Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fix file type for files with no extension, savingtoyou


  • Please log in to reply
18 replies to this topic

#1 sparklestar

sparklestar

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 05 November 2015 - 04:50 AM

Files with no extension are now listed as file type "savingtoyou", They should be file type "file"  How do I fix that?

 

I have found some guides to change the file type of all files with a specific extension, but this is for all files with no extension.

 

This symptom appears to be a result of a malware infection, but I have already cleaned it out with mse, hitman, adwcleaner, mbam, and jrt. That doesn't fix the file type issue though.



BC AdBot (Login to Remove)

 


#2 sparklestar

sparklestar
  • Topic Starter

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 05 November 2015 - 10:13 AM

I found a couple instances of savingtoyou in the registry and changed them to say File. Now instead of the file type showing up as savingtoyou, it shows up as "URL:File Protocol" any idea how to fix that?



#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:10 PM

Posted 05 November 2015 - 12:04 PM

Hi sparklestar :)

My name is Aura and I'll be assisting you with your issue. Follow the instructions below please.

3Al62Pm.pngMiniToolBox
  • Download MiniToolBox and move the executable file to your Desktop;
  • Right-click on MiniToolBox.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
      B8oLpa3.png
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 sparklestar

sparklestar
  • Topic Starter

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 05 November 2015 - 10:19 PM

MiniToolBox by Farbar  Version: 02-11-2015
Ran by Suzy (administrator) on 05-11-2015 at 21:54:31
Running from "C:\Users\Suzy\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: XPS 8300 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:49375;https=127.0.0.1:49375

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================

Broadcom NetLink ™ Gigabit Ethernet = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Family-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Bell

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Bell
   Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
   Physical Address. . . . . . . . . : 18-03-73-C6-81-AE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5176:792b:392d:9efd%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.59(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : November-05-15 10:04:23 AM
   Lease Expires . . . . . . . . . . : November-07-15 10:04:22 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 242756555
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-F9-AD-A2-18-03-73-C6-81-AE
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    google.com
Addresses:  24.226.16.44
      24.226.16.44


Pinging google.com [24.226.16.35] with 32 bytes of data:
Reply from 24.226.16.35: bytes=32 time=18ms TTL=61
Reply from 24.226.16.35: bytes=32 time=10ms TTL=61

Ping statistics for 24.226.16.35:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 18ms, Average = 14ms
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    yahoo.com
Addresses:  98.139.183.24
      98.139.183.24


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=87ms TTL=48
Reply from 206.190.36.45: bytes=32 time=81ms TTL=48

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 81ms, Maximum = 87ms, Average = 84ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...18 03 73 c6 81 ae ......Broadcom NetLink ™ Gigabit Ethernet
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.1    192.168.0.59     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.0.0    255.255.255.0         On-link     192.168.0.59    276
    192.168.0.59  255.255.255.255         On-link     192.168.0.59    276
   192.168.0.255  255.255.255.255         On-link     192.168.0.59    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.59    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.59    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    276 fe80::/64                On-link
 11    276 fe80::5176:792b:392d:9efd/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/05/2015 10:20:17 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (11/05/2015 10:20:17 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (11/05/2015 10:20:17 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (11/05/2015 10:20:17 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (11/05/2015 10:20:15 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (11/05/2015 10:19:13 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client event error

Error: (11/05/2015 10:18:12 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (11/05/2015 10:18:12 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client event error

Error: (11/05/2015 10:16:52 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (11/05/2015 10:06:46 AM) (Source: CVHSVC) (User: )
Description: Information only.
(Stream product id=0x0066): Streaming Failed


System errors:
=============
Error: (11/05/2015 10:20:15 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.

Error: (11/05/2015 10:19:45 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.

Error: (11/05/2015 10:19:13 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.

