

Question about possible infections.


This topic is locked
5 replies to this topic

#1 dmburkus

dmburkus

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 16 February 2016 - 12:23 AM

I just joined and hope that I am not repeating a question asked by someone else.  I had advanced cataract blindness, and while I had surgery last summer, the result (while a vast improvement over blindness) also has its limitations -- meaning I am no longer able to scan lists easily.  Anyway, I was not able to notice anything related to these issues, so I will risk wasting your time by asking. 
 
First, I am currently living in South Korea.  My PC is running Windows 7 Ultimate, and I connect to the internet via a "WiFi egg" from Olleh.  My browser is Firefox.  My Antivirus is Avast.  I have Malwarebytes, Spybot, Super Antispyware, and PC Cleaner.  Malwarebytes has consistently given negative results, and usually Super turns up a bunch of .sqlite cookies, as does Spybot.
Last Autumn my PC was fried because of wiring issues (the fault of the landlord), and a friend of mine finally helped to rebuild the machine (new main board and graphics card, and so forth) last month.  The Windows 7 Ultimate OS was installed on a new hard drive, and the updates are up-to-date.  Last week the machine started acting strangely, and I immediately ran an Avast boot time scan:
 
 
◎ The Avast boot time scan gave four possible results (but took no action against these files):
 
C:\Windows\SoftwareDistribution\b3f9074b7df61a848757b46cbb5d73d95d56e1db\>netfx_FullLP.mzz  {file is a decompression bomb}

C:\Windows\SoftwareDistribution\Download\b3f9074b7df61a848757b46cbb5d73d95d56e1db  {file is a decompression bomb}


C:\Windows\SoftwareDistribution\6fd1f78198329ed3207a888e1062f2dd46e03\>netfx_FullLP.mzz  {file is a decompression bomb}

C:\Windows\SoftwareDistribution\Download\6fd1f78198329ed3207a888e1062f2dd46e03  {file is a decompression bomb}
 
 
◎ Then I tried to run Malwarebytes, and the PC crashed.
 
 
◎ I also tried to run a Dr. Web scan after the Avast boot time scan finished, and it indicated that the DNS Hosts file was corrupted, which Dr. Web repaired.
 
 
After this the machine appeared to be working properly again.
 
 
Then, a couple of days ago, the machine suddenly lost the ability to connect to the internet (this happened while I was away from the machine -- it was working fine before, while I was working on my translations, and when I came back, no internet).  Again, I ran an Avast boot time scan, and it turned up the same files as before, and nothing else.
 
 
◎ I ran Dr. Web, and the machine crashed (shut down) twice during successive scans (the first time I thought I had inadvertently bumped the power switch, which on this PC is very sensitive, so I restarted the PC and restarted the scan, but it shut down again when approximately 75% through).
 
 
◎ TDSSKiller turned up no rootkits.
 
 
◎ RogueKiller gave the following results:
 
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)


¤¤¤ Driver : [NOT LOADED 0xc000035f] ¤¤¤
[Address] EAT @explorer.exe (BeginBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736309AE)
[Address] EAT @explorer.exe (BeginBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736249A1)
[Address] EAT @explorer.exe (BeginPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73650731)
[Address] EAT @explorer.exe (BufferedPaintClear) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73626395)
[Address] EAT @explorer.exe (BufferedPaintInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362940E)
[Address] EAT @explorer.exe (BufferedPaintRenderAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736308ED)
[Address] EAT @explorer.exe (BufferedPaintSetAlpha) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7363E6B3)
[Address] EAT @explorer.exe (BufferedPaintStopAllAnimations) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7363D395)
[Address] EAT @explorer.exe (BufferedPaintUnInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736294AB)
[Address] EAT @explorer.exe (CloseThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73626A18)
[Address] EAT @explorer.exe (DrawThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73623982)
[Address] EAT @explorer.exe (DrawThemeBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7363D9DA)
[Address] EAT @explorer.exe (DrawThemeEdge) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73643B52)
[Address] EAT @explorer.exe (DrawThemeIcon) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736535E7)
[Address] EAT @explorer.exe (DrawThemeParentBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736253E5)
[Address] EAT @explorer.exe (DrawThemeParentBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736251BF)
[Address] EAT @explorer.exe (DrawThemeText) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73624EA1)
[Address] EAT @explorer.exe (DrawThemeTextEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736263E6)
[Address] EAT @explorer.exe (EnableThemeDialogTexture) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362FCAF)
[Address] EAT @explorer.exe (EnableTheming) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73652FEB)
[Address] EAT @explorer.exe (EndBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73623F9A)
[Address] EAT @explorer.exe (EndBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73623F9A)
[Address] EAT @explorer.exe (EndPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736506CC)
[Address] EAT @explorer.exe (GetBufferedPaintBits) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73624BAF)
[Address] EAT @explorer.exe (GetBufferedPaintDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736304BC)
[Address] EAT @explorer.exe (GetBufferedPaintTargetDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73630473)
[Address] EAT @explorer.exe (GetBufferedPaintTargetRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73652E7F)
[Address] EAT @explorer.exe (GetCurrentThemeName) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736305DD)
[Address] EAT @explorer.exe (GetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73630FB1)
[Address] EAT @explorer.exe (GetThemeBackgroundContentRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362CD2E)
[Address] EAT @explorer.exe (GetThemeBackgroundExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362F8BF)
[Address] EAT @explorer.exe (GetThemeBackgroundRegion) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7363165D)
[Address] EAT @explorer.exe (GetThemeBitmap) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362BF93)
[Address] EAT @explorer.exe (GetThemeBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73627C1F)
[Address] EAT @explorer.exe (GetThemeColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362616C)
[Address] EAT @explorer.exe (GetThemeDocumentationProperty) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73652932)
[Address] EAT @explorer.exe (GetThemeEnumValue) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362616C)
[Address] EAT @explorer.exe (GetThemeFilename) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73652412)
[Address] EAT @explorer.exe (GetThemeFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362FF21)
[Address] EAT @explorer.exe (GetThemeInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362616C)
[Address] EAT @explorer.exe (GetThemeIntList) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736523B1)
[Address] EAT @explorer.exe (GetThemeMargins) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736286E9)
[Address] EAT @explorer.exe (GetThemeMetric) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736306E2)
[Address] EAT @explorer.exe (GetThemePartSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7362CDB1)
[Address] EAT @explorer.exe (GetThemePosition) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73652350)
[Address] EAT @explorer.exe (GetThemePropertyOrigin) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73643FBB)
[Address] EAT @explorer.exe (GetThemeRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73633611)
[Address] EAT @explorer.exe (GetThemeStream) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736339D9)
[Address] EAT @explorer.exe (GetThemeString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736522E4)
[Address] EAT @explorer.exe (GetThemeSysBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73653172)
[Address] EAT @explorer.exe (GetThemeSysColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73643274)
[Address] EAT @explorer.exe (GetThemeSysColorBrush) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7365301E)

     RogueKiller has apparently dealt with the files it discovered, and the PC now seems to be working properly again.
 
 
     I downloaded the following today (mostly because they were "recommended" on the download page of the DDS.scr):  DDS.scr; Adw Cleaner; ComboFix; Junkware Removal Tool; Defogger; AdwCleaner; and OSHI Unhooker.  I ran DDS.scr (and have the two .txt logs), but have not run any of the others.  (I am not really very good with computers and prefer not to run things that I do not know until someone with a lot more experience suggests I do so.)
 
     My main question is, has the infection really been cured (as I said, it appeared to be cured last week, and then suddenly resurfaced without my having done anything)?  Where might these files have come from (I do not surf the web, and mostly limit my on-line activity to searches in on-line dictionaries and the occasional Google search; I also use Tumblr, and suspect that this may have been where the infection came from -- and have subsequently unfollowed all of the blogs that I had joined since the problems started, as well as a number of others just as a precaution) and how can I avoid them (my translations are published in a Tumblr blog, so I can not avoid the site entirely, but is there a way to block these types of infections being downloaded)?  Are there any other tools -- from the above list or others -- that I should run (regularly, or now) to make sure the machine is clean?  A major request, I guess.

     Thank you all for your patience, and for any help or suggestions you may be able to provide.  Please have a good day.
 
 
-- Daniel M. Burkus


I would like to add an update: apparently all is not well. The PC just crashed/shut down spontaneously (while I was reading the news). The machine has 3 hard drives, and one of the hard drives that was off suddenly turned on (I heard it start up) and then the PC went off. I have always supposed that I was running full scans, but...I do not know what to think now.  And when I entered "safe mode" and tried to run a freshly downloaded version of Dr. Web, the machine crashed again during the scan.

Any help would be appreciated. Thank you all very much.


-- Daniel M. Burkus


Edited by dmburkus, 16 February 2016 - 07:30 AM.
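The RogueKiller excerpt in the post above mixes two kinds of findings: registry policy values the tool replaced (the two UAC settings and two desktop-icon settings), and export-table (EAT) entries of explorer.exe that resolve into UxTheme.dll. The Python script below is an added example, not code from the thread or from RogueKiller. It parses a constructed excerpt modelled on the quoted lines, explains the two UAC values using Microsoft's documented meanings for EnableLUA and ConsentPromptBehaviorAdmin, and counts hooked exports per target module so a reviewer can see at a glance whether every hook points at the same system DLL (the pattern a UI theme tweak leaves) or at many different targets. The regular expressions, the function names and the sample excerpt are my assumptions about the log format as it appears in the post.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the RogueKiller lines quoted in the post
# (only two of the EAT lines are reproduced; the format is the same).
SAMPLE_LOG = r"""
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Driver : [NOT LOADED 0xc000035f] ¤¤¤
[Address] EAT @explorer.exe (BeginBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x736309AE)
[Address] EAT @explorer.exe (DrawThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73623982)
"""

# Assumed line shapes, derived from the excerpt above (not an official grammar).
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) ¤¤¤$")
REG_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]\[(?P<kind>[^\]]+)\] (?P<key>\S+) : (?P<value>\S+) "
    r"\((?P<old>[^)]*)\) -> (?P<action>\w+) \((?P<new>[^)]*)\)$"
)
HOOK_RE = re.compile(
    r"^\[Address\] EAT @(?P<process>\S+) \((?P<export>\w+)\) : (?P<module>\S+) "
    r"-> (?P<state>\w+) \((?P<target>.+?) @ (?P<addr>0x[0-9A-Fa-f]+)\)$"
)

# Documented meanings of the two UAC policy values that RogueKiller touched.
UAC_VALUES = {
    "EnableLUA": {"0": "UAC disabled", "1": "UAC enabled"},
    "ConsentPromptBehaviorAdmin": {
        "0": "elevate without prompting",
        "1": "prompt for credentials on the secure desktop",
        "2": "prompt for consent on the secure desktop",
        "3": "prompt for credentials",
        "4": "prompt for consent",
        "5": "prompt for consent for non-Windows binaries",
    },
}


def parse_roguekiller(text):
    """Split a RogueKiller report into registry entries and EAT hook entries."""
    report = {"registry": [], "hooks": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = REG_RE.match(line)
        if m:
            report["registry"].append({**m.groupdict(), "section": section})
            continue
        m = HOOK_RE.match(line)
        if m:
            report["hooks"].append({**m.groupdict(), "section": section})
    return report


def uac_findings(registry_entries):
    """Render the UAC-related registry changes as human-readable before/after lines."""
    out = []
    for e in registry_entries:
        meanings = UAC_VALUES.get(e["value"])
        if not meanings:
            continue  # desktop icon tweaks and anything else are not UAC policy
        old = meanings.get(e["old"], "unknown")
        new = meanings.get(e["new"], "unknown")
        out.append(f"{e['value']}: was {e['old']} ({old}), "
                   f"{e['action']} with {e['new']} ({new})")
    return out


def hook_targets(hooks):
    """Count hooked exports per module they now resolve to."""
    return Counter(h["target"] for h in hooks)


if __name__ == "__main__":
    rep = parse_roguekiller(SAMPLE_LOG)
    for finding in uac_findings(rep["registry"]):
        print(finding)
    for target, n in hook_targets(rep["hooks"]).items():
        print(f"{n} hooked export(s) in explorer.exe resolve to {target}")
```

Run it as a script to print the summary, or import it and feed `parse_roguekiller` the text of a real report. A single target module for every hook, as in the excerpt, matches the explanation given later in the thread (a themed UxTheme.dll); several unrelated targets would be the case to examine more closely.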




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,602 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:31 PM

Posted 16 February 2016 - 03:12 PM

Hi Daniel :)

My name is Aura and I'll be assisting you with your issue. To get started, I'll need you to provide me a fresh pair of FRST logs. Once done, I'll go over them, and prepare my first reply that will also address every question you asked so far.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open;
  • Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;
Your next reply should include:
  • Copy/pasted content of the FRST.txt log;
  • Copy/pasted content of the Addition.txt log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 dmburkus

dmburkus
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 16 February 2016 - 07:20 PM

Dear Aura,

 

Thank you very much for taking the time and effort to help me solve this problem.

Unfortunately the reply form indicated that the FRST.txt file was too long to include in the post, so I have attached both of them to this note.

I hope these files will provide you with everything necessary to at least suggest the next step.

Thank you, once again.  Please have a good day.

Sincerely yours,

Daniel M. Burkus




#4 dmburkus

dmburkus
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 17 February 2016 - 06:52 PM

As a situation update:  my PC has been shutting down with increasing frequency since the above was posted, yet malware scans either show nothing (Emsisoft Emergency Kit, deep scan with latest definitions), or crash (the machine shuts down) while in progress -- including a scan by Windows Defender (two new updates for which have been received from Microsoft in as many days, possibly in response to the numerous shut-downs).

 

Another thing:  since these problems have started happening, I have noticed an A: drive icon appearing in My Computer.  My PC does not have a floppy drive -- and this icon was not present until a week or two ago.  When I checked this drive (properties), it indicates that the disc is full (all blue), .jpg image attached.  This strikes me as odd.

 

Also, since I am making a clean-breast of things as it were, there is a small built-in display on the PC unit that "used to" show the CPU temperature and cooling fans, and this has stopped working.  I will assume around the time (at the time) of the presumed infection (because of issues with my eyesight -- Aura, try to avoid cataract surgery if you can because it destroys any hopes of retaining your peripheral vision -- I can not see anything that I am not looking at directly; as the PC unit is under the table on which the monitor and keyboard sit, it is out of the range of my vision unless I stare directly at it, which I usually am not in the habit of doing).  And I have not noticed any sound from the cooling fans connected to this unit (which are quite noisy) recently.

 

     I removed the driver for the floppy player from the device manager, but when I next ran the PC, Windows reinstalled the driver.

 

-- Daniel M. Burkus



Edited by dmburkus, 18 February 2016 - 08:00 AM.


#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,602 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:31 PM

Posted 18 February 2016 - 05:23 PM

Hi Daniel :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted to make sure that you receive the best assistance possible. Sorry for the inconvenience. This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)
 
I have reasons to think that you currently have software installed illegally on your system (pirated programs). BleepingComputer doesn't condone piracy, nor defeating copyright protections in order to illegally use a software. Therefore, I'll ask you to please uninstall any cracked software you are aware of on your system before we move on. If you need help identifying these programs, please let me know and I'll point them out to you.
 
Outdated Programs Warning!

I noticed that you have outdated vulnerable programs installed on your system. I'll ask you to uninstall them since keeping outdated software installed on a system puts it more at risk of being infected. Otherwise, you can update them right now, and make sure that their outdated version is uninstalled after. We will reinstall these programs at the end of the clean-up if you decide to uninstall them now, and need them after.
  • Adobe Reader X (10.1.14);
If you have an issue when uninstalling a program, please let me know.

Malwarebytes has consistently given negative results, and usually Super turns up a bunch of .sqlite cookies, as does Spybot.


Malwarebytes doesn't target cookies, while Spybot and SUPERAntiSpyware do. Since cookies aren't malicious, I would ignore these detections and leave them be (unless you have an issue with cookies, then you can delete them, but they do no harm).

Last week the machine started acting strangely, and I immediately ran an Avast boot time scan:


◎ The Avast boot time scan gave four possible results (but took no action against these files):

C:\Windows\SoftwareDistribution\b3f9074b7df61a848757b46cbb5d73d95d56e1db\>netfx_FullLP.mzz {file is a decompression bomb}
C:\Windows\SoftwareDistribution\Download\b3f9074b7df61a848757b46cbb5d73d95d56e1db {file is a decompression bomb}
C:\Windows\SoftwareDistribution\6fd1f78198329ed3207a888e1062f2dd46e03\>netfx_FullLP.mzz {file is a decompression bomb}
C:\Windows\SoftwareDistribution\Download\6fd1f78198329ed3207a888e1062f2dd46e03 {file is a decompression bomb}


The SoftwareDistribution folder is where Windows Updates are downloaded, extracted and installed from. avast! detections are false positives on Windows Update files that are stored in the SoftwareDistribution folder, so I would ignore them, they are legitimate.

◎ I also tried to run a Dr. Web scan after the Avast boot time scan finished, and it indicated that the DNS Hosts file was corrupted, which Dr. Web repaired.


This is because Spybot and SUPERAntiSpyware are known to change your hosts file and use it to block known malicious and tracking hosts. As soon as the hosts file is altered from its original form, pretty much every security software will target it saying it's "corrupt" or "hijacked", even though it contains legitimate entries. So once again, I wouldn't worry about it.

◎ RogueKiller gave the following results:
[LOG]
RogueKiller has apparently dealt with the files it discovered, and the PC now seems to be working properly again.

It looks like your UAC was disabled, so RogueKiller simply reset it. As for the hooking processes, it is related to your UxTheme.dll file (and I also noticed that your user32.dll file was patched). Are you running or did you install any graphical tweaks by any chance? Like install a custom theme, font, etc.?

I downloaded the following today (mostly because they were "recommended" on the download page of the DDS.scr): DDS.scr; Adw Cleaner; ComboFix; Junkware Removal Tool; Defogger; AdwCleaner; and OSHI Unhooker. I ran DDS.scr (and have the two .txt logs), but have not run any of the others. (I am not really very good with computers and prefer not to run things that I do not know until someone with a lot more experience suggests I do so.)


For now, please hold on on running any of these. You can even delete them. If we need them, I'll make you download their latest version and post instructions on how to run them.

My main question is, has the infection really been cured (as I said, it appeared to be cured last week, and then suddenly resurfaced without my having done anything)? Where might these files have come from (I do not surf the web, and mostly limit my on-line activity to searches in on-line dictionaries and the occasion Google search; I also use Tumblr, and suspect that this may have been where the infection came from -- and have subsequently unfollowed all of the blogs that I had joined since the problems started, as well as a number of others just as a precaution) and how can I avoid them (my translations are published in a Tumblr blog, so I can not avoid the site entirely, but is there a way to block these types of infections being downloaded)? Are there any other tools -- from the above list or others -- that I should run (regularly, or now) to make sure the machine is clean? A major request, I guess.


Which files are you referring to? Also, except for one malicious Firefox extension, I don't see any other traces of malware on your system with what I have right now. And I'll tell you which tools and programs to run to scan your system when we get there, don't worry about it :)

I would like to add an update: apparently all is not well. The PC just crashed/shut down spontaneously (while I was reading the news). The machine has 3 hard drives, and one of the hard drives that was off suddenly turned on (I heard it start up) and then the PC went off. I have always supposed that I was running full scans, but...I do not know what to think now. And when I entered "safe mode" and tried to run a freshly downloaded version of Dr. Web, the machine crashed again during the scan.


Your system seems to be crashing a lot, and also during intensive tasks, like scans. I don't think that this issue is malware-related, but it could be overheating. Also, how does your system crash? Does it just stop? Or does it give you a Blue Screen of Death (BSOD)? Do you mind posting a Speccy snapshot of your computer so I can see what you're running? Make sure that your system is idle (which means, nothing else is running but Speccy) when you take it please.

Speccy - Publish a snapshot
Follow the instructions below to download and install Speccy, then to publish a snapshot of your system information:
  • Download and install Speccy from Piriform (the download will start automatically a few seconds after clicking on the Speccy link);
    Note: You can opt-out the Google Toolbar installation if you want;
  • Once Speccy is installed, launch the program and give it a good minute to load all your system information;
  • After that, click on the File menu in the top left corner, and select Publish Snapshot;
  • A window will appear asking you to confirm your decision to publish a snapshot. Click on Yes;
  • A new window will appear after, with a URL link to your snapshot. Click on Copy to Clipboard button to copy that URL to your clipboard, then paste it in your next reply and post it;
I noticed that you ran RKill and TDSSKiller (multiple times) on your system. If you still have the logs, can you copy/paste their content here so I can review them? Here are the logs I'm talking about. The RKill one is on your desktop, and the TDSSKiller ones at the root of your C: drive.
C:\Users\Daniel Burkus\Desktop\Rkill.txt
C:\TDSSKiller.3.1.0.9_15.02.2016_14.36.18_log.txt
C:\TDSSKiller.3.0.0.34_15.02.2016_14.34.02_log.txt
C:\TDSSKiller.3.0.0.34_13.02.2016_22.15.54_log.txt
We'll also run a quick fix with FRST to remove the malicious Mozilla Firefox extension.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;


Your next reply should include:
  • Confirmation that you uninstalled every pirated software on your system;
  • Answer to my question about running/using a custom theme;
  • Answer to my question about the files you are mentioning that appear on your system;
  • Answer to my questions about your system crashes, and the URL to your Speccy snapshot;
  • Copy/pasted content of the RKill.txt log;
  • Copy/pasted content of the three TDSSKiller logs;
  • Copy/pasted content of the FRST fixlog.txt log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
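Aura's point about Dr. Web calling the hosts file "corrupted" is worth seeing concretely. A hosts entry that maps a hostname to a loopback or unspecified address (127.0.0.1, ::1, 0.0.0.0) only sinkholes that name, which is what Spybot's blocklist immunisation writes and why a scanner flags the file as modified; an entry that maps a hostname to a routable address is a genuine redirect and is the case that deserves attention. The Python script below is an added example, not code from the thread or from any of the tools named in it. It reads a constructed hosts file and sorts every entry into default, blocklist, redirect or malformed; the sample entries, the `.test` hostnames and the function names are my assumptions.

```python
import ipaddress

# Constructed hosts file: the Windows defaults, two blocklist lines of the
# style an anti-spyware immunisation writes, and one constructed redirect of
# the kind a real hijack would produce (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ads.example-adserver.test   # constructed blocklist entry
0.0.0.0 tracker.example.test          # constructed blocklist entry
203.0.113.7 updates.security-vendor.test  # constructed redirect to a routable IP
"""

# Names that the stock hosts file maps to loopback on its own.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname maps nothing
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def classify_entry(ip, name):
    """default: stock loopback line; blocklist: sinkholed name; redirect: routable target."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    sinkholed = addr.is_loopback or addr.is_unspecified
    if sinkholed and name in DEFAULT_NAMES:
        return "default"
    if sinkholed:
        return "blocklist"
    return "redirect"


def audit_hosts(text):
    """Group every hosts entry by classification so the redirects stand out."""
    result = {"default": [], "blocklist": [], "redirect": [], "malformed": []}
    for ip, name in parse_hosts(text):
        result[classify_entry(ip, name)].append((ip, name))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for category in ("redirect", "malformed", "blocklist", "default"):
        for ip, name in report[category]:
            print(f"{category:9} {ip:16} {name}")
```

On a Windows machine the file to feed `audit_hosts` is `C:\Windows\System32\drivers\etc\hosts`; a long list of blocklist entries is the expected footprint of Spybot or SUPERAntiSpyware, while even one redirect entry pointing a vendor or update hostname at a routable address is what "hijacked" should really mean.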


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:31 PM

Posted 19 February 2016 - 07:46 AM

This topic is closed at the request of the OP. When you want it reopened, please PM me.


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
