Three potentially unwanted programs


11 replies to this topic

#1 marktheknife

Posted 03 August 2014 - 03:14 PM

I have avast's free antivirus program (ver 2014.9.0.2021) running on my Windows 7 PC. A scan found the following files:

File C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6RUG3FR0\BiTool[1].dll is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LHDI8OK4\bi_downloader[1].exe|>$PLUGINSDIR\bi_client.exe is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LHDI8OK4\bi_downloader[1].exe is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\nsaD7DB.tmp|>$PLUGINSDIR\bi_client.exe is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\nsaD7DB.tmp is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\nspE044.tmp|>$PLUGINSDIR\bi_client.exe is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\nspE044.tmp is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\nsrDA5A.tmp|>$PLUGINSDIR\bi_client.exe is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\nsrDA5A.tmp is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\bitool.dll is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\$Recycle.Bin\S-1-5-21-3064537455-4013464278-3525699491-1000\$R0VHZHI.exe is infected by Win32:InstallCore-HG [PUP], Moved to chest
File E:\...\Downloads\ZipOpenerSetup.exe is infected by Win32:InstallCore-HG [PUP], Moved to chest

Also the file C:\Users\...\AppData\Local\Temp\is357113909\Setup-D502DD2B71B5.exe, which it says is associated with the threat Webcake-A.

Avast has tried to quarantine the files it found. I haven't noticed any unusual behavior from my computer, but I'd like to know how to find and remove any other files associated with these malware programs (they seem to be mostly adware from what I can find). I doubt avast completely got rid of them all. Any help would be appreciated. Thanks.
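The avast lines in this post all follow one fixed shape, so they can be triaged mechanically. The following Python is an added example, not code from the post or from avast: it parses those lines and groups the hits by detection family and by on-disk location, which makes it easy to see that every hit sits in a transient place (browser cache, %TEMP%, Recycle Bin, Downloads) rather than somewhere that survives a reboot. The sample lines are constructed from the post, and the choice of which folders count as transient is my own assumption.

```python
"""Triage of avast! detection lines like those pasted in the opening post.

Every line has the shape
    File <path>[|><inner path>] is infected by <family> [<category>], <action>
where "|>" separates a container (an NSIS installer, an archive, ...) from the
file avast found inside it. The helpers below parse that shape and group the
hits by detection family and by on-disk location, so a reader can see at a
glance whether a hit is a cached installer dropping or sits somewhere that
would survive a reboot and deserves a closer look.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the opening post. The "..."
# segments are the poster's own redaction of the user name / folder.
SAMPLE_LOG = r"""
File C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6RUG3FR0\BiTool[1].dll is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LHDI8OK4\bi_downloader[1].exe|>$PLUGINSDIR\bi_client.exe is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\nsaD7DB.tmp|>$PLUGINSDIR\bi_client.exe is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\Users\...\AppData\Local\Temp\bitool.dll is infected by Win32:Somoto-J [PUP], Moved to chest
File C:\$Recycle.Bin\S-1-5-21-3064537455-4013464278-3525699491-1000\$R0VHZHI.exe is infected by Win32:InstallCore-HG [PUP], Moved to chest
File E:\...\Downloads\ZipOpenerSetup.exe is infected by Win32:InstallCore-HG [PUP], Moved to chest
"""

LINE_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<family>\S+) "
    r"\[(?P<category>[^\]]+)\], (?P<action>.+)$"
)

# Assumed transient locations: a hit here is almost always a downloaded or
# unpacked installer, not an installed component.
TRANSIENT_LOCATIONS = (
    ("browser cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("temp", re.compile(r"\\AppData\\Local\\Temp\\", re.I)),
    ("recycle bin", re.compile(r"^[A-Z]:\\\$Recycle\.Bin\\", re.I)),
    ("downloads", re.compile(r"\\Downloads\\", re.I)),
)
OTHER = "other (review for persistence)"


def classify_location(container_path):
    """Map a container path to one of the transient buckets, or OTHER."""
    for label, pattern in TRANSIENT_LOCATIONS:
        if pattern.search(container_path):
            return label
    return OTHER


def parse_line(line):
    """Parse one avast line into a dict, or return None if it is not one."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    # "container|>inner" means avast scanned inside an installer/archive.
    container, _, inner = match.group("path").partition("|>")
    return {
        "container": container,
        "inner": inner or None,
        "family": match.group("family"),
        "category": match.group("category"),
        "action": match.group("action"),
        "location": classify_location(container),
    }


def parse_log(text):
    """Parse every avast line in a pasted log, skipping anything else."""
    hits = (parse_line(line) for line in text.splitlines())
    return [hit for hit in hits if hit is not None]


def summarize(hits):
    """Count hits per family and location and list the ones worth a look."""
    return {
        "by_family": Counter(hit["family"] for hit in hits),
        "by_location": Counter(hit["location"] for hit in hits),
        # Payloads avast found inside installers (e.g. NSIS $PLUGINSDIR).
        "embedded_payloads": sorted({hit["inner"] for hit in hits if hit["inner"]}),
        "needs_review": [hit["container"] for hit in hits if hit["location"] == OTHER],
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```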





#2 Alex&Vanko

Posted 04 August 2014 - 03:37 PM

Hi marktheknife, and welcome!

 

Download Screen317 Security Check HERE and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

Please download MiniToolBox HERE to your desktop to run it.
Checkmark the following boxes:
* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)

 

Thank you!



#3 marktheknife

Posted 04 August 2014 - 09:10 PM

Thanks for your help, Alex&Vanko. FYI, since my post I uninstalled avast and installed Norton 360 (I had an extra license from another PC). Norton's system scan reported no issues.

 

The contents of checkup.txt from SecurityCheck are pasted below, and next is result.txt from MiniToolBox. Please let me know the next steps. Thanks.

 Results of screen317's Security Check version 0.99.86  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Norton 360    
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 65  
 Adobe Flash Player 14.0.0.145  
 Mozilla Firefox (31.0)
 Google Chrome 35.0.1916.153  
 Google Chrome 36.0.1985.125  
 Google Chrome Plugins...  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 13% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 
MiniToolBox by Farbar  Version: 21-07-2014
Ran by *** (administrator) on 04-08-2014 at 22:11:21
Running from "E:\HTPC\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================




========================= Event log errors: ===============================

Application errors:
==================
Error: (08/04/2014 09:43:53 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/04/2014 09:41:24 PM) (Source: Application Hang) (User: )
Description: The program NetBak.exe version 4.3.2.611 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: b60

Start Time: 01cfaf4e64b6d205

Termination Time: 640

Application Path: C:\Program Files\QNAP\NetBak\NetBak.exe

Report Id: 87597baa-1c41-11e4-970e-bc5ff4a48665

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary avast! VM Monitor.

System Error:
The system cannot find the file specified.
.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary aswStm.

System Error:
The system cannot find the file specified.
.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary aswSP.

System Error:
The system cannot find the file specified.
.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary aswSnx.

System Error:
The system cannot find the file specified.
.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary avast! Revert.

System Error:
The system cannot find the file specified.
.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary aswRdr.

System Error:
The system cannot find the file specified.
.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary aswMonFlt.

System Error:
The system cannot find the file specified.
.

Error: (08/04/2014 09:17:03 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary avast! VM Monitor.

System Error:
The system cannot find the file specified.
.


System errors:
=============
Error: (08/04/2014 09:42:07 PM) (Source: Service Control Manager) (User: )
Description: The NPVR Recording Service service failed to start due to the following error:
%%2

Error: (08/03/2014 06:51:13 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer NEW-HOST
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8698AF7A-F7C8-497A-A331-573C00D01BEF}.
The master browser is stopping or an election is being forced.

Error: (08/03/2014 03:09:00 PM) (Source: Service Control Manager) (User: )
Description: The NPVR Recording Service service failed to start due to the following error:
%%2

Error: (08/02/2014 09:35:52 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer NEW-HOST
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8698AF7A-F7C8-497A-A331-573C00D01BEF}.
The master browser is stopping or an election is being forced.

Error: (07/31/2014 08:05:49 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer NEW-HOST
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8698AF7A-F7C8-497A-A331-573C00D01BEF}.
The master browser is stopping or an election is being forced.

Error: (07/31/2014 06:48:25 PM) (Source: Service Control Manager) (User: )
Description: The NPVR Recording Service service failed to start due to the following error:
%%2

Error: (07/29/2014 09:52:36 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

Error: (07/22/2014 07:56:02 PM) (Source: Service Control Manager) (User: )
Description: The NPVR Recording Service service failed to start due to the following error:
%%2

Error: (07/20/2014 00:09:55 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LM Remote KeyMap Blaster Service service.

Error: (07/20/2014 00:09:25 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LM Remote KeyMap Blaster Service service.


Microsoft Office Sessions:
=========================
Error: (08/04/2014 09:43:53 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/04/2014 09:41:24 PM) (Source: Application Hang)(User: )
Description: NetBak.exe4.3.2.611b6001cfaf4e64b6d205640C:\Program Files\QNAP\NetBak\NetBak.exe87597baa-1c41-11e4-970e-bc5ff4a48665

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary avast! VM Monitor.

System Error:
The system cannot find the file specified.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary aswStm.

System Error:
The system cannot find the file specified.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary aswSP.

System Error:
The system cannot find the file specified.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary aswSnx.

System Error:
The system cannot find the file specified.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary avast! Revert.

System Error:
The system cannot find the file specified.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary aswRdr.

System Error:
The system cannot find the file specified.

Error: (08/04/2014 09:21:17 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary aswMonFlt.

System Error:
The system cannot find the file specified.

Error: (08/04/2014 09:17:03 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary avast! VM Monitor.

System Error:
The system cannot find the file specified.



=========================== Installed Programs ============================
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Amazon Instant Video Addin for Media Center (HKLM-x32\...\{588FCF00-CB07-47F3-AD5A-3A33235A1EFD}) (Version: 1.2.0.28240 - sharepointsnapple.com)
Apple Software Update (HKLM-x32\...\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}) (Version: 2.1.1.116 - Apple Inc.)
AutoHotkey 1.1.14.01 (HKLM\...\AutoHotkey) (Version: 1.1.14.01 - Lexikos)
AutoIt v3.3.8.1 (HKLM-x32\...\AutoItv3) (Version:  - AutoIt Team)
Bonjour (HKLM\...\{B91110FB-33B4-468B-90C2-4D5E8AE3FAE1}) (Version: 2.0.2.0 - Apple Inc.)
Bonjour Print Services (HKLM\...\{0DA20600-6130-443B-9D4B-F30520315FA6}) (Version: 2.0.2.0 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 36.0.1985.125 - Google Inc.)
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
Harmony Browser Plug-in (HKLM-x32\...\{634F79E1-2A41-4C40-9E8D-89EC740AC9D6}) (Version: 2.0 - Logitech)
Hulu Desktop (HKCU\...\HuluDesktop) (Version: 0.9.14 - Hulu LLC)
HuluDesktopIntegration (HKLM-x32\...\{B3D84D4A-DE51-42A1-964B-E80013272D55}) (Version: 1.0.0.0 - Teknowebworks LLC)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1281 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.18.10.3071 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 3.0.0.63463 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{12914061-EB9B-4AE7-AC7E-0B8A607C7DF4}) (Version: 2.3.1338 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.220 - Intel Corporation)
Intel® Trusted Connect Service Client (Version: 1.24.738.1 - Intel Corporation) Hidden
Java 7 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.650 - Oracle)
Java Auto Updater (x32 Version: 2.1.65.20 - Oracle, Inc.) Hidden
LAV Filters 0.58.0 (HKLM-x32\...\lavfilters_is1) (Version: 0.58.0 - Hendrik Leppkes)
MakeMKV v1.8.4 (HKLM-x32\...\MakeMKV) (Version: v1.8.4 - GuinpinSoft inc)
mcBackup 3.0 (HKLM-x32\...\{0D770166-5365-4EAF-81DE-16142D141B2B}) (Version: 1.0.0 - The Digital Lifestyle.com)
MCE Reset Toolbox (HKLM-x32\...\MCE Reset Toolbox 12.2.1.0) (Version: 12.2.1.0 - ACSDigital)
MCE Reset Toolbox (Version: 12.2.1.0 - ACSDigital) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mobile Mouse Server (HKLM-x32\...\{F0E9BAAE-87A4-4BA9-8D6A-1C679BD5E21A}) (Version: 3.0.0 - RPA Tech, Inc)
Mozilla Firefox 31.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
My Channel Logos (HKLM\...\{89D880D9-0525-4D01-AA3A-48B91F35E27A}) (Version: 2.06 -  My Channel Logos)
Netflix in Windows Media Center (HKLM-x32\...\{0CA72D12-F6C6-4D43-A2A0-41F5AA17E2B6}) (Version: 3.3.101.0 - Microsoft Corporation)
Norton 360 (HKLM-x32\...\N360) (Version: 21.4.0.13 - Symantec Corporation)
QNAP NetBak Replicator (HKLM-x32\...\NetBak) (Version: 4.3.2.0611 - QNAP Systems, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6482 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Songler 2.1.1.0 (HKLM-x32\...\{534879A5-4E8E-41F2-A9D0-E982573304C2}) (Version: 2.1.1.0 - MillieSoft)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
Spotify (HKCU\...\Spotify) (Version: 0.9.10.22.gf87988f9 - Spotify AB)
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 2.3.2 - Krzysztof Kowalczyk)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Widevine Media Optimizer Chrome 6.0.0 (HKCU\...\optimizer_chrome) (Version: 6.0.0.12442 - Widevine Technologies)
Widevine Media Optimizer Chrome 6.0.0 (HKLM-x32\...\optimizer_chrome) (Version: 6.0.0.12442 - Widevine Technologies)
XBMC (HKCU\...\XBMC) (Version:  - Team XBMC)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 26%
Total physical RAM: 7884.3 MB
Available physical RAM: 5822.33 MB
Total Pagefile: 15766.79 MB
Available Pagefile: 13771.27 MB
Total Virtual: 4095.88 MB
Available Virtual: 3971.14 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:59.53 GB) (Free:21.08 GB) NTFS
2 Drive d: (DEADWOOD_SEASON_3_DISC_5) (CDROM) (Total:5.92 GB) (Free:0 GB) UDF
3 Drive e: (Data) (Fixed) (Total:931.51 GB) (Free:854.85 GB) NTFS
4 Drive f: (PATRIOT) (Removable) (Total:28.85 GB) (Free:28.77 GB) FAT32

========================= Users: ========================================

User accounts for \\HTPC

***                  Administrator            Guest                    


**** End of log ****
 
#4 Alex&Vanko

Posted 05 August 2014 - 04:18 AM

Ok.

Upload this NetBak.exe, which is in C:\Program Files\QNAP\NetBak\NetBak.exe,

here - https://www.virustotal.com/en/

Paste the link to the result.

 

Please download AdwCleaner by Xplode HERE onto your desktop.

    Close all open programs and internet browsers.
    Double click on AdwCleaner.exe to run the tool.
    Click on Scan.
    After the scan is complete click on "Clean"
    Confirm each time with Ok.
    Your computer will be rebooted automatically. A text file will open after the restart.
    Please post the content of that logfile with your next answer.
    You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

Please download Junkware Removal Tool HERE to your desktop.

    Shut down your protection software now to avoid potential conflicts.
    Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    The tool will open and start scanning your system.
    Please be patient as this can take a while to complete depending on your system's specifications.
    On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    Post the contents of JRT.txt into your next message.

 

Start AdwCleaner and click Uninstall and it will disappear.

 

Download Delfix HERE and save it to your desktop.

    Ensure Remove disinfection tools is checked.
    Also place a checkmark next to:
        Create registry backup
        Purge system restore
    Click the Run button.

Download Malwarebytes' Anti-Malware Free 2.0.2 HERE to your desktop.
    - Do not accept the Free Trial Version at this time -
    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

 

OR:

Open MalwareBytes Anti-Malware and then click on History

On the left column, select Application Logs. Select the most recent log among the list, it is usually the one on the top (or sort by date) and open it.

Go to the bottom left corner to Export and select Text File (*.txt)
Save it to the desktop

 

Please download the ESET Online Scanner HERE and save it to your Desktop.
Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
    Start esetsmartinstaller_enu.exe with administrator privileges.
    Select the option Yes, I accept the Terms of Use and click on Start.
    Make sure that the option Remove found threats is checked, and the option Scan archives is checked.
    Now click on Advanced Settings and select the following:
        Scan for potentially unwanted applications
        Scan for potentially unsafe applications
        Enable Anti-Stealth Technology
    Click on Start. The virus signature database will begin to download. This may take some time.
    When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
    When completed, select Uninstall application on close if you so wish.
    Now click on Finish.

 Thank you!


Edited by Alex&Vanko, 05 August 2014 - 04:22 AM.


#5 marktheknife

Posted 10 August 2014 - 04:39 PM

Thanks for the additional instructions.

 

NetBak isn't malware or unwanted. It's a backup program that runs with the QNAP NAS that I use to back up the computers on my network. See this description from QNAP. I didn't upload it to the website you suggested because I don't think it needs to be checked/scanned. Below are the logs for AdwCleaner, JRT, DelFix, Malwarebytes and ESET. It looks like the ESET scanner automatically deleted the installer for CCleaner (obviously not malware), along with a program for installing codecs (this is an HTPC). Thanks again for your help, Alex&Vanko.

# AdwCleaner v3.304 - Report created 10/08/2014 at 10:53:41
# Updated 08/08/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : *** - HTPC
# Running from : E:\HTPC\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\***\AppData\Roaming\DSite

***** [ Scheduled Tasks ] *****

Task Deleted : DSite

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\InstallCore

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fpz39q2c.WMC\prefs.js ]


[ File : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\prefs.js ]


-\\ Google Chrome v36.0.1985.125

[ File : C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [1425 octets] - [10/08/2014 10:51:04]
AdwCleaner[S0].txt - [1266 octets] - [10/08/2014 10:53:41]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1326 octets] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by *** on Sun 08/10/2014 at 11:00:44.09
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ FireFox

Emptied folder: C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\sn7ik5fj.default\minidumps [10 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 08/10/2014 at 11:06:07.65
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
# DelFix v10.8 - Logfile created 10/08/2014 at 11:12:56
# Updated 29/07/2014 by Xplode
# Username : *** - HTPC
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...


~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #168 [Scheduled Checkpoint | 08/07/2014 07:34:56]

New restore point created !

########## - EOF - ##########
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/10/2014
Scan Time: 11:17:45 AM
Logfile: malwarebytes.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.10.04
Rootkit Database: v2014.08.04.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Adelman

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 286559
Time Elapsed: 4 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

E:\HTPC\Downloads\Advanced_x64Components_v420.exe    Win32/DownWare.L potentially unwanted application    deleted - quarantined
E:\HTPC\Downloads\ccsetup416.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
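The AdwCleaner report above is the one log in this thread that records actual persistence being removed (a Roaming folder, a scheduled task, two registry keys) alongside browser setting changes. As an added example, not part of the post or of AdwCleaner, the following Python reads that report format and separates the two kinds of removal, so a reader can see which of the avast detection families from the first post (InstallCore) had a foothold beyond cached installers. The sample report is a trimmed, constructed copy of the one in the post, and the grouping of sections into "persistence" versus "browser settings" is my own assumption.

```python
"""Parser for the AdwCleaner report format pasted in the post above.

AdwCleaner writes "# key : value" header lines, then "***** [ Section ] *****"
blocks whose lines are actions of the form "<Kind> Deleted : <target>" (files,
tasks, registry keys) or, inside the Browsers block, "Deleted [Kind] : <target>"
under a "-\\ <browser>" / "[ File : <path> ]" pair. The functions below turn
that into records and split what was removed into persistence artifacts
(folders, scheduled tasks, registry keys) versus browser settings.
"""
import re

# Constructed sample: a trimmed copy of the report in the post above; the
# poster's own redaction of the user name ("***") is kept as-is.
SAMPLE_REPORT = r"""
# AdwCleaner v3.304 - Report created 10/08/2014 at 10:53:41
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\***\AppData\Roaming\DSite

***** [ Scheduled Tasks ] *****

Task Deleted : DSite

***** [ Registry ] *****

Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\InstallCore

***** [ Browsers ] *****

-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\prefs.js ]


-\\ Google Chrome v36.0.1985.125

[ File : C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
BROWSER_RE = re.compile(r"^-\\\\ (?P<name>.+)$")
FILE_RE = re.compile(r"^\[ File : (?P<path>.+) \]$")
# "Folder Deleted : X" / "Key Deleted : X"  or  "Deleted [Search Provider] : X"
ACTION_RE = re.compile(
    r"^(?:(?P<kind>\w+) (?P<verb>Deleted|Found)"
    r"|(?P<verb2>Deleted|Found) \[(?P<kind2>[^\]]+)\]) : (?P<target>.+)$"
)

# Assumed split: these sections hold things that run or load on their own.
PERSISTENCE_SECTIONS = {"Services", "Files / Folders", "Scheduled Tasks", "Registry"}


def parse_report(text):
    """Return (header, records); each record carries its section context."""
    header, records = {}, []
    section = browser = file_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and " : " in line:
            key, _, value = line[2:].partition(" : ")
            header[key.strip()] = value.strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section, browser, file_path = m.group("name"), None, None
            continue
        m = BROWSER_RE.match(line)
        if m:
            browser, file_path = m.group("name"), None
            continue
        m = FILE_RE.match(line)
        if m:
            file_path = m.group("path")
            continue
        m = ACTION_RE.match(line)
        if m and section:
            records.append({
                "section": section,
                "browser": browser,
                "file": file_path,
                "kind": m.group("kind") or m.group("kind2"),
                "verb": m.group("verb") or m.group("verb2"),
                "target": m.group("target"),
            })
    return header, records


def split_by_impact(records):
    """Separate persistence artifacts from browser-setting changes."""
    out = {"persistence": [], "browser_settings": []}
    for rec in records:
        bucket = "persistence" if rec["section"] in PERSISTENCE_SECTIONS else "browser_settings"
        out[bucket].append(rec)
    return out


def mentions(records, needle):
    """Records whose target contains needle (case-insensitive), e.g. a family name."""
    return [rec for rec in records if needle.lower() in rec["target"].lower()]


if __name__ == "__main__":
    header, records = parse_report(SAMPLE_REPORT)
    print(header)
    for bucket, recs in split_by_impact(records).items():
        print(bucket, [(r["kind"], r["target"]) for r in recs])
```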
 
#6 Alex&Vanko

Posted 11 August 2014 - 12:10 PM

Ok. I did not know about QNAP. Yes, we hit installers, not installed programs. You can uninstall ESET Online Scanner as a program from Programs and Features. Also Malwarebytes, if you don't want it.

 

You should defragment your hard disk. Do NOT defrag if SSD!

I see Piriform has free defrag program - http://www.piriform.com/defraggler/download

How to use it

Another is Auslogics - http://www.auslogics.com/en/software/disk-defrag/

After install, from the main window set a tick for drives C: and E: and click the Defrag button.

 

Download HitmanPro x64 HERE onto your desktop.

Double-click on the file named HitmanPro.exe. It will be updated. When the program starts you will be presented with the start screen. Click on the Next button. Accept to store a copy of the program to your computer and click Next, and it will start to scan.
When it has finished it will display a list of all the malware that the program found. Below, next to the Buy Now button, is the option Save log. Save it to your desktop and paste it here.

 

Thank you!



#7 marktheknife

Posted 27 August 2014 - 10:36 PM

Sorry for the delay. I didn't run a defrag program because my OS is on an SSD. It looks like HitmanPro found only some tracking cookies. Log is below.

HitmanPro 3.7.9.221
www.hitmanpro.com

   Computer name . . . . : HTPC
   Windows . . . . . . . : 6.1.1.7601.X64/2
   User name . . . . . . : HTPC\***
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2014-08-27 23:24:39
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 48s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 53

   Objects scanned . . . : 1,098,676
   Files scanned . . . . : 18,270
   Remnants scanned  . . : 207,515 files / 872,891 keys

Cookies _____________________________________________________________________

   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.tbs.com
   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:emjcd.com
   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:synacor.112.2o7.net
   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.googleadservices.com
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\0RRE2833.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\27FCNPF3.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\35C41YKJ.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\56CWE7O4.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\DGESPDXD.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\DK6UKCCA.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\MG1SHEAR.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\MLZKFENX.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\VI69FGIE.txt
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\WQCJISD9.txt
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:ad.360yield.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:ad.mlnadvertising.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:ad.yieldmanager.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:ads.pointroll.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:ads.undertone.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:ads.yahoo.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:adtechus.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:advertising.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:apmebf.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:at.atwola.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:atdmt.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:casalemedia.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:collective-media.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:doubleclick.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:fastclick.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:invitemedia.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:kontera.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:linksynergy.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:media6degrees.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:mediaplex.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:network.realmedia.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:oracle.112.2o7.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:pcworldcommunication.122.2o7.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:pointroll.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:questionmarket.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:realmedia.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:revsci.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:ru4.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:serving-sys.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:specificclick.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:stats.adotube.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:tacoda.at.atwola.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:track.prd.inpwrd.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:trackalyzer.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:tribalfusion.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:www.googleadservices.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:xiti.com
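The log above reports "Traces: 53" and the Cookies section lists exactly 53 paths, which is the first thing worth checking before acting on a pasted log: a count that does not match the entries usually means the paste was truncated. The script below is an added example written for this page, not code from HitmanPro or from anyone in the thread. It parses the HitmanPro 3.7 text-log layout shown in the post (dotted header lines, a "Cookies ____" banner, one indented path per trace), checks the reported trace count against the listed entries, groups the traces by browser and flags hosts that appear in more than one browser's cookie store. The sample log embedded in it is constructed, cut down to six entries with the same masked user name the post uses.

```python
import re
from collections import Counter

# Section banner, e.g. "Cookies _____________________" (the only section in the log above).
SECTION_RE = re.compile(r"^(\w+) _{5,}\s*$")
# Dotted header lines, e.g. "   Traces  . . . . . . . : 53" -> ("Traces", "53").
HEADER_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)\s*(?:\.\s*)+:\s*(.*)$")
# A trace entry is an indented absolute Windows path.
ENTRY_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample in the same layout as the log quoted above, cut down to six
# entries so it stays readable (the real log had 53). User name masked as ***.
SAMPLE_LOG = r"""HitmanPro 3.7.9.221
www.hitmanpro.com

   Computer name . . . . : HTPC
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 6

Cookies _____________________________________________________________________

   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\0RRE2833.txt
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:doubleclick.net
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:advertising.com
   C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\sn7ik5fj.default\cookies.sqlite:xiti.com
"""


def classify(path):
    """Map a cookie trace path to (browser, host).

    Chrome and Firefox entries are "<cookie store>:<host>", so the host follows the
    last colon; IE entries are opaque .txt file names with no host in the path.
    """
    if "\\Google\\Chrome\\" in path:
        browser = "Chrome"
    elif "\\Mozilla\\Firefox\\" in path:
        browser = "Firefox"
    elif "\\Microsoft\\Windows\\Cookies\\" in path:
        browser = "Internet Explorer"
    else:
        browser = "Other"
    # The drive letter contributes one colon; a second colon introduces the host.
    host = path.rsplit(":", 1)[1] if path.count(":") > 1 else None
    return browser, host


def summarize(log_text):
    header = {}
    section = None
    entries = []
    for line in log_text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section is None:
            kv = HEADER_RE.match(line)
            if kv:
                header[kv.group(1)] = kv.group(2).strip()
        elif section == "Cookies":
            stripped = line.strip()
            if ENTRY_RE.match(stripped):
                entries.append(stripped)

    per_browser = Counter()
    hosts = Counter()
    for entry in entries:
        browser, host = classify(entry)
        per_browser[browser] += 1
        if host:
            hosts[host] += 1

    reported = int(header.get("Traces", "0").replace(",", ""))
    return {
        "threats": int(header.get("Threats", "0").replace(",", "")),
        "traces_reported": reported,
        "traces_listed": len(entries),
        # A mismatch means the pasted log is truncated or a section was not parsed.
        "consistent": reported == len(entries),
        "per_browser": dict(per_browser),
        # Hosts seen in more than one browser's cookie store.
        "cross_browser_hosts": sorted(h for h, n in hosts.items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved HitmanPro log by reading the file into `summarize()`. Only the Cookies section is handled because that is the only section in the log above; a log that also carries a Threats section would need a second branch in the loop. Note that the IE entries cannot be attributed to a host from the path alone, so they count toward the browser total but not toward the cross-browser list.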


#8 Alex&Vanko

Posted 28 August 2014 - 06:48 AM

OK, apply the action for these cookies. You can uninstall HitmanPro as a program. Let's see the ESET result.

The path to the log file is "C:\Program Files\ESET\EsetOnlineScanner\log.txt" (on 64-bit systems this directory will be "C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt")

Avast has tried to quarantine the files it found:
Moved to chest

Potentially harmful files are stored in a safe and completely isolated place called the avast! Virus Chest. This area quarantines infected or otherwise suspicious files away from the rest of the operating system so they cannot cause damage to your other files or your computer. When files are in the Virus Chest, they are not accessible to any outside process, software application or virus and also cannot be run there. There is no danger in storing files there.

 

About this Somoto:

Agree and download Dr.Web CureIt HERE to your desktop.
Start the application.
Choose objects for scan.
Set ticks in all checkboxes.
Below, choose files and folders for scan.
Set ticks in the checkboxes for all your drives (C, D, E etc.).
Do a scan and post the result as a screenshot.

 

Thank you!



#9 marktheknife (Topic Starter)

Posted 30 August 2014 - 01:28 PM

I posted ESET results above. They're below the malwarebytes log.

 

It looks like Dr.Web didn't find anything. I can't post the entire log in this window; each time I do, Firefox crashes. I think it's just too many lines of text. I've pasted the beginning and end of the log below. Seems like there's nothing really left to worry about at this point, don't you think?

 

 

=============================================================================
Dr.Web Scanner SE for Windows v9.1.1.08010
© Doctor Web, Ltd., 1992-2013
Scan session started 2014/08/30 11:59:04
Module location : C:\Users\***\AppData\Local\Temp\9884B238-3DDFF9E3-31A12CD1-8E73BF4\
=============================================================================

OPTION [Automatic Apply Actions] NO
OPTION [Turn Off Computer After Scan] NO
OPTION [Use Sound Alerts] NO

OPTION [Block Network] NO
OPTION [Protect Process] NO
OPTION [Protect Raw Disk] NO

Using language: "English"
Available instances: 6
Instances used: 6
Platform: Windows 7 Premium x64/WOW (Build 7601), Service Pack 1
API Version: 2.2
Scanning Engine version: 9.1.1.7210
Virus Finding Engine version: 7.0.10.8210
Total 200 virus bases are loaded from C:\Users\***\AppData\Local\Temp\9884B238-3DDFF9E3-31A12CD1-8E73BF4

 

 

Total 160536804097 bytes in 137106 files scanned (188562 objects)
Total 136877 files (188326 objects) are clean
There are no infected objects detected
Total 236 files are raised error condition
Scan time is 00:39:11.739



#10 Alex&Vanko

Posted 30 August 2014 - 02:07 PM

I know the log is too long. So it is clean!



#11 marktheknife (Topic Starter)

Posted 30 August 2014 - 02:11 PM

So I guess I'm good for now. Thanks for your help. What kind of apps do you suggest with real-time scanning that could pick up on stuff like this in the future?

#12 Alex&Vanko

Posted 30 August 2014 - 02:19 PM

Avast is good for PUPs; also ESET and Malwarebytes, of course.
