Browser shortcut pinned to task bar, Target window modified.


  • This topic is locked
17 replies to this topic

#1 op3l

  • Members
  • 8 posts

Posted 12 May 2015 - 08:43 PM

Not sure how to explain this but... In the properties of the browser links (IE, Firefox, and Chrome) it used to just say "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

But yesterday, I downloaded something from a less than honest site, and now whenever I open up any of the 3 browsers, I get redirected to "hao.360.cn". So I checked the shortcut properties, and all 3 browsers' targets now respectively have "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://xx234.kuaila.com/ in the target window.

I've tried removing the http://xx234.kuaila.com/ by deleting it from the target window, but when I try to save the changes, the computer tells me I don't have administrator privileges, even though I'm the only user on this computer.

So I deleted all 3 browser shortcuts from the taskbar, and dragged them out from the program files folders into the taskbar, but it will still add the

It's only when I drag and drop straight from the program files folder that the link's target gets changed and added with the http://xx234.kuaila.com/.

I've tried scanning with Malwarebytes and it came up with nothing so I'm at my wit's end. I've included the HijackThis log; hopefully there can be a solution to this problem.

Thank you very much for your time.

 

Attached Files
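The hijack op3l describes lives in the shortcut file itself: a Windows .lnk stores the program path and the command-line arguments as separate fields, and appending a URL to the arguments makes the browser open that page on every launch, which is why the "target window" showed the exe followed by the URL. The script below is an added example, not code from this thread or from any of the tools the helper prescribes; it shows how a responder can parse .lnk files offline (for example from a mounted drive or a collected Quick Launch folder) and flag any whose arguments carry a URL, whatever the URL is. The parser follows the MS-SHLLINK layout; the two sample shortcuts are constructed in memory for the demonstration, and the URL in the hijacked one is the one reported in this thread.

```python
"""Detect hijacked Windows shortcuts by parsing .lnk files directly.

Added example (not from the thread or any tool named in it).  A shell link
stores the program path and the command-line arguments as separate fields;
the redirect described above works by appending a URL to the arguments.
Layout follows the MS-SHLLINK specification.  Sample shortcuts are
constructed in memory so the script runs offline.
"""
import re
import struct
import tempfile
from pathlib import Path

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional sections follow the 76-byte header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields, in the order they appear in the file
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link; fields not present are ''."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize does not count its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width, encoding = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters; no terminator follows
        pos += 2
        fields[name] = data[pos:pos + count * width].decode(encoding)
        pos += count * width
    return fields


def hijacked_urls(data: bytes) -> list:
    """URLs found in the arguments field; an empty list means the shortcut is clean."""
    return URL_RE.findall(parse_lnk(data)["arguments"])


def scan_directory(root) -> dict:
    """Map every *.lnk under root whose arguments carry a URL to the URLs found."""
    hits = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            urls = hijacked_urls(path.read_bytes())
        except (ValueError, UnicodeDecodeError, struct.error):
            continue  # truncated file or not a shell link at all
        if urls:
            hits[str(path)] = urls
    return hits


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed minimal Unicode shell link for the demo (not a file Windows produced)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three timestamps, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, three reserved fields
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    if arguments:
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes ExtraData


# Constructed samples: one hijacked the way the thread describes, one clean
SAMPLE_SHORTCUTS = {
    "Mozilla Firefox.lnk": build_lnk(r"..\..\Program Files (x86)\Mozilla Firefox\firefox.exe",
                                     "http://xx234.kuaila.com/"),
    "Notepad.lnk": build_lnk(r"..\..\Windows\notepad.exe"),
}


def demo_scan() -> dict:
    """Write the samples to a temporary folder, scan it, and return {file name: urls}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in SAMPLE_SHORTCUTS.items():
            Path(tmp, name).write_bytes(blob)
        hits = scan_directory(tmp)
    return {Path(p).name: urls for p, urls in hits.items()}


if __name__ == "__main__":
    for name, urls in demo_scan().items():
        print(f"{name}: hijacked -> {', '.join(urls)}")
```

On the affected machine the folders worth passing to `scan_directory` are the pinned-taskbar folder (`%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar`), the Desktop, and both Start Menu `Programs` folders; because re-pinning from the program folders kept reproducing the URL in this thread, comparing the Start Menu copies against the taskbar copies shows which source is still modified. Rewriting the shortcuts is deliberately left to the helper's cleanup tools.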





#2 satchfan

  • Malware Response Team
  • 2,801 posts
  • Gender:Female
  • Location:Devon, UK

Posted 13 May 2015 - 05:35 AM

Hello op3l and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.


  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called FRST.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Logs to include with next post:

AdwCleaner log
RKreport.txt
FRST.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 op3l

  • Topic Starter
  • Members
  • 8 posts

Posted 13 May 2015 - 08:42 PM

Hello Satchfan!

First of all, thank you very much for your help. Very appreciated.

These are the logs as done per your instructions.

Thanks again!

 

Attached Files



#4 satchfan

  • Malware Response Team
  • 2,801 posts
  • Gender:Female
  • Location:Devon, UK

Posted 14 May 2015 - 06:10 AM

P2P - I see you have P2P software (uTorrent) installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================

I notice you have run ComboFix which is not recommended. ComboFix is a VERY powerful tool that can reduce a computer to a useless piece of metal without expert guidance.

While you may see ComboFix being used quite often without incident, the tool should NEVER be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool)

Please send the log from when you ran it. ComboFix logs are located at c:\combofix.txt; older logs are at c:\qoobox\combofix2.txt, c:\qoobox\ComboFix3.txt etc.

===============================================

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

 

NOTE: Please include the logs in the post, not attach them.

Thanks

Satchfan


Edited by satchfan, 14 May 2015 - 06:11 AM.



#5 op3l

  • Topic Starter
  • Members
  • 8 posts

Posted 14 May 2015 - 08:20 PM

I couldn't find the combofix.txt log. This is all I could find. But I didn't delete any files from when I ran the combofix as I know deleting files I don't know could mess up the computer.

 

Here are the logs:

--------------------------

Add-Remove Programs.txt

 

??????? 7.5???
µTorrent
Adobe Flash Player 17 ActiveX
Adobe Flash Player 17 NPAPI
Adobe Reader X (10.1.13) MUI
AI Suite 3
Akamai NetSession Interface
AMD Catalyst Control Center
Apple Application Support (32-bit)
Apple Software Update
Asmedia ASM104x USB 3.0 Host Controller Driver
Autodesk App Manager
Autodesk Content Service
Autodesk Content Service Language Pack
Autodesk Design Review 2013
Autodesk Design Review Browser Add-on v1.2 
Autodesk Featured Apps
Autodesk Material Library 2014
Autodesk Material Library Base Resolution Image Library 2014
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Combined Community Codec Pack 2014-07-13
Definition Update for Microsoft Office 2010 (KB2965299) 32-Bit Edition
Dropbox
FARO LS 1.1.501.0 (64bit)
Foxit Cloud
Foxit Reader
Geekbench 3
Google Chrome
Google Earth
Google Update Helper
IrfanView (remove only)
LINE
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 2.0.2.1012
Microsoft Office Access MUI (Chinese (Traditional)) 2010
Microsoft Office Excel MUI (Chinese (Traditional)) 2010
Microsoft Office Groove MUI (Chinese (Traditional)) 2010
Microsoft Office IME (Chinese (Traditional)) 2010
Microsoft Office InfoPath MUI (Chinese (Traditional)) 2010
Microsoft Office OneNote MUI (Chinese (Traditional)) 2010
Microsoft Office Outlook MUI (Chinese (Traditional)) 2010
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (Chinese (Traditional)) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proofing (Chinese (Traditional)) 2010
Microsoft Office Publisher MUI (Chinese (Traditional)) 2010
Microsoft Office Shared MUI (Chinese (Traditional)) 2010
Microsoft Office Word MUI (Chinese (Traditional)) 2010
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
Mozilla Firefox 37.0.2 (x86 en-US)
Mozilla Maintenance Service
PE Builder 3.1.10a
PowerISO
QCAD 3.7.1
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4.5.2 (KB3037581)
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2881071) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2889839) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2920748) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2956073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2956076) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2920812) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2553428) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
SketchUp Import for AutoCAD 2014
Skype™ 7.4
Ultima Online Classic Client
Ultima Online Forever
Update for Microsoft Access 2010 (KB2837601) 32-Bit Edition
Update for Microsoft Excel 2010 (KB2956084) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2881026) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553140) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589386) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687275) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837582) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837602) 32-Bit Edition
Update for Microsoft Office 2010 (KB2883019) 32-Bit Edition
Update for Microsoft Office 2010 (KB2920813) 32-Bit Edition
Update for Microsoft Office 2010 (KB2956141) 32-Bit Edition
Update for Microsoft Office 2010 (KB2956191) 32-Bit Edition
Update for Microsoft Office 2010 (KB2965235) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2956075) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2956205) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2965295) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2956190) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2881025) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2881021) 32-Bit Edition
Visual Studio 2012 x86 Redistributables
----------------------------------------------------
 
ComboFix-quarantined-files.txt
 
2015-05-12 05:01:35 . 2015-05-12 05:01:35              377 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2015-05-12 04:58:06 . 2015-05-12 04:58:06            5,316 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2015-05-12 04:31:02 . 2015-05-12 04:31:02               51 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2015-05-12 01:47:14 . 2015-05-12 01:47:14              642 ----a-w-  C:\Qoobox\Quarantine\C\Windows\PFRO.log.vir
----------------------------------------------------
 
ckfiles.txt
 
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\gimp 2\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\razor\crypt.dll
c:\windows\autokms\autokms.exe
scanner sequence 3.BC.11.VBLBI0
 ----- EOF ----- 
----------------------------------------------
 
 


#6 satchfan

  • Malware Response Team
  • 2,801 posts
  • Gender:Female
  • Location:Devon, UK

Posted 15 May 2015 - 03:14 AM

You have illegal software on your system, which is probably how your computer became infected. Besides being illegal, cracks/keygens are the most certain means of infecting your system, as ALL illegal software contains some form of malicious code.

This forum, as well as all the other well-respected malware removal forums, does not condone the use of illegal software. If you disregard this warning and become re-infected, we may not assist you the next time.

Please uninstall all the illegal software that you have downloaded and installed. When you have done this, run CKScanner again and post a new log.

Thanks

Satchfan




#7 satchfan

  • Malware Response Team
  • 2,801 posts
  • Gender:Female
  • Location:Devon, UK

Posted 17 May 2015 - 05:42 PM

I haven't heard from you since I posted a couple of days ago.

 

Please let me know if you are having problems. If I hear nothing within the next 24 hours I'll assume that you no longer require help and close the topic.

 

Satchfan




#8 op3l

  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2015 - 08:51 PM

Sorry, been busy with things.

 

Deleted the things found in the first scan. Log:

 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\gimp 2\share\gimp\2.0\patterns\cracked.pat
scanner sequence 3.AP.11.XAFNC0
 ----- EOF ----- 
 
I checked that file, it's a pattern for the image editing software. It's like a freeware version of Photoshop.


#9 satchfan

  • Malware Response Team
  • 2,801 posts
  • Gender:Female
  • Location:Devon, UK

Posted 18 May 2015 - 03:44 AM

That looks better (but I don't know why you had to run it so many times).

 

Can you tell me if the same problem persists or what the current situation is?

 

Satchfan




#10 op3l

  • Topic Starter
  • Members
  • 8 posts

Posted 19 May 2015 - 08:21 PM

Sorry for the late response.

 

I tried again to pin the links for the 3 browsers I use straight from the folders, and they are no longer affected by that http://xx234.kuaila.com/ that was added to the target window.

 

Thank you very much for your help Satchfan. Most appreciated!



#11 satchfan

  • Malware Response Team
  • 2,801 posts
  • Gender:Female
  • Location:Devon, UK

Posted 20 May 2015 - 04:50 AM

> Thank you very much for your help Satchfan. Most appreciated!

 

You're welcome.

 

 

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • start Malwarebytes Anti-Malware and update it (“Update” tab)
  • once it is updated, click on “Scan” tab, select Threat Scan, then click Scan.
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

================================================

Run Security Check

Download Security Check by screen317 from here or here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.


NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

===================================================

Let’s also run an online scan to be sure nothing is left and if both logs are clear I’ll send instructions to tidy up.

Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

Note: You can use Internet Explorer, Firefox or Chrome for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan


  • click the Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)


    o    click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.
     

  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:


    o    scan archives
    o    scan for potentially unsafe applications
    o    enable Anti-Stealth technology


    Note: Do not check Remove found threats
     

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    Note - if ESET doesn't find any threats, no report will be created.
     

  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:


    o    put a checkmark in "Uninstall application on close"
    o    close program
    o    report to me that nothing was found.
 

If threats were found:

 

    o    click on "list of threats found"
    o    click on "export to text file" and save it as ESET results and save to the desktop
    o    click on back
    o    put a checkmark in "Uninstall application on close"
    o    click on finish
    o    close program
    o    copy and paste the report here.
 

Logs to include with the next post:

Mbam.txt

checkup.txt

Eset result, (if any).

Can you tell me if there are any outstanding problems?

Satchfan


Edited by satchfan, 20 May 2015 - 05:01 AM.



#12 op3l

  • Topic Starter
  • Members
  • 8 posts

Posted 21 May 2015 - 02:47 AM

Here are the logs for the 2 scans. 

 

ESET: 

C:\Users\Kevin Chao\Downloads\ccsetup419.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2014-04-11 115109\Backup Files 2014-04-11 115109\Backup files 1.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2014-05-21 143055\Backup Files 2014-05-21 143055\Backup files 3.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2014-05-21 143055\Backup Files 2014-07-07 081804\Backup files 2.zip Win32/Toolbar.Conduit potentially unwanted application
D:\KEVINCHAO-PC\Backup Set 2014-07-28 081900\Backup Files 2014-07-28 081900\Backup files 17.zip Win32/Toolbar.Conduit potentially unwanted application
D:\KEVINCHAO-PC\Backup Set 2014-10-13 081749\Backup Files 2014-10-13 081749\Backup files 17.zip Win32/Toolbar.Conduit potentially unwanted application
D:\KEVINCHAO-PC\Backup Set 2014-10-13 081749\Backup Files 2014-10-13 081749\Backup files 18.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2014-10-13 081749\Backup Files 2014-10-20 081602\Backup files 2.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2014-10-13 081749\Backup Files 2014-11-24 081232\Backup files 3.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2014-12-08 081801\Backup Files 2014-12-08 081801\Backup files 19.zip Win32/Toolbar.Conduit potentially unwanted application
D:\KEVINCHAO-PC\Backup Set 2014-12-08 081801\Backup Files 2014-12-08 081801\Backup files 21.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2015-03-09 080909\Backup Files 2015-03-09 080909\Backup files 20.zip Win32/Toolbar.Conduit potentially unwanted application
D:\KEVINCHAO-PC\Backup Set 2015-03-09 080909\Backup Files 2015-03-09 080909\Backup files 22.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2015-04-06 115054\Backup Files 2015-04-06 115054\Backup files 22.zip Win32/Toolbar.Conduit potentially unwanted application
D:\KEVINCHAO-PC\Backup Set 2015-04-06 115054\Backup Files 2015-04-06 115054\Backup files 24.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\KEVINCHAO-PC\Backup Set 2015-04-06 115054\Backup Files 2015-05-18 081233\Backup files 4.zip Win32/Toolbar.Conduit potentially unwanted application
D:\KEVINCHAO-PC\Backup Set 2015-04-06 115054\Backup Files 2015-05-18 081233\Backup files 5.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\???????\Thao\backup data\Data C\Program Files\AskBarDis\unins00.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\???????\Thao\backup data\Data C\Program Files\AskBarDis\bar\bin\askPopStp.dll a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\???????\Thao\backup data\Data C\Program Files\Paltalk Messenger\AskInstallChecker-1.4.0.0.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
D:\???????\Thao\backup data\Data C\Program Files\Paltalk Messenger\askToolbarInstaller-1.6.6.0.exe a variant of Win32/Bundled.Toolbar.Ask.A potentially unsafe application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgAdaptersProxy.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgAIMAuto.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgAIMMessengerAdapter.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgArchive.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgcommon.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgcommunication.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgconfig.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgFlashPlayer.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mghooking.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgIEPlayer.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mglogger.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgMediaPlayer.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgMsnAuto.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgMsnMessengerAdapter.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgsimcommon.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgSweetIM.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgUpdateSupport.dll a variant of Win32/SweetIM.F potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgxml_wrapper.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgYahooAuto.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\mgYahooMessengerAdapter.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Messenger\SweetIM.exe a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\ClearHist.exe a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\mgcommon.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\mgconfig.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\mglogger.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\mgsimcommon.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll a variant of Win32/SweetIM.L potentially unwanted application
D:\???????\Thao\backup data\Data C\Program Files\SweetIM\Toolbars\Internet Explorer\mgxml_wrapper.dll a variant of Win32/SweetIM.L potentially unwanted application
 
The files from d:\ are old backup files from another computer. I can delete those if needed.
 
MBAM:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/21/2015
Scan Time: 8:13:44 AM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.05.20.06
Rootkit Database: v2015.05.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7
CPU: x64
File System: NTFS
User: Kevin Chao
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 439083
Time Elapsed: 1 hr, 20 min, 43 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#13 satchfan

satchfan

  • Malware Response Team
  • 2,801 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:04:54 PM

Posted 21 May 2015 - 02:57 AM

The files from d:\ are old backup files from another computer. I can delete those if needed.

Please do as they are not good.

Please send the result of SecurityCheck, (checkup.txt).

Apart from that, all looks fine. Are there any remaining problems?

 

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#14 op3l

op3l
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 21 May 2015 - 03:25 AM

Sorry, missed that part of the instructions:

 

 Results of screen317's Security Check version 1.002  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG AntiVirus Free Edition 2015   
 Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player 17.0.0.169  
 Adobe Reader 10.1.14 Adobe Reader out of Date!
 Mozilla Firefox (38.0.1) 
 Google Chrome (42.0.2311.135) 
 Google Chrome (42.0.2311.152) 
````````Process Check: objlist.exe by Laurent````````
 AVG avgwdsvc.exe 
 avgui.exe    
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3% 
````````````````````End of Log``````````````````````
 
No, the original problem with the links has been resolved. They function normally now and no longer edit the Target window.

Edited by op3l, 21 May 2015 - 03:27 AM.


#15 satchfan

satchfan

  • Malware Response Team
  • 2,801 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:04:54 PM

Posted 21 May 2015 - 03:56 AM

Well done op3l, your computer appears to be clean.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

Uninstall Combofix

To be sure that it has been uninstalled from the time you ran it previously, follow these steps to uninstall Combofix:

  • click START then RUN, (or Windows key+R)
  • now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /, it needs to be there.



  • please follow the prompts to uninstall Combofix.
  • once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:

  • Create registry backup
  • Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Antivirus

AVG needs to be updated:

  • open the AVG Program
  • on the left side of the window, click Update now.

===================================================

Update installed programs

Your version of Adobe Reader is out-of-date and needs to be removed and updated.

Having the latest updates and removing old versions ensures there are no security vulnerabilities in your system.

To remove it:

  • click Start, Control Panel, Programs and Features.
  • click on Adobe Reader 10.1.14 and then on Uninstall.

You can also uninstall Eset in the same way.

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

NEXT

Visit Adobe and download the latest version of Acrobat Reader.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX; it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Download WOT

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • green if it's safe
  • yellow for caution
  • red for unsafe

You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

======================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK.
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You are now protected.

Note: The free version doesn't provide automatic updates but should be updated often (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu then select Check for Updates to see if there are any available.

======================

Your computer needs to be defragmented. See this

Download and run Auslogics Disc Defragmenter

Make sure when installing that you look out for, and say NO to, the ASK toolbar, (although, if you have taken my advice and installed UnChecky, that won’t be necessary).

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes

Help! My computer is slow! by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

Keeping your kids safer on the PC.

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan


Edited by satchfan, 21 May 2015 - 03:59 AM.

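The MVPS HOSTS recommendation in the post above works because the operating system consults the HOSTS file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) before asking DNS, so any name listed there with 127.0.0.1 or 0.0.0.0 resolves to the local machine and the connection goes nowhere. The following Python script is an added example, not part of this thread or of the MVPS project: it parses HOSTS-file text the way the resolver does (comments stripped, several names per line, case-insensitive, first matching entry wins) and reports which names are sinkholed. The HOSTS content in `SAMPLE_HOSTS` is constructed for the example and uses `.invalid` names; to audit a real machine, read the actual file into `parse_hosts` instead.

```python
"""Parse a HOSTS file and report which hostnames are sinkholed to the local machine.

Added example for the MVPS HOSTS discussion; the sample content below is constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed sample in the MVPS style: header comment, a normal localhost entry,
# blocked names using both 127.0.0.1 and 0.0.0.0, several names on one line,
# an inline comment, mixed case, and an ordinary LAN entry for contrast.
SAMPLE_HOSTS = """\
# Example HOSTS file (constructed for illustration)
127.0.0.1  localhost
127.0.0.1  ads.example.invalid   # [blocked ad server]
0.0.0.0    Tracker.Example.invalid banners.example.invalid
   # indented comment line
192.168.1.10 fileserver.lan
garbage-line-without-address
"""

# Addresses that send a connection to the local machine instead of the real host.
LOCAL_SINKHOLES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address on its line.

    Mirrors resolver behaviour: '#' starts a comment, whitespace separates the
    address from one or more names, and the first entry for a name is the one used.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no names, or a bare word
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address; the resolver ignores it too
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # first match wins, later duplicates ignored
    return table


def is_sinkholed(hostname: str, table: Dict[str, str]) -> bool:
    """True if the HOSTS table sends this name to the local machine."""
    ip = table.get(hostname.lower())
    return ip is not None and ipaddress.ip_address(ip) in LOCAL_SINKHOLES


def sinkholed_names(table: Dict[str, str]) -> List[str]:
    """All blocked names, sorted; 'localhost' is a legitimate loopback entry, not a block."""
    return sorted(
        name for name, ip in table.items()
        if ipaddress.ip_address(ip) in LOCAL_SINKHOLES and name != "localhost"
    )


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(entries)} names parsed, {len(sinkholed_names(entries))} sinkholed:")
    for name in sinkholed_names(entries):
        print(f"  {name} -> {entries[name]}")
```

Two caveats worth knowing when relying on this kind of block list: it only stops connections made by hostname, so a direct connection to an IP address is unaffected, and a very large HOSTS file on Windows can slow name resolution, which is why the MVPS instructions recommend disabling the DNS Client service after installing it.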




