Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unable to remove malware using Hitman Pro


  • Please log in to reply
10 replies to this topic

#1 Reesey2369

Reesey2369

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 27 August 2015 - 02:31 PM

Hi,

 

I am unable to remove malware from my laptop, which is currently running on Windows 7. I have followed the directions from this website:  http://malwaretips.com/blogs/malware-removal-guide-for-windows/ until Step 5. I was able to remove threats using Malwarebytes but found residual PUPs using Hitman Pro.

 

When I run Hitman Prof 3.7.9, a potential identified threat is found (3.4.1_30942.exe). However, when attempting to upload this file to the Scan Cloud, the upload stalls and generates a timeout error (UPLOAD TIMED OUT.) I am unable to delete the file.

 

I am unable to locate the exe file in the directory indicated. Any advice about how to proceed?

 

 

Many thanks



BC AdBot (Login to Remove)

 


#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:18 AM

Posted 28 August 2015 - 10:27 AM

Hello and welcome to BC, 

 

I would like to suggest you to stop your search for that .exe file and to do the following to make sure that your PC is clean:

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  In EULA window click I agree.

§  In Options uncheck Reset Winsock settings.

§  Click on Scan button.

§  When the scan has finished click on Cleaning button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[C1].txt as well.

--------

 

Please download Junkware Removal Tool to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.

---------

 

Post me a rkill log, it should be on Desktop.


Edited by severac, 28 August 2015 - 10:28 AM.

I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#3 Reesey2369

Reesey2369
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 28 August 2015 - 11:54 AM

Hi, Severac

 