Error: (11/05/2015 10:18:55 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/05/2015 10:18:52 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/05/2015 10:18:51 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/05/2015 10:18:50 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/05/2015 10:18:48 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/05/2015 10:18:47 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/05/2015 10:18:45 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2015-11-05 01:20:01.618
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-11-05 01:20:01.558
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-11-05 01:20:01.508
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-11-05 01:20:01.448
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-11-01 22:56:58.245
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-11-01 22:56:58.183
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20077 - Adobe Systems Incorporated)
Adobe After Effects CS6 (HKLM-x32\...\{4817D846-700B-474E-A31B-80892B3E92E3}) (Version: 11 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.226 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Photoshop Elements 5.0 (HKLM-x32\...\Adobe Photoshop Elements 5) (Version: 5.0 - Adobe Systems Inc.)
AMD Catalyst Install Manager (HKLM\...\{AAFD93A0-6522-9FF4-69CF-15B98681681A}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bandicam (HKLM-x32\...\Bandicam) (Version: 1.8.4.283 - Bandisoft.com)
Bandisoft MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version:  - )
Blacklight: Retribution (HKLM-x32\...\Steam App 209870) (Version:  - Zombie, Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CamStudio OSS Desktop Recorder (HKLM-x32\...\{FD9C31B6-F572-414D-81E3-89368C97A125}_is1) (Version: 2.6 Beta r294 - CamStudio Open Source Dev Team)
Chica Password Manager 2.0 2.0.0.8 (HKLM-x32\...\Chica Password Manager 2.0_is1) (Version: 2.0 - ChicaLogic, Inc.)
Company of Heroes 2 (HKLM-x32\...\Steam App 231430) (Version:  - )
CyberLink PowerDVD 9.5 (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.5.1.3426 - CyberLink Corp.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell DataSafe Local Backup - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 9.4.60 - Dell Inc.)
Dell DataSafe Local Backup (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 9.4.60 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Getting Started Guide (HKLM-x32\...\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}) (Version: 1.00.0000 - Dell Inc.)
Dell MusicStage (HKLM-x32\...\{91AF2672-F5BC-42CF-8037-A9D2F92BBCC0}) (Version: 1.5.201.0 - Fingertapps)
Dell PhotoStage (HKLM-x32\...\{0D98F04D-11A1-4B64-A406-43292B9EEE90}) (Version: 1.5.0.130 - ArcSoft)
Dell PhotoStage (HKLM-x32\...\{E4335E82-17B3-460F-9E70-39D9BC269DB3}) (Version: 1.5.0.130 - ArcSoft)
Dell Stage (HKLM-x32\...\{FE182796-F6BA-486A-8590-89B7E8D1D60F}) (Version: 1.7.209.0 - Fingertapps)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.1.6664.10 - Dell)
Dell Update (HKLM-x32\...\{3F862535-33F3-4F3F-864E-6D4F6FD3258D}) (Version: 1.5.2000.0 - Dell Inc.)
Dell VideoStage  (HKLM-x32\...\{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}) (Version: 1.2.0.1712 - CyberLink Corp.) Hidden
Dell VideoStage  (HKLM-x32\...\InstallShield_{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}) (Version: 1.2.0.1712 - CyberLink Corp.)
DirectX 9 Runtime (HKLM-x32\...\{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}) (Version: 1.00.0000 - Sonic Solutions) Hidden
DivX Setup (HKLM-x32\...\DivX Setup) (Version: 2.6.1.28 - DivX, LLC)
D-Link DWA-131 Wireless N Nano USB Adapter (HKLM-x32\...\{D9198056-A296-4583-A790-C0E73694CFE8}) (Version:  - D-Link)
