Could someone help me through the steps to remove the adulttube.info virus?


This topic is locked
55 replies to this topic

#1 BrokenObelisk
  • Members
  • 28 posts

Posted 14 March 2015 - 06:59 AM

Hi,

 

Three weeks ago, I followed a Bleeping Computer forum post to delete the adultcameras.info virus. Thereafter, I reset my computer, and bang, today, I found adulttube.info on my laptop. I am at my wit's end trying to get rid of it. A Full Scan of Microsoft Security Essentials seems like it will go on forever, and I am not hoping to nail this virus with it.

 

I will truly appreciate it if someone would help me get rid of this thing once and for all.

 

Many thanks.





#2 pystryker
  • Malware Response Team
  • 730 posts

Posted 14 March 2015 - 11:40 AM

Hello and welcome to Bleeping Computer! My nickname is Pystryker :) , and I will be helping you with your issue today.


Before we get started, I have a few things I need to go over with you
  • If you are receiving help for this issue at another forum, please let me know so I can close this thread.
  • Please download to and run all requested tools from your Desktop.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly". This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexpected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.
  • Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future.
  • Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)
Now, let's get started, shall we? :thumbsup:


Hello, let's get a look at your system and see what's going on. :)


Step 1: Scan with Farbar's Recovery Scan Tool (FRST)

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that is the right version.
  • Right click to run as administrator (XP users: click Run after the Windows Security Warning - Open File prompt). When the tool opens, click Yes to the disclaimer.
  • Place a check in the box marked Addition.txt.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt, also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with FRST.txt into your reply.
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

FRST Log

Addition.txt Log

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.





#3 BrokenObelisk
  • Topic Starter
  • Members
  • 28 posts

Posted 14 March 2015 - 10:06 PM

Hello Pystryker,

 

Thank you for your prompt reply.

 

I tried pasting the FRST log in a separate post here, but it said that the post was too long.

 

So, I am sending both files to my Google Drive and sharing them with you, if that is okay with you.

 

FRST Log: https://drive.google.com/file/d/0BwuUuvAdAm3TSWI0ZDFuTXRsLUU/view?usp=sharing

 

Addition.txt Log: https://drive.google.com/file/d/0BwuUuvAdAm3TalFlN3FmdGNSUFU/view?usp=sharing



#4 pystryker
  • Malware Response Team
  • 730 posts

Posted 14 March 2015 - 10:44 PM

No worries, we'll work with the FRST logs like this. Subsequent logs will be shorter and will post. :thumbup2:


Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Step 1: Warnings


Multiple Anti-Virus Programs Installed

Your log indicates you have 2 or more anti-virus programs installed on your machine. They are Norton Internet Security and Microsoft Security Essentials.
  • Research shows that having multiple anti-virus programs installed is not a good idea. This is a case of more is not better. They will often conflict with each other, produce false positives, and cause additional problems.
  • We need to remove one or more of these from your system. I recommend removing Norton, as MSE is so tied into Windows these days.
The Dangers of P2P Programs

I noticed that you have a P2P file sharing program on your computer. I cannot stress highly enough the danger in using these types of programs. P2P programs are one of the major avenues of infection these days. The files downloaded with these programs are more likely than not infected with trojans, malware, rootkits, etc.

You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.

There are also new infections out there such as CryptoWall 3.0 and CryptoLocker. When infected with these, all of your personal files on any drive connected to your computer will be affected. These infections copy all your files, encrypt them, and then delete the originals, leaving you with the encrypted copies. These types of infections also remove any shadow copies as well. You are then presented with a screen telling you that you have a certain amount of time to pay the ransom for the decryption code to decrypt your files. Even if you pay the ransom, their decryption process usually results in corrupt and unusable files.

There is nothing we can do to decrypt the files, as they use very sophisticated encryption techniques. Please consider this when using P2P programs. Malware and ransomware writers use P2P to spread their infections.


Here are some information sources about the dangers of P2P programs:

FBI - Peer to Peer Scams

USA Today Article on P2P Programs

File Sharing Infects 500,000 Computers

I very much recommend you uninstall this program from your machine. If not, I can guarantee you will be back needing help with your machine again. The risks of infections from content downloaded with P2P programs far outweigh any benefit of using them.

It is, of course, your choice as to whether or not you remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.



Step 2: Fix with FRST


Note: Before performing this step, please move FRST64.exe from C:\Users\Hippo\Desktop\FRST to your Desktop, or the fix will not work.
  • Open Notepad (Start => All Programs => Accessories => Notepad). Copy the entire contents of the code box below (to do this, highlight the contents of the box, right click on it and select Copy).
  • Right-click in the open Notepad window and select Paste.
  • Save it on the desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\...\Run: [EpicScale] => [X]
HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\...\MountPoints2: {6be6dbe8-c4df-11e4-980f-68b599e1c815} - F:\Startme.exe
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-4253893635-3017890488-1047496380-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
Toolbar: HKU\S-1-5-21-4253893635-3017890488-1047496380-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
cmd: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt); please post it in your next reply.


Step 3: Junkware Removal Tool


Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 4: AdwCleaner


Download AdwCleaner by clicking here. Please save it to your Desktop.
  • Double click the adwcleaner.exe file (Vista and 7 users: right click it and click Run as Administrator) and accept the UAC prompt to run AdwCleaner.
  • Close any open windows or browsers.
  • Pause your Anti-Virus program if it is running.
  • Once it starts, click on the Scan button.
  • Let the scan complete itself. This may take a few minutes.
  • Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove." Don't worry about unchecking anything; just click the Cleaning button. When finished, it will ask to reboot. Please reboot.
  • When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
    • Click the Report button and the log will open. Copy and paste the contents of the log file into your next reply.
    • This report is also saved at C:\AdwCleaner[R0].txt
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log

Junkware Removal Tool Log

AdwCleaner Log

How is the computer running?

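The fixlist in this post edits three persistence locations: the Run keys (the 64-bit machine view, the 32-bit Wow6432Node view that FRST writes as HKLM-x32, and the user's own hive), Internet Explorer SearchScopes (where the redirected search URL lived), and an Explorer MountPoints2 entry that had cached an autorun command from a removable drive. The script below is an added example, not part of the thread and not part of FRST: it is a read-only audit that lists what currently sits in those same locations so a reader can review them before anything is removed. The function names (Get-UserSids, Get-RunEntries, Get-SearchScopes, Get-MountPointAutoruns) and the list of search-engine hosts treated as expected are assumptions chosen for illustration.

```powershell
# Added example, not from the thread or from FRST: read-only audit of the
# persistence locations the fixlist above edits. Run from an elevated
# PowerShell prompt (Windows 7 / PowerShell 2.0 is enough). It changes nothing.

# Assumption: search hosts treated as expected; anything else is flagged for review.
$KnownSearchHosts = @('www.bing.com', 'www.google.com', 'search.yahoo.com')

function Get-UserSids {
    # Loaded user hives under HKEY_USERS (S-1-5-21-...), skipping the *_Classes hives.
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $_.PSChildName }
}

function Get-RunEntries {
    # Run keys: 64-bit view, 32-bit view (Wow6432Node, "HKLM-x32" in FRST), each user hive.
    $paths = @(
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($sid in Get-UserSids) {
        $paths += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    }
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $values = Get-ItemProperty -Path $p
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            # "(default)" is the unnamed value that the fixlist line
            # "HKLM-x32\...\Run: [] => [X]" removed; legitimate installers do not use it.
            $flag = ''
            if ($prop.Name -eq '(default)') { $flag = 'unnamed Run value' }
            elseif ($cmd -notmatch '^"?[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
                $flag = 'runs from outside Program Files/Windows'
            }
            New-Object PSObject -Property @{ Location = $p; Name = $prop.Name; Detail = $cmd; Flag = $flag }
        }
    }
}

function Get-SearchScopes {
    # IE SearchScopes: one subkey per search provider; the URL value is the query template.
    $roots = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
    )
    foreach ($sid in Get-UserSids) {
        $roots += "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
    }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($scope in Get-ChildItem $root) {
            $url = (Get-ItemProperty -Path $scope.PSPath).URL
            if (-not $url) { continue }
            $uri = $url -as [Uri]                       # tolerate {searchTerms} placeholders
            $uriHost = if ($uri) { $uri.Host } else { '' }
            $flag = ''
            if ($KnownSearchHosts -notcontains $uriHost) { $flag = 'search provider not in known list' }
            New-Object PSObject -Property @{ Location = $scope.Name; Name = $uriHost; Detail = $url; Flag = $flag }
        }
    }
}

function Get-MountPointAutoruns {
    # MountPoints2 caches per-volume shell settings; a shell\AutoRun\command subkey is
    # what the fixlist line "MountPoints2: {guid} - F:\Startme.exe" referred to.
    foreach ($sid in Get-UserSids) {
        $root = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
        if (-not (Test-Path $root)) { continue }
        foreach ($mp in Get-ChildItem $root) {
            $cmdKey = "$($mp.PSPath)\shell\AutoRun\command"
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = [string](Get-ItemProperty -Path $cmdKey).'(default)'
            New-Object PSObject -Property @{ Location = $mp.Name; Name = 'AutoRun'; Detail = $cmd; Flag = 'cached autorun command from removable media' }
        }
    }
}

# Report only the entries worth a second look; drop the Where-Object to see everything.
$findings = @(Get-RunEntries) + @(Get-SearchScopes) + @(Get-MountPointAutoruns)
$findings | Where-Object { $_.Flag } | Format-Table Flag, Name, Detail, Location -AutoSize -Wrap
```

The flags are heuristics, not verdicts: a legitimate program installed under the user profile will be flagged as "outside Program Files/Windows", and a regional search engine will be flagged until it is added to the known list. The point is that these three locations are the ones a browser hijacker like the one in this thread touches, and they are cheap to review by hand before handing a fixlist to a removal tool.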





#5 BrokenObelisk
  • Topic Starter
  • Members
  • 28 posts

Posted 15 March 2015 - 02:18 AM

I uninstalled Norton Anti-Virus. It actually came with the machine but I had not activated it during the reset. However, I uninstalled it completely through the Control Panel.

 

Thanks to your word of caution, I uninstalled the P2P client too. I'll be fine without a few books, I guess :)

 

While following the steps you had outlined, I noticed two things:

 

1. The Junkware Removal Tool did not run with the 'real-time protection' of Microsoft Security Essentials turned off, like you had instructed. It did work once I turned on the feature.

 

2. After using the FRST to fix with the fixlist you had sent, Mozilla Firefox coughed up a dialog box asking me to allow access through Windows Firewall. I had done this once with another program before and was rewarded with a virus. So, I quickly hit the 'Cancel' button. Is it okay to 'allow access' to trusted programs like Mozilla Firefox?

 

Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Hippo at 2015-03-15 12:13:03 Run:1
Running from C:\Users\Hippo\Desktop
Loaded Profiles: Hippo (Available profiles: Hippo)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
    Start
    CreateRestorePoint:
    CloseProcesses:
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\...\Run: [EpicScale] => [X]
    HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\...\MountPoints2: {6be6dbe8-c4df-11e4-980f-68b599e1c815} - F:\Startme.exe
    SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    SearchScopes: HKU\S-1-5-21-4253893635-3017890488-1047496380-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    Toolbar: HKU\S-1-5-21-4253893635-3017890488-1047496380-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    cmd: bitsadmin /reset /allusers
    CMD: netsh advfirewall reset
    CMD: netsh advfirewall set allprofiles state on
    CMD: ipconfig /flushdns
    Emptytemp:
    Hosts:
    End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\Software\Microsoft\Windows\CurrentVersion\Run\\EpicScale => value deleted successfully.
"HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6be6dbe8-c4df-11e4-980f-68b599e1c815}" => Key deleted successfully.
HKCR\CLSID\{6be6dbe8-c4df-11e4-980f-68b599e1c815} => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
"HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
HKU\S-1-5-21-4253893635-3017890488-1047496380-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.

=========  bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{B34E1467-CF85-4C86-B233-4C3781D0A424} canceled.
{6C1546BE-246A-4DE1-9C24-2563D0BF1590} canceled.
2 out of 2 jobs canceled.

========= End of CMD: =========


=========  netsh advfirewall reset =========

Ok.


========= End of CMD: =========


=========  netsh advfirewall set allprofiles state on =========

Ok.


========= End of CMD: =========


=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 594.5 MB temporary data.


The system needed a reboot.

==== End of Fixlog 12:15:37 ====

 

Junkware Removal Tool Log

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.3 (03.01.2015:1)
OS: Windows 7 Home Premium x64
Ran by Hippo on 15-03-2015 at 12:21:32.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Hippo\AppData\Roaming\mozilla\firefox\profiles\x6pn0ypw.default\prefs.js

user_pref("browser.newtabpage.pinned", "[{\"url\":\"hxxps://mail.google.com/mail/u/0/#inbox\",\"frecency\":200,\"lastVisitDate\":1425550871205000,\"type\":\"history\",\"title\



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15-03-2015 at 12:24:50.35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

AdwCleaner Log

 

# AdwCleaner v4.112 - Logfile created 14/03/2015 at 13:18:35
# Updated 09/03/2015 by Xplode
# Database : 2015-03-05.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Hippo - HIPPOPOTAMUS
# Running from : C:\Users\Hippo\Downloads\adwcleaner_4.112.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\epicscale

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Mozilla Firefox v36.0.1 (x86 en-US)


*************************

AdwCleaner[R0].txt - [2255 bytes] - [14/03/2015 13:16:26]
AdwCleaner[S0].txt - [1839 bytes] - [14/03/2015 13:18:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1898  bytes] ##########

# AdwCleaner v4.112 - Logfile created 15/03/2015 at 12:30:08
# Updated 09/03/2015 by Xplode
# Database : 2015-03-05.1 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Hippo - HIPPOPOTAMUS
# Running from : C:\Users\Hippo\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\epicscale

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Mozilla Firefox v36.0.1 (x86 en-US)


*************************

AdwCleaner[R0].txt - [3783 bytes] - [14/03/2015 13:16:26]
AdwCleaner[S0].txt - [3400 bytes] - [14/03/2015 13:18:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3459  bytes] ##########

 

I didn't do much on my computer after these steps. But it looks okay.

 

And yes, I forgot to tell you this. After I posted this question on the forum and before I got your reply, I restored my computer to an earlier date using System Restore. Since then, the adulttube.info websites have stopped popping up and the speeds seem good. Do you think that was a good move?


Edited by BrokenObelisk, 15 March 2015 - 06:21 AM.


#6 pystryker
  • Malware Response Team
  • 730 posts

Posted 15 March 2015 - 08:02 AM

    I uninstalled Norton Anti-Virus. It actually came with the machine but I had not activated it during the reset. However, I uninstalled it completely through the Control Panel.

    Thanks to your word of caution, I uninstalled the P2P client too. I'll be fine without a few books, I guess :)

:thumbup2:

    The Junkware Removal Tool did not run with the 'real-time protection' of Microsoft Security Essentials turned off, like you had instructed. It did work once I turned on the feature.

Interesting, but it did run to completion successfully. I'll mention that to the author of the program, as that's the first time I've seen that happen.

    After using the FRST to fix with the fixlist you had sent, Mozilla Firefox coughed up a dialog box asking me to allow access through Windows Firewall. I had done this once with another program before and was rewarded with a virus. So, I quickly hit the 'Cancel' button. Is it okay to 'allow access' to trusted programs like Mozilla Firefox?

This occurred due to one of the commands in the fixlist I gave you. One of them reset the firewall permissions to remove any access that any malware programs on your machine had through the firewall. It's ok to give programs you recognize access through the firewall when those dialog boxes pop up. :)

    I didn't do much on my computer after these steps. But it looks okay.

    And yes, I forgot to tell you this. After I posted this question on the forum and before I got your reply, I restored my computer to an earlier date using System Restore. Since then, the adulttube.info websites have stopped popping up and the speeds seem good. Do you think that was a good move?

Good, we've still got a few steps to go to ensure complete cleaning. As for using System Restore, it seems that the restore point you chose was made before the malware infestation, and that's why it stopped. We'll also remove your old restore points once the machine is completely clear of malware, as Windows has no problem backing up malicious programs along with everything else during creation of a restore point.

Let's continue the cleaning. :)



Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Step 1: Scan with Malwarebytes


Please download Malwarebytes Anti-Malware to your desktop.
Install the programme and select Update.
Once it has updated, select Settings > Detection and Protection.
Tick Scan for rootkits.

Go back to the Dashboard and select Scan Now.

If threats are detected, click the Apply Actions button; MBAM will ask for a reboot.

On completion of the scan (or after the reboot), start MBAM.

Click History, then Application Logs, then check the Select box by the first Scan Log in the list.

Click View, then click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.



Step 2: Scan with ESET Online Scanner


Please note: You can use Internet Explorer or Firefox for this step. Either browser will have to be run in admin mode.

Right click on either the Internet Explorer icon or the Firefox icon in the Start Menu or Quick Launch Bar on the Task bar and select Run as Administrator from the menu.

If you use Firefox, you will be prompted to download esetsmartinstaller_enu.exe. Please do so, then double click it to install it.

Please click on this link and then click the ESET Online Scanner bar.
  • Select the option YES, I accept the Terms of Use then click on Start
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • Now click on Finish
  • Use Notepad to open the logfile located at C:\Program Files(x86)\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Step 3: SecurityCheck Scan


Download SecurityCheck by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Things I need to see in your next post:

Please post each one of these logs as a separate reply in this thread.
  • ESET Scan Log
  • MBAM Log
  • SecurityCheck Log

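pystryker's explanation above of why Firefox had to ask again (the netsh advfirewall reset in the fixlist dropped every firewall exception, including any a malicious program had granted itself) suggests a gentler check a reader can do before resetting anything: list the enabled inbound allow rules that are tied to a program and look at where those programs live. The script below is an added example, not part of the thread; it reads the rules through the Windows Firewall COM interface (HNetCfg.FwPolicy2, present on Windows 7) and changes nothing. The function name Get-ProgramAllowRules and the "known good" directory test are assumptions for illustration.

```powershell
# Added example, not from the thread: list enabled inbound "allow" firewall rules
# bound to a program, flagging programs that no longer exist on disk or that live
# outside Program Files/Windows. Read-only; run from an elevated PowerShell prompt.

function Get-ProgramAllowRules {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $NET_FW_RULE_DIR_IN  = 1   # INetFwRule.Direction
    $NET_FW_ACTION_ALLOW = 1   # INetFwRule.Action
    foreach ($rule in $policy.Rules) {
        if (-not $rule.Enabled) { continue }
        if ($rule.Direction -ne $NET_FW_RULE_DIR_IN -or $rule.Action -ne $NET_FW_ACTION_ALLOW) { continue }
        # Port/service-only rules have no program; Windows uses "System" for kernel-mode rules.
        if (-not $rule.ApplicationName -or $rule.ApplicationName -eq 'System') { continue }
        # Rules frequently store %ProgramFiles%-style paths; expand before testing.
        $exe = [Environment]::ExpandEnvironmentVariables($rule.ApplicationName)
        $flag = ''
        if (-not (Test-Path -LiteralPath $exe)) {
            $flag = 'program no longer exists (stale exception)'
        } elseif ($exe -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
            $flag = 'program outside Program Files/Windows'
        }
        New-Object PSObject -Property @{
            Rule     = $rule.Name
            Profiles = $rule.Profiles   # bitmask: 1 domain, 2 private, 4 public, 0x7FFFFFFF all
            Program  = $exe
            Flag     = $flag
        }
    }
}

Get-ProgramAllowRules | Sort-Object Flag -Descending | Format-Table Flag, Program, Rule -AutoSize -Wrap
```

A rule whose program has vanished is exactly the kind of leftover a cleanup removes; a rule for a program running from a temp or profile folder is worth identifying before deciding whether it belongs. Reviewing the list first also tells you which legitimate prompts (such as the Firefox one in this thread) to expect after a reset.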





#7 BrokenObelisk
  • Topic Starter
  • Members
  • 28 posts

Posted 15 March 2015 - 10:33 PM

Hi,

 

Ever since I installed Malwarebytes, there has been this pesky pop-up bobbing up and down on my desktop. I have included the link to the screenshot below:

 

https://drive.google.com/file/d/0BwuUuvAdAm3TQUlWN3ZPVTBEa1U/view?usp=sharing

 

What does it mean and how do we deal with it?

 

Otherwise, the scans went well. Here are the results:

 

MBAM Log

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 15-03-2015
Scan Time: 20:49:54
Logfile: MBAM.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.03.15.03
Rootkit Database: v2015.02.25.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Hippo

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 346219
Time Elapsed: 32 min, 48 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.EpicScale, HKU\S-1-5-21-4253893635-3017890488-1047496380-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\EpicScale, Quarantined, [268311112c5e8aac2d69c6e48b782dd3],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

ESET Scan Log

 

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=0c1e9c211831114da2823e3192a3298e
# engine=22917
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-03-15 05:51:38
# local_time=2015-03-15 11:21:38 (+0530, India Standard Time)
# country="India"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 900711 49443892 0 0
# scanned=298994
# found=12
# cleaned=12
# scan_time=5691
sh=07F522959E84A70EA884D86042AEE5547A66572C ft=1 fh=3ae957c4bdf414ee vn="Win32/EpicScale.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\18508.dat.vir"
sh=8A5F1CC86732C17366A75588AC8F3767F43C98B5 ft=1 fh=269a24a63e413b2e vn="a variant of Win32/EpicScale.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\32834.dat.vir"
sh=82DE2C7A65E0A9AAF12222869FB06E4B789F2576 ft=1 fh=bcf5c6447dcd0a96 vn="Win32/EpicScale.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\EpicScale.exe.vir"
sh=87D46632B4AA4B4C7467BEDE9E1F8AD9CC3DA3C0 ft=1 fh=a63ca3166f78e091 vn="a variant of Win32/EpicScale.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\0\7z.dll.vir"
sh=2B02FB4445720FB26D326CE54A9C084702758A3D ft=1 fh=274469f0530969af vn="a variant of Win32/EpicScale.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\0\Client7z.dat.vir"
sh=BC99E4B3AC26B8877D7621E08EF479F89B3C7D06 ft=1 fh=438b9a0ae509fde4 vn="a variant of Win32/EpicScale.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\0\EpicScale.dat.vir"
sh=1DD40F0205A5F86A0BC66A067E8A200DDEAF50AF ft=1 fh=7219bb632d3ec5b4 vn="a variant of Win32/EpicScale.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\0\EpicScale.exe.vir"
sh=09B9886A9DF0D9E8F0F2ACC796B46DD0CF2B641E ft=1 fh=e0159fa055d3af24 vn="a variant of Win32/EpicScale.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\0\EpicScalePL.exe.vir"
sh=8A5F1CC86732C17366A75588AC8F3767F43C98B5 ft=1 fh=269a24a63e413b2e vn="a variant of Win32/EpicScale.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\0\Nova.dat.vir"
sh=42DB7D5C71C2E1FE260CF5B763640C34DE8988CF ft=1 fh=267878d2ebeee6b9 vn="a variant of Win32/EpicScale.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\epicscale\0\Probe.dll.vir"
sh=49FA7D2F6CEC47520875146110837D3A0626F123 ft=1 fh=04f77c9c176e3eaa vn="a variant of Win64/NetFilter.A potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Program Files\NetWorx\nfapi.dll"
sh=E1206E0C021B457BED363AC76B587278821673EE ft=1 fh=5054509104aed088 vn="a variant of Win32/NetFilter.A potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Hippo\Downloads\networx_setup.exe"
 

SecurityCheck Log

Results of screen317's Security Check version 0.99.98  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
Norton Internet Security        
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 22  
 Java version 32-bit out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
  Java 64-bit 8 Update 31  
 Adobe Flash Player 16.0.0.305  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (36.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 10%
````````````````````End of Log``````````````````````

 

 



#8 pystryker (Malware Response Team, 730 posts)

Posted 16 March 2015 - 06:49 AM

Hi,

The moment I installed Malwarebytes, there has been this pesky pop-up bobbing up and down on my desktop. I have included the link to the screenshot below:

That's actually MBAM doing its job. :) The website that your computer was attempting to navigate to is considered a malicious site and that's why you got the window. It was blocking access to it. According to the IP, that address is to a site in the Russian Federation. If that is a legitimate site that you meant to go to, you can always press the Exclude Website button and it will not come up again when you attempt to navigate to it.

If you didn't attempt to navigate to it, please let me know and we'll take another look to make sure everything is ok. :)

Now for some good news, your logs are Clean! :thumbup2:

Let's remove my tools and update some programs. I also have some information to help protect you in the future. :)


Step 1: Tool Removal with Delfix and Creation of a clean restore point
  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Create registry backup
    • Purge system restore
  • Click Run
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can uninstall ESET Online Scanner at this time.

I recommend keeping Malwarebytes Anti-Malware installed. Make sure to update it and run it at least once a week. If it finds things such as PUP's (Potentially Unwanted Programs) you can delete those with no worries. However, if it finds something like a trojan, come see us.


Step 2: Program Updates


A word about Java

Java has become the #1 program exploited by thieves and hackers as of today. It's gotten so bad, the Department of Homeland Security recently recommended that users disable Java on their machines.

For more information regarding this, see the two articles below:

Forbes: US Department of Homeland Security Calls on users to disable Java

US warns on Java software

Unless you have software on your machine that absolutely requires Java, I highly recommend you completely remove it from your system.

If you do have software that requires it, then disable it until such time as it's needed by those programs.

Please click the link below for instructions to disable Java.

How to Disable Java in your Web Browser


If you wish to continue to use Java on your machine, please be sure to keep it updated by following the instructions below.
  • Click on this link Java Website and click Do I Have Java?
  • Then click the Verify Java Version button. It will scan your current version and show you if you have the most current version.
You can find instructions for manually removing older versions for Windows XP, Vista, and 7 by clicking the link below:

Instructions for manually removing old versions of Java




Update Adobe Flash Player
  • Your current version of Adobe Flash is out of date. Please update it by clicking the link below.
  • Also, make sure you Uncheck the box to install the McAfee Security Scan Plus software.
http://get.adobe.com/flashplayer/


Updating Adobe Reader
  • Malware will exploit any vulnerabilities it can find in outdated software. If you are using Adobe Reader for reading pdf files, try using FoxIt Reader. It is a very capable alternative to Adobe.
  • Please click here to download FoxIt Reader.
  • If you wish to continue to use Adobe Reader, then please update it by clicking here.
  • Please remember to uncheck the option to install McAfee's Security Suite.


Step 3: Tips, Information, and Optional Installation of Unchecky
  • Watch what you open in your emails. If you get an email from an unknown source with any attached files, do not open it.
  • Install and keep only one anti-virus on your machine. Update it and scan your machine with it at least once a week.
  • Be careful of the websites you visit.
  • When installing new programs, don't be "click happy" and click through the screens. Many programs come with adware in them and are set to install them by default. Several programs require that you uncheck or select no to prevent the installation. Take your time and read each screen as you go. :)
To help protect yourself while on the web, I recommend you read How did I get infected in the first place?


Installation of Unchecky

This is a very good little program that will automatically uncheck any boxes during a software installation. This helps prevent the software from installing any malware that is by default checked while the program is being installed.

Click here to be taken to Unchecky.com

Click the very large Download button.

Click Save

Once downloaded, double click the program (Vista, Win 7, and 8, right click and Run as Administrator)

Once open, click the Install button.


Then click Finish


Unchecky is now installed and will help you keep unwanted check boxes unchecked. :thumb2up:


Things I need to see in your next post:

Delfix Log

Edited by pystryker, 16 March 2015 - 06:50 AM.

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.





#9 BrokenObelisk (Topic Starter, Members, 28 posts)

Posted 16 March 2015 - 08:13 AM

The Russian Federation thingy you referred to is actually the thorn in my (laptop's) flesh. I have no affiliation with any Russian web sites or products. Ever since adultcameras.info was dropped on my PC, and the subsequent malware which we are dealing with now, all randomly connected my browser to some xxxxxxx.ru server, opening pages, most of them dirty, with Russian content. And, it is still out there.

I'm glad to hear that my logs are okay otherwise :)

Delfix log


# DelFix v10.9 - Logfile created 16/03/2015 at 17:26:46
# Updated 27/02/2015 by Xplode
# Username : Hippo - HIPPOPOTAMUS
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Hippo\Desktop\AdwCleaner[S0].txt
Deleted : C:\Users\Hippo\Desktop\Fixlog.txt
Deleted : C:\Users\Hippo\Desktop\FRST64.exe
Deleted : C:\Users\Hippo\Desktop\JRT.txt
Deleted : C:\Users\Hippo\Desktop\SecurityCheck.exe
Deleted : C:\Users\Hippo\Downloads\AdwCleaner.exe
Deleted : C:\Users\Hippo\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\Hippo\Downloads\JRT.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #13 [Windows Update | 03/11/2015 03:57:14]
Deleted : RP #14 [HPSF Applying updates | 03/13/2015 05:14:46]
Deleted : RP #15 [Windows Update | 03/14/2015 08:35:54]
Deleted : RP #16 [Installed HP Support Assistant | 03/14/2015 08:54:37]
Deleted : RP #17 [Windows Modules Installer | 03/14/2015 08:58:37]
Deleted : RP #18 [Windows Modules Installer | 03/14/2015 09:00:02]
Deleted : RP #19 [Restore Operation | 03/14/2015 12:58:04]
Deleted : RP #20 [Windows Update | 03/14/2015 13:25:34]
Deleted : RP #21 [Windows Update | 03/15/2015 01:38:32]
Deleted : RP #23 [Restore Point Created by FRST | 03/15/2015 06:43:09]
Deleted : RP #24 [Restore Operation | 03/15/2015 10:30:12]
Deleted : RP #25 [Windows Update | 03/15/2015 10:46:45]
Deleted : RP #27 [Restore Point Created by FRST | 03/15/2015 11:09:19]

New restore point created !

########## - EOF - ##########
 

I manually removed Java 6 Update 22 (64-bit) from my PC. Once my system is clean again, and if I really need it, I'll install it through the Java website.

My Adobe Flash Player is updated now.

I think I'll keep Adobe Reader, however, I'll find an update for it.

Unchecky is up and running!



#10 pystryker (Malware Response Team, 730 posts)

Posted 16 March 2015 - 08:22 AM

Posted Today, 08:13 AM
The Russian Federation thingy you referred to is actually the thorn in my (laptop's) flesh. I have no affiliation with any Russian web sites or products. Ever since adultcameras.info was dropped on my PC, and the subsequent malware which we are dealing with now, all randomly connected my browser to some xxxxxxx.ru server, opening pages, most of them dirty, with Russian content. And, it is still out there.

Ok, let me take another look with FRST and see if we can find what's on the machine trying to contact that site.

Disable your virus protection until the completion of this step.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. Please download the 64-bit version for your machine
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Place a check in the box marked Addition.txt
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

FRST Log

Addition.txt Log

#11 BrokenObelisk (Topic Starter, Members, 28 posts)

Posted 16 March 2015 - 10:39 AM

Many thanks.

Like it happened before, the post length is 'too long'. Here are the Google Drive links:

https://drive.google.com/file/d/0BwuUuvAdAm3TY0hNQVJrMEQtQkk/view?usp=sharing

https://drive.google.com/file/d/0BwuUuvAdAm3TZ0FreGtGNW5IMkk/view?usp=sharing


Edited by BrokenObelisk, 16 March 2015 - 10:40 AM.


#12 pystryker (Malware Response Team, 730 posts)

Posted 16 March 2015 - 05:33 PM

Many thanks.

You're quite welcome. :)

Ok, I'm not seeing anything in there. Let's take a look with a different tool. :thumbup2:

Please download zoek.exe to your Desktop:
  • On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
  • Give it a few seconds to appear
  • Click the Options button and place a checkmark only on the following option: AutoClean
  • Now...
  • Close any open programs.
  • Click the Run script button, and wait.
  • It takes a few minutes to run.
  • When the tool finishes, the zoek-results.log is opened in Notepad.
  • The log is also found on the systemdrive, normally C:\
  • If a reboot is needed, the log is opened after the reboot.
Things I need to see in your next post:

zoek-results log

Is the issue still occurring?

#13 BrokenObelisk (Topic Starter, Members, 28 posts)

Posted 16 March 2015 - 09:30 PM

zoek-results log

The issue is still occurring. I see a path in the Malwarebytes pop-up. It reads C:\Windows\System32\svchost.exe. Forgive my callow guess, but could a rogue process be entrenched in the svchost.exe?



#14 pystryker (Malware Response Team, 730 posts)

Posted 16 March 2015 - 09:36 PM

The issue is still occurring. I see a path in the Malwarebytes pop-up. It reads C:\Windows\System32\svchost.exe. Forgive my callow guess, but could a rogue process be entrenched in the svchost.exe?

That's a definite possibility. That's what I'm going to check next with a program called RogueKiller. I was hoping Zoek would kill it, but apparently not.

Please read these instructions carefully. I'm only asking for a scan, do not delete anything that RogueKiller may find until I see the log. RogueKiller's log will be short enough to paste into a reply instead of using the Google site.


Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.

Please download Rogue Killer to your desktop

Download Link for 32 bit systems

Download Link for 64 bit systems
  • Click on Scan
  • The scan will take a short amount of time
  • Click on Report to open the log.
  • Copy and paste the content of the log in your next reply.
Things I need to see in your next post:

RogueKiller Log

#15 BrokenObelisk (Topic Starter, Members, 28 posts)

Posted 17 March 2015 - 12:13 AM

RogueKiller Log

RogueKiller V10.5.5.0 (x64) [Mar 16 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Hippo [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 03/17/2015  10:36:21

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{74D1DDEF-A94E-45D0-9AF9-2BB512112521} | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{74D1DDEF-A94E-45D0-9AF9-2BB512112521} | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{74D1DDEF-A94E-45D0-9AF9-2BB512112521} | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\Registration -- "C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe" (Registration ShowMessageTask2D) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 34 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6465GSX +++++
--- User ---
[MBR] 7e565d19421cc4655967dfaaab91b3ad
[BSP] 20bed74253c590a25e1baeb0ac209534 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 595446 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1219883008 | Size: 14730 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 1250050048 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03172015_102601.log


Edited by BrokenObelisk, 17 March 2015 - 05:34 AM.
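The RogueKiller log above repeats the same DhcpNameServer value (46.161.41.146 8.8.8.8) under CurrentControlSet, ControlSet001, ControlSet002 and one network interface. As an added example, not from the thread or from Adlice's tool, this Python parses such [PUM.Dns] lines and reports every resolver that is not on an allowlist the reader supplies; the sample log is constructed from the lines posted above, and the allowlist values are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the RogueKiller [PUM.Dns] lines in the thread
# (same registry paths and resolver addresses as the posted log).
SAMPLE_LOG = r"""
¤¤¤ Registry : 10 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{74D1DDEF-A94E-45D0-9AF9-2BB512112521} | DhcpNameServer : 46.161.41.146 8.8.8.8 [RUSSIAN FEDERATION (RU)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
"""

# One RogueKiller DNS finding: [PUM.Dns] (arch) key | value : servers [geo] -> status
DNS_LINE = re.compile(
    r"^\[PUM\.Dns\] \((?P<arch>X64|X86)\) (?P<key>[^|]+?) \| "
    r"(?P<value>\w+) : (?P<servers>[0-9A-Fa-f:. ]+?)"
    r"(?: \[(?P<geo>[^\]]*)\])?\s+-> (?P<status>\w+)$"
)
CONTROL_SET = re.compile(r"\\(CurrentControlSet|ControlSet\d+)\\")
INTERFACE = re.compile(r"\\Interfaces\\(\{[0-9A-Fa-f-]+\})")


def parse_dns_findings(log_text):
    """Return one dict per [PUM.Dns] line: where the value lives and which resolvers it lists."""
    findings = []
    for raw in log_text.splitlines():
        m = DNS_LINE.match(raw.strip())
        if not m:
            continue  # header, blank line or a non-DNS PUM class
        key = m.group("key")
        cs = CONTROL_SET.search(key)
        iface = INTERFACE.search(key)
        findings.append({
            "arch": m.group("arch"),
            "control_set": cs.group(1) if cs else None,
            "interface": iface.group(1) if iface else None,  # None = global Tcpip\Parameters
            # DhcpNameServer is what the DHCP server handed out; NameServer is a static setting.
            "value": m.group("value"),
            "servers": [ip_address(s) for s in m.group("servers").split()],
            "geo": m.group("geo"),
            "status": m.group("status"),
        })
    return findings


def unexpected_resolvers(findings, allowlist):
    """Map each (control set, interface, value name) to the resolvers not on the allowlist."""
    allowed = {ip_address(a) for a in allowlist}
    report = {}
    for f in findings:
        rogue = sorted(str(s) for s in f["servers"] if s not in allowed)
        if rogue:
            report[(f["control_set"], f["interface"] or "global", f["value"])] = rogue
    return report


def rogue_servers(findings, allowlist):
    """Flat set of every resolver address that is not on the allowlist."""
    return {ip for rogue in unexpected_resolvers(findings, allowlist).values() for ip in rogue}


if __name__ == "__main__":
    # Assumed allowlist: the resolvers this machine is expected to use.
    found = parse_dns_findings(SAMPLE_LOG)
    for where, rogue in unexpected_resolvers(found, ["8.8.8.8", "8.8.4.4"]).items():
        print(where, "->", ", ".join(rogue))
```

Because DhcpNameServer is assigned by the DHCP server, a flagged value that keeps coming back after cleaning the host should also be checked on the router or DHCP server side.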




