Folder named Spacekace found in my C drive



#1 SeekerOfD

Posted 08 January 2015 - 02:23 PM

Hey,

 

I was looking for something in my C drive and noticed a folder named Spacekace in literally C:\Spacekace. I didn't recognise it, so I googled it and found some obscure topics about it being a potential threat. The folder contains 1 log file with lots of lines and what seems to be downloads for setup_FileViewerPro_2015.exe. I have no idea what FileViewerPro is and have never attempted to download it.

 

Just suspicious about the whole thing and was wondering if you guys could help me check it out?

 

I could post the log too if you'd like?

I'm running an Asus G55V with W7.




#2 quietman7

Posted 08 January 2015 - 04:41 PM

FileViewPro lets you open videos, music, photos, documents, and much more. FileViewPro lets you open any document you get. It allows you to view, edit, and share your photos, watch any video including DVDs, play any music or audio file, and open all common file types. With FileViewPro, you no longer need to waste your time searching for a new program for every file you need to open.

About FileViewPro

It is typically bundled with other free software (often without the knowledge or consent of the user) that you download from the Internet.

As such, most bundled software is generally classified as a Potentially Unwanted Program (PUP) and usually can be removed from within its program group Uninstall shortcut in Start Menu > All Programs or by using Programs and Features (Add/Remove Programs) in Control Panel, so always check there first. With most adware/junkware it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In most cases, using the uninstaller of the adware not only removes it more effectively, but it also restores many changed configuration settings.

Alternatively, you can use a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo will do a more thorough job of searching for and removing related registry entries, files and folders.

Remove anything else (newly installed programs) you do not recognize.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 quietman7

Posted 08 January 2015 - 04:46 PM

Only after doing the above...continue as follows:

Please download and use the following tools from your desktop (in the order listed) which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants.

RKill created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer.
AdwCleaner created by Xplode.
Junkware Removal Tool created by thisisu.

1. Double-click on RKill to launch the tool. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. A log file will be created and saved to the root directory, C:\RKill.log. Copy and paste the contents of RKill.log in your next reply.

Important: Do not reboot your computer until you complete the next step.

2. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will start to update its database...please wait until complete.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad (where the largest value of # represents the most recent report).
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


Close all open programs and shut down any protection/security software to avoid potential conflicts.

3. Double-click on JRT.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.
4. As a final step, download, install and perform a THREAT SCAN with Malwarebytes Anti-Malware 2.0. Be sure to print out and follow these instructions.

When done, please post the complete results of your Malwarebytes scan for review.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button or double-click on that specific Scan log entry to open.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location but you will have to name it.
To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2...immediately after a scan)
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location but you will have to name it.
-- Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

How do I access and save logs from Malwarebytes Anti-Malware?

#4 SeekerOfD

Posted 10 January 2015 - 09:32 AM

I looked for Fileviewerpro and didn't find any program. I'm well aware of PUPs and actively avoid them, which makes it strange as to how this appeared. Here are the logs. MBAM was already installed on my system and the license has already expired, although the scan still functions fine.

Rkill 2.7.0 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 01/10/2015 02:35:11 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\Pejman\AppData\Local\Temp\ocr2DF2.tmp\bin\rubyw.exe (PID: 1660) [UP-HEUR]
 * C:\Users\Pejman\AppData\Local\Temp\ocr2DF2.tmp\bin\rubyw.exe (PID: 1660) [T-HEUR]
 * C:\Users\Pejman\AppData\Local\Temp\ocr673A.tmp\bin\rubyw.exe (PID: 3560) [UP-HEUR]
 * C:\Users\Pejman\AppData\Local\Temp\ocr673A.tmp\bin\rubyw.exe (PID: 3560) [T-HEUR]
 
4 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * C:\Windows\System32\user32.dll : 1,008,640 : 11/26/2014 03:52 PM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
 +-> C:\Windows\SysWOW64\user32.dll : 833,024 : 11/26/2014 03:52 PM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1,008,128 : 11/21/2010 04:24 AM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833,024 : 11/21/2010 04:24 AM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 01/10/2015 02:36:21 PM
Execution time: 0 hours(s), 1 minute(s), and 10 seconds(s)
 
# AdwCleaner v4.107 - Report created 10/01/2015 at 14:42:48
# Updated 07/01/2015 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Pejman - PEJMAN-PC
# Running from : C:\Users\Pejman\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\Users\Pejman\AppData\Local\CrashRpt
Folder Deleted : C:\Users\Pejman\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio
Folder Deleted : C:\Users\Pejman\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfpebmajhhopeonhlcgidhclcccjcik
File Deleted : C:\Users\Pejman\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
File Deleted : C:\Users\Pejman\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage
File Deleted : C:\Users\Pejman\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
File Deleted : C:\Users\Pejman\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Mozilla Firefox v31.0 (x86 en-GB)
 
 
-\\ Google Chrome v39.0.2171.95
 
 
-\\ Chromium v
 
 
*************************
 
AdwCleaner[R0].txt - [2364 octets] - [10/01/2015 14:38:28]
AdwCleaner[S0].txt - [2309 octets] - [10/01/2015 14:42:48]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2369 octets] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Home Premium x64
Ran by Pejman on 10-Jan-15 at 14:51:21.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Emptied folder: C:\Users\Pejman\AppData\Roaming\mozilla\firefox\profiles\u9kq9d8i.default\minidumps [1 files]
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Users\Pejman\appdata\local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 10-Jan-15 at 14:54:37.70
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10-Jan-15
Scan Time: 3:04:43 PM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.01.10.11
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Pejman
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404045
Time Elapsed: 17 min, 26 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 33
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\APPID\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, No Action By User, [ffc4d91c1a6faa8c3ea369b5ac57c63a], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, No Action By User, [ffc4d91c1a6faa8c3ea369b5ac57c63a], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, No Action By User, [ffc4d91c1a6faa8c3ea369b5ac57c63a], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, No Action By User, [ffc4d91c1a6faa8c3ea369b5ac57c63a], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{8BA772A8-AC4F-4954-9B5E-433CA6DC506F}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{108F5878-71F9-4B5C-9EC0-58CEC29E8124}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{27588682-6FCC-4061-B2BB-7176E03359B8}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{2EEFF6A3-9828-48F2-A7BF-1A5365D7DA32}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{38F830AF-C844-48BD-86CF-75AB9A5C3FC2}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{4CA33941-B476-46A4-94EB-3DBA21B2D76D}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{57C854B7-3DE0-406B-83F1-D218481BD1FA}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{6390CA4B-8D70-47EA-90F5-21E2FEADD997}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{794DC34A-1D5E-4205-80BE-FC9D8E19E7F8}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{7E23FCAB-83EE-4012-B6A0-1EC68554956F}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{888C8994-107B-4CFB-9E42-7AA96230C1E0}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{9FD6DE57-31C7-4EB4-87AF-495DEEA4ECBD}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{DBEFF714-9A11-45DC-80FC-B86EAE86641A}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{DEFC8918-B440-4CEB-8BFD-140AE24DCABB}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{108F5878-71F9-4B5C-9EC0-58CEC29E8124}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{27588682-6FCC-4061-B2BB-7176E03359B8}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{2EEFF6A3-9828-48F2-A7BF-1A5365D7DA32}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{38F830AF-C844-48BD-86CF-75AB9A5C3FC2}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{4CA33941-B476-46A4-94EB-3DBA21B2D76D}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{57C854B7-3DE0-406B-83F1-D218481BD1FA}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{6390CA4B-8D70-47EA-90F5-21E2FEADD997}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{794DC34A-1D5E-4205-80BE-FC9D8E19E7F8}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7E23FCAB-83EE-4012-B6A0-1EC68554956F}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{888C8994-107B-4CFB-9E42-7AA96230C1E0}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9FD6DE57-31C7-4EB4-87AF-495DEEA4ECBD}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DEFC8918-B440-4CEB-8BFD-140AE24DCABB}, No Action By User, [8c37ed083950e3537072120c82817090], 
PUP.Optional.MixiDJ.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{A105B30B-D103-4781-B18C-E8DF93B6EBD0}, No Action By User, [cdf67d788009c670c65163bc27dc39c7], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DBEFF714-9A11-45DC-80FC-B86EAE86641A}, Quarantined, [8c37ed083950e3537072120c82817090], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{8BA772A8-AC4F-4954-9B5E-433CA6DC506F}, Quarantined, [8c37ed083950e3537072120c82817090], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.OpenCandy, C:\Users\Pejman\AppData\Roaming\PowerISO\Upgrade\PowerISO6.exe, No Action By User, [80439263cabfeb4b405b4b6a36cf44bc], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#5 quietman7

Posted 10 January 2015 - 06:29 PM

Your Malwarebytes Anti-Malware log shows "No action taken" for PUP detections. Malwarebytes will not automatically remove these detections unless you have the Non-Malware Protection settings configured to do so.

In Malwarebytes 2.0 the default action for these detections is "Warn user about detections". This means you are only alerted to the detections and can choose to ignore them, create exclusions, or treat it as malware...you need to change the settings in order to remove those items. If you changed those settings previously, then double-check and make sure they were saved correctly.

Launch Malwarebytes, and click the Detection and Protection Option section. Under Non-Malware Protection, you will see PUP with a drop down box to the right which allows you to select the action you want Malwarebytes to take. Select: Treat detections as malware

After doing that, rescan again with Malwarebytes:
  • Make sure that everything detected is checked and then click the Remove Selected button.
  • Then click the Logs tab and copy/paste the contents of the new report in your next reply.
Note: Another reason for "No action taken" can occur if you forget to click "Remove Selected" and instead just click "Save Logfile" or save the report before having Malwarebytes remove the threats.
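One way to automate the check quietman7 is doing by eye on the log above. This is an added example in Python, not from the thread or from Malwarebytes: it parses the MBAM 2.0 log layout, tallies detections by action and family, lists entries left at "No Action By User", warns when the PUP setting was "Warn", and compares each section's declared count with the entries actually pasted. The sample log is constructed from a few lines of the posted one; the function names are my own.

```python
"""Triage a Malwarebytes Anti-Malware 2.0 scan log (added example, not MBAM code)."""
import re
from collections import Counter

# Sections of an MBAM 2.0 log whose "Name: N" header introduces detection lines.
DETECTION_SECTIONS = {
    "Processes", "Modules", "Registry Keys", "Registry Values",
    "Registry Data", "Folders", "Files", "Physical Sectors",
}
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)$")
# Detection line: "Family, Object, Action, [32-hex id], " (trailing comma and space).
DETECTION_RE = re.compile(
    r"^(?P<family>[^,]+), (?P<obj>.+), (?P<action>[^,]+), \[(?P<id>[0-9a-f]{32})\],?\s*$"
)

# Constructed sample: a handful of lines from the log posted above, in MBAM 2.0 format.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10-Jan-15
Scan Time: 3:04:43 PM
Version: 2.00.4.1028
Malware Database: v2015.01.10.11

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404045

PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\APPID\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, No Action By User, [ffc4d91c1a6faa8c3ea369b5ac57c63a], 
PUP.Optional.MixiDJ.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{A105B30B-D103-4781-B18C-E8DF93B6EBD0}, No Action By User, [cdf67d788009c670c65163bc27dc39c7], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{8BA772A8-AC4F-4954-9B5E-433CA6DC506F}, Quarantined, [8c37ed083950e3537072120c82817090], 

Files: 1
PUP.Optional.OpenCandy, C:\Users\Pejman\AppData\Roaming\PowerISO\Upgrade\PowerISO6.exe, No Action By User, [80439263cabfeb4b405b4b6a36cf44bc], 

(end)
"""


def parse_mbam_log(text):
    """Split an MBAM 2.0 log into header settings, per-section declared
    counts and the individual detection records."""
    settings, declared, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m and m.group("name") in DETECTION_SECTIONS:
            section = m.group("name")
            declared[section] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            detections.append({"section": section, **m.groupdict()})
            continue
        if section is None and ": " in line:      # header "Key: Value" pairs
            key, _, value = line.partition(": ")
            settings[key] = value
    return {"settings": settings, "declared": declared, "detections": detections}


def triage(text):
    """Summarise a log the way the thread does: what was found, what was
    actually done with it, and whether the PUP setting explains entries
    left at 'No Action By User'."""
    log = parse_mbam_log(text)
    dets = log["detections"]
    by_action = Counter(d["action"] for d in dets)
    by_family = Counter(d["family"] for d in dets)
    parsed = Counter(d["section"] for d in dets)
    # A section declaring more entries than were pasted means the log was
    # trimmed, which is why the thread asks for the complete file.
    incomplete = {s: (n, parsed[s]) for s, n in log["declared"].items() if parsed[s] != n}
    pending = [d["obj"] for d in dets if d["action"] == "No Action By User"]
    pup_mode = log["settings"].get("PUP")
    advice = None
    if pending and pup_mode and pup_mode.lower() != "enabled":
        advice = ("PUP setting is %r, so detections were only reported; "
                  "set PUP to 'Treat detections as malware' and rescan." % pup_mode)
    return {"pup_mode": pup_mode, "total": len(dets), "by_action": dict(by_action),
            "by_family": dict(by_family), "pending": pending,
            "incomplete": incomplete, "advice": advice}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```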

#6 SeekerOfD

Posted 11 January 2015 - 09:07 AM

Ah yeah sorry, forgot to apply it. 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11-Jan-15
Scan Time: 2:33:43 PM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.01.11.06
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Pejman
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 406698
Time Elapsed: 25 min, 21 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 32
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\APPID\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, Quarantined, [0d156b8bb4d5b6805d0a52cd8083f20e], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, Quarantined, [0d156b8bb4d5b6805d0a52cd8083f20e], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, Quarantined, [0d156b8bb4d5b6805d0a52cd8083f20e], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{14B1B6D0-D25F-4418-94E3-EC2B5AEE9756}, Quarantined, [0d156b8bb4d5b6805d0a52cd8083f20e], 
PUP.Optional.MixiDJ.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{A105B30B-D103-4781-B18C-E8DF93B6EBD0}, Quarantined, [d151a6502564e155e6b73fe0df24ac54], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{108F5878-71F9-4B5C-9EC0-58CEC29E8124}, Quarantined, [6db50aecea9f063067011d02bd46f907], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\TypeLib\{8BA772A8-AC4F-4954-9B5E-433CA6DC506F}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{27588682-6FCC-4061-B2BB-7176E03359B8}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{2EEFF6A3-9828-48F2-A7BF-1A5365D7DA32}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{38F830AF-C844-48BD-86CF-75AB9A5C3FC2}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{4CA33941-B476-46A4-94EB-3DBA21B2D76D}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{57C854B7-3DE0-406B-83F1-D218481BD1FA}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{6390CA4B-8D70-47EA-90F5-21E2FEADD997}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{794DC34A-1D5E-4205-80BE-FC9D8E19E7F8}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{7E23FCAB-83EE-4012-B6A0-1EC68554956F}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{888C8994-107B-4CFB-9E42-7AA96230C1E0}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{9FD6DE57-31C7-4EB4-87AF-495DEEA4ECBD}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{DBEFF714-9A11-45DC-80FC-B86EAE86641A}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{DEFC8918-B440-4CEB-8BFD-140AE24DCABB}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{108F5878-71F9-4B5C-9EC0-58CEC29E8124}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{27588682-6FCC-4061-B2BB-7176E03359B8}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{2EEFF6A3-9828-48F2-A7BF-1A5365D7DA32}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{38F830AF-C844-48BD-86CF-75AB9A5C3FC2}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{4CA33941-B476-46A4-94EB-3DBA21B2D76D}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{57C854B7-3DE0-406B-83F1-D218481BD1FA}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{6390CA4B-8D70-47EA-90F5-21E2FEADD997}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{794DC34A-1D5E-4205-80BE-FC9D8E19E7F8}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7E23FCAB-83EE-4012-B6A0-1EC68554956F}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{888C8994-107B-4CFB-9E42-7AA96230C1E0}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9FD6DE57-31C7-4EB4-87AF-495DEEA4ECBD}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DEFC8918-B440-4CEB-8BFD-140AE24DCABB}, Quarantined, [91911dd9abde2a0c4e1a021d5ba8d729], 
PUP.Optional.Delta.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{8BA772A8-AC4F-4954-9B5E-433CA6DC506F}, Quarantined, [34ee52a42a5f2313590f9689e91af50b], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.OpenCandy, C:\Users\Pejman\AppData\Roaming\PowerISO\Upgrade\PowerISO6.exe, Quarantined, [a181678fdbaea88e53054c6a59ac5ea2], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#7 quietman7

Posted 11 January 2015 - 09:15 AM

Please perform a scan with Emsisoft Emergency Kit.

  • Download Emsisoft Emergency Kit and save the file to your Desktop.
  • Extract the contents to C:\EEK as shown here.
  • Double click the desktop-shortcut (EmsisoftEmergencyKit.exe) icon to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • When the program opens select Emergency Kit Scanner.
  • If prompted to download the latest definition files, select Yes.
  • Once the update is complete click "Scan".
  • Enable "PUPs" detection (1) and click on "Full Scan" (2).
  • Be patient...this is a comprehensive scan and can take some time to complete.
  • If adware/malware was detected, check all the items and select Quarantine detected objects, then click OK.
  • When finished, click Logs > Scan at the top to view the Scan log which is listed by date.
  • Highlight the log by clicking on it, then click View details to open it in Notepad. The logfile will be named in the following format: a2scan_Date-Time.txt (YYMODY)
  • Alternatively you can click Export and save the log to your Desktop, then open it by double-clicking on it.
  • Copy and paste the contents of that logfile in your next reply.


#8 SeekerOfD

Posted 12 January 2015 - 07:15 AM

Just as a note, the screenshots you posted are relatively outdated. Here is my log.
 
Emsisoft Emergency Kit - Version 9.0
Last update: 11-Jan-15 7:55:40 PM
User account: Pejman-PC\Pejman
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 11-Jan-15 7:56:05 PM
Value: HKEY_USERS\S-1-5-21-1426801200-2228353580-73760859-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1426801200-2228353580-73760859-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
C:\Program Files (x86)\Recursion\RealTimeStatTracker\rtst_run_dx86.exe detected: Gen:Variant.Graftor.155620 (B)
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revo.uninstaller.pro.3.x.(x64)-patch.rar -> revo.uninstaller.pro.3.x.(x64)-patch.exe detected: Dropped:Trojan.Generic.12484938 (B)
C:\Users\Pejman\AppData\Local\Google\Chrome\User Data\Default\File System\002\t\00\00000000 -> (NSIS o) -> lzma_solid_nsis0000 detected: Gen:Application.Bundler.DefaultTab.1 (B)
 
Scanned 503578
Found 6
 
Scan end: 12-Jan-15 2:26:54 AM
Scan time: 6:30:49
 
C:\Users\Pejman\AppData\Local\Google\Chrome\User Data\Default\File System\002\t\00\00000000 Quarantined Gen:Application.Bundler.DefaultTab.1 (B)
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revo.uninstaller.pro.3.x.(x64)-patch.rar Quarantined Dropped:Trojan.Generic.12484938 (B)
C:\Program Files (x86)\Recursion\RealTimeStatTracker\rtst_run_dx86.exe Quarantined Gen:Variant.Graftor.155620 (B)
Value: HKEY_USERS\S-1-5-21-1426801200-2228353580-73760859-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1426801200-2228353580-73760859-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Quarantined Setting.DisableTaskMgr (A)
 
Quarantined 6
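The three registry hits in the log above (Setting.DisableTaskMgr and Setting.DisableRegistryTools under HKLM and the user's SID hive) are ordinary Group Policy values, but on a home PC with no domain policy they are almost always written by malware to lock the user out of Task Manager and regedit. After a scanner quarantines them it is worth confirming they are really gone. The script below is an added example, not part of the original thread and not an Emsisoft tool: it enumerates HKLM plus every loaded user hive under HKEY_USERS, reports any of those two values that still exist, and deletes them only when run with -Remove. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): re-check the policy values that the scan flagged.
# Both DisableTaskMgr and DisableRegistryTools are legitimate policy settings; on an
# unmanaged home PC their presence is suspicious. Pass -Remove to delete what is found.
param([switch]$Remove)

$ValueNames = 'DisableTaskMgr', 'DisableRegistryTools'
$SubKey     = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# HKEY_USERS is not exposed as a drive by default; map it so the loaded user hives
# (S-1-5-21-... SIDs, as seen in the scan log) can be walked alongside HKLM.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Normal user hives only: skip .DEFAULT, service SIDs and the *_Classes hives.
$UserHives = Get-ChildItem HKU: |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" }
$Hives = @('HKLM:') + @($UserHives)

$Findings = foreach ($Hive in $Hives) {
    $Path = Join-Path $Hive $SubKey
    if (-not (Test-Path $Path)) { continue }
    $Props = Get-ItemProperty -Path $Path
    foreach ($Name in $ValueNames) {
        # Report the value even if it is 0: a malware remover may leave a zeroed value behind.
        if ($null -ne $Props.$Name) {
            [pscustomobject]@{ Path = $Path; Name = $Name; Value = $Props.$Name }
        }
    }
}

if (-not $Findings) {
    Write-Host 'No DisableTaskMgr / DisableRegistryTools values present in HKLM or any loaded user hive.'
} else {
    $Findings | Format-Table -AutoSize
    if ($Remove) {
        foreach ($F in $Findings) {
            Remove-ItemProperty -Path $F.Path -Name $F.Name
            Write-Host "Removed $($F.Name) from $($F.Path)"
        }
    }
}
```

Only hives of users who are currently logged on (or whose profiles Windows has loaded) appear under HKEY_USERS; a second account that is not logged in will not be checked unless you sign in as that user and run the script again.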


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:19 AM

Posted 12 January 2015 - 12:11 PM

Nothing of significant concern showing in your log(s)...and no obvious signs of a major malware infection.

Your scan log(s) show that most of the detections were for Potentially Unwanted Programs (PUPs) / Potentially Unwanted Applications (PUAs) which do not fall in the same category as malicious files such as viruses, Trojans, worms, rootkits and bots. In most cases they are related to junk software, toolbars, add-ons/plug-ins, browser extensions and related registry entries bundled with other software (often without the knowledge of the user) you download from the Internet.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders (temp, IE temp, Java, FF, Opera, Chrome, Safari) for all user accounts, including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
-- Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
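Before letting a cleaner wipe every temp folder on the machine it helps to see what it is about to touch and how much space is involved. The script below is an added example, not part of the original thread and not TFC itself: it walks each profile under C:\Users, sums the size of the usual Windows 7 temp locations (Windows temp, Temporary Internet Files, Java deployment cache, Firefox profile directory, Chrome cache) and prints a per-profile table. It deletes nothing. The browser and Java cache paths are assumptions based on the default Windows 7 layout and may differ on other versions.

```powershell
# Added example (not from the thread): dry-run size report of the temp locations a cleaner
# such as TFC targets, per user profile. Nothing is deleted. Works on Windows PowerShell 2.0.
$RelativeTempPaths = @(
    'AppData\Local\Temp',
    'AppData\Local\Microsoft\Windows\Temporary Internet Files',
    'AppData\LocalLow\Sun\Java\Deployment\cache',               # assumed Java cache path
    'AppData\Local\Mozilla\Firefox\Profiles',                   # Firefox caches live under each profile
    'AppData\Local\Google\Chrome\User Data\Default\Cache'       # assumed Chrome cache path
)

$Profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') |
    Where-Object { $_.PSIsContainer }

$Rows = foreach ($P in $Profiles) {
    foreach ($Rel in $RelativeTempPaths) {
        $Dir = Join-Path $P.FullName $Rel
        if (-not (Test-Path -LiteralPath $Dir)) { continue }
        # -Force includes hidden/system files; access-denied entries are skipped silently.
        $Bytes = (Get-ChildItem -LiteralPath $Dir -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer } |
                  Measure-Object -Property Length -Sum).Sum
        if ($null -eq $Bytes) { $Bytes = 0 }
        [pscustomobject]@{
            Profile  = $P.Name
            Location = $Rel
            MB       = [math]::Round($Bytes / 1MB, 1)
        }
    }
}

$Rows | Sort-Object MB -Descending | Format-Table -AutoSize
'Total: {0:N1} MB' -f (($Rows | Measure-Object -Property MB -Sum).Sum)
```

Run it from an elevated prompt so other users' profiles are readable; a large "Temporary Internet Files" or Firefox figure is normal and is exactly the space TFC reclaims.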

#10 SeekerOfD

SeekerOfD
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 13 January 2015 - 07:06 AM

I ran TFC, deleted about 4 gigs of temp files. Haven't cleaned it in a while it seems.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:19 AM

Posted 13 January 2015 - 07:12 AM

You should be good to go.

#12 SeekerOfD

SeekerOfD
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 13 January 2015 - 02:56 PM

A Chrome extension of mine (Speed Dial 2) was deleted. This extension has survived previous scans on this forum, so I don't imagine it has anything malicious, plus it's pretty well known. Was there anything wrong with it?

 

Also, was FileViewerPro ever detected?



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:19 AM

Posted 13 January 2015 - 03:31 PM

The extension was most likely removed because you ran AdwCleaner from C:\Users\Pejman\Downloads\AdwCleaner.exe instead of the Desktop. There have been some recent reports about that and the developer has been notified.

As for FileViewerPro...it doesn't appear any of the tools considered it a PUP. You can just delete the folder containing it by right-clicking on it and choosing delete.

#14 SeekerOfD

SeekerOfD
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 14 January 2015 - 07:30 AM

Ah, didn't realise running it from certain locations made a difference. FileViewerPro was never on my system, I don't think; I could never find any traces of it aside from that text file mentioning its download.

 

Either way, thanks for all the help quietman! Lock this thread if you want to.



#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:19 AM

Posted 14 January 2015 - 07:57 AM


You're welcome. :thumbup2:

Best Practices for Safe Computing - Prevention of Malware Infection.



