
'Message from webpage' popups. One says t.cttsrv.com/jstex.js


6 replies to this topic

#1 rblg


Posted 21 January 2015 - 03:02 PM

64-bit Win7 with Internet Explorer.

[Two screenshots attached: 2127pye.jpg, ipmv0j.jpg]

I'm posting this on behalf of a colleague's wife. My colleague said it only happens on our website, but I don't know of anyone else having this problem, and a web search says t.cttsrv.com is a virus.  He posted these screen shots of popups that come up when she tries to visit our site, but those scripts have nothing to do with our site. The same messages also popped up for scripts we do use, from google-analytics.com, googleapis.com, and viglink.com. He said she gets an unending barrage of popups, but I don't know what any of the others say.

I can't find anything on the web about "appch ok" messages, but all of the popups say that. Could this have something to do with appch.exe?

My colleague tried the following, but the problem persists:
 

Malwarebytes (paid version)
Spybot S&D (paid version)
AVG (paid version)
Advanced System Care 7 (paid version)
And I reset her system registry to what it was on 12-1-14

I also looked in the task manager and saw no sign of this cttsrv thingy...

 

Am I right that this is the t.cttsrv virus? It doesn't appear to be serving her any ads or redirecting her anywhere like the descriptions of the virus state, but that one popup still makes me think it might be. I also don't understand why a virus on the user end would only show up on one website, but nobody else has reported this, and plenty of people know how to contact us through other social networking sites if they have a problem on ours.

 

Any help would be greatly appreciated.




#2 boopme


Posted 21 January 2015 - 03:31 PM

Hi, let's look at these 2, one quick and one long.
 
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
    Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 rblg


Posted 24 January 2015 - 02:54 PM

Thank you for your reply, and sorry for my late response. I asked my colleague to follow your instructions and he said he would do it yesterday, but he's been busy and hasn't gotten around to it yet.



#4 boopme


Posted 25 January 2015 - 05:23 PM

I'll keep the topic open if you still need it.

#5 rblg


Posted 26 January 2015 - 12:01 AM

Yes, please. Thank you. My colleague followed the steps and said it cleaned out 32 trojans, but the original problem remains. He said he created an account here and was going to post the log, so I don't know why he hasn't done that yet. I'm going to write to him now.


Edited by rblg, 26 January 2015 - 12:04 AM.


#6 rbpr


Posted 26 January 2015 - 01:16 AM

Hi,

 

My apologies for taking so long to get to this, but at least I am here now. I followed the instructions given; here are the MiniToolBox results:

 

MiniToolBox by Farbar  Version: 30-11-2014
Ran by xxxx (administrator) on 24-01-2015 at 21:32:57
Running from "C:\Users\xxxx\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
 
There are 15476 more lines starting with "127.0.0.1"
 
========================= IP Configuration: ================================
 
Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC = Wireless Network Connection (Connected)
Realtek PCIe FE Family Controller = Local Area Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : xxxx-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
   Physical Address. . . . . . . . . : 70-F1-A1-56-98-E1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5422:d826:818:af6b%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, January 24, 2015 9:21:36 PM
   Lease Expires . . . . . . . . . . : Sunday, January 25, 2015 9:21:35 PM
   Default Gateway . . . . . . . . . : fe80::3246:9aff:fe8d:79a0%11
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 309391777
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-62-EC-41-00-26-6C-69-75-91
   DNS Servers . . . . . . . . . . . : 81.218.119.15
                                       199.203.35.75
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : 00-26-6C-69-75-91
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{74C1B59F-2EDD-4E39-83CE-D8C34E6A282F}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  81.218.119.15
 
Name:    google.com
Addresses:  2a00:1450:4017:803::200e
 212.179.180.121
 212.179.180.123
 212.179.180.95
 212.179.180.117
 212.179.180.80
 212.179.180.112
 212.179.180.113
 212.179.180.91
 212.179.180.110
 212.179.180.90
 212.179.180.84
 212.179.180.106
 212.179.180.88
 212.179.180.99
 212.179.180.101
 212.179.180.102
 
 
Pinging google.com [212.179.180.106] with 32 bytes of data:
Reply from 212.179.180.106: bytes=32 time=226ms TTL=52
Reply from 212.179.180.106: bytes=32 time=229ms TTL=52
 
Ping statistics for 212.179.180.106:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 226ms, Maximum = 229ms, Average = 227ms
Server:  UnKnown
Address:  81.218.119.15
 
Name:    yahoo.com
Addresses:  98.139.183.24
 206.190.36.45
 98.138.253.109
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=80ms TTL=50
Reply from 98.139.183.24: bytes=32 time=80ms TTL=50
 
Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 80ms, Average = 80ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...70 f1 a1 56 98 e1 ......Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
 10...00 26 6c 69 75 91 ......Realtek PCIe FE Family Controller
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    281
      192.168.1.5  255.255.255.255         On-link       192.168.1.5    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.5    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.5    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.5    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11   4121 ::/0                     fe80::3246:9aff:fe8d:79a0
  1    306 ::1/128                  On-link
 11    281 fe80::/64                On-link
 11    281 fe80::5422:d826:818:af6b/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 06 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 07 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 08 C:\windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (01/23/2015 09:10:12 PM) (Source: IMFservice) (User: )
Description: The handle is invalid
 
Error: (01/20/2015 08:54:07 PM) (Source: IMFservice) (User: )
Description: The handle is invalid
 
Error: (12/22/2014 11:00:25 AM) (Source: IMFservice) (User: )
Description: The handle is invalid
 
Error: (12/22/2014 11:00:24 AM) (Source: IMFservice) (User: )
Description: The handle is invalid
 
Error: (12/22/2014 00:35:02 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (12/22/2014 00:34:56 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (12/05/2014 09:20:19 AM) (Source: SDWinSec.exe) (User: )
Description: The service process could not connect to the service controller
 
Error: (11/26/2014 10:27:38 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (11/25/2014 06:07:48 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (11/23/2014 09:00:05 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
 
System errors:
=============
Error: (01/24/2015 09:28:58 PM) (Source: Service Control Manager) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: 
%%3
 
Error: (01/24/2015 09:25:52 PM) (Source: Service Control Manager) (User: )
Description: The TOSHIBA HDD SSD Alert Service service failed to start due to the following error: 
%%1053
 
Error: (01/24/2015 09:25:52 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the TOSHIBA HDD SSD Alert Service service to connect.
 
Error: (01/24/2015 09:25:52 PM) (Source: DCOM) (User: )
Description: 1053TOSHIBA HDD SSD Alert Service{A1CC28EB-258A-4B67-BBC2-4DD5D8AF4C8F}
 
Error: (01/24/2015 09:25:22 PM) (Source: Service Control Manager) (User: )
Description: The TPCH Service service failed to start due to the following error: 
%%1053
 
Error: (01/24/2015 09:25:22 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the TPCH Service service to connect.
 
Error: (01/24/2015 09:25:22 PM) (Source: DCOM) (User: )
Description: 1053TPCHSrv{45CC1698-D1CF-417B-BC32-80EB79E05EF1}
 
Error: (01/24/2015 09:24:14 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: 
%%1058
 
Error: (01/24/2015 09:24:14 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: 
%%1058
 
Error: (01/24/2015 09:23:11 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error: 
%%1053
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2014-11-08 14:03:17.939
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\AVG\AVG2015\avghooka.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-21 21:40:03.868
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-21 21:40:01.891
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-21 21:39:59.673
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-21 21:14:11.457
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-21 21:14:10.010
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-21 21:14:08.452
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.
 

and here is a copy of the eset scan:

 

C:\Users\All Users\Conduit\Multi\CT3315828\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application

C:\Users\All Users\IObit\ASCDownloader\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\ProgramData\Conduit\Multi\CT3315828\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
C:\ProgramData\IObit\ASCDownloader\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
C:\Users\Administrator\AppData\Local\Chromatic Browser\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Torch\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\xxxx\AppData\Local\Chromatic Browser\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\xxxx\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\xxxx\AppData\Local\CRE\jhbbmmgbnjalccamlaefhepnajfmgopb.crx a variant of Win32/Toolbar.Conduit.AA potentially unwanted application deleted - quarantined
C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhbbmmgbnjalccamlaefhepnajfmgopb\10.31.4.510_0\APISupport\APISupport.dll a variant of Win32/Conduit.SearchProtect.P potentially unwanted application deleted - quarantined
C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhbbmmgbnjalccamlaefhepnajfmgopb\10.31.4.510_0\nativeMessaging\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhbbmmgbnjalccamlaefhepnajfmgopb\10.31.4.510_0\plugins\ChromeApiPlugin.dll a variant of Win32/Conduit.SearchProtect.N potentially unwanted application deleted - quarantined
C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Users\epeljkeihiecalflnafebnjfjdpgkghg\cs.js Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Users\hggeaboocdhcneehejhmcgnneoncdfck\cs.js Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\Users\xxxx\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\xxxx\AppData\Local\NativeMessaging\CT3315828\1_0_0_10\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\Users\xxxx\AppData\Local\NativeMessaging\CT3315828\1_0_0_4\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\Users\xxxx\AppData\Local\NativeMessaging\CT3315828\1_0_2_0\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\Users\xxxx\AppData\Local\Torch\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\xxxx\Downloads\asc-setup.exe Win32/Toolbar.Widgi potentially unwanted application deleted - quarantined
C:\Users\Guest\AppData\Local\Chromatic Browser\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Guest\AppData\Local\Torch\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\HomeGroupUser$\AppData\Local\Torch\User Data\Default\Extensions\giipchklemnmkgigmeincpgichkgdjck\5.2\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined

Sadly despite finding 34 Trojans and removing 32 of them the computer my wife uses is still unable to go to her message board when using IE as described in the first post on this topic. Hopefully someone here has some other ideas on how to proceed and resolve this problem...
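As an added example (not part of this thread or of ESET's tooling): a small triage script for an ESET Online Scanner export in the plain-text format quoted above. It groups hits by detection name, shows which user profiles and Chromium-based browsers a given extension id was planted in, and lists hits ESET reported without acting on, while recognising that a path under C:\Users\All Users is the junction view of the same file under C:\ProgramData. The sample lines are constructed from the format above (user name "xxxx" as in the post; the last line and its detection name are invented to exercise the unresolved branch).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the ESET export format quoted in the post:
# <path> [a variant of ]<detection name> <category>[ <action>]
# The final line is a made-up detection, added only to show an unresolved hit.
SAMPLE_EXPORT = """\
C:\\Users\\All Users\\Conduit\\Multi\\CT3315828\\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application
C:\\Users\\All Users\\IObit\\ASCDownloader\\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\\ProgramData\\Conduit\\Multi\\CT3315828\\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
C:\\ProgramData\\IObit\\ASCDownloader\\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
C:\\Users\\xxxx\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\giipchklemnmkgigmeincpgichkgdjck\\5.2\\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\\Users\\xxxx\\AppData\\Local\\Torch\\User Data\\Default\\Extensions\\giipchklemnmkgigmeincpgichkgdjck\\5.2\\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\\Users\\Guest\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\giipchklemnmkgigmeincpgichkgdjck\\5.2\\CjSRr.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\\Users\\xxxx\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Users\\epeljkeihiecalflnafebnjfjdpgkghg\\cs.js Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\\Users\\xxxx\\Downloads\\asc-setup.exe Win32/Toolbar.Widgi potentially unwanted application deleted - quarantined
C:\\Users\\xxxx\\Downloads\\sample-unhandled.exe Win32/Constructed.Example trojan
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?\.\w+) "                     # path ends at the file extension
    r"(?:a variant of )?(?P<name>\S+) "         # ESET detection name
    r"(?P<category>potentially unwanted application|trojan)"
    r"(?: (?P<action>.+))?$"                    # no action text = nothing was done
)
EXT_ID_RE = re.compile(r"\\([a-p]{32})(?:\\|$)")   # Chromium extension ids: 32 chars, a-p
USER_RE = re.compile(r"^C:\\Users\\([^\\]+)\\", re.IGNORECASE)
BROWSER_RE = re.compile(r"\\AppData\\Local\\(.+?)\\User Data\\", re.IGNORECASE)
ALL_USERS = "c:\\users\\all users\\"   # junction to C:\ProgramData on Vista and later


def parse_export(text):
    """Parse export lines into dicts; lines that do not fit the format are returned separately."""
    entries, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry["action"] = entry["action"] or ""
        entries.append(entry)
    return entries, unparsed


def detection_counts(entries):
    """How many hits per ESET detection name."""
    return Counter(e["name"] for e in entries)


def unresolved(entries):
    """Hits ESET did not act on, minus those that are only the C:\\Users\\All Users
    junction view of a C:\\ProgramData file that it did quarantine."""
    handled = {e["path"].lower() for e in entries if e["action"]}
    leftover = []
    for e in entries:
        if e["action"]:
            continue
        p = e["path"].lower()
        if p.startswith(ALL_USERS) and ("c:\\programdata\\" + p[len(ALL_USERS):]) in handled:
            continue   # same file, already quarantined via its real path
        leftover.append(e["path"])
    return leftover


def extension_spread(entries):
    """Map each extension id to the (user, browser) profiles it was found in."""
    spread = defaultdict(set)
    for e in entries:
        m = EXT_ID_RE.search(e["path"])
        if not m:
            continue
        user = USER_RE.match(e["path"])
        browser = BROWSER_RE.search(e["path"])
        spread[m.group(1)].add((user.group(1) if user else "?",
                                browser.group(1) if browser else "?"))
    return {ext: sorted(profiles) for ext, profiles in spread.items()}


if __name__ == "__main__":
    found, bad = parse_export(SAMPLE_EXPORT)
    print("detections:", dict(detection_counts(found)))
    print("unresolved:", unresolved(found))
    for ext, profiles in extension_spread(found).items():
        print(ext, "->", profiles)
    if bad:
        print("unparsed lines:", bad)
```

A single extension id appearing across every user profile and every Chromium-based browser, as in the export above, points at a planted extension directory rather than something one user installed, which is worth checking in the new-topic logs the moderator asks for.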



#7 boopme


Posted 26 January 2015 - 11:08 AM

Ok, these infections have deep roots. To get these we need a new topic. Use the same title and include this link back to here:

http://www.bleepingcomputer.com/forums/t/563970/message-from-webpage-popups-one-says-tcttsrvcomjstexjs/#entry3607373

We need to get a deeper look. Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.



