
Laptop Security & Infections Check, Follow Suspicious Behaviour


  • This topic is locked
26 replies to this topic

#1 Geminus77

  • Members
  • 26 posts
  • Gender:Male
  • Location:London

Posted 10 February 2016 - 09:27 AM

Hello

I have been noticing some peculiar behaviours with my laptop over a period of time. I am concerned whether it has had some breaches and would like to know if somebody could please go through it with me, to check whether it is free from infection and secure?

Some of the issues are my passwords from FF being deleted. Boxes flashing on my laptop when I have run no programs. My Remote Desktop keeps switching from Disabled to Automatic (I am not sure if this is normal?). My Internet Security program password was changed. Services have been given different settings (I noticed this when I compared a list of defaults to the settings I had at the time. I used another list to change some to alternative settings, following that). There have been other small things noticed over a period of time, but I struggle to recall what they were.

 

I have used the following tools to try and search for issues, but I have been useless when it comes to making use of the logs or making full use of commands:

  • Security Check
  • Farbar
  • MiniToolBox
  • MBAM
  • MBAR
  • Antirootkit
  • RKill
  • TFC
  • AdwCleaner
  • JRT
  • ESET Online Scanner
  • Windows Repair All In One

 

Here is the link to my thread in the Security forum

 

http://www.bleepingcomputer.com/forums/t/604957/laptop-security-infections-check/

 

 

I have enclosed the logs from my FRST scans.

 

Thank you.



Edited by Geminus77, 10 February 2016 - 09:33 AM.


 


#2 olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male

Posted 10 February 2016 - 03:35 PM

Hello Geminus77 and welcome to BleepingComputer. :welcome:
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.

Thanks

 

My Remote desktop keeps switching from Disabled to Automatic (I am not sure if this is normal?)

HKLM\...\StartupApproved\Run32: => "RemoteControl10"

Can we delete it? The machine is not too bad.

===================

HKLM\...\StartupApproved\Run32: => "mcui_exe"   ===>>

http://www.bleepingcomputer.com/startups/mcui_exe-26421.html

http://www.systemlookup.com/Startup/22544-mcagent_exe.html


Edited by olgun52, 10 February 2016 - 03:36 PM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 Geminus77

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male
  • Location:London

Posted 10 February 2016 - 03:55 PM

Hello Yilmaz and thank you for your response. 

 

I have read through the points and can confirm that I am the machine's administrator. I will also follow the advice of the points.

 

I am happy for us to delete the 'RemoteControl10' registry key, if it is helpful to do so.

I do not use McAfee and am happy to remove any traces of the program.

 

Thanks



#4 olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male

Posted 10 February 2016 - 04:14 PM

Hi Geminus77,
Okay.

 

Please do the following.

 

 

Step 1:
FRST Script:
Please download the attached Fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''.
  • Auto Launch > untick the box next to it.
  • Include All Browser Extensions > tick the box next to it.
  • Smart Scan settings: replace with Deep Scan.
  • Close all open files, folders and browsers.
  • Click Scan Now and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.

How's the PC running now?


Best regards

 


 


#5 Geminus77

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male
  • Location:London

Posted 10 February 2016 - 05:14 PM

Hi

When opening FRST I receive an Application Error dialogue box with the following message:

"Exception EAccess\Violation in module ERUNT.exe at 00003A38.

Access violation at address 00403A38 in module ERUNT.exe.  Read of address 0076005D"

 

I have noticed that some functions in my web browser are no longer working (I try to press some buttons on a page to sign in or create an account and it does not work).

 

 

Here are the contents of the logs (Zemana has two logs in its store, I have sent both):

 

Fix result of Farbar Recovery Scan Tool (x64) Version:07-02-2016
Ran by Negus1 (2016-02-10 21:22:03) Run:1
Running from C:\Users\Negus1\Desktop\New folder\New folder
Loaded Profiles: Negus1 (Available Profiles: Negus1)
Boot Mode: Normal
==============================================

fixlist content:
*****************

start
HKLM\...\StartupApproved\Run32: => "mcui_exe"   
HKLM\...\StartupApproved\Run32: => "RemoteControl10"
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\StartupApproved\Run: => ""
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\StartupApproved\Run: => "Messenger (Yahoo!)"
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\Run: [Messenger (Yahoo!)] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\MountPoints2: {f90f4bde-c90f-11e5-bf66-e0db55d1bde1} - "E:\AutoRun.exe"
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\MountPoints2: {f90f4c14-c90f-11e5-bf66-e0db55d1bde1} - "E:\AutoRun.exe"
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Application Agent] => "C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3967747739-2900106041-3195292124-1001 -> DefaultScope {A7DDE481-24DB-4ECA-824F-78BF582B2CBC} URL =
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: HKLM-x32 {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} hxxp://www.pcpitstop.com/nirvana/controls/pcmatic.cab
FF ProfilePath: C:\Users\Negus1\AppData\Roaming\Mozilla\Firefox\Profiles\o5weckcf.default-1383419016258
FF Plugin-x32: @meadco.com/neptune plugin,version=2.0.0.29 -> C:\PROGRA~2\MEADCO~1\npmeadax.dll [No File]
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF HKLM-x32\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman => not found
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
2016-02-09 21:20 - 2016-02-09 21:20 - 02178872 _____ (Reason Software Company Inc.) C:\Users\Negus1\Desktop\ShouldIRemoveIt_Setup.exe
2016-02-04 11:14 - 2016-02-04 11:14 - 00000000 ____D C:\Users\Negus1\AppData\Local\TempTaskUpdateDetection4F7264D9-9558-46E1-A4F6-EA9A0B6A82CF
2016-01-11 17:30 - 2016-01-11 17:31 - 00000000 ____D C:\ProgramData\F-Secure
2016-01-11 17:30 - 2016-01-11 17:30 - 00000000 ____D C:\Users\Negus1\AppData\Local\F-Secure
2016-02-10 13:43 - 2013-11-02 14:37 - 00000000 ____D C:\Users\Negus1\AppData\Local\CrashDumps
2016-02-09 20:10 - 2014-01-16 23:19 - 00000000 ____D C:\Users\Negus1\AppData\Roaming\MPC-HC
2016-02-08 21:07 - 2014-01-16 23:04 - 00000000 ____D C:\Users\Negus1\AppData\Roaming\vlc
2013-11-03 22:25 - 2013-11-03 22:25 - 0007874 _____ () C:\Users\Negus1\AppData\Local\WiDiSetupLog.20131103.222544.txt
2013-09-30 11:10 - 2013-09-30 11:10 - 0000057 _____ () C:\ProgramData\Ament.ini
Emptytemp:
end

*****************

HKLM\...\StartupApproved\Run32: => "mcui_exe" => Error: No automatic fix found for this entry.
HKLM\...\StartupApproved\Run32: => "RemoteControl10" => Error: No automatic fix found for this entry.
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\StartupApproved\Run: => "" => value not found.
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\...\StartupApproved\Run: => "Messenger (Yahoo!)" => value not found.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Messenger (Yahoo!) => value removed successfully
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoViewContextMenu => value removed successfully
"HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f90f4bde-c90f-11e5-bf66-e0db55d1bde1}" => key removed successfully
HKCR\CLSID\{f90f4bde-c90f-11e5-bf66-e0db55d1bde1} => key not found.
"HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f90f4c14-c90f-11e5-bf66-e0db55d1bde1}" => key removed successfully
HKCR\CLSID\{f90f4c14-c90f-11e5-bf66-e0db55d1bde1} => key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Bitdefender Wallet Application Agent => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-3967747739-2900106041-3195292124-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{0E5F0222-96B9-11D3-8997-00104BD12D94}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{0E5F0222-96B9-11D3-8997-00104BD12D94}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{FFB3A759-98B1-446F-BDA9-909C6EB18CC7}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{FFB3A759-98B1-446F-BDA9-909C6EB18CC7}" => key removed successfully
FF ProfilePath: C:\Users\Negus1\AppData\Roaming\Mozilla\Firefox\Profiles\o5weckcf.default-1383419016258 => FRST is scripted not to move this directory.
"HKLM\Software\Wow6432Node\MozillaPlugins\@meadco.com/neptune plugin,version=2.0.0.29" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6" => key removed successfully
C:\Program Files (x86)\Yahoo!\Shared\npYState.dll => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ffpwdman@bitdefender.com => value removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully
C:\Users\Negus1\Desktop\ShouldIRemoveIt_Setup.exe => moved successfully
C:\Users\Negus1\AppData\Local\TempTaskUpdateDetection4F7264D9-9558-46E1-A4F6-EA9A0B6A82CF => moved successfully
C:\ProgramData\F-Secure => moved successfully
C:\Users\Negus1\AppData\Local\F-Secure => moved successfully
C:\Users\Negus1\AppData\Local\CrashDumps => moved successfully
C:\Users\Negus1\AppData\Roaming\MPC-HC => moved successfully
C:\Users\Negus1\AppData\Roaming\vlc => moved successfully
C:\Users\Negus1\AppData\Local\WiDiSetupLog.20131103.222544.txt => moved successfully
C:\ProgramData\Ament.ini => moved successfully
EmptyTemp: => 468.8 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 21:22:45 ====

 

 

Zemana AntiMalware 2.19.2.852 (Installed)

-------------------------------------------------------
Scan Result            : Terminated
Scan Date              : 2016/2/10
Operating System       : Windows 8.1 64-bit
Processor              : 4X Intel® Core™ i5-3210M CPU @ 2.50GHz
BIOS Mode              : UEFI
CUID                   : 00FFB515D43888427EC2CA
Scan Type              : Deep Scan
Duration               : 0m 20s
Scanned Objects        : 5937
Detected Objects       : 10
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Yes
Include All Extensions : Yes
Scan Documents         : No
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Default
Status             : Scanned
Object             : %programfiles%\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Default

VTzilla
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\info@virustotal.com.xpi
MD5                : B8982FC0877AEB8D106F4F3160A8E2DC
Publisher          : -
Size               : 21731
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - VTzilla
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\info@virustotal.com.xpi

NoScript
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
MD5                : 4C06FA73D9934FC73250766FB769ECE9
Publisher          : -
Size               : 562130
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - NoScript
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

SQLite Manager
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\sqlitemanager@mrinalkant.blogspot.com.xpi
MD5                : 3B1EC1C95304D3641223B43E1C8C033F
Publisher          : -
Size               : 266657
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - SQLite Manager
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\sqlitemanager@mrinalkant.blogspot.com.xpi

Password Exporter
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{b17c1c5a-04b1-11db-9804-b622a1ef5492}.xpi
MD5                : EE3D4E7EA14BFBF827F3060C7F9F0A22
Publisher          : -
Size               : 85756
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Password Exporter
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{b17c1c5a-04b1-11db-9804-b622a1ef5492}.xpi

Adblock Plus
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
MD5                : F4741D13447199718BB610E392A9DECD
Publisher          : -
Size               : 1001911
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Adblock Plus
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

Norton Identity Safe
Status             : Scanned
Object             : %programdata%\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nsbu_22.0.0.110\coffaddon
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Norton Identity Safe

Ghostery
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\firefox@ghostery.com.xpi
MD5                : A8B1903E632A3FE9CE3020177E513DCD
Publisher          : -
Size               : 1955324
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Ghostery
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\firefox@ghostery.com.xpi

Adblock Plus Pop-up Addon
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\adblockpopups@jessehakanen.net.xpi
MD5                : 59BBEE83C1121FC339928B9101A52A7D
Publisher          : -
Size               : 151374
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Adblock Plus Pop-up Addon
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\adblockpopups@jessehakanen.net.xpi

DuckDuckGo Plus
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\jid1-zadieub7xozojw@jetpack.xpi
MD5                : 0E55B8DC30E155E9CC12C77B8FB7457A
Publisher          : -
Size               : 139159
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - DuckDuckGo Plus
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\jid1-zadieub7xozojw@jetpack.xpi
 

 

 

Zemana AntiMalware 2.19.2.852 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/2/10
Operating System       : Windows 8.1 64-bit
Processor              : 4X Intel® Core™ i5-3210M CPU @ 2.50GHz
BIOS Mode              : UEFI
CUID                   : 00FFB515D43888427EC2CA
Scan Type              : Deep Scan
Duration               : 24m 27s
Scanned Objects        : 227290
Detected Objects       : 12
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Yes
Include All Extensions : Yes
Scan Documents         : No
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Default
Status             : Scanned
Object             : %programfiles%\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Default

VTzilla
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\info@virustotal.com.xpi
MD5                : B8982FC0877AEB8D106F4F3160A8E2DC
Publisher          : -
Size               : 21731
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - VTzilla
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\info@virustotal.com.xpi

NoScript
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
MD5                : 4C06FA73D9934FC73250766FB769ECE9
Publisher          : -
Size               : 562130
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - NoScript
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

SQLite Manager
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\sqlitemanager@mrinalkant.blogspot.com.xpi
MD5                : 3B1EC1C95304D3641223B43E1C8C033F
Publisher          : -
Size               : 266657
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - SQLite Manager
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\sqlitemanager@mrinalkant.blogspot.com.xpi

Password Exporter
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{b17c1c5a-04b1-11db-9804-b622a1ef5492}.xpi
MD5                : EE3D4E7EA14BFBF827F3060C7F9F0A22
Publisher          : -
Size               : 85756
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Password Exporter
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{b17c1c5a-04b1-11db-9804-b622a1ef5492}.xpi

Adblock Plus
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
MD5                : F4741D13447199718BB610E392A9DECD
Publisher          : -
Size               : 1001911
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Adblock Plus
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

Norton Identity Safe
Status             : Scanned
Object             : %programdata%\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nsbu_22.0.0.110\coffaddon
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Norton Identity Safe

Ghostery
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\firefox@ghostery.com.xpi
MD5                : A8B1903E632A3FE9CE3020177E513DCD
Publisher          : -
Size               : 1955324
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Ghostery
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\firefox@ghostery.com.xpi

Adblock Plus Pop-up Addon
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\adblockpopups@jessehakanen.net.xpi
MD5                : 59BBEE83C1121FC339928B9101A52A7D
Publisher          : -
Size               : 151374
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Adblock Plus Pop-up Addon
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\adblockpopups@jessehakanen.net.xpi

DuckDuckGo Plus
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\jid1-zadieub7xozojw@jetpack.xpi
MD5                : 0E55B8DC30E155E9CC12C77B8FB7457A
Publisher          : -
Size               : 139159
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - DuckDuckGo Plus
                File - %appdata%\mozilla\firefox\profiles\o5weckcf.default-1383419016258\extensions\jid1-zadieub7xozojw@jetpack.xpi

slimcomputer-setup.exe
Status             : Scanned
Object             : %userprofile%\desktop\df\new folder\slimcomputer-setup.exe
MD5                : 20FD2CA22EED564BD6F190240CB17D94
Publisher          : Slimware Utilities, Inc.
Size               : 670016
Version            : 1.3.0.0
Detection          : Scareware:Win32/FakeOptimizer!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %userprofile%\desktop\df\new folder\slimcomputer-setup.exe

stflt.sys
Status             : Scanned
Object             : %systemroot%\system32\drivers\stflt.sys
MD5                : B9657A0AFF28C1CB114ACC0CB93EE4BB
Publisher          : Crawler, LLC
Size               : 51496
Version            : 4.0.1.1
Detection          : Win32/Browser.Hijacker.Crawler!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %systemroot%\system32\drivers\stflt.sys


Cleaning Result
-------------------------------------------------------
Cleaned               : 11
Reported as safe      : 0
Failed                : 1

Failed Objects
-------------------------------------------------------
Norton Identity Safe
Status             : Scanned
Object             : %programdata%\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nsbu_22.0.0.110\coffaddon
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Norton Identity Safe


 


Edited by Geminus77, 10 February 2016 - 05:37 PM.


#6 olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male

Posted 11 February 2016 - 11:42 AM

Hi Geminus77,
Please do the following for me
 
Step 1:

Please download SystemLook from one of the links below and save it to your Desktop.
Download 1
Download 2

  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
:filefind
mcui_exe

:folderfind
RemoteControl10

:regfind
mcui_exe
RemoteControl10
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan.
  • Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
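Added example, not part of the thread and not SystemLook's own code: a PowerShell approximation of the :filefind / :folderfind / :regfind directives in the post above, run for the same two names. It assumes Windows PowerShell 5.1 in an elevated prompt, so that HKLM and protected folders are readable.

```powershell
# Added example (not from the thread, not SystemLook's code): approximate the
# SystemLook :filefind / :folderfind / :regfind directives in PowerShell.
# Assumes Windows PowerShell 5.1, run elevated so HKLM and protected folders are readable.
$terms = @('mcui_exe', 'RemoteControl10')

function Find-FileOrFolder {
    param([string]$Term, [switch]$Directory)
    # Walk every file-system drive; access-denied folders are skipped rather than fatal.
    Get-PSDrive -PSProvider FileSystem | Where-Object Root | ForEach-Object {
        Get-ChildItem -LiteralPath $_.Root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -eq [bool]$Directory -and $_.Name -like "*$Term*" } |
            Select-Object FullName, LastWriteTime
    }
}

function Find-RegistryTerm {
    param([string]$Term,
          [string[]]$Hives = @('HKLM:\', 'HKCU:\', 'Registry::HKEY_USERS'))
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # 1) match on the key name itself
            if ($key.PSChildName -like "*$Term*") {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            # 2) match on value names or value data, which is where SystemLook
            #    reported the RemoteControl10 hits under ...\RevoUninstaller\Autoruns
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -like "*$Term*" -or $data -like "*$Term*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

foreach ($t in $terms) {
    "========== filefind: $t =========="
    Find-FileOrFolder -Term $t | Format-Table -AutoSize
    "========== folderfind: $t =========="
    Find-FileOrFolder -Term $t -Directory | Format-Table -AutoSize
    "========== regfind: $t =========="
    Find-RegistryTerm -Term $t | Format-Table -AutoSize -Wrap
}
```

A full registry and disk walk takes several minutes; HKCU is also a subtree of HKEY_USERS, so the same hit can appear twice, exactly as it did in the SystemLook log.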

#7 Geminus77

Geminus77
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:London
  • Local time:07:29 AM

Posted 11 February 2016 - 12:30 PM

Hi Yilmaz

Sorry for my delay.  I have been out for most of the day.

Here are the logs:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:13 on 11/02/2016 by Negus1
Administrator - Elevation successful

========== filefind ==========

Searching for "mcui_exe"
No files found.

========== folderfind ==========

Searching for "RemoteControl10"
No folders found.

========== regfind ==========

Searching for "mcui_exe"
No data found.

Searching for "RemoteControl10"
[HKEY_CURRENT_USER\Software\VSRevoGroup\RevoUninstaller\Autoruns\HKLM\Run]
"RemoteControl10"=""C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe""
[HKEY_USERS\S-1-5-21-3967747739-2900106041-3195292124-1001\Software\VSRevoGroup\RevoUninstaller\Autoruns\HKLM\Run]
"RemoteControl10"=""C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe""

-= EOF =-


# AdwCleaner v5.033 - Logfile created 11/02/2016 at 17:19:09
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Negus1 - NEGUS
# Running from : C:\Users\Negus1\Desktop\New folder\New folder\adwcleaner_5.033.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [584 bytes] ##########

#8 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:11:29 AM

Posted 12 February 2016 - 04:35 PM

Hi

Step 1:
 Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 2:

RogueKiller by Tigzy

  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply


Best regards
 

#9 Geminus77

Geminus77
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:London
  • Local time:07:29 AM

Posted 12 February 2016 - 08:04 PM

Hi again.

I shall be away all day on Saturday.  I am unsure if you will reply before Monday but if you do, I shall be able to respond to your next instructions on Sunday.

Thank you.

Here are the latest logs:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/02/2016
Scan Time: 23:59
Logfile: MBAM.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.12.06
Rootkit Database: v2016.02.08.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Negus1

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382765
Time Elapsed: 32 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

RogueKiller V11.0.11.0 [Feb  8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Negus1 [Administrator]
Started from : C:\Users\Negus1\Desktop\RogueKiller.exe
Mode : Scan -- Date : 02/13/2016 00:48:25

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3967747739-2900106041-3195292124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3967747739-2900106041-3195292124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] o5weckcf.default-1383419016258 : user_pref("browser.startup.homepage", "http://duckduckgo.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10JPVT-75A1YT0 +++++
--- User ---
[MBR] 45dd95059c95b64e9b195a8050af03d3
[BSP] 2e1f6782091d65901b9660c563d8de5e : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1026048 | Size: 40 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1107968 | Size: 128 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1370112 | Size: 500 MB
4 - Basic data partition | Offset (sectors): 2394112 | Size: 938038 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1923495936 | Size: 450 MB
6 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1924417536 | Size: 350 MB
7 - [SYSTEM][MAN-MOUNT] Microsoft recovery partition | Offset (sectors): 1925134336 | Size: 13861 MB
User = LL1 ... OK
User = LL2 ... OK

I hope you have a pleasant weekend.



#10 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:11:29 AM

Posted 12 February 2016 - 08:42 PM

I shall be away all day on Saturday.  I am unsure if you will reply before Monday but if you do, I shall be able to respond to your next instructions on Sunday.


I hope you have a pleasant weekend.

Okay. Thank you. I hope you also have a pleasant weekend.

====================================================

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

=========================================================================

How is the machine running now, and are there any issues? Please let me know.


Best regards
 

#11 Geminus77

Geminus77
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:London
  • Local time:07:29 AM

Posted 14 February 2016 - 06:18 PM

Hello

I have run the Eset scanner and it produced no threats.

I have noticed that the service for remote desktop still switches to 'Automatic' with each restart.

When I open a webpage that requires log in, a box appears: "PASSWORD REQUIRED - Please enter the master password for the software security device". I am not sure what this is?

I have also noticed in my 'Startup Items' list, there is a disabled startup for "Microsoft Windows Based Script Host". I am not sure if this should be there?

Thank you.



#12 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:11:29 AM

Posted 15 February 2016 - 09:23 PM

I think the virus appears at startup.

F-Secure Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go HERE to run an online scan from F-Secure
  • Click on Run Now
  • it will download the scanner
  • then will open a new window
  • click on "start"
  • click on "accept"
  • the scan will start - when finished let me know if it found anything

Best regards
 

#13 Geminus77

Geminus77
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:London
  • Local time:07:29 AM

Posted 15 February 2016 - 10:20 PM

Hi

It found no threats.

I have also been noticing my web browser flicker when first opening on to a web page, (such as this site and on the F-Secure site, etc...). This happens after I have closed the PASSWORD REQUIRED box.



#14 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:11:29 AM

Posted 15 February 2016 - 10:32 PM

Please post me the log file.

I do not think there is a problem, but you can reset the browser.


Best regards
 

#15 Geminus77

Geminus77
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:London
  • Local time:07:29 AM

Posted 16 February 2016 - 03:52 PM

Hi

It did not produce a log file, (I ran it three times), but I do have screen shots of the items I mentioned.

I will reset the browser and see what happens.
