
virus/adware not gone?


8 replies to this topic

#1 dragonfly5465

dragonfly5465

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 05 October 2014 - 06:19 AM

A while ago my computer was infected and I thought that the infection was removed after using malwarebytes and adwcleaner.

 

But whenever I run adwcleaner I get the following results:

 

# AdwCleaner v3.311 - Report created 05/10/2014 at 10:57:43
# Updated 30/09/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : lisa - LISA-PC
# Running from : C:\Users\lisa\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Found : C:\Users\lisa\AppData\LocalLow\HPAppData
Folder Found : C:\Users\lisa\AppData\Roaming\HPAppData
 
***** [ Scheduled Tasks ] *****
 
Task Found : Scheduled Update for Ask Toolbar
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16575
 
 
-\\ Google Chrome v
 
[ File : C:\Users\lisa\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Found [Extension] : hbcennhacfaagdopikcegfcobcadeocj
Found [Extension] : icdlfehblmklkikfigmjhbmmpmkmpooj
Found [Extension] : mhkaekfpcppmmioggniknbnbdbcigpkk
Found [Extension] : pfndaklgolladniicklehhancnlgocpp
 
*************************
 
The items under file/folders are new today, but the items under chrome always come back and the Ask update came back a few weeks ago (I thought I had got rid of Ask, but it just won't go!!!!)
 
Also I've started getting popups on some websites, they come from the side bar and when I close them there's a little tab left at the side of the page to open it again.
 
I've run malwarebytes (free) and it says there is no infection, but malwarebytes keeps disappearing off my laptop and I have to re-install every time I want to run it, and the original log that showed what virus I had is no longer there, I think there was a browser hack on chrome, and I remember the name 'spigot' coming up.
 
Thank you for any help you can give.
 
Lisa 



#2 buddy215

buddy215

  • BC Advisor
  • 12,621 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:34 PM

Posted 05 October 2014 - 08:44 AM

You can reset Google Chrome.

Google Chrome gives you the option to reset your browser settings in one easy click. In some cases, programs that you install can change your Chrome settings without your knowledge. You may see additional extensions and toolbars or a different search engine. Resetting your browser settings will reset the unwanted changes caused by installing other programs. However, your saved bookmarks and passwords will not be cleared or changed.

Reset your browser settings:

  1. Click the Chrome menu on the browser toolbar.
  2. Select Settings.
  3. Click Show advanced settings and find the "Reset browser settings" section.
  4. Click Reset browser settings.
  5. In the dialog that appears, click Reset.

 

The AdwCleaner log doesn't show that you allowed it to remove the adware.

Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

  • Download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

  • Run the ESET Online Scanner.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Use CCleaner to cleanup the caches, temporary files, cookies, etc. Pay attention while installing and UNcheck offers of toolbars...especially Yahoo.

No need to use the Registry Cleaning Tool and it has the potential to cause a problem if used.

CCleaner - PC Optimization and Cleaning - Free Download


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 dragonfly5465

dragonfly5465
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 05 October 2014 - 09:11 AM

Thank you for the reply.

 

I did remove the adware but I posted the above info first, here's the log file;

 

# AdwCleaner v3.311 - Report created 05/10/2014 at 12:25:46
# Updated 30/09/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : lisa - LISA-PC
# Running from : C:\Users\lisa\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\lisa\AppData\LocalLow\HPAppData
Folder Deleted : C:\Users\lisa\AppData\Roaming\HPAppData
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16575
 
 
-\\ Google Chrome v
 
[ File : C:\Users\lisa\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Extension] : hbcennhacfaagdopikcegfcobcadeocj
Deleted [Extension] : icdlfehblmklkikfigmjhbmmpmkmpooj
Deleted [Extension] : mhkaekfpcppmmioggniknbnbdbcigpkk
Deleted [Extension] : pfndaklgolladniicklehhancnlgocpp
 
*************************
 
AdwCleaner[R0].txt - [8936 octets] - [23/03/2014 19:11:10]
AdwCleaner[R10].txt - [2267 octets] - [25/09/2014 17:01:38]
AdwCleaner[R11].txt - [2430 octets] - [05/10/2014 10:57:43]
AdwCleaner[R1].txt - [8996 octets] - [23/03/2014 20:46:00]
AdwCleaner[R2].txt - [934 octets] - [04/04/2014 20:57:40]
AdwCleaner[R3].txt - [1052 octets] - [16/04/2014 18:07:13]
AdwCleaner[R4].txt - [1173 octets] - [07/05/2014 14:21:21]
AdwCleaner[R5].txt - [2461 octets] - [21/05/2014 16:52:46]
AdwCleaner[R6].txt - [1701 octets] - [27/06/2014 20:17:29]
AdwCleaner[R7].txt - [2260 octets] - [14/07/2014 17:54:08]
AdwCleaner[R8].txt - [2137 octets] - [15/08/2014 13:58:57]
AdwCleaner[R9].txt - [2080 octets] - [05/09/2014 10:49:37]
AdwCleaner[S0].txt - [9053 octets] - [23/03/2014 21:02:00]
AdwCleaner[S10].txt - [1776 octets] - [05/10/2014 12:25:46]
AdwCleaner[S1].txt - [994 octets] - [04/04/2014 23:27:16]
AdwCleaner[S2].txt - [1114 octets] - [16/04/2014 18:11:33]
AdwCleaner[S3].txt - [1235 octets] - [07/05/2014 15:26:52]
AdwCleaner[S4].txt - [2554 octets] - [21/05/2014 17:45:23]
AdwCleaner[S5].txt - [1772 octets] - [27/06/2014 20:20:21]
AdwCleaner[S6].txt - [2341 octets] - [14/07/2014 18:07:36]
AdwCleaner[S7].txt - [2096 octets] - [15/08/2014 14:14:49]
AdwCleaner[S8].txt - [2102 octets] - [05/09/2014 10:58:16]
AdwCleaner[S9].txt - [2223 octets] - [25/09/2014 18:02:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S10].txt - [2376 octets] ##########
 
 
I'll get started on the rest now.
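
An added example, not part of the original thread: a small Python check that pairs an AdwCleaner v3 Scan report with the following Clean report and lists anything the scan found that the clean report does not record as deleted. The sample text is abbreviated from the two reports posted above; the function names are illustrative. With these excerpts it returns the Ask scheduled task, which the Scan report lists and the Clean report does not mention.

```python
import re

# Abbreviated from the two reports posted above (Scan at 10:57:43, Clean at 12:25:46).
SCAN_REPORT = r"""# AdwCleaner v3.311 - Report created 05/10/2014 at 10:57:43
# Option : Scan
***** [ Files / Folders ] *****
Folder Found : C:\Users\lisa\AppData\LocalLow\HPAppData
***** [ Scheduled Tasks ] *****
Task Found : Scheduled Update for Ask Toolbar
***** [ Browsers ] *****
Found [Extension] : hbcennhacfaagdopikcegfcobcadeocj
"""
CLEAN_REPORT = r"""# AdwCleaner v3.311 - Report created 05/10/2014 at 12:25:46
# Option : Clean
***** [ Files / Folders ] *****
Folder Deleted : C:\Users\lisa\AppData\LocalLow\HPAppData
***** [ Scheduled Tasks ] *****
***** [ Browsers ] *****
Deleted [Extension] : hbcennhacfaagdopikcegfcobcadeocj
"""

OPTION = re.compile(r"^# Option : (\w+)")
SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# Two item layouts appear in the reports: "Folder Found : X" and "Found [Extension] : X".
ITEM_A = re.compile(r"^(?P<kind>[\w ]+?) (?P<state>Found|Deleted) : (?P<value>.+)$")
ITEM_B = re.compile(r"^(?P<state>Found|Deleted) \[(?P<kind>[^\]]+)\] : (?P<value>.+)$")

def parse_report(text):
    """Return (option, [(section, kind, state, value), ...]) for one report."""
    option, section, items = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := OPTION.match(line):
            option = m.group(1)
        elif m := SECTION.match(line):
            section = m.group(1)
        elif m := ITEM_A.match(line) or ITEM_B.match(line):
            items.append((section, m["kind"], m["state"], m["value"].strip()))
    return option, items

def unconfirmed(scan_text, clean_text):
    """Items the scan found that the clean report does not list as deleted."""
    scan_opt, scan_items = parse_report(scan_text)
    clean_opt, clean_items = parse_report(clean_text)
    if (scan_opt, clean_opt) != ("Scan", "Clean"):
        raise ValueError(f"expected Scan then Clean, got {scan_opt} then {clean_opt}")
    deleted = {(k, v.lower()) for _, k, s, v in clean_items if s == "Deleted"}
    return [(sec, k, v) for sec, k, s, v in scan_items
            if s == "Found" and (k, v.lower()) not in deleted]

if __name__ == "__main__":
    for section, kind, value in unconfirmed(SCAN_REPORT, CLEAN_REPORT):
        print(f"re-check: [{section}] {kind}: {value}")
```

Passing two Scan reports raises `ValueError`, which catches the case where a report with `# Option : Scan` is mistaken for proof that the items were removed.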


#4 dragonfly5465

dragonfly5465
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 05 October 2014 - 12:02 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.0 (10.05.2014:1)
OS: Windows Vista ™ Home Premium x86
Ran by lisa on 05/10/2014 at 15:20:54.26
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] "hkey_current_user\software\microsoft\internet explorer\low rights\elevationpolicy\{a5aa24ea-11b8-4113-95ae-9ed71deaf12a}"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9"
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{500DEC27-D186-4385-B486-73F6E913B51D}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\lisa\Local Settings\Application Data\cre"
Successfully deleted: [Empty Folder] C:\Users\lisa\appdata\local\{7DD54E00-9A38-4322-8AAD-58BC38CDDC12}
Successfully deleted: [Empty Folder] C:\Users\lisa\appdata\local\{A3C0E722-A3CD-4121-87C2-D42376F5B448}
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/10/2014 at 15:27:08.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
ESET was accidentally turned off halfway through, so I'll run it again tomorrow.
Before being turned off it detected something called Win32/installeRex.L, this looks like it's in 'calibre ebook manager', will I have to get rid of this program? I hope not because I really like it.


#5 buddy215

buddy215

  • BC Advisor
  • 12,621 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:34 PM

Posted 05 October 2014 - 12:11 PM

I use calibre in Linux. Eset will likely just remove the malware....not the entire calibre manager. You could have downloaded the malware along with calibre, depending on where you got the download.

 

EDIT: the malware could have come with a book you downloaded, too. The malware is described as a downloader trojan. So it could be responsible for some or all of the adware.


Edited by buddy215, 05 October 2014 - 12:28 PM.



#6 dragonfly5465

dragonfly5465
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 06 October 2014 - 10:49 AM

ESET scan:
 
C:\Users\All Users\InstallMate\{D60B9838-9ECE-45DD-A736-D6EC0DE8BACE}\Custom.dll Win32/InstalleRex.L potentially unwanted application
C:\ProgramData\InstallMate\{D60B9838-9ECE-45DD-A736-D6EC0DE8BACE}\Custom.dll Win32/InstalleRex.L potentially unwanted application deleted - quarantined
C:\Windows\Temp\IObitAppsToolbar.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
 
and I've run CCleaner. (couldn't find any report to post)
 
When downloading Calibre I wasn't paying attention and agreed to use a 'download helper' (wouldn't usually do something stupid like that), I think this may be where it came from.
 
Also, I've noticed programs that I thought had been uninstalled (Iobit) still in my program files.


#7 buddy215

buddy215

  • BC Advisor
  • 12,621 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:34 PM

Posted 06 October 2014 - 11:58 AM

You are probably right about the downloader....makes sense.

 

I wouldn't want any IObit files on my comp either. Suggest you check your Add/Remove list...that may be what you are referring to....and attempt to uninstall IObit's programs. See if Ask is mentioned in those programs, too.

 

You can use Revo Free Uninstaller to remove IObit.

Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems

 

What do you think....is the adware gone or are you still seeing something like Ask?




#8 dragonfly5465

dragonfly5465
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 06 October 2014 - 12:45 PM

No, it's not in the add/remove list, it's in C:\program files\iobit, it's only 628 mb and looks like mostly text documents, empty files and old database. Is it just leftover files from when I removed the program? Can I just manually delete the files?

 

Should I be concerned that ESET didn't delete/quarantine this?

 

C:\Users\All Users\InstallMate\{D60B9838-9ECE-45DD-A736-D6EC0DE8BACE}\Custom.dll Win32/InstalleRex.L potentially unwanted application

 

Thanks so much for your help, I really do appreciate it.



#9 buddy215

buddy215

  • BC Advisor
  • 12,621 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:34 PM

Posted 06 October 2014 - 01:11 PM

Sure, you can manually delete IObit's leftovers.

 

I see what you mean by ESET taking action on one Installer Rex. L. file and not the other. Maybe if you rerun ESET it will remove or not list it. Or, if you can locate manually and remove.

 

Concerning MBAM....If it is still not behaving, showing on desktop....I suggest uninstalling completely and reinstall.

To uninstall Malwarebytes Anti-Malware from your computer, please use our Malwarebytes Clean Uninstall Tool,  mbam-clean.exe. This tool was created to completely remove all traces of the program from your computer. 

To use the utility:

  1. Download and run mbam-clean.exe
  2. Restart your computer when prompted. 

Note: This tool will completely remove any settings you have configured, your license information, and anything else related to Malwarebytes Anti-Malware. If you need to save any of these, please do not run this tool.






