
how can i delete this infected?


32 replies to this topic

#1 JRfromNY (Members, 70 posts)

Posted 09 February 2015 - 12:53 AM

It started a couple of days ago that I've been struggling with my computer. Before I begin, I'll explain my OS. I use Windows 7 Home Premium. Now to the topic at hand: I tried to download a program on my computer, which turns out has this virus. I use Microsoft Security Essentials and Mbam, but they couldn't find the virus. The only program that did find the virus was SuperAntiSpyware; however, the program failed to delete the virus. So I got desperate and used AdwCleaner. It seemed to have taken out the virus, but instead I couldn't have access to my browsers, yet I was still connected to the internet. Lucky for me, I followed instructions on this site that gave me step-by-step directions to gain control back of the browsers. Also, the instructions state that the virus would still be on the computer, and sure enough it's still here. So the instructor told the original person that had a similar problem to mine to use JRT, Rkill, and Mbam, all in that same order. When I looked for more detailed information, the post just stopped. I know the virus is still on my computer, so can you guys please help me? The virus is an adware called loadshop/variant, if that information helps in any way. Also I have the .txt of my results on JRT, Rkill and Mbam.

 

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Home Premium x64
Ran by JR on Sun 02/08/2015 at 20:30:34.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] 70e6ca8c
Successfully deleted: [Service] 70e6ca8c



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Toolbar.CT3279141
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Toolbar.CT3289847
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220322432244}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220422362228}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66666666-6666-6666-6666-660366436644}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66666666-6666-6666-6666-660466366628}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322432244}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{22222222-2222-2222-2222-220422362228}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{66666666-6666-6666-6666-660366436644}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{66666666-6666-6666-6666-660466366628}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3279141
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3289847
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{66666666-6666-6666-6666-660366436644}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{66666666-6666-6666-6666-660466366628}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366436644}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660466366628}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{46D09695-311D-43F2-801F-7F1D7B403CCE}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BD7501A-5166-4036-BB01-5FC63C68EFEB}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BD7501A-5166-4036-BB01-5FC63C68EFEB}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{8BD7501A-5166-4036-BB01-5FC63C68EFEB}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BD7501A-5166-4036-BB01-5FC63C68EFEB}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{8BD7501A-5166-4036-BB01-5FC63C68EFEB}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BD7501A-5166-4036-BB01-5FC63C68EFEB}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{8BD7501A-5166-4036-BB01-5FC63C68EFEB}



~~~ Files

Successfully deleted: [File] C:\Windows\Tasks\PC Optimizer Pro Idle.job
Successfully deleted: [File] C:\Windows\Tasks\PC Optimizer Pro Scan.job
Successfully deleted: [File] C:\Windows\Tasks\PC Optimizer Pro startups.job



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\fighters"
Successfully deleted: [Folder] "C:\Users\JR\AppData\Roaming\fighters"
Successfully deleted: [Folder] "C:\Users\JR\AppData\Roaming\strongvault"
Successfully deleted: [Folder] "C:\Users\JR\appdata\local\downloadterms"
Successfully deleted: [Folder] "C:\Users\JR\appdata\local\genienext"
Successfully deleted: [Folder] "C:\Program Files (x86)\bench"
Successfully deleted: [Folder] "C:\Program Files (x86)\fighters"
Successfully deleted: [Folder] "C:\Program Files (x86)\lesstabs"
Successfully deleted: [Folder] "C:\Program Files (x86)\mobogenie"
Successfully deleted: [Folder] "C:\Program Files (x86)\newplayer"
Successfully deleted: [Folder] "C:\Program Files (x86)\pcfixspeed"
Successfully deleted: [Folder] "C:\Program Files (x86)\pcpowerspeed"
Successfully deleted: [Folder] "C:\Program Files (x86)\system optimizer pro"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\buzzsocialpoints_dns"
Successfully deleted: [Folder] "C:\ai_recyclebin"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ FireFox

Successfully deleted the following from C:\Users\JR\AppData\Roaming\mozilla\firefox\profiles\nvhwjl7x.default\prefs.js

user_pref("extensions.XyP0f4nCJfQezPML.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"rja9rdw8rHrHrHgFrdC7rTw6qdn\")>-1||u
user_pref("extensions.XyP0f4nCJfQezPML.url", "hxxp://superve.org/sync2/?q=hfZ9ofV9CShEAen0qHs9tMqLDe49CNU0jHwMCMlNhd9FqjaFrTrGrTa6qjwMBzqUojw8rdsEpjaFrjs9rSh7hfs0pihPBMn0pdC9r
user_pref("extensions.dA9G9KjpVms02lYi.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"rja9rdw8rHrHrHgFrdC7rTw6qdn\")>-1||u
Emptied folder: C:\Users\JR\AppData\Roaming\mozilla\firefox\profiles\nvhwjl7x.default\minidumps [140 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 02/08/2015 at 20:33:24.38
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Rkill

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/08/2015 08:36:20 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\JR\AppData\LocalLow\Picasa\IE\PicasaUpdater.exe (PID: 3260) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * WMPNetworkSvc [Missing Service]

 * FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 02/08/2015 08:36:27 PM
Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)

 

 

Mbam

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/8/2015
Scan Time: 8:38:39 PM
Logfile: Mbam.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.08.09
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: JR

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 521241
Time Elapsed: 21 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 14
PUP.Optional.UniSales.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{63e17466-44d9-4e3f-b63f-7616293e03b2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{63E17466-44D9-4E3F-B63F-7616293E03B2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{63E17466-44D9-4E3F-B63F-7616293E03B2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\CLASSES\P63e17466_44d9_4e3f_b63f_7616293e03b2_.P63e17466_44d9_4e3f_b63f_7616293e03b2_, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\CLASSES\P63e17466_44d9_4e3f_b63f_7616293e03b2_.P63e17466_44d9_4e3f_b63f_7616293e03b2_.9, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\P63e17466_44d9_4e3f_b63f_7616293e03b2_.P63e17466_44d9_4e3f_b63f_7616293e03b2_, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\P63e17466_44d9_4e3f_b63f_7616293e03b2_.P63e17466_44d9_4e3f_b63f_7616293e03b2_.9, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\CLASSES\CLSID\{63E17466-44D9-4E3F-B63F-7616293E03B2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\CLASSES\CLSID\{63E17466-44D9-4E3F-B63F-7616293E03B2}\INPROCSERVER32, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKU\S-1-5-21-3481329785-2697435678-3545956436-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{63E17466-44D9-4E3F-B63F-7616293E03B2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKU\S-1-5-21-3481329785-2697435678-3545956436-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{63E17466-44D9-4E3F-B63F-7616293E03B2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{63E17466-44D9-4E3F-B63F-7616293E03B2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{63E17466-44D9-4E3F-B63F-7616293E03B2}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4CEE92A3-9F0C-51AB-ADC0-34EC24AD7B7E}, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.UniSales.A, C:\Program Files (x86)\unIsaleS, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],

Files: 5
PUP.Optional.UniSales.A, C:\Program Files (x86)\unIsaleS\rZzLkpJI1Ws3i8.dat, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, C:\Program Files (x86)\unIsaleS\rZzLkpJI1Ws3i8.dll, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, C:\Program Files (x86)\unIsaleS\rZzLkpJI1Ws3i8.x64.dll, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, C:\Program Files (x86)\unIsaleS\rZzLkpJI1Ws3i8.exe, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],
PUP.Optional.UniSales.A, C:\Program Files (x86)\unIsaleS\rZzLkpJI1Ws3i8.tlb, Quarantined, [67a2001cb0dadc5a9ac5127450b38878],

Physical Sectors: 0
(No malicious items detected)


(end)


#2 TheDcoder (Members, 175 posts)

Posted 09 February 2015 - 01:40 AM

Do you know the location of the virus's exe? Post a screenshot of your task manager here...



#3 JRfromNY (Topic Starter, 70 posts)

Posted 09 February 2015 - 09:47 AM

I don't know the exe of the virus. Also, when you asked me to post a screenshot of Task Manager, which tab did you want me to take the shot of?



#4 TheDcoder (Members, 175 posts)

Posted 09 February 2015 - 10:15 AM

I mean the initial tab which appears when opening the Task Manager.

 

Open command prompt as administrator & type this command: tasklist > c:\processes_list.txt

Paste the contents of C:\processes_list.txt HERE


Edited by TheDcoder, 09 February 2015 - 10:22 AM.


#5 JRfromNY (Topic Starter, 70 posts)

Posted 09 February 2015 - 10:50 AM

OK, I have done the prompt; here's the link to it: http://tny.cz/c93f7362

 

Also, here's the screenshot of my Task Manager: C:\Users\JR\Desktop\task.jpg



#6 TheDcoder (Members, 175 posts)

Posted 09 February 2015 - 11:43 AM

Bingo! Got it!! (IMO ccc.exe & smss.exe are the culprits)
 
Steps to remove the virus:
 
<removed>
Mod Edit by quietman7: Unsafe fix instructions removed per this warning by myrti.
 
And voilà! The virus has been removed :wink:
Hope it helps.
 
(If it's not fixed, after step 3, install WinPatrol and take a screenshot of the Startups tab [remember to take a full window screenshot].)
KrOz.png
(This is my WinPatrol)

#7 JRfromNY (Topic Starter, 70 posts)

Posted 09 February 2015 - 12:09 PM

My computer hasn't got fixed. I see in the prompt that the first part was terminated, but the second one has an error stating that "the process with PID 284 (child process of PID4) could not be terminated. Reason: This is a critical system process. Taskkill cannot end this process." Anyway, here's the screenshot: C:\Users\JR\Desktop\winstal.jpg



#8 TheDcoder (Members, 175 posts)

Posted 10 February 2015 - 12:28 AM

My computer hasn't got fixed. I see in the prompt that the first part was terminated, but the second one has an error stating that "the process with PID 284 (child process of PID4) could not be terminated. Reason: This is a critical system process. Taskkill cannot end this process." Anyway, here's the screenshot: C:\Users\JR\Desktop\winstal.jpg

Dude, please upload your image to imghost.us



#9 JRfromNY (Topic Starter, 70 posts)

Posted 10 February 2015 - 02:00 AM

Sorry, I didn't realize that it was working. Here's the link: http://feb.imghost.us/L4n2.jpg



#10 JRfromNY (Topic Starter, 70 posts)

Posted 10 February 2015 - 02:01 AM

Sorry, wrong image. HERE'S the link: http://feb.imghost.us/L4oZ.jpg



#11 TheDcoder (Members, 175 posts)

Posted 10 February 2015 - 03:14 AM

Can you post a screenshot of super anti-malware's malware scan result where the virus is mentioned? This will be the last screenshot you will be sending.



#12 JRfromNY (Topic Starter, 70 posts)

Posted 10 February 2015 - 03:31 AM

Here's the log:

http://feb.imghost.us/L6D7.jpg

I also want to note that so far, only my Firefox seems to still have the effects of the virus, but IE seems unaffected.



#13 TheDcoder (Members, 175 posts)

Posted 10 February 2015 - 03:50 AM

Install Unlocker and navigate to C > WINDOWS > SYSTEM32 > DRIVERS, then find a file named cmwr.sys, right-click on the file, select "Unlocker" and follow the steps in the image below :)

 

 

L6WO.png

 

Hope it helps :wink:


Edited by TheDcoder, 10 February 2015 - 03:55 AM.


#14 JRfromNY (Topic Starter, 70 posts)

Posted 10 February 2015 - 04:24 AM

For some strange reason, I could not find cmwr.sys. Also, I have run a scan with SuperAntiSpyware and it also indicated that, yet I'm still having some trouble with pop-ups on Firefox. I'm now starting to believe it's a different virus since, well, I actually haven't used my antivirus scanners since I asked for help. I'm thinking about scanning my computer with Mbam, but I don't know, only if you think it's a good idea.



#15 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 11 February 2015 - 04:44 AM

Hi,

 

Neither smss.exe nor ccc.exe is malicious; the first is part of the operating system, the second is the Catalyst Control Centre.

 

Could you give me a list of the Firefox plugins that are installed at the moment on your Firefox? Just to be sure I understand correctly: when you use IE you have no pop-ups at all?

 

regards

myrti


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
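When Firefox is the only browser still showing the symptoms, the prefs.js entries in the JRT log above are the place to look: an extensions.<random>.scode pref holding inline JavaScript next to a .url pref pointing at a remote loader. The example below is added here and is not from the thread or from any of the tools mentioned; it parses a prefs.js and flags such prefs. The sample file, the placeholder domain and the KNOWN_PREFIXES allowlist are my assumptions.

```python
"""Scan a Firefox prefs.js for injected extension preferences of the kind the
JRT log shows: an 'extensions.<random>.scode' pref carrying inline JavaScript
and a matching '.url' pref that names a remote loader."""
import re

# One user_pref("name", "value"); line. String values may contain escaped quotes (\").
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

# Markers that have no business inside a preference value.
SCRIPT_MARKERS = ("function(", "document.cookie", "location.href", "eval(")
# Firefox's own extensions.* prefs legitimately hold URLs; skip those (assumed allowlist).
KNOWN_PREFIXES = ("extensions.getAddons.", "extensions.update.", "extensions.blocklist.")
URL_SCHEMES = ("http://", "https://", "hxxp://", "hxxps://")


def unescape(value: str) -> str:
    """Undo the backslash escaping prefs.js applies inside string values."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} for every user_pref line in the file."""
    return {name: unescape(raw) for name, raw in PREF_RE.findall(text)}


def scan_prefs(text: str) -> list:
    """Return (pref_name, reason) for each suspicious extension preference."""
    findings = []
    for name, value in parse_prefs(text).items():
        if not name.startswith("extensions.") or name.startswith(KNOWN_PREFIXES):
            continue
        if any(marker in value for marker in SCRIPT_MARKERS):
            findings.append((name, "inline script in preference value"))
        elif value.startswith(URL_SCHEMES):
            findings.append((name, "remote loader URL in extension preference"))
    return findings


# Constructed sample modelled on the JRT entries; the domain is a placeholder.
SAMPLE_PREFS = r'''
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.update.url", "https://versioncheck.addons.mozilla.org/update/");
user_pref("extensions.XyP0f4nCJfQezPML.scode", "try{(function(){var url=(window.self.location.href + document.cookie);if(url.indexOf(\"abc\")>-1){}})()}catch(e){}");
user_pref("extensions.XyP0f4nCJfQezPML.url", "http://adware-placeholder.invalid/sync2/?q=placeholder");
user_pref("extensions.ui.lastCategory", "addons://list/extension");
user_pref("extensions.dA9G9KjpVms02lYi.scode", "try{(function(){var u=window.self.location.href;})()}catch(e){}");
'''

if __name__ == "__main__":
    for pref, reason in scan_prefs(SAMPLE_PREFS):
        print(f"{reason}: {pref}")
```

Run it against the real file (Firefox profile folder, prefs.js) with Firefox closed; any hit under a random-looking extension id is a candidate for removal, which is what JRT did in the log.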