Dota 2 (HKLM-x32\...\Steam App 570) (Version:  - Valve )
DVD Decrypter (Remove Only) (HKLM-x32\...\DVD Decrypter) (Version:  - )
FastStone Capture 7.3 (HKLM-x32\...\FastStone Capture) (Version: 7.3 - FastStone Soft)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.80 - Google Inc.)
Google Drive (HKLM-x32\...\{9C350701-AC04-48BA-A435-BD5E0D82897E}) (Version: 1.25.0523.2491 - Google, Inc.)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Talk Plugin (HKLM-x32\...\{CA3DD97D-1FD7-37A7-BD5C-FC4430C8B8E6}) (Version: 5.41.2.0 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.15 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.22.5 - Google Inc.) Hidden
Google+ Auto Backup (HKLM-x32\...\{A50DE037-B5C0-4C8A-8049-B0C576B313D1}) (Version: 1.0.21.81 - Google)
Gyazo 1.0 (HKLM-x32\...\{6DB8C365-E719-4BA5-9594-10DFC244D3FD}_is1) (Version:  - Toshiyuki Masui)
HandBrake 0.9.5 (HKLM-x32\...\HandBrake) (Version: 0.9.5 - )
HP Deskjet 1050 J410 series Basic Device Software (HKLM\...\{F294770E-F869-400F-81C3-614B5F13CA54}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 1050 J410 series Help (HKLM-x32\...\{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}) (Version: 140.0.66.66 - Hewlett Packard)
iCloud (HKLM\...\{CE97E4D3-9F91-4D72-8A29-ED9EA90E5A15}) (Version: 2.1.3.25 - Apple Inc.)
iDemo (HKLM-x32\...\{33ADC0AF-7A48-498A-9FE5-75533F00AED9}) (Version: 1.3.0 - Plutinosoft LLC)
iFunbox (v2.7.2386.747), iFunbox DevTeam (HKLM-x32\...\iFunbox_is1) (Version: v2.7.2386.747 - )
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.7.0 - LIGHTNING UK!)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.0.0.1046 - Intel Corporation)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Junk Mail filter update (HKLM-x32\...\{F6F30C28-38AA-4DBA-AE0B-7E30238E61BB}) (Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
LibreOffice 5.0 Help Pack (English (United States)) (HKLM-x32\...\{B4DF5984-0AD2-40C1-8380-5E4C6820731C}) (Version: 5.0.3.2 - The Document Foundation)
LibreOffice 5.0.3.2 (HKLM-x32\...\{D61E7AA0-0380-49B9-8DDD-7685E2306176}) (Version: 5.0.3.2 - The Document Foundation)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Manga Studio Debut 4.0 (HKLM-x32\...\Manga Studio Debut 4.0) (Version:  - )
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Expression Encoder 4 (HKLM-x32\...\Encoder_4.0.3205.0) (Version: 4.0.3205.0 - Microsoft Corporation)
Microsoft Expression Encoder 4 Screen Capture Codec (HKLM-x32\...\{F9EC30D1-F688-4708-9850-CB5120074AAA}) (Version: 4.0.3205.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.0.162.0 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{820B6609-4C97-3A2B-B644-573B06A0F0CC}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{45898170-E68C-4F02-AA35-C2186BF347A3}) (Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{B39A6825-EA20-43EA-AB2D-A6BC0298D9A1}) (Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Mozilla Firefox 41.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 41.0.2 (x86 en-US)) (Version: 41.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Multimedia Card Reader (HKLM-x32\...\{41068A8C-3F30-46B6-978A-EA692F28D1AF}) (Version: 1.7.915.93 - Fitipower) Hidden
Multimedia Card Reader (HKLM-x32\...\InstallShield_{41068A8C-3F30-46B6-978A-EA692F28D1AF}) (Version: 1.7.915.93 - Fitipower)
Need For Speed™ World (HKLM-x32\...\{7B2CC3DF-64FA-44AE-8F57-B0F915147E4F}_is1) (Version: 1.0.0.1599 - Electronic Arts)
NEF Codec (HKLM-x32\...\{D6506521-0959-4FA3-875F-E2E28830B0D2}) (Version: 1.00.0000 - Nikon)
Nikon Message Center (HKLM-x32\...\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}) (Version: 0.92.000 - Nikon)
Nikon RAW Codec (HKLM-x32\...\{C8616041-2802-4DE2-B3BD-6285AAD65C2A}) (Version: 1.00.0000 - Nikon)