Thanks for your help. I'm a total dork when it comes to stuff like this. The logs are in this order 1) JRT, 2) AdwCleaner, 3) Rkill (ran in Safe Mode yesterday)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.9 (08.27.2015:1)
OS: Windows 7 Professional x64
Ran by HP on Fri 08/28/2015 at 12:43:20.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] C:\Windows\SysWOW64\ai_recyclebin



~~~ FireFox

Successfully deleted the following from C:\Users\HP\AppData\Roaming\mozilla\firefox\profiles\spw31o22.default\prefs.js

user_pref(browser.search.hiddenOneOffs, Yahoo,Bing,Amazon.com,eBay,Twitter,Wikipedia (en),DuckDuckGo,Trovi search);
Emptied folder: C:\Users\HP\AppData\Roaming\mozilla\firefox\profiles\spw31o22.default\minidumps [41 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/28/2015 at 12:46:46.62
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

# AdwCleaner v5.003 - Logfile created 26/08/2015 at 14:33:33
# Updated 20/08/2015 by Xplode
# Database : 2015-08-25.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : HP - HP-HP
# Running from : C:\Users\HP\Downloads\adwcleaner_5.003.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

[-] [C:\Users\HP\AppData\Roaming\Mozilla\Firefox\Profiles\spw31o22.default\prefs.js] [Preference] Deleted : user_pref("browser.newtab.url", "hxxp://search.conduit.com/?gd=&ctid=CT3314958&octid=EB_ORIGINAL_CTID&ISID=M7030E641-31D5-45B1-AF0E-643EF390DB2E&SearchSource=69&CUI=&SSPV=&Lay=1&UM=5&UP=SP11BE971C-8FF[...]

*************************

:: Proxy settings cleared
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [923 bytes] ##########
# AdwCleaner v5.004 - Logfile created 28/08/2015 at 12:06:45
# Updated 26/08/2015 by Xplode
# Database : 2015-08-25.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : HP - HP-HP
# Running from : C:\Users\HP\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************


########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1586 bytes] ##########
 

Rkill 2.8.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/27/2015 03:06:14 PM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  0.0.0.1    mssplus.mcafee.com

Program finished at: 08/27/2015 03:06:40 PM
Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)
 



#4 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:18 AM

Posted 28 August 2015 - 12:37 PM

Hi,

 

let's run MBAM again:

 

§  On the Dashboard, click the 'Update Now >>' link.

§  After the update completes, on Settings tab, set under Detection and Protection next options: 

1. 'Scan for rootkits'

2. Non-Malware Protection, for 'PUP detections', check, 'Threat detections as malware' option.

§  Return to Dashboard, click the Scan Now >> button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, than click on Yes.

§  After the restart once you are back at your desktop, open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.

-------

 

And Kaspersky, just to be sure that you are clean:

 

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.

§  Right click on KVRT.exe and select Run as Administrator.

§  Read the EULA, then select Accept.

§  Wait for Kaspersky Virus Removal Tool to initialize.

§  In the main screen, select Change parameters, place a checkmark in System drive, then click OK.

§  Click Start scan.

§  Wait for Kaspersky Virus Removal Tool to complete scanning.

§  When the scan is finished, select Neutralize all for all detected objects.

§  Close Kaspersky Virus Removal Tool when done.

Informe me if something is detected.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#5 Reesey2369

Reesey2369
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 28 August 2015 - 08:49 PM

Hi,

 

First, I ran MBAM again without a problem but then afterwards, Kaspersky Virus Removal always crashes (Normal and Safe mode.) Kaspersky crashed a few times. One threat was detected (...UCQQYXP0\SPSetup[1].exe) | Detected: not-a-virus:Webtoolbar.Win32.Agent.azm. but can't seem to get rid of it.

 

What do I do now?

 

The log from MBAM is below.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/28/2015
Scan Time: 7:08 PM
Logfile: 8 28 2015 MBAM Scan log.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.28.06
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: HP

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358670
Time Elapsed: 10 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#6 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:18 AM

Posted 29 August 2015 - 01:43 AM

ESET Online Scanner

§  Click here to download the installer for ESET Online Scanner and save it to your Desktop.

§  Disable all your antivirus and antimalware software - see how to do that here.

§  Right click on esetsmartinstaller_enu.exe and select Run as Administrator.

§  Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.

§  Select Enable detection of potentially unwanted applications.

§  Click Advanced Settings, then place a checkmark in the following:

o    Remove found threats

o    Scan archives

o    Scan for potentially unsafe applications

o    Enable Anti-Stealth technology

§  Click Start to begin scanning.

§  ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.

§  When the scan is done, click List threats (only available if ESET Online Scanner found something).

§  Click Export, then save the file to your desktop.

§  Click Back, then Finish to exit ESET Online Scanner.

-------

 

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Malware Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#7 Reesey2369

Reesey2369
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 29 August 2015 - 10:09 AM

Hi,

 

First log = ESET Online Scan

Second log = EEK

 

C:\Users\HP\AppData\Roaming\uTorrent\updates\3.4.1_30888.exe    a variant of Win32/AdkDLLWrapper.A potentially unwanted application    cleaned by deleting - quarantined
C:\Users\HP\AppData\Roaming\uTorrent\updates\3.4.1_30942.exe    a variant of Win32/AdkDLLWrapper.A potentially unwanted application    cleaned by deleting
C:\Users\HP\AppData\Roaming\uTorrent\updates\3.4.2_38656.exe    a variant of Win32/OpenCandy.C potentially unsafe application    cleaned by deleting - quarantined
 

 

 

Emsisoft Emergency Kit - Version 10.0
Last update: 8/29/2015 10:02:32 AM
User account: HP-HP\HP

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    8/29/2015 10:59:44 AM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\BINGBAR_RASMANCS     detected: Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI.1     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.BHO (A)

Scanned    72522
Found    8

Scan end:    8/29/2015 11:01:31 AM
Scan time:    0:01:47

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}    Quarantined Application.BHO (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI.1    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\BINGBAR_RASMANCS    Quarantined Application.Win32.InstallExt (A)

Quarantined    8
 



#8 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:18 AM

Posted 29 August 2015 - 10:59 AM

It seems that ESET found that 3.4.1_30942.exe and some other similar files. It seems that is some utorrent file, that is why Hitman detected it. 

 

What is the status of your PC now?


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#9 Reesey2369

Reesey2369
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 29 August 2015 - 11:06 AM

Hi,

 

Yeah, I wasn't sure if that torrent update was legit. I couldn't find them on my computer and was suspicious when Hitman couldn't scan it.  My computer seems okay but like I said, I'm a dork when it comes to things like this. I ran Hitman again and it didn't detect those exe files. Everything seems okay. Fingers crossed.

 

Thanks again for your help. You're a total lifesaver. :guitar:



#10 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:11:18 AM

Posted 29 August 2015 - 11:11 AM

Great.  :thumbup2:

 

You should be clean now. 

 

Empty your temp folders using TFC (Temporary File Cleaner)

§  Please download TFC by Old Timer and save it to your desktop.
alternate download link

§  Save any unsaved work. (TFC will close ALL open programs including your browser!)

§  Double-click on TFC.exe to run it. (If you are using Vista or above, right-click on the file and choose "Run As Administrator".)

§  Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

§  Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

--------------

 

This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download  DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

§  Activate UAC (optional; some users prefer to keep it off)

§  Remove disinfection tools

§  Create registry backup

§  Purge System Restore

Now click "Run" and wait patiently.
Once finished, a logfile will be created. You don't have to attach it to your next reply.

-----------

 

Best regards


Edited by severac, 29 August 2015 - 11:12 AM.

I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#11 Reesey2369

Reesey2369
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 29 August 2015 - 11:35 AM

Fantastic! Thanks so much again! :bounce:






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users