Dynamo Combo and Yontoo.C malware infection


  • This topic is locked
8 replies to this topic

#1 Protokaw

Protokaw

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 13 January 2015 - 10:36 PM

Hello, and first thank you for the read, and for continuing the fight against malware as well as spreading overall knowledge and good practices.
My system has been hit by the Dynamo Combo and Yontoo.C malware. From your experience and advice, I'd like to know if you think I should reformat my computer based on these steps I've done to try and remove the Dynamo Combo. If I were to do it all again, I would've just downloaded Malwarebytes and ensured it took care of everything. Now I am quite unsure whether I may still have bits of Dynamo Combo lurking around ready to steal my passwords.
If it helps this was my activity log on the day it happened:
***********************System Specs:************************

System OS: Windows 7
Antivirus/malware: Norton Security

 
***********************Steps - The day I got infected:************************

(1) Suspicious behaviour: I downloaded CamStudio. I noticed Dynamo Combo toolbar in my google search, accidentally clicked the bar and the ads. I'm not sure if this was a problem. My web browser was extremely sluggish and kept crashing. 
(2) Norton Detections: My Norton detected Yontoo.C virus as well as a Trojan that came from dynamocombo.dll and blocked both. I have a suspicion that Yontoo.C may have come from the ads that were generated from Dynamo Combo?
** At this point I googled how to remove Dynamo Combo to achieve the steps below. I knew for sure Norton didn't pick up every bit of Dynamo Combo because the websites listed file names that Norton still didn't quarantine after a full system scan: **
(3) Uninstall Dynamo Combo Program: I manually uninstalled Dynamo Combo from Add/Remove Programs (the toolbar on Google was immediately removed). I'd like to note there were two instances of "Dynamo Combo" listed in my Add/Remove programs. In my haste I did not check the properties of each of these. I removed the first entry of "Dynamo Combo" and I noticed the second one disappeared once it was uninstalled. Again, I don't know if this is significant, but this detail still bugs me.

(4) Reset Web Browser extensions: I reset extension settings for all web browsers.  (Although I'd like to note Dynamo Combo never showed itself even before I uninstalled it, as an extension. Is that normal?) 
(5) Check System Configuration > Services & System Configuration > Startup: Through msconfig I checked for suspicious services and startup services that the websites suggested. I'll admit I didn't check every single service - especially since there were a LOT of Microsoft services. I did a "Hide all Microsoft services". Which brings me to my next question... is it possible for malware to fake the Manufacturer name (Run > msconfig > Services)? That certainly makes me uncomfortable. I don't mean the service name, I mean the manufacturer name such as "Adobe Systems Incorporated" or "Microsoft Corporation". I thought these had to be digitally signed.
(6) Check Windows Task Manager > Processes: I also tried to google any suspicious looking names and check their origin (i.e. is it from C:/windows/system32?). Is it enough to right click the process > properties, and ensure the processes are coming from c:/windows/system32. Or can a virus FAKE the location origin as well?
(7) Check Windows Task Manager > Services: Just googled a few of the names. How extensive should I be? Can viruses "hide" themselves from the services, processes menus? 
(8) Windows Registries: I'd like to point out I did check the windows registries but I didn't change anything. Websites suggested I check for certain names but I didn't find the ones they listed. I'd like to point out the next step DID quarantine 2-3 registries though.
(9) Install MalwareBytes: I installed and ran Malware Bytes - and it detected the 64c2f02d_stp.exe lurking in my users/temp/local/ that my Norton could NOT pick up. It also quarantined one or two Registry key files and 2-3 other files.

 
Would you like the Norton and Malware Bytes logs? 
***********************NORTON LOGS:************************
(1) Dynamo Combo: Norton only auto-blocked this virus
 

dynamocombo.compatibilitychecker.dll:

  • Launched: No
  • Threat name: Trojan.Gen.2Locate
  • File location: ...\ dynamo combo\bin\plugins\ dynamocombo.compatibilitychecker.dll (Norton status: Blocked)
  • File Thumbprint - SHA:Not available
  • File Thumbprint - MD5:Not available
  • Concern: I thought Dynamo Combo was merely adware? If so, why does it have a trojan involved?
  • Norton did NOT remove the actual Dynamo Combo from my C:/Program Files. Why? I had to manually remove it from Add/Remove Programs

 
 
 
(2) Yontoo.C: Norton detected and quarantined this file
 

 
 

Filename: Yontoo.C
Full Path: Not Available
____________________________
 
Source: External Media
 
____________________________
 
File Actions
 
File: ...appdata\local\temp\ yontoolayers.pem No Action Required
File: ...appdata\local\temp\ yontooffclient.xpi No Action Required
File: ...appdata\local\temp\ yontoolayers.crx No Action Required
File: ...appdata\local\temp\ launchie.vbs No Action Required
File: ...appdata\local\virtualstore\program files (x86)\yontoo\ yontoolayers.crx No Action Required
File: c:\program files (x86)\yontoo\ yontoolayers.crx No Action Required
____________________________
 
Registry Actions: (there were many)
 
Registry change: HKEY_USERS\S-1-5-21.....\Software\ SecretSauce No Action Required
....
...
many many more (do you need to see all of them?)
...
____________________________
 
Suspicious Actions
 
Service change: Update MossNet No Action Required
Service change: Update MossNet No fix attempted
____________________________
 
 
File Thumbprint - SHA: Not available
File Thumbprint - MD5: Not available

  • Concern: Where did Yontoo.C come from? Was it from clicking around the Dynamo Combo Ads by accident?

 

 
***********************Malware Bytes Log************************

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled //is this a problem?
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 3

  • PUP.Optional.Sanbreel.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\....., Quarantined, 
  • PUP.Optional.InstallCore.A, HKU\S-1-5-2.....\SOFTWARE\INSTALLCORE\1I1T...., Quarantined, 
  • PUP.Optional.InstallCore.A, HKU\S-1-5-21.....\SOFTWARE\INSTALLCORE, Quarantined, 
Registry Values: 1
  • PUP.Optional.InstallCore.A, HKU\S-1-5-21-....\SOFTWARE\INSTALLCORE|tb, ...Quarantined, 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 3
  • PUP.Optional.BPlug, C:\.....\AppData\Local\Temp\is195539...\3F43A633_stp.EXE, Quarantined, 
  • PUP.Optional.BPlug, C:\....\AppData\Local\Temp\is195539...\64C2F02D_stp.EXE, Quarantined, 
  • PUP.Optional.Sanbreel.A, C:\Windows\System32\drivers\{....Gw64.sys, Quarantined, 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 

 

***********************Aftermath************************
Since I did part of this manually and part of this with Malwarebytes, should I be concerned that there are still lurking bits of Dynamo Combo, Yontoo.C or any other malware? What are the biggest concerns I should have? I would immediately assume trojans (backdoors) and keyloggers, as those are the best ways to gain access to my personal passwords.
Some thoughts and suggested solutions:

(1) Will I have to reformat my computer? This seems the only sure way to delete all infected files. Although if I backed up infected files into my external hard-drive that really wouldn't solve anything...  
(2) Backing up into Linux external hard drive: I had been suggested also to change my external hard-drive to a linux OS before backing up my files. While that protects the external hard-drive, I would ultimately be backing them back into the original local machine which would be Windows OS.
(3) Using virtual box with linux to log into bank etc...: That works. But if I have a keylogger on my main OS I'm still compromised. 
(4) Dual booting or keeping a separate laptop with just linux OS: I think this is very safe. But how often do people keep a separate machine just to do banking etc...?
While I can definitely research on how to do any of the solutions listed above, I don't want to blindly be doing things without reason.

hxxp://botcrawl.com/dynamo-combo-virus-removal/ (link is external)  Mod Edit:  Disabled link - Hamluis.

I also just came across this site and it looks like it was published two days ago. I didn't perform "CCleaner", but other than that it looks like the steps I performed were quite similar. As a side note, this Dynamo Combo seems quite new, with articles on how to remove it dating from Dec 2014 and even some in January 2015.
Thanks everyone for your guidance. Hoping that others can read this and remove accordingly the first time round. 
Proto


Edited by hamluis, 14 January 2015 - 06:24 AM.
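Two of the questions in the post above (can malware fake the Manufacturer column in msconfig, and is the path shown in Task Manager enough) come down to the same check: the manufacturer string is free text in the file's version resource and proves nothing, while the Authenticode signature on the image is what actually ties a file to a publisher. The following is an added, read-only example written for this thread; it is not code from the original post or from any of the tools discussed in it. It enumerates running processes and installed services, records each image's real path, whether it sits under %SystemRoot%, and its signature status and signer, then lists the ones worth a second look. It assumes Windows PowerShell 2.0 (the Windows 7 default) run as Administrator from the 64-bit console, and changes nothing on the machine.

```powershell
# Added example, not code from the thread or from any tool it discusses.
# Read-only audit of process and service images on Windows 7 / PowerShell 2.0.

$windowsDir = $env:SystemRoot

function Get-ImageInfo {
    param([string]$Source, [string]$Path)
    $info = New-Object PSObject -Property @{
        Source    = $Source
        Path      = $Path
        InWindows = $false
        Status    = 'NoFile'   # Get-Process returns no path for protected processes
        Signer    = ''
    }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $info.InWindows = $Path.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)
        $info.Status    = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError ...
        if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
    }
    $info
}

# Win32_Service.PathName is a command line, e.g. "C:\Program Files\X\svc.exe" -arg
# or C:\Windows\system32\svchost.exe -k netsvcs; pull the executable out of it.
function Get-ServiceImagePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($CommandLine -match '^(.+?\.exe)') { return $Matches[1] }   # unquoted path, may contain spaces
    return $CommandLine.Split(' ')[0]
}

$results = @()

# Running processes: .Path is the image path Task Manager shows in Properties.
foreach ($p in Get-Process) {
    $results += Get-ImageInfo -Source ("process " + $p.ProcessName) -Path $p.Path
}

# Installed services, regardless of what msconfig's Manufacturer column claims.
foreach ($s in Get-WmiObject Win32_Service) {
    $results += Get-ImageInfo -Source ("service " + $s.Name) -Path (Get-ServiceImagePath $s.PathName)
}

# Caveat: most in-box Windows 7 binaries are catalog-signed, and PowerShell 2.0's
# Get-AuthenticodeSignature does not consult catalogs, so "NotSigned" under
# %SystemRoot% is normal for OS files. The meaningful findings are therefore:
#   - images OUTSIDE %SystemRoot% that are not validly signed, and
#   - images INSIDE %SystemRoot% that carry a valid signature from someone other
#     than Microsoft (legitimate for some third-party drivers, worth checking otherwise).
$suspect = $results | Where-Object {
    (-not $_.InWindows -and $_.Status -ne 'Valid') -or
    ($_.InWindows -and $_.Status -eq 'Valid' -and $_.Signer -notmatch 'O=Microsoft Corporation')
}
$suspect | Sort-Object Status, Path | Format-Table Source, Status, Signer, Path -AutoSize
```

A "Valid" status with an unfamiliar signer is still just a lead, not a verdict: the signer name is what to look up, and a Sysinternals-style catalog-aware check is needed before treating a "NotSigned" system file as anything other than normal on Windows 7.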



#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:15 PM

Posted 13 January 2015 - 11:18 PM

Hello  Protokaw -
(1) Will I have to reformat my computer? - Generally NO
(2) Backing up into Linux external hard drive - Personal choice only at this time
DynamoCombo.CompatibilityChecker.dll - A.K.A. PUP.Optional.Sanbreel.A

Most Antivirus / Antimalware programs have their own listing for each "problem".

Yontoo.C : Norton detected and quarantined this file - Once quarantined it can not hurt you -
Most other items detected are PUPs (Potentially Unwanted Programs) and not much more ........
"Trojan.Gen.2" is a random name, and will also show bogus alerts like >> Activate antivirus protection to prevent data loss and avoid the theft of your credit card details.
Typical "Trojan.Gen.2 Warning : Your PC is still infected with dangerous viruses."

Please start here -

Please download RKill by Grinler to your desktop

  • If you have an old version, please delete it first
  • Right click on the new Red icon and select Run as Administrator
  • A black DOS box will appear for a short time and then disappear.
  • This is normal and indicates the tool ran successfully.
  • At most the tool will usually run for about 2 minutes
  • Please Copy and Paste the small log back here.

Do not reboot your computer until you complete the next step.

Now :

  • Download AdwCleaner by Xplode from Here or Here and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
     * Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button (only once)
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button
  • A report (AdwCleaner[R0].txt) will open in Notepad for your review.
  • Check the listed removals and see if you are OK with them.
  • If you have questions, post the Report log back here.
     Next
  • Click on the Clean button only once for accuracy
  • Press OK to agree, and OK when asked to close all programs and follow the onscreen prompts.
  • Press OK finally to allow AdwCleaner to Restart the computer and complete the removal process.
  • After rebooting, a log report (AdwCleaner[S0].txt) will open automatically.
  • **Copy and Paste the contents of that log in your next reply.**
  • NOTE - To restore an item that has been deleted by accident : Open the program again,
  • Go to Tools (top left) > Quarantine Manager > check what you want restored > now click on Restore.

 

 

After reboot and posting the log, please download  JRT - Junkware Removal Tool to your desktop.
* Temporarily Disable your Antivirus now to avoid potential conflicts.
* Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
* The tool will open and start scanning your system.
* Please be patient as this can take a while to complete depending on your system's specifications.
* On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
* Post the contents of JRT.txt into your next message. Next -
Note: With most Adware / Junkware / PUPs it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In many cases, using the uninstaller of the adware not only removes the adware more effectively, but it also restores any changed configuration. After uninstallation, then you can run specialized tools like AdwCleaner and JRT to fix any remaining entries they may find.
 

 

I note that you have Malwarebytes Anti-Malware installed.

Please make sure the program is Fully updated, run a scan, and post the log back here.

Remove all problems that Malwarebytes Anti-Malware finds (Remove or Quarantine), as you see fit.

 

To be sure -

Download Malwarebytes Anti-Rootkit (A.K.A. MBAR) from HERE

  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait if the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain.
  • If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs if produced, they will be in the MBAR folder..... mbar-log.txt and system-log.txt

If nothing is found, it will say No Malware Found, and can be deleted.

 

 

Thank You -


Edited by noknojon, 13 January 2015 - 11:21 PM.


#3 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:15 PM

Posted 14 January 2015 - 06:40 AM

Note : In addition to removal of most listed adware programs, here is a bit more detail for you .......

 

A Potentially Unwanted Program (PUP) is a very broad threat category which can encompass any number of different programs to include those which are benign as well as problematic. Thus, this type of detection does not always necessarily mean the file is malicious or a bad program. PUPs in and of themselves are not always bad...many are generally known, non-malicious but unwanted software usually containing adware or bundled with other free third-party software to include toolbars, add-ons/plug-ins and browser extensions.

PUPs are considered unwanted because they can cause undesirable system performance or other problems and are sometimes installed without the user's consent since they are often included when downloading legitimate programs. PUPs may also be defined somewhat differently by various security vendors and may or may not be detected/removed based on that definition.

 

In general, we like to remove PUPs {Potentially Unwanted Programs} / PUMs {Potentially Unwanted Modifications} / PUAs {Potentially Unwanted Add-ons} first, then to get a clear run at any other problems.

 

That fact adds to confusion and a lot of complaints from end users asking why a detection was not made on a particular file (program) they are having issues with.

 

Text is adapted from quietman7 our main Moderator involved in collection and detection of adware / malware / general infections ....... and general removal methods .



#4 Protokaw

Protokaw
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 18 January 2015 - 05:00 AM

Hello Noknojon:
 
Thank you for your reply and your thorough explanation of what a PUP, PUM and PUA are. This is very good knowledge to have for a general user.
 
A kind reminder of my system specs:
OS: Windows 7
 
Anti-virus / anti-malware already installed:
  • Norton Security
  • Malware Bytes

 

 
================================START================================= 
 
STEP 1 RKILL LOGS:
Rkill 2.7.0 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 01/18/2015 12:58:02 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 01/18/2015 01:00:08 AM
Execution time: 0 hours(s), 2 minute(s), and 6 seconds(s)
 

 

@noknojon: Question 1 - Is it normal that my windows defender is disabled? Was it Norton Security that disabled it, because you cannot have two antivirus running live? Or is it the works of the Dynamo Combo malware?
 
 

STEP 2: AdwCleaner LOGS:
 
# AdwCleaner v4.108 - Report created 18/01/2015 at 01:06:07
# Updated 17/01/2015 by Xplode
# Database : 2015-01-13.2 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : <placeholder_name> - <name>
# Running from : C:\Users\<placeholder_name>\Downloads\AdwCleaner (1).exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Found : C:\Users\<placeholder_name>\AppData\Local\Google\Chrome\User Data\Default\Extensions\chklaanhfefbnpoihckbnefhakgolnmc
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Mozilla Firefox v29.0.1 (en-US)
 
 
-\\ Google Chrome v
 
[C:\Users\<placeholder_name>\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\<placeholder_name>\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN10506&l=dis&prt=NS&chn=retail&geo=CA&ver=22&locale=en_CA&gct=sb&qsrc=2869
 
*************************
 
AdwCleaner[R0].txt - [1708 octets] - [18/01/2015 01:06:07]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1768 octets] ##########
 

 

 
@noknojon: Question 2 - Wow, those are some registry files, in my LOCAL TEMP folder, and still some remaining things in Chrome? Is that all from Dynamo Combo as well?
 
@noknojon: Question 3 - I haven't removed any of these yet. Which ones are safe to remove?
 
 
STEP3: Junkware removal tool: 
No steps taken.
 
@noknojon: Question 4 - Will it be necessary to download and run this one at this time? I asked around; my friends have heard of or used rkill and AdwCleaner but not this one.
 
STEP 4: MALWARE bytes LOG:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 18/01/2015
Scan Time: 1:25:53 AM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.01.18.05
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: <placeholder_name>
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347828
Time Elapsed: 9 min, 23 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 

 
 
STEP 5: Malware Bytes ANTI ROOT KIT
No steps taken.
 
@noknojon: Question 5 - I was not clear, did you want me to install another Malware Bytes installer? Or was running Malware Bytes MBAM.exe above in STEP 4, good enough?
 
 
============================== END OF STEPS TAKEN =========================================
 
 
Some Questionable Files I noticed afterwards:
 
Some files I noticed in C:\Users\<placeholder_name>\AppData\Local\Temp once I installed rkill.exe and adwcleaner.exe. The date modified is today's date!
 
  • Quarantine.exe - Why do I have an executable file... where did this come from?
  • jusched.log
  • AdobeARM.log
  • FXAPIDebugLogFile.txt - blank
  • adwcleaner.db
  • sqlite3.dll 
  • FOLDER: WPDNSE - empty
  • FOLDER: _MEI22422 - looks like a Chrome browser folder...
  • FOLDER: Low - empty

 

 

Anything look suspicious here? I looked specifically in this folder because I *used* to have a Dynamo Combo folder here.  I can't seem to find the folder anymore, I'm guessing it deleted itself? I also had a separate folder that contained Dynamo Combo's installer files (when I posted my Malware Bytes log in my first post, it deleted 

C:\....\AppData\Local\Temp\is195539...\64C2F02D_stp.EXE
 
Comments:
noknojon wrote:

Note: With most Adware / Junkware / PUPs it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In many cases, using the uninstaller of the adware not only removes the adware more effectively, but it also restores any changed configuration. After uninstallation, then you can run specialized tools like AdwCleaner and JRT to fix any remaining entries they may find.

@noknojon: Thanks for confirming this. Someone told me I should NOT have removed the Dynamo Combo from Add/Remove and should've just come straight to Bleeping Computer. 

 

How does it look? I wasn't comfortable downloading rkill.exe and adwcleaner.exe as I have NOT heard of these programs before. I did a bit of googling each day when you posted your solution, which is why I did not reply to you straight away. I tried to read as many articles as possible about them. I'm still not entirely comfortable given that I was hit by Dynamo Combo and Yontoo.C by downloading Camstudio. 

 

I do appreciate your kind help, as well as the other Bleeping Computer malware experts' help, to help us common users fight against malware.

 

Thank you in advance,

 

Proto-Kaw



#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:15 PM

Posted 18 January 2015 - 03:23 PM

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual  << (it is not disabled, just not needed at this time)

 

C:\....\AppData\Local\Temp\is195539...\64C2F02D_stp.EXE is just a Temp File and so it can be removed.

Developed by SuperWeb LLC, Dynamo Combo is a rogue browser plug-in claiming to improve the Internet browsing experience by enabling coupons, comparison shopping, and other similar functions.
Always check browser Add-Ons / Plug-Ins as many are just rogues along for a ride.
Generally looking at your reply, hit Clean for AdwCleaner program to remove any extras.
 

Question 1 - Yes, Norton Security .......

Question 2 + 3 - Generally answered above .....

 

Junkware removal tool: is another small cleaner to empty what was missed .....

 

Malwarebytes Anti-Malware was just to Install if not installed, or Update if installed ....... Scan was clean .........

 

 

Please download Temp File Cleaner by Old Timer
1. Download TFC from the download link above and save the file on your desktop.
2. Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
3. Double-click on the TFC icon.
4. When the program opens, click on the Start button.  TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
5. When done, press OK > Exit, and reboot your computer and finish the cleanup
No log is produced or expected.........
Note: After removing temp files, the computer may seem slower than usual, but it will improve once the cache is rebuilt.

 

How are the problems now -

Thanks .



#6 Protokaw

Protokaw
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 18 January 2015 - 06:23 PM

 Hello noknojon:

 

Thanks for your reply again. I appreciate that.

 

Steps I took today:

1. I reran AdwCleaner and cleaned ALL of what it suggested. It basically deleted everything that was in the logs I posted above

2. I have Malware Bytes, but I don't have Malware Bytes Anti-Rootkit. Did you want me to download MB Anti-Rootkit? It looks like it is in beta. (hxxps://www.malwarebytes.org/antirootkit/) 

 

Questions:

1. Besides boiling down to faith, I'd like to ask how users can trust which anti-malware programs (specifically, like rkill.exe, adwcleaner.exe, JRT, Temp File Cleaner) to run? The fear being that they have not heard of this software before (versus say hearing about Norton, BitDefender etc...)

 

2. For rkill.exe last time, Norton alerted me to a firewall alert about rkill.exe:

From my computer -> TCP -> oscp.verisign.com, cri.verisign.com

Options: In this case I did "Allow this instance"

Can you please explain to me what this firewall alert is? I guess it has to do with checking Missing Digital Signatures?

 

3. Sort of related to Question#1, I'm trying not to download too many tools to my machine. From the logs, do you think JRT, Temp File Cleaner are still necessary to run for me? 

 

 

Comments:

After I had uninstalled Dynamo Combo manually from my first post, I didn't see Dynamo Combo toolbar. But I wanted to be sure that the little bits were blown away. And I wasn't sure if Dynamo Combo was "hiding" and pretending to be uninstalled. Also I didn't like the fact that I could have had other potential problems like a keylogger which was my biggest worry. But from your previous post that sounds like that is not the case. 

 

From the logs I posted last time, it still looks like things are being picked up - were the registry key ones AdwCleaner.exe picked up pretty serious? I can't say I understand where those paths point to and what they mean.

 
AdwCleaner:
***** [ Registry ] *****
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}
 

 

Thanks again for your help,

 

Proto-Kaw
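The post above asks what the AdwCleaner registry paths point to. The `Ext\Settings` and `Ext\Stats` keys hold Internet Explorer's per-user add-on state, keyed by the add-on's CLSID; the CLSID is only a name, and the DLL it maps to lives under `HKCR\CLSID\{guid}\InprocServer32`. The `Uninstall\{guid}` key is an Add/Remove Programs entry whose DisplayName and UninstallString say which product left it behind. The following is an added, read-only example written for this thread, not code from the post or from AdwCleaner: it resolves the CLSIDs and the uninstall GUID quoted in the report to the DLL, signer and product they refer to. It assumes Windows PowerShell 2.0 on the 64-bit Windows 7 install described in the report, and it only reads the registry; whether those keys are still present on the machine is also an assumption, and absent keys are reported as such.

```powershell
# Added example, not code from the thread or from AdwCleaner. Read-only: resolves
# the registry entries quoted in the AdwCleaner report to what they refer to.

# CLSIDs and uninstall GUID exactly as listed in the AdwCleaner report above.
$clsids = @('{8DCB7100-DF86-4384-8842-8FA844297B3F}',
            '{D2CE3E00-F94A-4740-988E-03DC2F38C34F}')
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}'
$extSettings  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Settings'

function Resolve-Clsid {
    param([string]$Clsid)
    $result = New-Object PSObject -Property @{
        Clsid      = $Clsid
        Name       = ''
        Registered = $false   # no class behind the CLSID at all: an orphaned leftover
        Dll        = ''
        Exists     = $false
        Signer     = ''
    }
    # COM resolves per-user classes first, then machine-wide; 32-bit IE add-ons on a
    # 64-bit OS register under Wow6432Node.
    $roots = @("Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$Clsid",
               "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
               "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $result.Registered = $true
        $result.Name = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).'(default)'
        $server = Get-ItemProperty -Path "$root\InprocServer32" -ErrorAction SilentlyContinue
        if ($server) {
            # Some installers store %ProgramFiles%-style references; expand them first.
            $dll = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)')
            $result.Dll = $dll
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $result.Exists = $true
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
                else { $result.Signer = $sig.Status.ToString() }   # e.g. NotSigned
            }
        }
        break
    }
    $result
}

# An Ext\Settings entry whose CLSID is no longer registered (or whose DLL is gone)
# is the residue an uninstall leaves behind; a registered, present, unsigned or
# unfamiliar DLL is the case that deserves attention.
$clsids | ForEach-Object {
    $r = Resolve-Clsid $_
    $r | Add-Member NoteProperty HasExtSettings (Test-Path "$extSettings\$_")
    $r
} | Format-List Clsid, Name, Registered, Dll, Exists, Signer, HasExtSettings

# The Add/Remove Programs entry: which product it belongs to and whether its
# uninstaller still exists on disk.
if (Test-Path $uninstallKey) {
    Get-ItemProperty -Path $uninstallKey |
        Select-Object DisplayName, Publisher, InstallLocation, UninstallString | Format-List
} else {
    "Uninstall key not present: $uninstallKey"
}
```

Reading the output: `Registered = False` with `HasExtSettings = True` means IE still remembers an add-on that no longer exists, which is the kind of entry a cleaner removes harmlessly; `Registered = True` with `Exists = True` means the add-on's DLL is still on disk and its `Signer` value is what to look up before deciding anything.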

 

 



#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:15 PM

Posted 19 January 2015 - 01:55 AM

1. Besides boiling down to faith, I'd like to ask how can users trust what anti-malware programs (specifically, like rkill.exe, adwcleaner.exe, JRT, Temp File Cleaner) to run?

We run these tools every day, so they are not strange to us. Please read other posts in this area.

 

2. For rkill.exe last time, Norton alerted me to a firewall alert about rkill.exe:

It is not unusual for your installed Antivirus programs to alert you to any Antimalware / Antivirus that we offer, as they want to "look inside your computer".

For many tools we say Temporarily Disable your Antivirus or just ignore it.

 

3. Sort of related to Question#1,

Also be alerted that Norton is known for reacting to "almost nothing problems". At times good, and at times annoying.........

Is your Norton from your ISP, as this also makes it more sensitive to installing programs .

 

I keep Temp File Cleaner and a few others on my desktop, and others I delete; open AdwCleaner and hit "Uninstall", as it Quarantines items and Uninstall removes the program and all Quarantined items.

 

Sorry but I do not have the time to check every CLSID e.g. {8DCB7100-DF86-4384-8842-8FA844297B3F}, but I trust the programs . .

 

AdwCleaner will only act on "lower grade" items like some of these are Extensions etc, that are not required.

It is rare to get a scan with no result, as you must disable all other protection first, and only run the tool by itself.

Also remember that the program only reacts to what you do, you may be the one that is visiting "nasty" sites between each post ....

 

 

Malwarebytes Anti-Rootkit (A.K.A. MBAR) could always be called BETA, as they are always changing and updating the program. I asked them if it was retail, and got that answer .

But I trust it and ask others to use it almost daily, and I use it weekly ..

 

 

A Mix of Answers but you left a Mix of Questions, and I think I covered most items in some way ............



#8 Protokaw

Protokaw
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 19 January 2015 - 04:02 AM

Thanks for your help noknojon - just so you know, I also posted on the other BC thread and linked to this forum, because someone from the Norton community recommended I verify what I did with a staff member from Bleeping Computer.

 

I do appreciate your help, and immense support. At this point I am just waiting for verification from a Bleeping Computer staff member before I proceed with any more steps. Just a FYI in case you do see the other thread float up. 



#9 hamluis

hamluis

    Moderator


  • Moderator
  • 54,865 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:10:15 PM

Posted 19 January 2015 - 07:56 AM

Reference:  http://www.bleepingcomputer.com/forums/t/563683/dynamo-combo-malware-infection-originally-posted-in-wrong-forum-thread/ .

 

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

Louis





