Virus in my program files(x86) folder?


27 replies to this topic

#1 KaidensMommy


Posted 31 December 2014 - 01:44 PM

There is a file in my program files (x86) folder titled "Mozilla Firefoxsafeguard-secure-search.xml." I have no idea what this is? Is it a virus?

Edited by Queen-Evie, 31 December 2014 - 02:37 PM.
moved from Windows 8 to the appropriate forum




#2 JohnC_21


Posted 31 December 2014 - 02:10 PM

Do you have AVG antivirus?



#3 KaidensMommy


Posted 31 December 2014 - 02:17 PM

No, I have Windows Defender. Now that I'm looking, there seem to be a bunch of files I'm not sure where they came from. When I try to run a full scan using Windows Defender it won't ever finish anymore. I'll let it run for hours and it never gets done and I end up cancelling it. I run quick scans but they never find anything.



#4 JohnC_21


Posted 31 December 2014 - 02:27 PM

I would not recommend using Windows Defender for an Antivirus. There are many free options that are better than Defender. I would do the following.

 

Download and Run AdwCleaner. Post the logs after it has run.

 

Download and install Malwarebytes. Make sure you uncheck the option to use the paid trial version. Update the database and do a Scan.



#5 KaidensMommy


Posted 31 December 2014 - 02:34 PM

OK...I downloaded AdwCleaner and clicked to run the scan, so it's doing it now. I will let that run, then do the Malwarebytes scan. Then I'll post the logs. Thanks for your help!



#6 KaidensMommy


Posted 31 December 2014 - 02:45 PM

Here's the log from AdwCleaner:

# AdwCleaner v4.106 - Report created 31/12/2014 at 14:38:19
# Updated 21/12/2014 by Xplode
# Database : 2014-12-30.1 [Live]
# Operating System : Windows 8  (64 bits)
# Username : Kris - MYCOMPUTER
# Running from : C:\Users\Kris\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\SecTaskMan
Folder Deleted : C:\ProgramData\Driver Support
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileOpener
Folder Deleted : C:\Program Files (x86)\File Type Assistant
Folder Deleted : C:\Users\Kris\AppData\Local\FileTypeAssistant
Folder Deleted : C:\Users\Kris\AppData\Local\SecTaskMan
Folder Deleted : C:\Users\Kris\AppData\Local\Vosteran
Folder Deleted : C:\Users\Kris\AppData\Roaming\DigitalSites
Folder Deleted : C:\Users\Kris\AppData\Roaming\WSE_Vosteran
Folder Deleted : C:\Users\Kris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Driver Support
File Deleted : C:\Users\Public\Desktop\FileOpener.lnk
File Deleted : C:\Users\Kris\AppData\Local\Temp\DriverSupport.exe
File Deleted : C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\4l0umnnr.default-1416515374341\user.js
File Deleted : C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\4l0umnnr.default-1416515374341\searchplugins\Vosteran.xml

***** [ Scheduled Tasks ] *****

Task Deleted : Digital Sites
Task Deleted : Driver Support-RTMRules
Task Deleted : Driver Support-RTMScan
Task Deleted : Driver Support-RTMScanRunOnce
Task Deleted : Driver Support-RTMUpdater
Task Deleted : ProgramRefresh-ATFST
Task Deleted : ProgramUpdateCheck

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}
Key Deleted : HKCU\Software\Bitberry Software
Key Deleted : HKCU\Software\Bitberry
Key Deleted : HKCU\Software\FileTypeAssistant
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\DriverSupport
Key Deleted : HKCU\Software\Vosteran Browser
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Digital Sites
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\File Opener Packages
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16921

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v34.0 (x86 en-US)

[4l0umnnr.default-1416515374341\prefs.js] - Line Deleted : user_pref("browser.search.defaultenginename", "Vosteran");
[4l0umnnr.default-1416515374341\prefs.js] - Line Deleted : user_pref("browser.search.selectedEngine", "Vosteran");
[4l0umnnr.default-1416515374341\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.hmpgUrl", "hxxp://Vosteran.com/?f=1&a=vst_ggfc_15_01_other&cd=2XzuyEtN2Y1L1Qzu0AyE0D0BtAtD0EzytBzy0C0BzztDyBzytN0D0Tzu0StCtDzyyDtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzy[...]
[4l0umnnr.default-1416515374341\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.newTabUrl", "hxxp://Vosteran.com/?f=2&a=vst_ggfc_15_01_other&cd=2XzuyEtN2Y1L1Qzu0AyE0D0BtAtD0EzytBzy0C0BzztDyBzytN0D0Tzu0StCtDzyyDtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtB[...]
[4l0umnnr.default-1416515374341\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.prtnrId", "WSE_Vosteran");
[4l0umnnr.default-1416515374341\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.srchPrvdr", "Vosteran");
[4l0umnnr.default-1416515374341\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.tlbrSrchUrl", "hxxp://Vosteran.com/?f=3&a=vst_ggfc_15_01_other&cd=2XzuyEtN2Y1L1Qzu0AyE0D0BtAtD0EzytBzy0C0BzztDyBzytN0D0Tzu0StCtDzyyDtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyE[...]

*************************

AdwCleaner[R0].txt - [5903 octets] - [31/12/2014 14:31:46]
AdwCleaner[S0].txt - [4805 octets] - [31/12/2014 14:38:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4865 octets] ##########
 



#7 JohnC_21


Posted 31 December 2014 - 02:51 PM

You were infected with what is known as a PUP, a Potentially Unwanted Program (Vosteran). Not a true virus. I would now run Malwarebytes and post the logs.



#8 quietman7


Posted 31 December 2014 - 03:37 PM

The Mozilla Firefoxsafeguard-secure-search.xml file can be safely deleted if none of the security tools detect/remove it.

It is generally seen with another file (FF SearchPlugin) in this location...C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml.

Even if you do not use AVG, be aware that AVG Secure Search and AVG Security Toolbar are also commonly bundled as an option with other free software users may download and install. Many folks overlook that option since it is pre-checked by default and they unknowingly install it. For example, the toolbar is bundled with PDFCreator.

That is why JohnC_21 asked you about using AVG.

When JohnC_21 has finished cleaning things up, be sure to read...About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

#9 KaidensMommy


Posted 31 December 2014 - 03:54 PM

I did the Malwarebytes scan and it says "5 non-malware items detected." Should I click the "Apply Actions" button? I chose to export the log to a text file...here it is:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/31/2014
Scan Time: 2:49:13 PM
Logfile: Malwarebytes Log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.31.05
Rootkit Database: v2014.12.30.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: Kris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 334794
Time Elapsed: 38 min, 43 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUP.Optional.Vosteran, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY|AppPath, C:\Program Files (x86)\WSE_Vosteran\\, , [f36efb6e90ec64d2521fa04561a31fe1]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 4
PUP.Optional.InstallCore, C:\Users\Kris\AppData\Roaming\1H1Q1V1N1N1O1R\File Opener Packages\uninstaller.exe, , [91d05019acd00b2b390df1122fd307f9],
PUP.Optional.InstalLCore, C:\Users\Kris\AppData\Local\Temp\is765589038\52614A36_stp.EXE, , [164b19505a2236006235acb02adbf10f],
PUP.Optional.InstallCore, C:\Users\Kris\AppData\Local\Temp\is765589038\5D4B7A38_stp\uninstaller.exe, , [e08144259ddf92a43f07fb085da5837d],
PUP.Optional.Bundler, C:\Users\Kris\Downloads\FileOpenerSetup.exe, , [76eb2742017b4aec26d9b5c1a065f50b],

Physical Sectors: 0
(No malicious items detected)


(end)
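Added example, not from the thread and not Malwarebytes' own code: a small Python parser for the Malwarebytes 2.x log format posted above. It splits each detection line into family, target, action and signature id, and lists the items whose action column is still blank, which is exactly what the "Apply Actions" question is about. The sample log is a constructed excerpt built from lines in this thread.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes Anti-Malware 2.x log format shown in the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
Scan Type: Threat Scan
Result: Completed

Processes: 0
(No malicious items detected)

Registry Values: 1
PUP.Optional.Vosteran, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY|AppPath, C:\Program Files (x86)\WSE_Vosteran\\, , [f36efb6e90ec64d2521fa04561a31fe1]

Folders: 1
PUP.Optional.OpenCandy, C:\Users\Kris\AppData\Roaming\OpenCandy, Quarantined, [8dcc170fafcc979ff72295bfa959b34d],

Files: 2
PUP.Optional.InstallCore, C:\Users\Kris\AppData\Local\Temp\is765589038\52614A36_stp.EXE, , [164b19505a2236006235acb02adbf10f],
PUP.Optional.Bundler, C:\Users\Kris\Downloads\FileOpenerSetup.exe, , [76eb2742017b4aec26d9b5c1a065f50b],

(end)
"""

# Category headers such as "Registry Values: 1" or "Files: 4"
SECTION_RE = re.compile(
    r"^(Processes|Modules|Registry Keys|Registry Values|Registry Data|"
    r"Folders|Files|Physical Sectors): (\d+)$")
# Detection lines end with a 32-hex signature id in brackets, optionally a trailing comma
DETECTION_RE = re.compile(
    r"^(?P<family>[A-Za-z0-9._]+), (?P<rest>.*), \[(?P<sig>[0-9a-f]{32})\],?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, family, target, action, sig."""
    section, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            # rest = target[, data], action; action is empty when nothing was applied yet
            fields = m.group("rest").split(", ")
            detections.append({
                "section": section, "family": m.group("family"),
                "target": fields[0], "action": fields[-1], "sig": m.group("sig")})
    return detections


def summarize(detections):
    """Count threats by name (variant suffix dropped) and list items with no action applied."""
    def name(family):
        parts = family.split(".")
        return parts[2] if len(parts) > 2 else family
    return {
        "by_threat": Counter(name(d["family"]) for d in detections),
        "pending": [d["target"] for d in detections if d["action"] == ""],
        "quarantined": sum(1 for d in detections if d["action"] == "Quarantined"),
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(report["by_threat"])
    for target in report["pending"]:
        print("no action applied yet:", target)
```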



#10 JohnC_21


Posted 31 December 2014 - 04:01 PM

Yes, you can delete those.

 

Turn Windows Defender Off.

 

Next you can download the Junkware Removal Tool to your desktop. Right click the exe file and select Run As Administrator. After scanning you will get a JRT.txt log on the desktop. Post the contents in your next post.



#11 KaidensMommy


Posted 31 December 2014 - 04:15 PM

Here's what it quarantined:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/4/2014
Scan Time: 7:05:25 PM
Logfile:
Administrator: No

Version: 2.00.0.1000
Malware Database:
Rootkit Database:
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: Kris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 249236
Time Elapsed: 25 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics:
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.InstallBrain.A, HKLM\SOFTWARE\WOW6432NODE\InstallIQ, Quarantined, [df7a9c8ae39877bf713fe7807f83b24e],
PUP.Optional.Linksicle.A, HKLM\SOFTWARE\WOW6432NODE\Linksicle, Quarantined, [ce8b0f175f1cad8905595911f80abf41],
PUP.Optional.InstallCore.A, HKU\S-1-5-21-468490974-1933433917-3704064218-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, Quarantined, [f8612bfb5b2040f6894981ec0ef49d63],
PUP.Optional.InstallCore.A, HKU\S-1-5-21-468490974-1933433917-3704064218-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, Quarantined, [29307ea87a0145f1ae624e36b44f25db],

Registry Values: 2
PUP.Optional.Linksicle.A, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|linksicle@linksicle.com, C:\Program Files (x86)\Mozilla Firefox\extensions\linksicle@linksicle.com, Quarantined, [7edb2ef8a3d887af2936db8f679b17e9]
PUP.Optional.InstallCore.A, HKU\S-1-5-21-468490974-1933433917-3704064218-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0H1L1J1L1S1R1N, Quarantined, [29307ea87a0145f1ae624e36b44f25db]

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.OpenCandy, C:\Users\Kris\AppData\Roaming\OpenCandy, Quarantined, [8dcc170fafcc979ff72295bfa959b34d],
PUP.Optional.OpenCandy, C:\Users\Kris\AppData\Roaming\OpenCandy\FBD950AE91D54F6AA3C554C69F1F8A4D, Quarantined, [8dcc170fafcc979ff72295bfa959b34d],
PUP.Optional.OpenCandy, C:\Users\Kris\AppData\Roaming\OpenCandy\OpenCandy_FBD950AE91D54F6AA3C554C69F1F8A4D, Quarantined, [8dcc170fafcc979ff72295bfa959b34d],

Files: 6
PUP.Optional.OpenCandy, C:\$Recycle.Bin\S-1-5-21-468490974-1933433917-3704064218-1002\$RAF3X25.exe, Quarantined, [a6b367bfec8f112506b5da5da0649070],
PUP.Optional.InstallQ, C:\$Recycle.Bin\S-1-5-21-468490974-1933433917-3704064218-1002\$RRFBHX4.exe, Quarantined, [50094fd786f5d2645da90d1d7b85946c],
PUP.Optional.OpenCandy, C:\Users\Kris\Downloads\InternationalPrimoPDF(1).exe, Quarantined, [fd5c9c8a1269bb7bad0e0e29af55e21e],
PUP.Optional.InstallQ, C:\Users\Kris\Downloads\expertpdf7_14244_ST.exe, Quarantined, [d782dc4ac5b67bbbc244dc4e1fe1b749],
PUP.Optional.Softonic.A, C:\Users\Kris\Downloads\SoftonicDownloader_for_microsoft-excel.exe, Quarantined, [b6a3170f1c5f22141a7731e754ad8c74],
PUP.Optional.PCPerformer.A, C:\Windows\System32\roboot64.exe, Quarantined, [47128a9cd0ab5bdbeaa0e1862ed43ec2],

Physical Sectors: 0
(No malicious items detected)


(end)



#12 JohnC_21


Posted 31 December 2014 - 04:20 PM

Now Run Junkware Removal Tool in my previous post.



#13 KaidensMommy


Posted 31 December 2014 - 04:34 PM

Here's the Junkware Removal Log that came up:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8 x64
Ran by Kris on Wed 12/31/2014 at 16:23:27.90
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Kris\appdata\local\pc_drivers_headquarters"



~~~ Event Viewer Logs were cleared


 

Should I delete those quarantined items from Malwarebytes?



#14 JohnC_21


Posted 31 December 2014 - 04:46 PM

I would keep those in the quarantined section for a few days. If everything is running fine then you can delete them. Things are looking good. One more thing.

 

Instructions courtesy of Buddy215, a BC advisor. Edit: Make sure Defender is still off.

 

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

After you run ESET:

 

Download and Install CCleaner if you do not have it. Opt out of any optional programs it asks you to install.  You can use it to delete Temp files but do not use the registry cleaner. After installing go to Tools on the left and click Uninstall. It will show a list of your programs. In the lower right click the button "Save to text file" and copy the contents of the text file and paste in your next post.


Edited by JohnC_21, 31 December 2014 - 04:50 PM.


#15 noknojon


Posted 31 December 2014 - 06:03 PM

Hi -

I would not recommend using Windows Defender for an Antivirus. There are many free options that are better than Defender. I would do the following.

I am not exactly sure why the above statement was made, as I only use the free M/soft installed version on my Windows 8.1.

 

If you wish to pay for an upmarket program I would understand, but for free versions, I have had NO Problems with it, and it finds, and removes infections......

Currently I have 3 items in the Quarantine area, and that is as well as running AdwCleaner, ESET Online, Sophos Online, MBAM, MBAR and TDSS at regular times.

 

The Inbuilt Firewall is also used, and only "frequent" scans with the above extras keep me very clean ! ! !

 

 

I also only download Temp File Cleaner by Old Timer as it is a dedicated Temp File Cleaner only .........
1. Download TFC from the download link above and save the file on your desktop.
2. Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
3. Double-click on the TFC icon.
4. When the program opens, click on the Start button. TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
5. When done, press OK > Exit, and reboot your computer and finish the cleanup.
No log is produced or expected.
Note: After removing temp files, the computer may seem slower than usual, but it will improve once the cache is rebuilt.


Edited by noknojon, 31 December 2014 - 06:10 PM.




