
Clear away unwanted Scheduled Tasks / Triggers, Windows 7

This topic is locked
8 replies to this topic

#1 seglarn

seglarn

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 06 June 2015 - 01:05 PM

See the file [FRST-150605.txt]
I thought that I had managed to get rid of most of it... this time when I manually picked out a number of "application directories" and deleted them. See the attached file [rensa.txt]
But right now, as I write this text, there is a new task/trigger (scheduled task) that wants to install a lot of shopping rubbish !!
Wajam, SmartWeb, Best victim today, EDU updates etc., see more in the attached file. My home page in Explorer is reset to hxxp://www.instasurf.com something, see the attached files [installation.pdf and adwcleaner-150604.pdf]
Is this problem ?? part of the text in :
xmlns="hxxp://schemas.microsoft.com/windows/2004/02/mit/task"
<Exec>
    <Command>C:\Users\sodlei\AppData\Local\SmartWeb\SmartWebHelper.exe</Command>
</Exec>
AdwCleaner and ComboFix fail to remove the trigger (Smart Web upgraded trigger ??)
The Wajam installation can not be cancelled. When I force Windows 7 to shut down I have to turn off nstc2c0.tmp.
I try using the log from FRST64 to understand how I should remove this "trigger box"
I find nothing in the Task Manager, Startup or msconfig ...
Please help by looking through the first log.
I enclose also some screenshots from the installations the bleep likes to do.
My problems started when I accepted a fake Adobe Flash update, "update now". Very Mad done !! Blame the late evening and fatigue.
Most of what was installed I was able to uninstall ... I also ran AdwCleaner.
(Without disabling MS Security Essentials and firewall).
I later visited an infected site that also downloaded and installed a lot of garbage .... I uninstalled everything I could and disabled a number of add-ons.
I ran AdwCleaner again and this time also ComboFix, again without disabling MS Security Essentials and firewall.
I submitted a question to the forum regarding the risk of running ComboFix without disabling MS Security Essentials and firewall.
I got a good response from Bleepin' Janitor, Global Moderator!

Attached Files


Edited by Orange Blossom, 06 June 2015 - 01:18 PM.
Deactivated links to protect membership. ~ OB



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:58 AM

Posted 09 June 2015 - 10:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:

() C:\Users\sodlei\AppData\Roaming\768D0B81-1431721869-11CB-A146-C781AE7E4116\nsvDED8.tmp
() C:\Users\sodlei\AppData\Roaming\768D0B81-1431721869-11CB-A146-C781AE7E4116\jnsr5EE.tmp
() C:\Users\sodlei\AppData\Local\mbot_se_102\upmbot_se_102.exe
(SoftBrain Technologies Ltd.) C:\Users\sodlei\AppData\Local\SmartWeb\SmartWebHelper.exe
() C:\Program Files (x86)\mbot_se_102\mbot_se_102.exe
(SoftBrain Technologies Ltd.) C:\Users\sodlei\AppData\Local\SmartWeb\SmartWebApp.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SmartWeb] => C:\Users\sodlei\AppData\Local\SmartWeb\SmartWebHelper.exe [270368 2015-02-17] (SoftBrain Technologies Ltd.)
HKLM-x32\...\Run: [mbot_se_102] => C:\Program Files (x86)\mbot_se_102\mbot_se_102.exe [3978920 2014-11-27] ()
HKLM-x32\...\RunOnce: [upmbot_se_102.exe] => C:\Users\sodlei\AppData\Local\mbot_se_102\upmbot_se_102.exe [3309736 2014-11-27] ()
Startup: C:\Users\sodlei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartWeb.lnk [2015-06-05]
ShortcutTarget: SmartWeb.lnk -> C:\Users\sodlei\AppData\Local\SmartWeb\SmartWebHelper.exe (SoftBrain Technologies Ltd.)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3256510715-2264537422-2842215746-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO-x32: Edu App 1.0.0.7 -> {cf07d83b-d1b0-4642-b955-e7eb9b9cf5b3} -> C:\Program Files (x86)\Edu App\EduAppbho.dll [2015-06-05] (Edu App)
Toolbar: HKU\S-1-5-21-3256510715-2264537422-2842215746-1002 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
R2 mozolihu; C:\Users\sodlei\AppData\Roaming\768D0B81-1431721869-11CB-A146-C781AE7E4116\nsvDED8.tmp [169984 2015-06-03] () [File not signed]
R2 pygohyju; C:\Users\sodlei\AppData\Roaming\768D0B81-1431721869-11CB-A146-C781AE7E4116\jnsr5EE.tmp [231424 2015-05-15] () [File not signed]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\Users\sodlei\AppData\Roaming\768D0B81-1431721869-11CB-A146-C781AE7E4116
C:\Users\sodlei\AppData\Local\mbot_se_102
C:\Users\sodlei\AppData\Local\SmartWeb
C:\Program Files (x86)\mbot_se_102
C:\Program Files (x86)\Edu App

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Run the AdwCleaner tool and clean all that is found.

===

I need to see the Addition.txt file that was created when you last executed the Farbar tool.

p.s.
Please do not post .pdf files as I will not open them.
Copy and paste your logs in your next reply.

How is the computer running?
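The fixlist above removes entries from three autostart locations at once: the scheduled task whose XML the first post quotes, the HKLM Run/RunOnce keys (FRST's "HKLM-x32" lines are the Wow6432Node view), and the per-user Startup folder. The following script is an added example, not part of this thread and not FRST's own code; it enumerates those same locations on a Windows 7 machine so the entries can be reviewed side by side with an FRST log. It assumes Windows PowerShell 2.0 or later, an elevated prompt (the Tasks folder is not readable by standard users), and a path heuristic of my own choosing for what counts as worth a second look.

```powershell
# Added example (not from the thread or FRST): list scheduled-task actions,
# Run/RunOnce values and Startup-folder shortcuts, and flag targets that live
# under a user profile or a temp path. Windows PowerShell 2.0+, run elevated.
# $SuspectPattern is a heuristic chosen for this example, not a fixed rule.
$SuspectPattern = '\\AppData\\|\\Temp\\|\.tmp$'

function Test-SuspectPath {
    param([string]$Path)
    return [bool]($Path -match $SuspectPattern)
}

function New-Entry {
    param($Source, $Name, $Target, $Arguments)
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Target = [string]$Target
        Arguments = [string]$Arguments; Suspect = (Test-SuspectPath ([string]$Target))
    }
}

function Get-TaskActions {
    # Task definitions are XML files under System32\Tasks. The default
    # namespace (the 2004/02/mit/task schema quoted in the first post) does not
    # get in the way: property navigation on a [xml] object ignores namespaces.
    param([string]$TaskRoot = "$env:SystemRoot\System32\Tasks")
    Get-ChildItem -Path $TaskRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            try { [xml]$task = Get-Content -Path $file.FullName -ErrorAction Stop }
            catch { return }   # unreadable or not XML: skip this file
            foreach ($exec in @($task.Task.Actions.Exec)) {
                if ($exec -eq $null) { continue }   # ComHandler action or no actions
                New-Entry 'ScheduledTask' ($file.FullName.Substring($TaskRoot.Length)) `
                    $exec.Command $exec.Arguments
            }
        }
}

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'       # FRST: HKLM-x32\...\Run
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'   # FRST: HKLM-x32\...\RunOnce
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider, ... are not values
            New-Entry 'RunKey' "$key\$($p.Name)" $p.Value ''
        }
    }
}

function Get-StartupEntries {
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($name in 'Startup', 'AllUsersStartup') {
        $folder = $wsh.SpecialFolders.Item($name)
        Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            # CreateShortcut on an existing .lnk reads it, giving the same
            # information as FRST's "ShortcutTarget:" line
            $link = $wsh.CreateShortcut($_.FullName)
            New-Entry 'Startup' $_.FullName $link.TargetPath $link.Arguments
        }
    }
}

$entries = @(Get-TaskActions) + @(Get-RunKeyEntries) + @(Get-StartupEntries)
$flagged = @($entries | Where-Object { $_.Suspect })
"{0} autostart entries found, {1} flagged for review" -f $entries.Count, $flagged.Count
$flagged | Sort-Object Source, Name | Format-Table Source, Name, Target -AutoSize -Wrap
```

A flag is a prompt to look, not a verdict: legitimate updaters also run from AppData, so compare each flagged line with the publisher and date FRST prints for the same path. The script does not cover services (the "R2 mozolihu ... [File not signed]" lines in the fixlist); those are listed with Get-Service or sc query and need the binary path from the registry to be judged the same way.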

#3 seglarn

seglarn
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 10 June 2015 - 10:40 AM

Hello "nasdaq"
I was a bit confused when I received the first response to my post in the forum.
"Do nothing, just wait ... for a response. It may take a while"

I had no patience. I found a several-months-old image (including boot sector) of my Win 7 partition. I did a restore a few days ago ... Got a lot of jobs for chkdsk but everything worked as it should.

I can see that you've done a fantastic job, analysing the log and making the code for a "fixlist.txt".
I now realize that I should have waited for your response and run FRST / Fix. Sorry!
I can also see that I, as an amateur (retired, 72 years old), was on the right track - SmartWeb.

What protection is best to stop malware from an infected website ??

I enclose my latest Addition.txt. If it can be of any help in your continued work.
Any suggestions on "Accounts:"??

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:58 AM

Posted 10 June 2015 - 10:55 AM

I would rather see a fresh FRST log.

Please run the Farbar tool and post both logs.
To get a fresh Addition text make sure you click the option when you run the tool.

#5 seglarn

seglarn
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 10 June 2015 - 12:22 PM

Hello again

Are you really interested in new logs?

I have installed a fresh new (old) C:\Windows partition and boot sector.

So what can be left of my "virus" problem?



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:58 AM

Posted 11 June 2015 - 06:37 AM

I'm leaving it up to you.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 seglarn

seglarn
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 11 June 2015 - 07:54 AM

Yes, I am pretty sure all is well. I took a quick look at both logs.

A big thank you!
This was the first time I ever got a virus ... believe it or not.
I have had a PC since about 1988. Been out on the net since then. Initially it was Fidonet, Usenet and Memonet ... built my first website in 1994, The Swedish Disability Sports Federation. Very much with help from people in forums at Fidonet. And the International Paralympic org in 1995.
1996-2001 webmaster in two large Swedish insurance companies. Responsible for a major Internet Development Department. Retired in 2005.
But then ... one evening when I'm a little bit tired, and too fast. I click and accept to update the false Adobe Flash player ... (194.6.232.151/39/en/video.php). I also believe that I was visiting an infected website. As soon as the page opened, it closed Internet Explorer (11) down and all the crap was installed. But it may be that it was all the fake Adobe Flash installation ... SmartWeb etc.

Have a great summer now !!
Take care, and I will always try to be safe...
But age does strange things with us...



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:58 AM

Posted 11 June 2015 - 12:16 PM

Glad we could help.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:58 AM

Posted 17 June 2015 - 07:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



