
Hijacked Taplika and a couple trojans.



#1 ElmmBC

Posted 23 April 2015 - 02:00 PM

Hi - It all started when Chrome popped up with an update. I realized as I clicked that I had accidentally accepted at least one baddie. I tried to back out of the install to no avail. Of course, right away I noticed I had been hijacked as a program called Taplika overtook my browsers (Firefox and Chrome). I tried to manually uninstall it and I set my browsers back to normal. I then ran AVG 2015 and it showed no infections. Everything "looked" fine, but a day later all this adware started popping up and Internet Explorer (which I never use) kept trying to take over. I installed Malwarebytes Anti-Malware 2.1.6.1022 and the scan showed a bunch of PUPs, mostly Taplika, and the following: Trojan.email.FakeDoc and rogue.multiple. I ran the clean-up and it said everything was cleaned. I then downloaded AdwCleaner and ran a scan. Sorry, I cannot remember what it showed and I deleted it after I ran the scan. But, in the end, it cleaned everything it found. In looking around Bleeping Computer I saw someone suggest SpyHunter 4. I ran it and it shows all kinds of infections including Adware.GorillaPrice, Qvo6.com Hijacker, a few other adwares, and of course Taplika is still there. However, you have to pay to have SpyHunter actually clean. I cannot do that now, so I'm coming here for help. Also, I deleted SpyHunter before I copied the log (I did make a couple of screenshots of a few things it was showing) and I downloaded SpyBot in an attempt to get rid of these 263 threats SpyHunter was showing. SpyBot only registered 2 hits of adware and it cleaned those up. Please help me know what to do next. Everything seems to be running smoothly, but I'm worried there is something in my system lurking. I have attached the Malwarebytes log and highlighted the two trojans in red.

 

Thanks in Advance!

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/22/2015
Scan Time: 10:48:35 AM
Logfile: 
Administrator: Yes
 
Version: 2.01.4.1018
Malware Database: v2015.04.22.03
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: User
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388915
Time Elapsed: 15 min, 43 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 2
PUP.Optional.FindingDiscount.A, C:\Program Files\Windows Discount\FindingDiscount\findingdiscount.exe, 588, Delete-on-Reboot, [edae83ec0e7c8da9e45c3a7dbb480ff1]
PUP.Optional.RuntimeManager.A, C:\Program Files\Windows NT\Accessories\RuntimeManager\runtimemanager.exe, 2876, Delete-on-Reboot, [5447fe710189102600463c7bdd26f60a]
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 8
PUP.Optional.Trovi.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{589B893E-773C-4941-88C2-0DCC718E621C}, Quarantined, [1b80531c63276dc9d3ffdf5dba49da26], 
PUP.Optional.Trovi.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{589B893E-773C-4941-88C2-0DCC718E621C}, Quarantined, [1b80531c63276dc9d3ffdf5dba49da26], 
PUP.Optional.Taplika.C, HKLM\SOFTWARE\CLASSES\APPID\{BE26A525-DF20-4BBD-A602-5CE538ADA94E}\INSTL\DATA, Quarantined, [9506aac5cac0c6700021655c43c0a759], 
PUP.Optional.Taplika.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\lfkjojacgdjkninepeghaamnapdjmlfn, Quarantined, [455629466b1f77bf61325879f50e1fe1], 
PUP.Optional.InternetEnhancer.A, HKLM\SOFTWARE\MICROSOFT\ESENT\PROCESS\InternetEnhancer, Quarantined, [0e8d600feb9f6ec861d88b381ce7a15f], 
PUP.Optional.FindingDiscount.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\FindingDiscount, Delete-on-Reboot, [d4c7284798f2e650625000d3a2613fc1], 
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\wse_taplika, Quarantined, [49525619f39705316c1c12bfa063f60a], 
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\lfkjojacgdjkninepeghaamnapdjmlfn, Quarantined, [f2a9bfb0cebc41f5791bf0e119ea16ea], 
 
Registry Values: 14
PUP.Optional.Taplika.C, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY|AppPath, C:\Program Files\WSE_Taplika\\, Quarantined, [f4a7432c1e6c59dd959613ae6f94c23e]
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=, Quarantined, [1685244bd8b2d85ef72a616325dee31d]
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURLFallback, http://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=, Quarantined, [693285eacbbf8caa0c15794b08fbb947]
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|FaviconPath, C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Internet Explorer\Services\WSE_Taplika.ico, Quarantined, [603b056a07833006bb66c10340c3c43c]
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}, Taplika, Quarantined, [56459cd3d1b94beb39e8a024aa598c74]
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|DisplayName, Taplika, Quarantined, [2d6ed59af496e55137eaa51ffd0651af]
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Wse_taplika, C:\WINDOWS\system32\wscript.exe /E:vbscript /B "C:\DOCUME~1\User\APPLIC~1\Wse_taplika\UpdateProc\bkup.dat", Quarantined, [a9f2234cfa90d462679a5e6fb54eaa56]
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Wse_taplika, C:\WINDOWS\system32\wscript.exe /E:vbscript /B "C:\DOCUME~1\User\APPLIC~1\Wse_taplika\UpdateProc\bkup.dat", Quarantined, [a9f2234cfa90d462679a5e6fb54eaa56]
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=, Quarantined, [1b80dd92b0dadb5b2cf674501be8e818]
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURLFallback, http://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=, Quarantined, [e1bab3bcbecc73c3d64c03c11be8a45c]
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|FaviconPath, C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Internet Explorer\Services\WSE_Taplika.ico, Quarantined, [f8a3bbb432580531ef3394307d866799]
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}, Taplika, Quarantined, [3665026d9bef2e08031fb50fb84b0df3]
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|DisplayName, Taplika, Quarantined, [118a9fd0d7b32f07ab7764609d660cf4]
 
Registry Data: 2
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ABOUTURLS|Tabs, http://taplika.com/?f=2&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=, Good: (www.google.com), Bad: (http://taplika.com/?f=2&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=),Replaced,[475419562f5bce6861a537c3ca3b02fe]
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://taplika.com/?f=1&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=, Good: (www.google.com), Bad: (http://taplika.com/?f=1&a=tpl_installertech_15_17&cd=2XzuyEtN2Y1L1QzutDtDtByBtD0EtAtAyCyEtB0CyCtBtBzztN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2SyCtDyCtD0A0CyDtCtGyCtB0AtAtG0A0D0D0CtGtD0CyE0AtGyC0ByEzzyCzy0ByBtDtCyCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0C0FzyyC0F0AtBtGtByD0CzytGyEtBtCyCtG0B0F0DzytGzyzztBzz0E0EzztAtDyEtDzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyBtCyB&cr=1474058333&ir=),Replaced,[1289b0bfa1e9c27441c4b347f015c838]
 
Folders: 9
Rogue.Multiple, C:\Documents and Settings\All Users\Application Data\2308189059, Quarantined, [9506026d61291f1725fca0e0b74cd62a], 
PUP.Optional.FindingDiscount.A, C:\Program Files\Windows Discount, Delete-on-Reboot, [edae83ec0e7c8da9e45c3a7dbb480ff1], 
PUP.Optional.FindingDiscount.A, C:\Program Files\Windows Discount\FindingDiscount, Delete-on-Reboot, [edae83ec0e7c8da9e45c3a7dbb480ff1], 
PUP.Optional.FindingDiscount.A, C:\Documents and Settings\All Users\Application Data\Windows Discount, Quarantined, [e7b4bdb2503ab680bd84caede81bf10f], 
PUP.Optional.FindingDiscount.A, C:\Documents and Settings\All Users\Application Data\Windows Discount\FindingDiscount, Quarantined, [e7b4bdb2503ab680bd84caede81bf10f], 
PUP.Optional.RuntimeManager.A, C:\Program Files\Windows NT\Accessories\RuntimeManager, Delete-on-Reboot, [5447fe710189102600463c7bdd26f60a], 
PUP.Optional.Taplika.A, C:\Program Files\WSE_Taplika, Quarantined, [e2b94c23e7a39d99845ae5d3659e867a], 
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika, Quarantined, [f0abcda2b9d1a09648972b8dbe4523dd], 
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika\UpdateProc, Quarantined, [f0abcda2b9d1a09648972b8dbe4523dd], 
 
Files: 17
Trojan.Email.FakeDoc, C:\Documents and Settings\User\My Documents\Downloads\payment-0113-809.pdf.zip, Quarantined, [b8e3e7885e2c0b2b70e185928181aa56], 
PUP.Optional.RelevantKnowledge, C:\Documents and Settings\User\Local Settings\Temp\CSMEB.tmp, Quarantined, [dcbf5c136921043277f039d49175d927], 
PUP.Optional.Taplika.A, C:\WINDOWS\Tasks\Taplika sefo.job, Quarantined, [d8c3c3acff8b1f17a0ee577af70ca858], 
PUP.Optional.WSE.A, C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Internet Explorer\Services\WSE_Taplika.ico, Quarantined, [bedd08674d3dca6c22b63d199b6a748c], 
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika\UpdateProc\bkup.dat, Quarantined, [a9f2234cfa90d462679a5e6fb54eaa56], 
Rogue.Multiple, C:\Documents and Settings\All Users\Application Data\2308189059\BIT108.tmp, Quarantined, [9506026d61291f1725fca0e0b74cd62a], 
PUP.Optional.FindingDiscount.A, C:\Program Files\Windows Discount\FindingDiscount\findingdiscount.exe, Delete-on-Reboot, [edae83ec0e7c8da9e45c3a7dbb480ff1], 
PUP.Optional.FindingDiscount.A, C:\Documents and Settings\All Users\Application Data\Windows Discount\FindingDiscount\config.dat, Quarantined, [e7b4bdb2503ab680bd84caede81bf10f], 
PUP.Optional.FindingDiscount.A, C:\Documents and Settings\All Users\Application Data\Windows Discount\FindingDiscount\FindingDiscount.exe, Quarantined, [e7b4bdb2503ab680bd84caede81bf10f], 
PUP.Optional.RuntimeManager.A, C:\Program Files\Windows NT\Accessories\RuntimeManager\runtimemanager.exe, Delete-on-Reboot, [5447fe710189102600463c7bdd26f60a], 
PUP.Optional.Taplika.A, C:\Program Files\WSE_Taplika\config.dat, Quarantined, [e2b94c23e7a39d99845ae5d3659e867a], 
PUP.Optional.Taplika.A, C:\Program Files\WSE_Taplika\Sqlite3.dll, Quarantined, [e2b94c23e7a39d99845ae5d3659e867a], 
PUP.Optional.Taplika.A, C:\Program Files\WSE_Taplika\uninst.dat, Quarantined, [e2b94c23e7a39d99845ae5d3659e867a], 
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika\UpdateProc\config.dat, Quarantined, [f0abcda2b9d1a09648972b8dbe4523dd], 
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika\UpdateProc\info.dat, Quarantined, [f0abcda2b9d1a09648972b8dbe4523dd], 
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika\UpdateProc\STTL.DAT, Quarantined, [f0abcda2b9d1a09648972b8dbe4523dd], 
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika\UpdateProc\TTL.DAT, Quarantined, [f0abcda2b9d1a09648972b8dbe4523dd], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
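The Malwarebytes log above is long, and the items that matter for whether the hijack comes back (the RunOnce entry that launches wscript.exe, the FindingDiscount service, the scheduled-task .job file, the Chrome extension key, and the Internet Explorer SearchScopes/Start Page values) are scattered across several sections. The script below is an added example, not Malwarebytes' own tooling and not something posted in this thread: it parses the 2.x text log layout shown above (category, location, optional data, action, bracketed hash) and groups detections by section and family, lists what is still pending a reboot, and tags the persistence mechanisms. The embedded sample is constructed from a subset of the lines above, with the long taplika.com URL shortened for readability; the rule names and the `Detection` class are this example's own.

```python
"""Triage helper for a Malwarebytes Anti-Malware 2.x text log (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Section headers that precede detection lines in the 2.x log format.
SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors"}
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)$")
# category, location[, data], action, [32-hex hash], optional trailing comma
ITEM_RE = re.compile(
    r"^(?P<category>[^,]+),\s*(?P<rest>.+?),\s*"
    r"(?P<action>Quarantined|Delete-on-Reboot|Replaced|No Action By User),\s*"
    r"\[(?P<hash>[0-9a-f]{32})\],?\s*$")

# Detections that give the unwanted software a way to run again or to redirect
# the browser again after reboot. The third field says which part to test.
PERSISTENCE_RULES = (
    ("autorun key (Run/RunOnce)", re.compile(r"\\CURRENTVERSION\\RUN(ONCE)?\|", re.I), "location"),
    ("service", re.compile(r"\\CURRENTCONTROLSET\\SERVICES\\", re.I), "location"),
    ("scheduled task", re.compile(r"\\Tasks\\[^\\]+\.job$", re.I), "location"),
    ("browser extension", re.compile(r"\\CHROME\\EXTENSIONS\\", re.I), "location"),
    ("browser search/start page", re.compile(r"SEARCHSCOPES|ABOUTURLS|\|Start Page$", re.I), "location"),
    ("script-host launcher", re.compile(r"\b[wc]script\.exe\b", re.I), "data"),
)

# Constructed sample: a subset of the log lines posted above, URL shortened.
SAMPLE_LOG = r"""
Processes: 2
PUP.Optional.FindingDiscount.A, C:\Program Files\Windows Discount\FindingDiscount\findingdiscount.exe, 588, Delete-on-Reboot, [edae83ec0e7c8da9e45c3a7dbb480ff1]
PUP.Optional.RuntimeManager.A, C:\Program Files\Windows NT\Accessories\RuntimeManager\runtimemanager.exe, 2876, Delete-on-Reboot, [5447fe710189102600463c7bdd26f60a]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.FindingDiscount.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\FindingDiscount, Delete-on-Reboot, [d4c7284798f2e650625000d3a2613fc1],
PUP.Optional.Taplika.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\lfkjojacgdjkninepeghaamnapdjmlfn, Quarantined, [455629466b1f77bf61325879f50e1fe1],

Registry Values: 2
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Wse_taplika, C:\WINDOWS\system32\wscript.exe /E:vbscript /B "C:\DOCUME~1\User\APPLIC~1\Wse_taplika\UpdateProc\bkup.dat", Quarantined, [a9f2234cfa90d462679a5e6fb54eaa56]
PUP.Optional.Taplika.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|DisplayName, Taplika, Quarantined, [2d6ed59af496e55137eaa51ffd0651af]

Registry Data: 1
PUP.Optional.Taplika.A, HKU\S-1-5-21-746137067-2111687655-725345543-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://taplika.com/?f=1&a=tpl_installertech_15_17, Good: (www.google.com), Bad: (http://taplika.com/?f=1&a=tpl_installertech_15_17),Replaced,[1289b0bfa1e9c27441c4b347f015c838]

Files: 3
Trojan.Email.FakeDoc, C:\Documents and Settings\User\My Documents\Downloads\payment-0113-809.pdf.zip, Quarantined, [b8e3e7885e2c0b2b70e185928181aa56],
PUP.Optional.Taplika.A, C:\WINDOWS\Tasks\Taplika sefo.job, Quarantined, [d8c3c3acff8b1f17a0ee577af70ca858],
PUP.Optional.Taplika.A, C:\Documents and Settings\User\Application Data\Wse_taplika\UpdateProc\bkup.dat, Quarantined, [a9f2234cfa90d462679a5e6fb54eaa56],

Physical Sectors: 0
(No malicious items detected)
"""


@dataclass
class Detection:
    section: str
    category: str
    location: str
    data: str      # PID, registry data, or "" when the line has no data field
    action: str


def parse_log(text):
    """Return one Detection per item line, tagged with the section it sits in."""
    section, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m and m.group("name") in SECTIONS:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if not (section and m):
            continue                      # header/metadata lines and "(No malicious items detected)"
        location, _, data = m.group("rest").partition(", ")
        out.append(Detection(section, m.group("category"), location, data, m.group("action")))
    return out


def persistence_findings(detections):
    """(kind, category, location) for every detection that matches a persistence rule."""
    found = []
    for d in detections:
        for kind, rx, field in PERSISTENCE_RULES:
            if rx.search(getattr(d, field)):
                found.append((kind, d.category, d.location))
    return found


def summarize(detections):
    return {
        "by_section": dict(Counter(d.section for d in detections)),
        "by_family": dict(Counter(d.category for d in detections)),
        # Delete-on-Reboot items are still on disk until the machine restarts.
        "pending_reboot": [d.location for d in detections if d.action == "Delete-on-Reboot"],
        "persistence": persistence_findings(detections),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key in ("by_section", "by_family"):
        print(key, summary[key])
    print("pending reboot:", *summary["pending_reboot"], sep="\n  ")
    print("persistence:", *summary["persistence"], sep="\n  ")
```

Run against a full log, the "persistence" list is the part worth re-checking after reboot: if any of those locations reappear on a rescan, something that was not in the log is recreating them, and the next step is the startup/task review rather than another clean-up pass.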



#2 buddy215

Posted 23 April 2015 - 02:54 PM

Spy Hunter is not recommended....try to uninstall it. Then run Revo Uninstaller Freeware in Advanced Mode to remove it.

That program is known to find what isn't there....many consider it a rogue.

 

Rerun AdwCleaner and post its log of what it found. It often finds more on the second run.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • Download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double-click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 ElmmBC

Posted 24 April 2015 - 09:47 AM

Thanks buddy215 for the reply. I followed what you said and I have listed the results below. I am still having an issue with Spy Hunter. I uninstalled it and it is not showing up in my program list, but whenever I reboot it pops up like it's part of the family. It didn't show up in any of the following scans, so I'm not sure what to do.

 

Here are the log files:

 

AdwCleaner-

 

# AdwCleaner v4.202 - Logfile created 24/04/2015 at 09:11:18
# Updated 23/04/2015 by Xplode
# Database : 2015-04-23.2 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : User - FROUNT-OFFICE
# Running from : C:\Documents and Settings\User\My Documents\Downloads\adwcleaner_4.202.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=127.0.0.1:47574
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Mozilla Firefox v37.0.2 (x86 en-US)
 
 
-\\ Google Chrome v42.0.2311.90
 
 
*************************
 
AdwCleaner[R0].txt - [3231 bytes] - [22/04/2015 15:56:28]
AdwCleaner[R1].txt - [1520 bytes] - [24/04/2015 09:04:47]
AdwCleaner[S0].txt - [3113 bytes] - [22/04/2015 16:01:47]
AdwCleaner[S1].txt - [1225 bytes] - [24/04/2015 09:11:18]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1284  by
 
JRT-
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.6.2 (04.24.2015:1)
OS: Microsoft Windows XP x86
Ran by User on Fri 04/24/2015 at  9:25:52.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 04/24/2015 at  9:31:07.82
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
ESET-
 
C:\Documents and Settings\User\My Documents\Downloads\PDFCreator-1_7_3_setup.exe Win32/InstallMonetizer.AQ potentially unwanted application deleted - quarantined
 
 
Thanks Again for your help!
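The only thing AdwCleaner removed on this second run is worth a closer look than the scan summary gives it: for the default user hive, ProxyEnable was set to 1, ProxyServer pointed every HTTP request at a listener on 127.0.0.1:47574, and ProxyOverride held "<-loopback>", the WinINet token that forces even local-address traffic through the proxy. That combination means a program on the machine itself was sitting in the middle of the browser's web traffic, which is how adware of this kind injects advertisements into pages. The script below is an added example, not AdwCleaner's code and not part of this thread's advice: it parses AdwCleaner "Data Deleted" registry lines (the line layout is assumed from the log above), un-defangs the hxxp spelling, splits a ProxyServer value in the WinINet "scheme=host:port;..." or bare "host:port" form, and flags the case where the proxy is enabled and points at a loopback address. The embedded sample is constructed from the three lines above; the `assess_proxy` name and its result keys are this example's own.

```python
"""Flag a loopback proxy hijack in AdwCleaner registry entries (added example)."""
import ipaddress
import re

# "Data Deleted : <key> [<value name>] - <data>"; Key/Value lines lack the later parts.
LINE_RE = re.compile(
    r"^(?P<verb>\w+ (?:Deleted|Found))\s*:\s*(?P<key>[^\[]+?)"
    r"(?:\s*\[(?P<name>[^\]]+)\])?(?:\s*-\s*(?P<data>.*))?$")

# Constructed sample: the Registry section of the AdwCleaner log posted above.
SAMPLE_ADWCLEANER = r"""
***** [ Registry ] *****

Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=127.0.0.1:47574
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>

***** [ Web browsers ] *****
"""


def parse_adwcleaner(text):
    """Return a dict (verb, key, name, data) for every Deleted/Found line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def refang(s):
    """AdwCleaner writes hxxp/hxxps so the log cannot be clicked; restore the scheme."""
    return re.sub(r"\bhxxp(s?)", r"http\1", s, flags=re.I)


def parse_proxy_server(value):
    """WinINet ProxyServer: 'host:port' (all protocols) or 'http=host:port;https=...'."""
    proxies = {}
    for part in filter(None, refang(value).split(";")):
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # bare host:port applies to every protocol
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        proxies[scheme.strip().lower()] = (host.strip(), int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                    # a hostname, not an address
        return False


def assess_proxy(entries):
    """One finding per Internet Settings key that AdwCleaner touched."""
    settings = {}
    for e in entries:
        if e["name"] and e["key"].lower().endswith("\\internet settings"):
            settings.setdefault(e["key"], {})[e["name"].lower()] = e["data"] or ""
    findings = []
    for key, s in settings.items():
        proxies = parse_proxy_server(s.get("proxyserver", ""))
        loopback = {sch: hp for sch, hp in proxies.items() if is_loopback(hp[0])}
        findings.append({
            "key": key,
            "enabled": s.get("proxyenable") == "1",
            "proxies": proxies,
            "loopback": loopback,
            # "<-loopback>" removes the default bypass, so local traffic is proxied too.
            "force_loopback_via_proxy": "<-loopback>" in s.get("proxyoverride", ""),
            # An enabled proxy on a loopback port means a local process is in the path.
            "suspicious": s.get("proxyenable") == "1" and bool(loopback),
        })
    return findings


if __name__ == "__main__":
    for f in assess_proxy(parse_adwcleaner(SAMPLE_ADWCLEANER)):
        print(f["key"])
        print("  enabled:", f["enabled"], " proxies:", f["proxies"])
        print("  loopback proxy:", bool(f["loopback"]), " suspicious:", f["suspicious"])
```

A finding with `suspicious` set is a reason to look for the process that listened on that port, not just to be glad the setting is gone: deleting the registry value stops the redirection, but whatever opened port 47574 is still installed unless one of the other scans removed it.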


#4 buddy215

Posted 24 April 2015 - 10:37 AM

Did you use Revo Uninstaller in Advanced Mode to uninstall Spyware Hunter?

 

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

 

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.




#5 ElmmBC

Posted 24 April 2015 - 10:52 AM

I did use the Advanced mode in Revo.

 

Below are the logs from CC. Yep....Spy Hunter is showing up in the startup list. 

 

Startup

 

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR

No HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
Yes HKCU:Run ctfmon.exe Microsoft Corporation C:\WINDOWS\system32\ctfmon.exe
No HKCU:Run GoogleChromeAutoLaunch_CB71CD92231E9EECFEEE72606F7F75DB Google Inc. "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window
No HKCU:Run Sonic RecordNow!
Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run Alcmtr Realtek Semiconductor Corp. ALCMTR.EXE
Yes HKLM:Run AVG_UI AVG Technologies CZ, s.r.o. "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
Yes HKLM:Run BrMfcWnd Brother Industries, Ltd. C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
No HKLM:Run ControlCenter3 Brother Industries, Ltd. C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
Yes HKLM:Run HotKeysCmds Intel Corporation C:\WINDOWS\system32\hkcmd.exe
Yes HKLM:Run IgfxTray Intel Corporation C:\WINDOWS\system32\igfxtray.exe
No HKLM:Run IndexSearch Nuance Communications, Inc. "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
Yes HKLM:Run IntelliPoint Microsoft Corporation "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
Yes HKLM:Run Intuit SyncManager Intuit Inc. All rights reserved. C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
Yes HKLM:Run LogMeIn GUI LogMeIn, Inc. "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
Yes HKLM:Run PaperPort PTD Nuance Communications, Inc. "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
Yes HKLM:Run Persistence Intel Corporation C:\WINDOWS\system32\igfxpers.exe
Yes HKLM:Run PPort11reminder Nuance Communications, Inc. "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
Yes HKLM:Run RTHDCPL Realtek Semiconductor Corp. RTHDCPL.EXE
Yes HKLM:Run SpyHunter Security Suite Enigma Software Group USA, LLC. "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe"
Yes HKLM:Run SSBkgdUpdate Nuance Communications, Inc. "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
No HKLM:Run SunJavaUpdateSched Oracle Corporation "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
No HKLM:Run Zune Launcher "c:\Program Files\Zune\ZuneLauncher.exe"
Yes Startup Common InterVideo WinCinema Manager.lnk C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Yes Startup Common QuickBooks Update Agent.lnk Intuit Inc. C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
 
 
Uninstall
 
Adobe Acrobat 5.0 Adobe Systems, Inc. 1/5/2011 5.0
Adobe AIR Adobe Systems Incorporated 4/28/2011 2.6.0.19140
Adobe Flash Player 17 ActiveX Adobe Systems Incorporated 4/21/2015 17.0.0.169
Adobe Flash Player 17 NPAPI Adobe Systems Incorporated 4/21/2015 17.0.0.169
Adobe Reader X (10.1.11) Adobe Systems Incorporated 10/1/2014 173.00 MB 10.1.11
AVG 2015 AVG Technologies 4/18/2015 2015.0.5941
AVS Image Converter 1.3.3.146 Online Media Technologies Ltd. 3/15/2011
AVS Update Manager 1.0 Online Media Technologies Ltd. 3/15/2011
AVS4YOU Software Navigator 1.4 Online Media Technologies Ltd. 3/15/2011
Brother MFL-Pro Suite Brother Industries, Ltd. 1/3/2011 1.00
CCleaner Piriform 3/30/2015 5.04
FindingDiscount
Google Chrome Google Inc. 8/14/2013 42.0.2311.90
Intel® Graphics Media Accelerator Driver Intel Corporation 4/23/2015
InterVideo WinDVD 4 InterVideo Inc. 1/5/2011
Java 7 Update 71 Oracle 10/31/2014 119.00 MB 7.0.710
LogMeIn LogMeIn, Inc. 1/3/2011 36.48 MB 4.1.1578
Malwarebytes Anti-Malware version 2.1.6.1022 Malwarebytes Corporation 4/23/2015 2.1.6.1022
Microsoft .NET Framework 2.0 Service Pack 2 Microsoft Corporation 2/13/2014 183.00 MB 2.2.30729
Microsoft .NET Framework 3.0 Service Pack 2 Microsoft Corporation 10/13/2013 272.00 MB 3.2.30729
Microsoft .NET Framework 3.5 SP1 Microsoft Corporation 10/10/2013
Microsoft .NET Framework 4 Client Profile Microsoft Corporation 2/13/2014 4.0.30319
Microsoft IntelliPoint 6.3 Microsoft 1/3/2011 19.98 MB 6.30.191.0
Microsoft Office Home and Student 2010 Microsoft Corporation 11/11/2013 14.0.7015.1000
Microsoft Silverlight Microsoft Corporation 7/24/2014 249.00 MB 5.1.30514.0
Microsoft User-Mode Driver Framework Feature Pack 1.9 Microsoft Corporation 7/28/2014
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 6/16/2011 5.28 MB 8.0.61001
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation 1/3/2011 10.19 MB 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 6/16/2011 10.20 MB 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 2/12/2015 11.14 MB 10.0.40219
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) Microsoft Corporation 2/12/2015 10.0.50903
Microsoft WinUsb 1.0 Microsoft Corporation 7/28/2014
Mozilla Firefox 37.0.2 (x86 en-US) Mozilla 4/22/2015 37.0.2
MSXML 4.0 SP2 (KB954430) Microsoft Corporation 5/21/2010 2.67 MB 4.20.9870.0
MSXML 4.0 SP2 (KB973688) Microsoft Corporation 5/21/2010 2.77 MB 4.20.9876.0
MSXML 4.0 SP2 Parser and SDK Microsoft Corporation 5/21/2010 1.23 MB 4.20.9818.0
PaperPort Image Printer Nuance Communications, Inc. 1/3/2011 1.98 MB 1.00.0000
PDFCreator pdfforge 11/6/2014 1.7.3
QuickBooks Pro 2009 Intuit Inc. 4/23/2015 19.0.4014.705
REALTEK GbE & FE Ethernet PCI-E NIC Driver Realtek 5/21/2010 1.21.0000
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 5/21/2010 5.10.0.5764
Revo Uninstaller 1.95 VS Revo Group 4/24/2015 1.95
ScanSoft PaperPort 11 Nuance Communications, Inc. 1/3/2011 131.00 MB 11.1.0000
Sonic RecordNow! Sonic Solutions 5/21/2010 15.45 MB 6.5.1
SupportSoft Assisted Service SupportSoft 1/3/2011 3.45 MB 15
Trusteer Endpoint Protection Trusteer 3/30/2015 3.5.1404.84
TurboTax 2010 Intuit, Inc 2/16/2011
TurboTax 2011 Intuit, Inc 2/23/2012
TurboTax 2012 Intuit, Inc 1/23/2013 2012.0
TurboTax 2013 Intuit, Inc 2/21/2014 2013.0
TurboTax 2014 Intuit, Inc 3/10/2015 2014.0
TurboTax Business 2010 Intuit, Inc 2/14/2011
TurboTax Business 2011 Intuit, Inc 2/3/2012
TurboTax Business 2012 Intuit, Inc 1/23/2013 2012.0
TurboTax Business 2013 Intuit, Inc 2/19/2014 2013.0
TurboTax Business 2014 Intuit, Inc 3/3/2015 2014.0
Visual Studio 2012 x86 Redistributables AVG Technologies CZ, s.r.o. 9/30/2014 10.27 MB 14.0.0.1
Windows Genuine Advantage Validation Tool (KB892130) Microsoft Corporation 5/20/2010
Windows Internet Explorer 8 Microsoft Corporation 5/21/2010 20090308.140743
Windows Media Format 11 runtime 7/28/2014
Windows XP Service Pack 3 Microsoft Corporation 5/21/2010 20080414.031525
 


#6 ElmmBC

Posted 24 April 2015 - 10:54 AM

Here's scheduled task from CC if you need it.

 

Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task At1 C:\DOCUME~1\User\APPLIC~1\WSE_TA~1\UPDATE~1\UPDATE~1.EXE /Check
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task Microsoft Windows XP End of Service Notification Logon Microsoft Corporation C:\WINDOWS\system32\xp_eos.exe -c
Yes Task Microsoft Windows XP End of Service Notification Monthly Microsoft Corporation C:\WINDOWS\system32\xp_eos.exe
 


#7 buddy215

Posted 24 April 2015 - 11:36 AM

Disable These Windows Startups: (Use CCleaner. Click on each item to highlight and then choose Disable, Remove or Uninstall)

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR

Yes HKCU:Run ctfmon.exe Microsoft Corporation C:\WINDOWS\system32\ctfmon.exe

(Ctfmon is the Microsoft process that controls Alternative User Input and the Office Language bar. It’s how you can control the computer via speech or a pen tablet, or using the onscreen keyboard inputs for Asian languages. If you are using any of the above, you should leave it enabled.)

Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

Yes HKLM:Run BrMfcWnd Brother Industries, Ltd. C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

Yes HKLM:Run IgfxTray Intel Corporation C:\WINDOWS\system32\igfxtray.exe

Yes HKLM:Run Intuit SyncManager Intuit Inc. All rights reserved. C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup

Yes HKLM:Run SpyHunter Security Suite Enigma Software Group USA, LLC. "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe" (remove if offered...not just disable)

Yes HKLM:Run SSBkgdUpdate Nuance Communications, Inc. "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

Yes Startup Common InterVideo WinCinema Manager.lnk C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Yes Startup Common QuickBooks Update Agent.lnk Intuit Inc. C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
 
Disable these Tasks:

Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task Microsoft Windows XP End of Service Notification Logon Microsoft Corporation C:\WINDOWS\system32\xp_eos.exe -c
Yes Task Microsoft Windows XP End of Service Notification Monthly Microsoft Corporation C:\WINDOWS\system32\xp_eos.exe
 
Uninstall These programs:
Adobe Acrobat 5.0 Adobe Systems, Inc. 1/5/2011 5.0
Adobe AIR Adobe Systems Incorporated 4/28/2011 2.6.0.19140
FindingDiscount (use Revo to uninstall)
Google Chrome Google Inc. 8/14/2013 42.0.2311.90 (or update)

Java 7 Update 71 Oracle 10/31/2014 119.00 MB 7.0.710 (Old Java is a malware magnet....you may not even need it installed)

 

You can try doing a search for Spy Hunter..and removing....not sure if removing the startup will be enough.

 

EDIT: From the web....files associated with Spy Hunter:

  • C:\bootsqm.dat
  • C:\Users\Username\Desktop\SpyHunter.lnk
  • C:\sh4ldr
  • C:\Program Files\Enigma Software Group
  • C:\Windows\System32\Drivers\EsgScanner.sys
  • C:\Users\Username\Downloads\SpyHunter-Installer.exe
  • C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe

Edited by buddy215, 24 April 2015 - 12:04 PM.
