
Possibly infected


19 replies to this topic

#1 PrevailGFX (Members, 17 posts)

Posted 21 May 2015 - 02:32 PM

Considering my computer just went to one of the screens where it said it recovered from a shutdown or something, and asked if I wanted to go into safe mode or start Windows normally, I figured I should post here.

 

I had just restarted due to running GTA 5, making it slow my PC down, and I was opening up a program -- a bot for a game. They're notorious for infections, although I don't think it is, considering in just the past hour there were 2,300 active people. It'd be known to be malware by now if it really was, I'd think.

 

Anyways; Windows 7 Home Premium SP1

 

Currently running a scan with MBAM.

 

Thanks.


Edited by PrevailGFX, 21 May 2015 - 02:32 PM.



#2 jerrymck (Members, 66 posts)

Posted 21 May 2015 - 02:46 PM

It isn't common for a virus to cause a computer to completely shut down at random, unless the virus is hijacking your system resources and using them all, thus causing overheating, but that is unlikely. Are you positive your computer can run GTA 5 healthily?

Shutting down is normally caused by overexerting the CPU, GPU, or RAM. The computer shuts down to save the hardware from overheating.


Craigslist PC Technicians be like "Oh you have a virus? Let me defrag your hard drive and delete unused desktop icons for you. And if you're lucky, I'll even empty your recycling bin! :smash:


#3 PrevailGFX, Topic Starter (Members, 17 posts)

Posted 21 May 2015 - 02:51 PM

It isn't common for a virus to cause a computer to completely shut down at random, unless the virus is hijacking your system resources and using them all, thus causing overheating, but that is unlikely. Are you positive your computer can run GTA 5 healthily?

Shutting down is normally caused by overexerting the CPU, GPU, or RAM. The computer shuts down to save the hardware from overheating.

 

It did this after I had already restarted from running GTA 5. I can run it at 60 fps on high.

 

[image: QyFMWrR.png]



#4 Sintharius, Bleepin' Sniper (Members, 5,639 posts, The Netherlands)

Posted 21 May 2015 - 03:29 PM

Hi there,

Please run this so I can see what's going on.

MiniToolbox by Farbar

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Regards,
Alex
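Added example, not part of the thread and not the code of MiniToolBox or Security Check: the same artefacts Sintharius asks for above can be collected with tooling that ships with Windows 7, which is useful when you want to see what a triage tool is actually reading. It also pulls the events that explain the "recovered from an unexpected shutdown" screen from the first post: Kernel-Power 41 and EventLog 6008 are written when Windows did not shut down cleanly, and BugCheck 1001 only appears when a crash dump was produced. The output file name and the 30-day window are my choices; run it from an elevated PowerShell prompt, because restore points and some event logs are not readable otherwise.

```powershell
# Added example (not MiniToolBox/Security Check code): collect the artefacts
# the thread asks for with built-in Windows 7 tooling. Run elevated.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Triage.txt'   # output path is an assumption
$report = New-Object System.Collections.Generic.List[string]
function Section([string]$title) { $report.Add(""); $report.Add("=== $title ===") }

# 1. Unexpected-shutdown evidence (41 = Kernel-Power, 6008 = EventLog, 1001 = BugCheck).
#    41/6008 without a 1001 means the box lost power or hung; it did not bluescreen.
Section 'Unexpected shutdowns / bugchecks (last 30 days)'
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 6008, 1001; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $report.Add("{0:u}  {1}  {2}  {3}" -f $_.TimeCreated, $_.Id, $_.ProviderName, ($_.Message -split "`n")[0]) }

# 2. Last 10 Critical/Error events (Level 1 = Critical, 2 = Error) in System and Application.
foreach ($log in 'System', 'Application') {
    Section "Last 10 errors: $log"
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        ForEach-Object { $report.Add("{0:u}  {1}  {2}  {3}" -f $_.TimeCreated, $_.Id, $_.ProviderName, ($_.Message -split "`n")[0]) }
}

# 3. Proxy settings. A proxy or PAC URL you did not configure is a traffic-interception
#    indicator; Internet Explorer settings are per user, WinHTTP is machine-wide.
Section 'IE / WinHTTP proxy'
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$report.Add("ProxyEnable=$($ie.ProxyEnable) ProxyServer=$($ie.ProxyServer) AutoConfigURL=$($ie.AutoConfigURL)")
$report.Add((netsh winhttp show proxy | Out-String).Trim())

# 4. Hosts file: anything beyond comments deserves a look, since malware uses it
#    to black-hole update and antivirus domains.
Section 'Hosts file (non-comment lines)'
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { $report.Add($_) }

# 5. Winsock providers (LSPs): a rogue entry sees every socket on the machine.
Section 'Winsock catalog (providers only)'
netsh winsock show catalog | Select-String 'Description|Provider Path' | ForEach-Object { $report.Add($_.Line.Trim()) }

# 6. Installed programs from the 64-bit and 32-bit Uninstall keys (what "List Installed Programs" reads).
Section 'Installed programs'
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName } | Sort-Object DisplayName -Unique |
    ForEach-Object { $report.Add("{0} ({1}) - {2}" -f $_.DisplayName, $_.DisplayVersion, $_.Publisher) }

# 7. Minidumps and restore points.
Section 'Minidumps'
Get-ChildItem "$env:SystemRoot\Minidump" -ErrorAction SilentlyContinue |
    ForEach-Object { $report.Add("{0}  {1:u}  {2} bytes" -f $_.Name, $_.LastWriteTime, $_.Length) }
Section 'Restore points'
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    ForEach-Object { $report.Add("{0}  {1}  {2}" -f $_.SequenceNumber, $_.ConvertToDateTime($_.CreationTime), $_.Description) }

$report | Set-Content $out
Write-Host "Report written to $out"
```

The script only reads; it deliberately does not flush DNS or reset proxy settings the way the MiniToolBox checkboxes do, so the state you capture is the state the machine was found in.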

#5 PrevailGFX, Topic Starter (Members, 17 posts)

Posted 21 May 2015 - 03:51 PM

Here you are, @Alexstrasza

 

MiniToolBox

Security Check



#6 Sintharius, Bleepin' Sniper (Members, 5,639 posts, The Netherlands)

Posted 21 May 2015 - 04:09 PM

Hi there,

Please paste all of your logs directly into your replies instead of putting them somewhere else - it's more convenient.

This Reddit post and the errors in your Event Viewer log seem to coincide with each other. We can try disabling that service and see if it helps.

Please uninstall the following software from Programs and Features:

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Java 7 Update 67 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)

If you run into any issues, let me know.

You do not appear to have resident antivirus protection - do you have one right now?

Regards,
Alex

#7 PrevailGFX, Topic Starter (Members, 17 posts)

Posted 21 May 2015 - 06:19 PM

From another community I go on, there's another MRT expert and he usually prefers not to quote any posts, and to paste logs in separate links like that... I felt like it would be more convenient than pasting a bunch of text in one box, but okay. If you prefer it that way then that's alright.

 

Anyways, I removed all of those -- but that leaves me without a Java version. Should I install the latest version?

 

And no, I don't have any antivirus... I mean, take a look at your signature. But every now and then common sense gets the best of you and you go to a site and something suspicious downloads, some ad pops up even though you have adblock, or you download a program you know you shouldn't run and you do it anyway. Can't help but think somewhere along the line you may have got a little herpes.

 

Also, just out of curiosity what made you want me to delete those?


Edited by PrevailGFX, 21 May 2015 - 08:11 PM.


#8 Sintharius, Bleepin' Sniper (Members, 5,639 posts, The Netherlands)

Posted 22 May 2015 - 01:49 AM

From another community I go on, there's another MRT expert and he usually prefers not to quote any posts, and to paste logs in separate links like that... I felt like it would be more convenient than pasting a bunch of text in one box, but okay. If you prefer it that way then that's alright.

That's how it works in here, you might want to check other posts :) I suspect that I know which forum you are referring to, but it's just speculation (if you are curious then shoot me a pm).
 

Anyways, I removed all of those -- but that leaves me without a Java version. Should I install the latest version?

Please do :)
 

And no, I don't have any antivirus... I mean, take a look at your signature. But every now and then common sense gets the best of you and you go to a site and something suspicious downloads, some ad pops up even though you have adblock, or you download a program you know you shouldn't run and you do it anyway. Can't help but think somewhere along the line you may have got a little herpes.

That is precisely what antivirus and antimalware solutions are for - better safe than sorry. Software covers our backs in places where common sense is not enough.
 

Since you mentioned running a scan with Malwarebytes, please post the scan log when you are done.

After that please run this.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Full Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex

#9 PrevailGFX, Topic Starter (Members, 17 posts)

Posted 22 May 2015 - 12:37 PM

You probably do, the link starts with an H. Their two main Malware Technicians left, and now all that's left are some people who know a little bit about the software they find off of here. So I figured I'd be best off coming here...

 

Also, I don't know which antiviruses are any good.

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/21/2015
Scan Time: 2:33:42 PM
Logfile: scan.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.05.21.03
Rootkit Database: v2015.05.16.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Wayne
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 449154
Time Elapsed: 19 min, 42 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.OpenCandy, C:\Users\Wayne\AppData\Local\Temp\uttAF85.tmp, Quarantined, [bd8ae2b48bffec4a65dea3a9927431cf], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Emsisoft Emergency Kit - Version 9.0
Last update: 5/22/2015 10:05:09 AM
User account: Wayne-PC\Wayne
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 5/22/2015 10:05:38 AM
C:\$RECYCLE.BIN\S-1-5-21-2111133060-3351526975-1283433472-1000\$R2Q5V46\COC Bot_Obfuscated.exe detected: Trojan.Generic.14525285 
C:\Program Files (x86)\ArticGamers Entertainment\GunZ Online\Gunz.exe detected: Trojan.Generic.11018467 
C:\Users\Wayne\AppData\Local\Temp\tmp11EB.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp1D21.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp2145.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp28F4.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp3D10.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp63B2.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp7C12.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp816E.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp9405.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp989E.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmpB6E0.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmpBF68.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmpE8B1.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmpFBE7.dll detected: Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Roaming\Skype\My Skype Received Files\darkcomet 5.4.1.zip -> COC Bot_Obfuscated.exe detected: Trojan.Generic.14525285 
C:\Users\Wayne\Desktop\New WinRAR ZIP archive.zip -> New folder (5)/COC Bot_Obfuscated.exe detected: Trojan.Generic.14525285 
C:\Users\Wayne\Downloads\2.1.0_ClashBot (1).zip -> ClashBot.exe detected: Trojan.Generic.14516444 
C:\Users\Wayne\Downloads\2.1.0_ClashBot.zip -> ClashBot.exe detected: Trojan.Generic.14516444 
 
Scanned 721633
Found 20
 
Scan end: 5/22/2015 12:33:07 PM
Scan time: 2:27:29
 
C:\Users\Wayne\Downloads\2.1.0_ClashBot.zip Quarantined Trojan.Generic.14516444 
C:\Users\Wayne\Downloads\2.1.0_ClashBot (1).zip Quarantined Trojan.Generic.14516444 
C:\Users\Wayne\Desktop\New WinRAR ZIP archive.zip Quarantined Trojan.Generic.14525285 
C:\Users\Wayne\AppData\Roaming\Skype\My Skype Received Files\darkcomet 5.4.1.zip Quarantined Trojan.Generic.14525285 
C:\Users\Wayne\AppData\Local\Temp\tmpFBE7.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmpE8B1.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmpBF68.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmpB6E0.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp989E.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp9405.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp816E.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp7C12.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp63B2.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp3D10.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp28F4.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp2145.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp1D21.dll Quarantined Gen:Variant.Graftor.174438 
C:\Users\Wayne\AppData\Local\Temp\tmp11EB.dll Quarantined Gen:Variant.Graftor.174438 
C:\Program Files (x86)\ArticGamers Entertainment\GunZ Online\Gunz.exe Quarantined Trojan.Generic.11018467 
C:\$RECYCLE.BIN\S-1-5-21-2111133060-3351526975-1283433472-1000\$R2Q5V46\COC Bot_Obfuscated.exe Quarantined Trojan.Generic.14525285 


Quarantined 20

Edited by PrevailGFX, 22 May 2015 - 12:39 PM.


#10 Sintharius, Bleepin' Sniper (Members, 5,639 posts, The Netherlands)

Posted 22 May 2015 - 01:14 PM

Hi there,

Please download OldTimer's Temp File Cleaner and run it to clear out all of your temporary files.

After that please run this.

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex

#11 PrevailGFX, Topic Starter (Members, 17 posts)

Posted 23 May 2015 - 05:43 PM

C:\Program Files (x86)\Hotspot Shield\Uninstall.exe Win32/Bundled.Toolbar.Ask.L potentially unsafe application deleted - quarantined
C:\Users\Wayne\Desktop\HB\stxo_ss.exe a variant of MSIL/GameHack.DL potentially unsafe application deleted - quarantined
C:\Users\Wayne\Downloads\ccsetup503.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Users\Wayne\Downloads\HSS-3.42-install-plain-701-plain.exe Win32/Bundled.Toolbar.Ask.L potentially unsafe application deleted - quarantined
C:\Users\Wayne\Downloads\spsetup128.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Users\Wayne\Downloads\Windows 7 Sp1 Ultimate 16in1 [x86 x64] OEM ESD en-US Oct 2014 by Generation2-=TEAM OS=-{HKRG}\Win7.X86.X64.ESD.en-US.Oct2014.iso a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application deleted - quarantined
C:\Windows\Installer\MSIDBAA.tmp a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application deleted - quarantined
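Added example, not part of the thread and not a feature of Emsisoft Emergency Kit or ESET Online Scanner: the two scan logs above (the Emsisoft full scan in post #9 and the ESET results in post #11) are easier to act on when grouped by detection family and by where the file sat on disk. A detection inside a zip in Downloads is inert until someone extracts it; a DLL that keeps reappearing in %TEMP% under random names, or an executable under Program Files, was live. The sample input is constructed from lines taken from those two logs; the regexes and the location buckets are my own. One caveat a reader should take from the Emsisoft log: the archive quarantined from the Skype received-files folder is named after DarkComet, a well-known remote access trojan. The thread does not establish whether it was ever run, but if it was, passwords typed on this machine should be treated as exposed.

```powershell
# Added example: summarise Emsisoft Emergency Kit and ESET Online Scanner detection
# lines. Sample lines below are copied from the logs posted in this thread.
$logText = @'
C:\Users\Wayne\AppData\Local\Temp\tmp11EB.dll detected: Gen:Variant.Graftor.174438
C:\Users\Wayne\AppData\Local\Temp\tmp1D21.dll detected: Gen:Variant.Graftor.174438
C:\Users\Wayne\AppData\Roaming\Skype\My Skype Received Files\darkcomet 5.4.1.zip -> COC Bot_Obfuscated.exe detected: Trojan.Generic.14525285
C:\Users\Wayne\Downloads\2.1.0_ClashBot.zip -> ClashBot.exe detected: Trojan.Generic.14516444
C:\Program Files (x86)\ArticGamers Entertainment\GunZ Online\Gunz.exe detected: Trojan.Generic.11018467
C:\Users\Wayne\Desktop\HB\stxo_ss.exe a variant of MSIL/GameHack.DL potentially unsafe application deleted - quarantined
C:\Users\Wayne\Downloads\ccsetup503.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Windows\Installer\MSIDBAA.tmp a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application deleted - quarantined
'@

# One regex per log format. ESET names carry a platform prefix with a slash
# (Win32/..., MSIL/...), which is what separates the path (spaces allowed) from the name.
$emsisoft = '^(?<path>[A-Za-z]:\\.+?) detected: (?<name>\S+)'
$eset     = '^(?<path>[A-Za-z]:\\.+?) (?:a variant of )?(?<name>\S+/\S+) potentially unsafe application'

function Get-Family([string]$name) {
    # Drop the trailing variant token (a number or 1-2 capitals) so that
    # Trojan.Generic.14525285 and Trojan.Generic.11018467 group together.
    return ($name -replace '\.(\d+|[A-Z]{1,2})$', '')
}

function Get-Location([string]$path) {
    switch -Regex ($path) {
        '\\AppData\\Local\\Temp\\'            { 'Temp (dropped at runtime)'; break }
        '\\Skype\\My Skype Received Files\\'  { 'Skype received files'; break }
        '\\Downloads\\'                       { 'Downloads (installers/archives)'; break }
        '\\Desktop\\'                         { 'Desktop'; break }
        '^[A-Za-z]:\\Program Files'           { 'Program Files (installed program)'; break }
        '^[A-Za-z]:\\Windows\\Installer\\'    { 'Windows Installer cache'; break }
        '^[A-Za-z]:\\\$RECYCLE\.BIN\\'        { 'Recycle Bin'; break }
        default                               { 'Other' }
    }
}

$hits = foreach ($line in ($logText -split "`r?`n")) {
    if ($line -match $emsisoft -or $line -match $eset) {
        New-Object PSObject -Property @{
            Path      = $Matches['path']
            Name      = $Matches['name']
            Family    = Get-Family $Matches['name']
            Location  = Get-Location $Matches['path']
            # "outer.zip -> member.exe" means the hit was a member of an archive,
            # inert until extracted, unlike a DLL in Temp or an installed exe.
            InArchive = $Matches['path'] -like '* -> *'
        }
    }
}

"`nBy family:"
$hits | Group-Object Family | Sort-Object Count -Descending |
    ForEach-Object { "{0,4}  {1}" -f $_.Count, $_.Name }

"`nBy location:"
$hits | Group-Object Location | Sort-Object Count -Descending |
    ForEach-Object { "{0,4}  {1}" -f $_.Count, $_.Name }

"`nLive on disk (not inside an archive), the ones that need a follow-up question:"
$hits | Where-Object { -not $_.InArchive } |
    ForEach-Object { "  {0}`n      {1}" -f $_.Path, $_.Name }
```

To run it over a full log, replace the here-string with `$logText = Get-Content -Raw .\scan.txt` (or `(Get-Content .\scan.txt) -join "`n"` on PowerShell 2.0, which lacks `-Raw`). The "live on disk" list is the part worth pasting back into a thread like this: for the Temp DLLs it raises the question of which process keeps writing them, which neither scanner answers.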


#12 Sintharius, Bleepin' Sniper (Members, 5,639 posts, The Netherlands)

Posted 23 May 2015 - 05:46 PM

Hi there,

Did you try disabling the service via the Reddit post I linked to?

Please install an antivirus and remember to keep it updated.

Let me know how it went.

Regards,
Alex

#13 PrevailGFX, Topic Starter (Members, 17 posts)

Posted 24 May 2015 - 12:35 AM

Hi there,

Did you try disabling the service via the Reddit post I linked to?

Please install an antivirus and remember to keep it updated.

Let me know how it went.

Regards,
Alex

 

 

Oh... didn't know I was supposed to do that.

 

I'm fairly certain this is it:

[image: MM9wtSK.png]

 

I'll disable it now. What antivirus would you recommend?



#14 Sintharius, Bleepin' Sniper (Members, 5,639 posts, The Netherlands)

Posted 24 May 2015 - 03:34 AM

Hi there,

For an antivirus I recommend Avast for free and Emsisoft Anti-Malware for paid.

You can try setting the startup type of the service to Manual and see if the problem recurs. Keep me posted.

Regards,
Alex
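Added example, not from the thread: the service in question is only ever shown in a screenshot above, so the name below is a placeholder. Before setting a service to Manual as suggested, it is worth recording its current start mode, locating its binary and checking the binary's signature, because "a service that errors in Event Viewer" describes both a buggy vendor service and a malicious one, and the two call for different follow-ups. The Service Control Manager event IDs used here (7000/7001 start failures, 7023/7024 terminated with an error, 7031/7034 terminated unexpectedly) are the ones that put a failing service into the System log. Run elevated.

```powershell
# Added example: inspect a service before changing its startup type, then verify.
$ServiceName = 'ExampleSvc'   # placeholder: use the service name shown in Event Viewer

# Which services have been failing? (Service Control Manager errors, newest 20.)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7001, 7023, 7024, 7031, 7034 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } -AutoSize

# Win32_Service exposes StartMode, account and executable path, which Get-Service on Windows 7 does not.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "No service named '$ServiceName'" }

# Strip quotes and arguments from PathName to get the executable.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' -| /')[0] }
$sig = Get-AuthenticodeSignature -FilePath $exe

# For svchost-hosted services the signed file is svchost.exe itself; the code that
# actually runs is the ServiceDll, so check that instead when it is present.
$dll = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters" -ErrorAction SilentlyContinue).ServiceDll
if ($dll) {
    $exe = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = Get-AuthenticodeSignature -FilePath $exe
}

"Service   : {0} ({1})" -f $svc.Name, $svc.DisplayName
"State     : {0}, StartMode={1}, runs as {2}" -f $svc.State, $svc.StartMode, $svc.StartName
"Binary    : {0}" -f $exe
"Signature : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject

# Unsigned, or living under a user profile or Temp: scan it before treating this as
# a mere crashing third-party service.
if ($sig.Status -ne 'Valid' -or $exe -match '\\Users\\|\\Temp\\') {
    Write-Warning "Binary is unsigned or in an unusual location; scan it before trusting it."
}

# Manual keeps the service available to anything that starts it on demand;
# Disabled blocks it outright. Both persist across reboots.
Set-Service -Name $ServiceName -StartupType Manual
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue

# Verify the change took effect.
"StartMode now: {0}" -f (Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartMode
```

The `PathName` parsing handles the quoted form and the common `svchost.exe -k group` form; a bare unquoted path with spaces and no arguments passes through unchanged.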

#15 PrevailGFX, Topic Starter (Members, 17 posts)

Posted 24 May 2015 - 06:46 PM

Hi there,

For an antivirus I recommend Avast for free and Emsisoft Anti-Malware for paid.

You can try setting the startup type of the service to Manual and see if the problem recurs. Keep me posted.

Regards,
Alex

 

It's not important, I disabled it...

 

I'll install Avast now.