Nikon Transfer (HKLM-x32\...\{E9757890-7EC5-46C8-99AB-B00F07B6525C}) (Version: 1.1.0 - Nikon)
Nostalgia Casino (HKLM-x32\...\nostalgia) (Version: 16.3.4.10395 - )
NVIDIA PhysX (HKLM-x32\...\{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}) (Version: 9.10.0513 - NVIDIA Corporation)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.2.0 - Frank Heindörfer, Philip Chinery)
PhotoShowExpress (HKLM-x32\...\{3250260C-7A95-4632-893B-89657EB5545B}) (Version: 2.0.063 - Sonic Solutions) Hidden
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Picture Control Utility (HKLM-x32\...\{87441A59-5E64-4096-A170-14EFE67200C3}) (Version: 1.1.0 - Nikon)
PlanetSide 2 (HKLM-x32\...\Steam App 218230) (Version:  - Sony Online Entertainment)
QuickTime 7 (HKLM-x32\...\{80CEEB1E-0A6C-45B9-A312-37A1D25FDEBC}) (Version: 7.78.80.95 - Apple Inc.)
RAR Password Unlocker 4.2.0.0 (HKLM-x32\...\{B789FA51-6A71-408F-92DE-EDE4A517B8F9}_is1) (Version:  - Password Unlocker Studio)
RBVirtualFolder64Inst (HKLM\...\{9D6DFAD6-09E5-445E-A4B5-A388FEEBD90D}) (Version: 1.00.0000 - Roxio, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2005 Runtime (HKLM-x32\...\{026C3D27-9BE1-46BE-BEAE-6DE38A0F4FBE}) (Version: 8.0 - RealNetworks) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (HKLM-x32\...\{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}) (Version: 9.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM-x32\...\RealPlayer 15.0) (Version:  - RealNetworks)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6141 - Realtek Semiconductor Corp.)
RealUpgrade 1.1 (HKLM-x32\...\{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}) (Version: 1.1.0 - RealNetworks, Inc.) Hidden
RescuePRO Deluxe 5.1.2.7 (HKLM-x32\...\{38D9AAB8-116B-40BB-A801-50B71DF82D24}_is1) (Version: 5.1.2.7 - LC Technology International, Inc.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Rollercoaster Rush™ (HKLM-x32\...\Rollercoaster Rush™) (Version: 32.0.0.0 - Shockwave.com)
Roxio Creator Starter (HKLM-x32\...\{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}) (Version: 12.1.77.0 - Roxio)
Roxio File Backup (HKLM\...\{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}) (Version: 1.3.2 - Roxio) Hidden
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype Toolbars (HKLM-x32\...\{981029E0-7FC9-4CF3-AB39-6F133621921A}) (Version: 1.0.4051 - Skype Technologies S.A.)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
SMPlayer 0.6.9 (HKLM-x32\...\SMPlayer) (Version: 0.6.9 - RVM)
Sonic CinePlayer Decoder Pack (HKLM-x32\...\{9A00EC4E-27E1-42C4-98DD-662F32AC8870}) (Version: 4.3.0 - Sonic Solutions) Hidden
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
THX TruStudio PC (HKLM-x32\...\{010A785B-F920-4350-821B-6309909C20BB}) (Version: 1.0 - Creative Technology Limited)
TinyBurn (HKLM-x32\...\{48A4899C-DACD-44DD-9B9A-748737E95002}) (Version: 1.0.0 - TinyBurn.com)
Tribes: Ascend (HKLM-x32\...\Steam App 17080) (Version:  - Hi-Rez Studios)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VC80CRTRedist - 8.0.50727.6195 (HKLM-x32\...\{933B4015-4618-4716-A828-5289FC03165F}) (Version: 1.2.0 - DivX, Inc) Hidden
Videora iPod touch Converter 6 (HKLM-x32\...\Videora iPod touch Converter) (Version: 6 - Red Kawa)
ViewNX (HKLM-x32\...\{F007CBCE-D714-4C0B-8CE9-9B0D78116468}) (Version: 1.1.0 - Nikon)
VirtualDJ Home FREE (HKLM-x32\...\{B515962D-C979-44AC-9912-F7BB499B4B2C}) (Version: 7.3 - Atomix Productions)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
War of the Vikings Early Access (HKLM-x32\...\Steam App 234530) (Version:  - Fatshark)
War Thunder (HKLM-x32\...\Steam App 236390) (Version:  - Gaijin Entertainment)
Warframe (HKLM-x32\...\Steam App 230410) (Version:  - Digital Extremes)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)

