDStyler-2.5b2-win32.exe    Win32/Somoto.E potentially unwanted application    deleted - quarantined
C:\Users\robert\Downloads\Express_Installer (1).exe    a variant of Win32/AdWare.iBryte.AD application    cleaned by deleting - quarantined
C:\Users\robert\Downloads\Express_Installer (2).exe    a variant of Win32/AdWare.iBryte.AD application    cleaned by deleting - quarantined
C:\Users\robert\Downloads\Express_Installer.exe    a variant of Win32/AdWare.iBryte.AD application    cleaned by deleting - quarantined
C:\Users\robert\Downloads\Peter Lynch One Up On Wall Street Audio Book Rar__3515_i637783166_il845587.exe    a variant of Win32/Amonetize.AS potentially unwanted application    deleted - quarantined
C:\Users\robert\Downloads\tvappSetup__2600_i714058424_il355.exe    a variant of Win32/Amonetize.AS potentially unwanted application    deleted - quarantined
 



#5 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts

Posted 03 June 2014 - 04:40 PM

Sorry Buddy215, I was so taken aback by how long the Eset scan was taking, I forgot to say thank you for helping me.



#6 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • Gender:Male
  • Location:West Tennessee

Posted 03 June 2014 - 07:16 PM

MBAM doesn't show that you deleted what it found. If that is true then you need to run it again and choose to remove what it found.

....When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

In most cases, a restart will be required if malware is found

Wait for the prompt to restart the computer to appear, then click on Yes.

 

Do one more scan using the program below.

 

  • download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

EDIT: I didn't receive any message from you.


Edited by buddy215, 03 June 2014 - 07:24 PM.


#7 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts

Posted 03 June 2014 - 09:09 PM

Ran MBAM again, it didn't find anything. Here's the log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/3/2014
Scan Time: 9:40:48 PM
Logfile: mbam-6-3-eve.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.04.01
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: robert

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 298673
Time Elapsed: 11 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

Here is JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by robert on Tue 06/03/2014 at 21:55:24.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-3434975647-2719533202-2998227652-1000\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{25DA73D2-CBE0-43A5-8BFA-F757F5E69864}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Empty Folder] C:\Users\robert\appdata\local\{02E3F298-9D2B-46DE-9C89-BED183C482FA}



~~~ FireFox

Emptied folder: C:\Users\robert\AppData\Roaming\mozilla\firefox\profiles\a6758pul.default-1395446646891\minidumps [15 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 06/03/2014 at 22:00:47.36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't know what you mean, "EDIT: I didn't receive any message from you."

 

Thanks again for your help.

 

Bonnie



#8 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts

Posted 03 June 2014 - 09:31 PM

I just noticed that when I open another new tab in Firefox, it loads: https://www.google.com/?gws_rd=ssl in the address bar. I've never seen /?gws_rd=ssi before let alone https for google.



#9 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • Gender:Male
  • Location:West Tennessee

Posted 04 June 2014 - 06:20 AM

I was referring to....Right after I emailed you, of course the Eset scanner completed.

 

That is Google search page. If you prefer seeing a blank page you can. Open and clear a new tab. Then go to Preferences and choose the General tab. Change the home page to about:blank and choose the Use Current Pages button.

Any other problem? The scans found a lot of adware. That is common these days as just about every free add-on and program attempts to install adware. Some even do it during updates.

There is one website that sponsors a lot of popular program downloads that do not contain the bundled adware. You can also choose to install their program for keeping the programs updated, too. Ninite - Install or Update Multiple Apps at Once



#10 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts

Posted 04 June 2014 - 08:29 AM

My fault, I said "email" when I should have said replied here.

 

I thought the suffix on the end of the google search was strange. I've always had it set to google, but first time I ever noticed the suffix after the google.com/

 

So everything looks good then?

 

Thank you for your quick response Buddy and all your help, and for the tip on the updater site.



#11 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • Gender:Male
  • Location:West Tennessee

Posted 04 June 2014 - 08:50 AM

You are welcome....AdwCleaner should be uninstalled by you. It can only be updated by a new install.

 

When I open Google search I see the same as you do.

 

Unless you notice your searches are being misdirected or more ads popping up than usual, I would say you are good to go. Happy surfing!



#12 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts

Posted 04 June 2014 - 02:26 PM

Thank you so much Buddy!