========================= Devices: ================================

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Device ID: ROOT\*TEREDO\0000
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


========================= Memory info: ===================================

Percentage of memory in use: 29%
Total physical RAM: 8174.46 MB
Available physical RAM: 5741.79 MB
Total Virtual: 16347.12 MB
Available Virtual: 13950.41 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:918.22 GB) (Free:469.36 GB) NTFS

========================= Users: ========================================

User accounts for \\FAMILY-PC

Administrator            Suzy                     Guest                    
Sean                     Mikey                     Mikey1                    
Steve                    


**** End of log ****
 

 

There appears to be dormant remnants of a malware proxy



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:10 PM

Posted 05 November 2015 - 10:23 PM

I noticed that, follow the instructions below please.

lv0mVRW.pngJunkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
    tLsXbWy.png
    Credits : BleepingComputer.com
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
zcMPezJ.pngAdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
    CfdTLN1.png
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
aOpBoaQ.pngMalwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends of your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
    L9PN4j1.png
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 sparklestar

sparklestar
  • Topic Starter

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 05 November 2015 - 11:32 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Home Premium x64
Ran by Suzy on 05/11/2015 at 22:32:11.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks

Successfully deleted: [Task] C:\Windows\system32\tasks\PCDEventLauncherTask



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Chrome


[C:\Users\Suzy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Suzy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Suzy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Suzy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/11/2015 at 22:34:58.93
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

I scanned with AdwCleaner, it finished scanning and popped up a window that says "AdwCleaner found no malicious program on your computer!". So, it has nothing to clean, doesn't reboot, and has no log.
 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/11/2015
Scan Time: 10:42 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.06.01
Rootkit Database: v2015.11.04.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Suzy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 632463
Time Elapsed: 27 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:10 PM

Posted 06 November 2015 - 06:22 AM

Alright, what about the Malwarebytes log? :)

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 sparklestar

sparklestar
  • Topic Starter

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 06 November 2015 - 06:41 AM

It's there in the bottom half of my post



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:10 PM

Posted 06 November 2015 - 07:46 AM

Oups my bad, I mistook it for the AdwCleaner log. Follow the instructions below please.

Download RegScanner from NirSoft. Once downloaded, extract the content of the .zip archive and launch RegScanner.exe. In the Find String zone, enter savingtoyou. Click on every items under Scan the following base keys and click on Scan. Once the scan is done, click on View followed by HTML Report - All Items. This will open a page in your webrowser displaying the results. Right-click on the page and select Save as then save the page (it'll be in an .html format). Once done, upload that file on Dropbox, Google Drive or OneDrive and post the download URL for it here please.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 sparklestar

sparklestar
  • Topic Starter

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 06 November 2015 - 09:41 AM

I don't have/use any of those services so hopefully me putting the results in this post is acceptable:

 

Registry Key     Name     Type     Data     Key Modified Time     Data Length

 

HKCR\CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}\InprocServer32         REG_SZ    C:\ProgramData\savingtoyou\wKOesVa607H988.x64.dll    22/11/2014 1:14:47 PM    50

 

HKCR\Wow6432Node\CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}\InprocServer32         REG_SZ    C:\ProgramData\savingtoyou\wKOesVa607H988.dll    22/11/2014 1:14:41 PM    46

 

HKLM\SOFTWARE\Classes\CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}\InprocServer32         REG_SZ    C:\ProgramData\savingtoyou\wKOesVa607H988.x64.dll    22/11/2014 1:14:47 PM    50

 

HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}\InprocServer32         REG_SZ    C:\ProgramData\savingtoyou\wKOesVa607H988.dll    22/11/2014 1:14:41 PM    46

 

HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}\InprocServer32         REG_SZ    C:\ProgramData\savingtoyou\wKOesVa607H988.dll    22/11/2014 1:14:41 PM    46

 

------

 

As far as I can tell, "C:\ProgramData\savingtoyou\" doesn't exist, probably cleaned out in one of the many scans I did

 

Also, RegScanner would have found more entries if I hadn't already changed them before creating this thread.

Here's what they were: (I changed them all to "File" instead of "savingtoyou")


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWithProgids]
"savingtoyou"=hex(0):

[HKEY_CLASSES_ROOT\.]
@="savingtoyou"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}]
@="savingtoyou"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}]
@="savingtoyou"

[HKEY_USERS\S-1-5-21-1109677539-3397356278-2367938664-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWithProgids]
"savingtoyou"=hex(0):



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:10 PM

Posted 06 November 2015 - 09:48 AM

If you enable your hidden files and system files (if you don't know how, let me know), do you see the C:\ProgramData\savingtoyou folder or not? As for all these entries, I'll put together a Registry fix in a .reg file for it, but it needs to be approved first by an Instructor. Will get on it now.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 sparklestar

sparklestar
  • Topic Starter

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 06 November 2015 - 10:17 AM

No, if I enable hidden files and system files that folder isn't there.

 

Thanks very much



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:10 PM

Posted 06 November 2015 - 10:30 AM

Alright. I submitted my fix to an Instructor, waiting for her approval :)

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:10 PM

Posted 06 November 2015 - 05:30 PM

Alright so I wrote the script. Prior to downloading and running it, let's create a Restore Point.

rONW46K.pngCreate a new System Restore Point
  • For Windows 7, click on the Windows Start Menu, right-click on Computer and select Properties;
  • For Windows 8, bring the cursor in the bottom left-corner of the screen and wait for the metro preview to open, then right-click on it and select System;
  • For Windows 8.1, right-click on the Windows logo in the bottom-left corner and select System;
  • Click on Advanced System Settings in the left pane;
  • Click on the System Protection tab;
  • Click on the Create... button;
  • Enter a descriptive name for the System Restore point you are about to create, and click on Create;
  • Wait until the creation is complete;
Once done, download Script.bat and save it (or move it on your Desktop). Once done, right-click on it and select Run as Administrator. A command prompt should open and close quickly, then a file called Output.txt will appear on your Desktop. Copy and paste its content here.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 sparklestar

sparklestar
  • Topic Starter

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 06 November 2015 - 10:19 PM

Short answer: The content of Output.txt is just one line:

 

The operation completed successfully.

 

 

Long answer:

 

When I run the batch file, the dos window comes up, and shows the first line of the script and then it just sits there with the window open. After a while of it sitting there, I opened the output.txt and it just has one line saying Permanently delete (this key) (yes/no?). So I closed the output.txt, and then I went back to the dos window and typed yes and pressed enter, and then it shows the next line of the script and sits there. I opened the output.txt file and it shows the next thing (yes/no), and it only shows one line, it has overwritten the previous line, it's not appending. So I closed output.txt and typed yes and enter again.

Then, realizing the log is only going to show the last thing, I started marking and copying and pasting the whole dos window to notepad before each yes, since the final yes would make the window disappear. So here is the last dos screen copy I could make:

-----

C:\Windows\system32>REG DELETE "HKEY_CLASSES_ROOT\CLSID\{466c4559-5906-4dc4-9491
-4fbf269bd6b4}"  1>C:\Users\Suzy\Desktop\Output.txt
yes

C:\Windows\system32>REG DELETE "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{466c4559-59
06-4dc4-9491-4fbf269bd6b4}"  1>C:\Users\Suzy\Desktop\Output.txt
yes

C:\Windows\system32>REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\
CLSID\{466c4559-5906-4dc4-9491-4fbf269bd6b4}"  1>C:\Users\Suzy\Desktop\Output.tx
t
yes
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32>REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur
rentVersion\Explorer\FileExts\.\OpenWithProgids" /v "file"  1>C:\Users\Suzy\Desk
top\Output.txt
yes

C:\Windows\system32>REG DELETE "HKEY_USERS\S-1-5-21-1109677539-3397356278-236793
8664-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWith
Progids" /v "file"  1>C:\Users\Suzy\Desktop\Output.txt


------

Then I typed yes and enter again, and in the split second before the window closed I did see "ERROR" something.

After the script completed, I opened Output.txt and it only contains one line:

The operation completed successfully.



Now that I look at it, I can explain the error from the second last command, HKEY_USERS\S-1-5-21-1109677539-3397356278-2367938664-1000  isn't in the registry at all any more, now it's -1002. And 1002 doesn't contain savingtoyou (also 1000 didn't any more either after I manually edited it before making this thread, as I described in my post #10). So that error is no problem.

As for the first Error, I can't explain that. RegScanner found that stuff in the registry, and I never touched it after that, yet now the script can't find it, and just now I manually looked for it in the registry and it's not there. I guess the important thing is that it's gone, but yeah I don't understand that, but I don't need to.


I re-did the regscanner instructions from your post #9, and it comes back with 0 results.

 

 

I exported the section of the registry where the script added something so you could see it:

 

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.]
@="File"
"@"=""

[HKEY_CLASSES_ROOT\.\CLSID]
@="{466c4559-5906-4dc4-9491-4fbf269bd6b4}"

[HKEY_CLASSES_ROOT\.\CurVer]
@=".9"

 

--------------

 

You can see there where it says "File", I did that manual edit before creating this thread, it used to say "savingtoyou".

 

 

I rebooted the computer. Files with no extension are still listed as file type "URL:File Protocol".  On a non messed up Windows 7 it would say "File".






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users