Could use some advice on cleaning my mother-in-law's potentially infected computer


18 replies to this topic

#1 Trakkur (Members, 47 posts)

Posted 04 March 2016 - 06:19 PM

Hi all!

 

It has been a long time I posted here, but well...I'm back!

 

This time it is my mother-in-law's Windows 10 (Home Edition) computer that is the victim.

 

Earlier today she was browsing online for information on the presidential election primaries while using Mozilla Firefox and ended up on a page that gave her a warning about a virus or unwanted activity on the computer and a very loud, piercing siren along with a phone number.

 

Yup! My 76 year old mother-in-law panicked due to the sound and called the number - 1-855-816-4648. The person that answered identified himself as being from Microsoft, with the name of Flea.

 

This person then proceeded to ask her all sorts of questions: what browser do you use? Do you have Internet Explorer? What is your network? All of which she answered to the best of her ability, and then this guy asked for a remote session using GoToAssist from fastsupport.com. He poked around in the computer, but being a bit panicked and not technically savvy she was not sure what he was doing. She then called her daughters (including my wife), who immediately had her shut down the computer and hang up on the attacker, and then called me and got me on the line with Mom.

 

Unfortunately this person had unfettered control for a time period of maybe 15-30 minutes or more...I'm unclear. The assist session was opened at 2:36pm EST on 3/4/16 and I wasn't called until 3:36pm. 

 

I advised her to leave the computer off, call the bank and credit card companies and get alerts on her accounts in case of theft....which she did, but only after turning the computer back on for an undetermined length of time (maybe 10 minutes) - during which she accessed files with account credentials (passwords too!) logged in to some accounts and was on the phone with the bank when I arrived -- I immediately unplugged it and took it home with me. 

 

The computer is isolated, not on any network. I have a Malwarebytes scan running on it now, after which I would likely run Windows Defender scans to see what, if anything, is on the machine.

 

Looking at the security/system/application event logs I see some account elevation activity, which concerns me.

 

What steps would you very fine folks recommend I take to ensure that this computer is rootkit, malware, virus, keylogger, etc. free?

 

I'm eagerly awaiting your advice.

 

Thanks,

-Rob
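Since Rob already has the event logs open and a time window for the session, here is a way to go beyond eyeballing them. This is an added example, not part of Rob's post or anyone's reply in this thread. It pulls the Security and System events that matter after a stranger has had remote control, lists local accounts and Administrators-group membership (the "account elevation" question), and finds files written during the session. The window is assumed from the times in the post (session opened 2:36 PM, Rob called at 3:36 PM, a later ten-minute power-on) and should be tightened once the events are in view. Run it from an elevated PowerShell on the isolated machine.

```powershell
# Added example, not from the thread. Run as Administrator on the isolated machine.
# Window assumed from the post: GoToAssist session opened 14:36 local, Rob was called at 15:36,
# then a ~10-minute power-on some time later. Pad generously, then tighten once you see the events.
$start = Get-Date '2016-03-04 14:30'
$end   = Get-Date '2016-03-04 18:00'

# Security-log events worth reading after an untrusted remote session. On Windows 10 Home with the
# default audit policy, logon and account-management events are recorded; 4688 (process creation)
# and 4698 (task created) usually are not, so do not read their absence as "nothing happened".
$securityIds = @{
    4624 = 'Logon'
    4672 = 'Special privileges assigned (admin token)'
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4732 = 'Member added to local group'
    4697 = 'Service installed'
    4698 = 'Scheduled task created'
    1102 = 'Audit log cleared'
}

function Get-SessionEvents {
    param([datetime]$From, [datetime]$To)
    $security = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = @($securityIds.Keys); StartTime = $From; EndTime = $To
    } -ErrorAction SilentlyContinue
    # System 7045 is written by the Service Control Manager whenever a service is installed,
    # whether or not Security auditing is on, so it catches remote-support agents too.
    $system = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $From; EndTime = $To
    } -ErrorAction SilentlyContinue

    foreach ($e in @($security) + @($system)) {
        if ($null -eq $e) { continue }
        $detail = switch ($e.Id) {
            # 4624: property 5 is the account, 8 is the logon type (2 interactive, 10 RDP, 5 service)
            4624 { "user=$($e.Properties[5].Value) type=$($e.Properties[8].Value)" }
            4672 { "user=$($e.Properties[1].Value)" }
            7045 { "service=$($e.Properties[0].Value) image=$($e.Properties[1].Value)" }
            default { ($e.Message -split "`r?`n")[0] }
        }
        $what = if ($securityIds.ContainsKey($e.Id)) { $securityIds[$e.Id] } else { 'Service installed (System log)' }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; What = $what; Detail = $detail }
    }
}

function Get-LocalAccountState {
    # Whatever the logs kept, compare these against what the owner expects to exist.
    $users  = Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, LastLogon
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
    [pscustomobject]@{ Users = @($users); Administrators = @($admins) }
}

function Get-FilesWrittenInWindow {
    param([datetime]$From, [datetime]$To, [string[]]$Roots)
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.CreationTime -ge $From -and $_.CreationTime -le $To) -or
                       ($_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To) } |
        Select-Object FullName, CreationTime, LastWriteTime
}

# Locations a remote-support operator most often writes to; widen if the first pass is empty
$roots = "$env:SystemDrive\Users", "$env:ProgramData", "$env:ProgramFiles",
         "${env:ProgramFiles(x86)}", "$env:windir\Temp"

Get-SessionEvents -From $start -To $end | Sort-Object Time | Format-Table -AutoSize -Wrap
$accounts = Get-LocalAccountState
$accounts.Users | Format-Table -AutoSize
$accounts.Administrators | Format-Table -AutoSize
Get-FilesWrittenInWindow -From $start -To $end -Roots $roots |
    Sort-Object CreationTime | Format-Table -AutoSize -Wrap
```

A 4624 with logon type 10, a 4720, a 4732 naming Administrators, a 7045 for an unfamiliar service, or a 1102 inside the window are the findings that change the answer from "run the scanners" to "reset the machine and every credential stored on it".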




 


#2 buddy215 (Moderator, 13,103 posts, West Tennessee)

Posted 04 March 2016 - 07:49 PM

Chances are no serious malware or damage was done before breaking off the connection. Post the MBAM results of what was found and deleted/quarantined. Run some more scans to clean up the computer and remove adware and malware. I take it she did not give her CC number to the criminal.

 

Use CCleaner to remove temporary files, program caches, cookies, logs, etc. Use the default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google. After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • When the scan has finished click on the Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps): click on esetsmartinstaller_enu.exe to download the ESET Smart Installer and save it to your desktop, then double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Trakkur (Topic Starter, 47 posts)

Posted 04 March 2016 - 07:51 PM

Thank you for the reply. I will read through it and let you know the results. 

 

I currently have her computer isolated off of any network. Can I download all of the tools you mentioned and move them via a USB stick to the machine? I don't want it on the network until I know it is clean.



#4 Condobloke, Outback Aussie @ 54.2101 N, 0.2906 W (Members, 5,816 posts)

Posted 04 March 2016 - 07:51 PM

How many pics, documents, music etc etc are on this PC that need to be saved ??

 

If it is not a monumental amount.....transfer them to a thumb drive or external hard drive......

 

and then Reset the PC. This will uninstall all third party programs and will give her a fresh install of windows 10

 

Simple, and effective.....providing there are not too many pics, documents, etc.

 

Third party programs are simple to reinstall

 

Resetting lets you choose whether to keep your files or remove them, and then reinstalls Windows.

 

To get started, go to Settings > Update & security > Reset this PC > Get started and choose an option.

 

( I still advise storing any valuable pics etc on a thumb drive or similar)


Edited by Condobloke, 04 March 2016 - 07:54 PM.

Condobloke ...Outback Australian  

 

fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

 

Microsoft gives you Windows, Linux gives you the whole house...

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy

#5 Trakkur (Topic Starter, 47 posts)

Posted 04 March 2016 - 07:54 PM

> How many pics, documents, music etc etc are on this PC that need to be saved ??
> If it is not a monumental amount.....transfer them to a thumb drive or external hard drive......
> and then Reset the PC. This will uninstall all third party programs and will give her a fresh install of windows 10
> Simple, and effective.....providing there is not too much pics documents etc etc
> Third party programs are simple to reinstall

 

Thank you for the suggestion, but that really isn't an option --- I was urged (begged practically) to not do that if possible.



#6 buddy215 (Moderator, 13,103 posts)

Posted 04 March 2016 - 08:06 PM

You can use a flash drive to load the programs onto the infected computer except for the ESET Online Scanner. But keep in mind they will want to check for updates before scanning. I really don't see a need for that precaution. I suggest you download direct to the computer. But it is up to you.



#7 Condobloke (Members, 5,816 posts)

Posted 04 March 2016 - 08:06 PM

ok....I can understand that......( to not do that if possible.)......my advice was based solely on the fact that you are unsure of exactly what transpired.

buddy215's instructions are good....I would add that a quick look in Programs and Features for the GoToAssist program would be prudent.......and maybe read HERE first



#8 Trakkur (Topic Starter, 47 posts)

Posted 04 March 2016 - 10:15 PM

Ok, I've attached the files as requested...

 

Malwarebytes

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/4/2016
Scan Time: 5:57 PM
Logfile: GrammaLaine_malware_report_3-4-2016.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.09.22.05
Rootkit Database: v2015.09.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Elaine

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 419534
Time Elapsed: 20 min, 53 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.OptimizerPro, C:\Users\Elaine\Documents\Optimizer Pro, , [e30adb579fec01358db9fbb5f11350b0],

Files: 4
PUP.Optional.OutBrowse, C:\Users\Elaine\Downloads\Free_Download.exe, , [3ab366cc5932c3737bbd07ea02ff9d63],
PUP.Optional.MindSpark, C:\Users\Elaine\Downloads\UtilityChest.exe, , [9459e250414a191d816c97c6b0559070],
PUP.Optional.Binkiland, C:\Users\Elaine\AppData\LocalLow\Microsoft\Internet Explorer\Services\FavIcon.icoWSE_Binkiland, , [da13bb777f0cda5c88eb95f4dd27a060],
PUP.Optional.OptimizerPro, C:\Users\Elaine\Documents\Optimizer Pro\CookiesException.txt, , [e30adb579fec01358db9fbb5f11350b0],

Physical Sectors: 0
(No malicious items detected)

(end)

 

Adwcleaner

 

# AdwCleaner v5.037 - Logfile created 04/03/2016 at 21:21:12
# Updated 28/02/2016 by Xplode
# Database : 2016-02-28.2 [Local]
# Operating system : Windows 10 Home  (x64)
# Username : Elaine - GRAMMASNEWTOY
# Running from : C:\Users\Elaine\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\Users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\5owryexv.default\extensions\shopcbtoolbar2@befrugal.com

***** [ Files ] *****

***** [ DLL ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\C3F6D7A0BA2FDE84EB329997B1FF786D
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
Key Found : [x64] HKLM\SOFTWARE\Classes\Installer\Products\C3F6D7A0BA2FDE84EB329997B1FF786D

***** [ Web browsers ] *****

*************************

C:\AdwCleaner\AdwCleaner[R0].txt - [3449 bytes] - [13/11/2013 16:11:02]
C:\AdwCleaner\AdwCleaner[S0].txt - [3465 bytes] - [13/11/2013 16:15:29]
C:\AdwCleaner\AdwCleaner[S1].txt - [1377 bytes] - [04/03/2016 21:21:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1450 bytes] ##########

 

JRT

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 10 Home x64
Ran by Elaine (Administrator) on Fri 03/04/2016 at 21:28:31.65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 2

Successfully deleted: C:\Users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\5owryexv.default\extensions\foxmarks@kei.com\chrome\content\newuser.js (File)
Successfully deleted: C:\Users\Elaine\Documents\optimizer pro (Folder)

 

Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AB709F2B-7D4F-49D8-A93A-7106D70452BE} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E28CA979-066D-4918-97AD-9CC3872D3012} (Registry Key)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/04/2016 at 21:30:16.26
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

ESET is still running at this time - over an hour and already found 45 threats. I will post it once available.

 

 

Please let me know what you find and suggest I do.

 

Thanks,

-Rob


Edited by Trakkur, 04 March 2016 - 10:44 PM.


#9 buddy215 (Moderator, 13,103 posts)

Posted 05 March 2016 - 04:22 AM

Looks like you didn't allow MBAM or AdwCleaner to delete/quarantine what they found. Please rerun both and allow them to remove what was found by choosing Clean when AdwCleaner finishes scanning and marking all that MBAM found to be deleted/quarantined once its scan finishes.

 

  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
  • POST THE LOG FOR REVIEW.


#10 Trakkur (Topic Starter, 47 posts)

Posted 05 March 2016 - 11:58 AM

buddy215

 

Thanks for the reply, I noticed that I hadn't done that last night when I got home from work - so I did it again.

 

Here are the mbam, ADWCleaner logs - and the ESETScan log.

 

mbam

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/5/2016
Scan Time: 11:24 AM
Logfile: mbam_results.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.05.05
Rootkit Database: v2016.02.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Elaine

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 398120
Time Elapsed: 24 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.Binkiland, C:\Users\Elaine\AppData\LocalLow\Microsoft\Internet Explorer\Services\FavIcon.icoWSE_Binkiland, Quarantined, [ef3a8004fa9fda5c5ee057959271ee12],

Physical Sectors: 0
(No malicious items detected)

(end)

 

ADWCleaner

 

# AdwCleaner v5.037 - Logfile created 05/03/2016 at 11:53:34
# Updated 28/02/2016 by Xplode
# Database : 2016-02-28.2 [Local]
# Operating system : Windows 10 Home  (x64)
# Username : Elaine - GRAMMASNEWTOY
# Running from : C:\Users\Elaine\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLL ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1739 bytes] - [04/03/2016 21:23:01]
C:\AdwCleaner\AdwCleaner[R0].txt - [3449 bytes] - [13/11/2013 16:11:02]
C:\AdwCleaner\AdwCleaner[S0].txt - [3465 bytes] - [13/11/2013 16:15:29]
C:\AdwCleaner\AdwCleaner[S1].txt - [1537 bytes] - [04/03/2016 21:21:12]
C:\AdwCleaner\AdwCleaner[S2].txt - [890 bytes] - [05/03/2016 11:53:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [962 bytes] ##########

 

 

ESETScan

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe.vir a variant of MSIL/AdvancedSystemProtector.B potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\AspManager.exe.vir a variant of MSIL/AdvancedSystemProtector.F potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\Communication.dll.vir Win32/Systweak.F potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\filetypehelper.exe.vir a variant of MSIL/AdvancedSystemProtector.F potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\scandll.dll.vir a variant of MSIL/AdvancedSystemProtector.F potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\Troubleshooter\asp-fixer.com.vir MSIL/AdvancedSystemProtector.G potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\Troubleshooter\asp-fixer.exe.vir MSIL/AdvancedSystemProtector.G potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\Troubleshooter\asp-fixer.pif.vir MSIL/AdvancedSystemProtector.G potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\Troubleshooter\asp-fixer.scr.vir MSIL/AdvancedSystemProtector.G potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\Troubleshooter\firefox.com.vir MSIL/AdvancedSystemProtector.G potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Advanced System Protector\Troubleshooter\iexplore.exe.vir MSIL/AdvancedSystemProtector.G potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyPC Backup\MPCBClient.dll.vir a variant of Win32/MyPCBackup.D potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyPC Backup\MyPC Backup.exe.vir MSIL/MyPCBackup.A potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup.exe.vir Win32/MyPCBackup.A potentially unwanted application deleted
C:\AdwCleaner\Quarantine\C\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup_Intl.exe.vir Win32/MyPCBackup.A potentially unwanted application deleted
C:\AdwCleaner\Quarantine\C\Program Files (x86)\RegClean Pro\RegCleanPro.exe.vir a variant of Win32/Systweak potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\RegClean Pro\systweakasp.exe.vir MSIL/AdvancedSystemProtector.C potentially unwanted application deleted
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir a variant of Win64/Systweak.A potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\2qps5ahf.default\extensions\{02df6ed9-d89d-425c-afc3-3a79ad6ce5ef}.xpi JS/BrowseFox.A potentially unwanted application deleted
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\chrome\content\core\aad567ecdfea4e4e3c4c3af57a33ff53.js JS/Toolbar.Crossrider.G potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\102.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\104.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\14.js JS/Toolbar.Crossrider.O potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\180.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\184.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\192.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\195.js JS/Toolbar.Crossrider.K potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\220.js JS/Toolbar.Crossrider.B potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\221.js JS/Toolbar.Crossrider.K potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\223.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\242.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\262.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\263.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\268.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\273.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\289.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\301.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\47.js JS/Toolbar.Crossrider.M potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\64.js JS/Toolbar.Crossrider.P potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\91.js JS/Toolbar.Crossrider.B potentially unwanted application cleaned by deleting
C:\Users\Elaine\Desktop\Old Firefox Data\nxq9pofn.default-1412458664818\extensions\EJHVSGU55273264@PBVE110833407.com\extensionData\plugins\93.js JS/Toolbar.Crossrider.J potentially unwanted application cleaned by deleting
C:\Users\Elaine\Downloads\CouponPrinter.exe a variant of Win32/Adware.Coupons.AA application cleaned by deleting
C:\Users\Elaine\Downloads\mahjongworldexentpowered-setup(1).exe Win32/DownloadAdmin.G potentially unwanted application deleted
C:\Users\Elaine\Downloads\mahjongworldexentpowered-setup.exe Win32/DownloadAdmin.G potentially unwanted application deleted
C:\Users\Elaine\Downloads\UtilityChest.exe a variant of Win32/AdInstaller potentially unwanted application cleaned by deleting

 

-----------

 

Thanks. I will be around most of the day to rerun anything and post results.

 

-Rob
 



#11 buddy215 (Moderator, 13,103 posts)

Posted 05 March 2016 - 12:10 PM

There is an old Firefox profile on that computer. Nothing to be concerned about; just that most of the items found by ESET were either in AdwCleaner's quarantine or the old Firefox profile....both neutered. The last four items point to downloads that contained adware. That is expected these days in almost all free downloads.

 

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to copy and paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to copy and paste that list in your next post. Please do that.



#12 Trakkur (Topic Starter, 47 posts)

Posted 05 March 2016 - 12:22 PM

CCleaner logs as requested:

 

Windows Startup

 

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run OneDrive Microsoft Corporation "C:\Users\Elaine\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Yes HKLM:Run BtTray  "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtTray.exe"
Yes HKLM:Run BtvStack  "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe"
Yes HKLM:Run Logitech Download Assistant Microsoft Corporation C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
Yes HKLM:Run RemoteControl10 CyberLink Corp. "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
Yes HKLM:Run RtHDVBg Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX3
Yes HKLM:Run RTHDVCPL Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
Yes Startup Common McAfee Security Scan Plus.lnk McAfee, Inc. C:\Program Files\McAfee Security Scan\3.11.292\SSScheduler.exe
Yes Startup Common MozyHome Status.lnk Mozy, Inc. C:\Program Files\MozyHome\mozystat.exe
Yes Startup User Mozy Sync.lnk Mozy, Inc. C:\Program Files\Mozy Sync\mozysync.exe

 

Sched Tasks

 

Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task McAfee Remediation (Prepare) McAfee, Inc. C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe /prepare
No Task Optimize Start Menu Cache Files-S-1-5-21-1075186920-804379592-1497881619-1001  

Install

3D Builder Microsoft Corporation 2/7/2016  10.10.38.0
Adobe Flash Player 20 NPAPI Adobe Systems Incorporated 2/9/2016 8.40 MB 20.0.0.306
Alarms & Clock Microsoft Corporation 2/7/2016  10.1512.58020.0
Amazon Amazon.com 2/7/2016  3.1.2.8
App connector Microsoft Corporation 2/7/2016  1.3.3.0
Calculator Microsoft Corporation 2/7/2016  10.1601.49020.0
Camera Microsoft Corporation 3/2/2016  2016.225.10.0
Candy Crush Soda Saga king.com 2/15/2016  1.59.300.0
Canon Inkjet Print Utility Canon Inc. 2/7/2016  2.5.0.6
CCleaner Piriform 3/5/2016 17.6 MB 5.15
CyberLink Media Suite Essentials CyberLink Corp. 2/14/2016 98.4 MB 10.0
Dell Backup and Recovery Dell Inc. 4/30/2013 447 MB 1.0.0.6
Dell Backup and Recovery - Support Software Dell Inc. 4/30/2013  1.0.0.6
Dell Digital Delivery Dell Products, LP 4/30/2013 3.49 MB 2.2.2000.0
Dell Product Registration Dell Inc. 4/30/2013 11.1 MB 1.16.1
Dell Shop Dell Inc 2/7/2016  2.0.1.0
Dell Support Center PC-Doctor, Inc. 2/14/2016 88.5 MB 3.2.6032.125
Dell WLAN and Bluetooth Client Installation Dell Inc. 4/30/2013 50.2 MB 10.0
Dell | Getting Started with Windows 8 Dell Inc 2/7/2016  1.0.0.35
DELLOSD DELL 4/30/2013 244 KB 1.0.2.1108
eBay eBay, Inc 2/7/2016  1.6.0.34
ESET Online Scanner v3  3/4/2016  
Get Office Microsoft Corporation 2/7/2016  17.6628.23511.0
Get Skype Skype 2/7/2016  3.2.1.0
Get Started Microsoft Corporation 2/7/2016  2.6.12.0
Groove Music Microsoft Corporation 2/7/2016  3.6.15131.0
Intel® Management Engine Components Intel Corporation 8/12/2015  8.1.0.1281
Intel® Processor Graphics Intel Corporation 2/6/2016  10.18.10.4276
Kindle AMZN Mobile LLC 2/7/2016  2.1.0.2
Mail and Calendar Microsoft Corporation 3/5/2016  17.6568.46271.0
Malwarebytes Anti-Malware version 2.2.0.1024 Malwarebytes 3/4/2016 55.8 MB 2.2.0.1024
Maps Microsoft Corporation 2/7/2016  4.1601.10150.0
McAfee Security Scan Plus McAfee, Inc. 2/23/2016 10.2 MB 3.11.292.3
McAfee Virtual Technician McAfee, Inc. 2/14/2016 7.08 MB 7.7.0.366
McAfee WebAdvisor McAfee, Inc. 3/5/2016 53.4 MB 4.0.173
McAfee® Central for Dell McAfee Inc 2/7/2016  4.5.139.1
Messaging + Skype Microsoft Corporation 2/7/2016  2.13.20000.0
Microsoft Office Microsoft Corporation 4/30/2013 300 MB 15.0.4454.1510
Microsoft Office Standard 2010 Microsoft Corporation 2/14/2016 38.1 MB 14.0.7015.1000
Microsoft Solitaire Collection Microsoft Studios 2/7/2016  3.7.1041.0
Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Corporation 4/30/2013 3.85 MB 3.1.0000
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 4/30/2013 9.69 MB 8.0.59193
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 4/30/2013 17.6 MB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 8/17/2015 20.3 MB 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 Microsoft Corporation 8/17/2015 27.7 MB 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 8/17/2015 22.2 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 Microsoft Corporation 2/6/2016 20.5 MB 11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 Microsoft Corporation 2/6/2016 17.3 MB 11.0.61030.0
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Microsoft Corporation 2/14/2016 19.6 MB 10.0.50903
Microsoft Wi-Fi Microsoft Corporation 2/7/2016  1.1511.2.0
Money Microsoft Corporation 3/5/2016  4.8.268.0
Movies & TV Microsoft Corporation 3/4/2016  3.6.17801.0
Mozilla Firefox 44.0.2 (x86 en-US) Mozilla 3/5/2016 87.5 MB 44.0.2
Mozilla Maintenance Service Mozilla 2/17/2016 233 KB 44.0.2.5884
Mozy Sync Mozy, Inc. 8/26/2015 17.7 MB 1.3.1.4068
MozyHome Mozy, Inc. 8/26/2015 2.09 MB 2.28.2.432
MSN Food & Drink Microsoft Corporation 2/7/2016  3.0.4.336
MSN Health & Fitness Microsoft Corporation 2/7/2016  3.0.4.336
MSN Travel Microsoft Corporation 2/7/2016  3.0.4.336
News Microsoft Corporation 3/5/2016  4.8.268.0
OneNote Microsoft Corporation 2/23/2016  17.6741.18061.0
People Microsoft Corporation 3/2/2016  10.0.10500.0
Phone Microsoft Corporation 2/7/2016  2.12.14001.0
Phone Companion Microsoft Corporation 2/7/2016  10.1602.3010.0
Photos Microsoft Corporation 3/4/2016  16.302.8200.0
Reader Microsoft Corporation 2/9/2016  6.4.9926.18190
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 2/14/2016 35.1 MB 6.0.1.7544
Shared C Run-time for x64 McAfee 4/30/2013 2.76 MB 10.0.0
Solitaire Plus! version 3.0 GamesForOne.com 11/30/2015 12.4 MB 3.0
Sports Microsoft Corporation 3/5/2016  4.8.268.0
Store Microsoft Corporation 2/11/2016  2016.27.2.0
Sway Microsoft Corporation 2/23/2016  17.6741.45271.0
Twitter Twitter Inc. 2/17/2016  4.3.4.0
Voice Recorder Microsoft Corporation 2/7/2016  10.1512.21110.0
Weather Microsoft Corporation 3/5/2016  4.8.277.0
Windows Live Essentials Microsoft Corporation 4/30/2013  16.4.3505.0912
Windows Reading List Microsoft Corporation 2/7/2016  6.3.9654.20947
Windows Scan Microsoft Corporation 2/7/2016  6.3.9654.17133
Xbox Microsoft Corporation 2/18/2016  14.14.16008.0
Xbox 360 SmartGlass Microsoft Corporation 2/7/2016  1.4.3.0
Xbox One SmartGlass Microsoft Corporation 2/7/2016  2.2.1510.30008
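An added PowerShell example (mine, not from the thread and not CCleaner's code): it walks the same Run keys and Startup folders that the "Windows Startup" listing above came from and reports each target's Authenticode signer, which is a quick way to confirm that entries shown with an empty publisher column (BtTray.exe and BtvStack.exe above) really point at the vendor's signed binaries. The folder paths and the WScript.Shell shortcut lookup are assumptions about a standard Windows 10 install.

```powershell
# Added example, not from the thread or CCleaner: list the autostart locations
# that CCleaner's Startup tab shows (HKCU/HKLM Run keys, "Startup Common" and
# "Startup User" folders) and check each target's Authenticode signature, so an
# entry is judged by its path and signer rather than by a familiar-looking name.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(   # assumed default locations on Windows 10
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",  # Startup Common
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"       # Startup User
)
function Get-ExePath([string]$cmd) {
    # "C:\dir\app.exe" /flag -> C:\dir\app.exe ; unquoted command -> first token.
    # For rundll32.exe entries (LogiLDA.dll above) the DLL argument is what to inspect.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split ' ')[0]
}
function Get-EntryInfo([string]$source, [string]$name, [string]$cmd) {
    $exe    = Get-ExePath $cmd
    $exists = Test-Path -LiteralPath $exe
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
    [pscustomobject]@{
        Source = $source
        Name   = $name
        Path   = $exe
        Exists = $exists
        Status = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$entries = [System.Collections.Generic.List[object]]::new()
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($n in $props.PSObject.Properties.Name) {
        if ($n -notlike 'PS*') { $entries.Add((Get-EntryInfo $k $n $props.$n)) }
    }
}
$shell = New-Object -ComObject WScript.Shell
foreach ($d in $startupDirs) {
    foreach ($lnk in Get-ChildItem -Path $d -Filter *.lnk -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        $entries.Add((Get-EntryInfo $d $lnk.Name ('"' + $target + '"')))
    }
}
# Unsigned, invalid or missing targets are the ones to look at first.
$entries | Sort-Object Status | Format-Table Source, Name, Status, Signer, Path -AutoSize
```

Run it in an elevated PowerShell window so the HKLM keys and the common Startup folder are readable; the scheduled tasks CCleaner lists under "Sched Tasks" are not covered here.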
#13 Trakkur (Topic Starter, Members, 47 posts)

Posted 05 March 2016 - 12:24 PM

Please note that in the installs you will NOT see the Citrix assist software - I've already uninstalled it.



#14 buddy215 (Moderator, 13,103 posts, Location: West Tennessee)

Posted 05 March 2016 - 01:45 PM

If she doesn't actually use the mozy cloud backup you can disable those two in startups.

Disabling can be done using CCleaner by clicking on each item and then choose disable on the right.

There is an item there for remote control. She may or may not use that. Could be used if the comp is connected to TV or other.

 

Uninstall:

Amazon Amazon.com 2/7/2016  3.1.2.8

Candy Crush Soda Saga king.com 2/15/2016  1.59.300.0

eBay eBay, Inc 2/7/2016  1.6.0.34
ESET Online Scanner v3  3/4/2016

McAfee WebAdvisor McAfee, Inc. 3/5/2016 53.4 MB 4.0.173

Windows Live Essentials Microsoft Corporation 4/30/2013  16.4.3505.0912



#15 Trakkur (Topic Starter, Members, 47 posts)

Posted 05 March 2016 - 01:56 PM

If she doesn't actually use the mozy cloud backup you can disable those two in startups.

Disabling can be done using CCleaner by clicking on each item and then choose disable on the right.

There is an item there for remote control. She may or may not use that. Could be used if the comp is connected to TV or other.

 

Uninstall:

Amazon Amazon.com 2/7/2016  3.1.2.8

Candy Crush Soda Saga king.com 2/15/2016  1.59.300.0

eBay eBay, Inc 2/7/2016  1.6.0.34
ESET Online Scanner v3  3/4/2016

McAfee WebAdvisor McAfee, Inc. 3/5/2016 53.4 MB 4.0.173

Windows Live Essentials Microsoft Corporation 4/30/2013  16.4.3505.0912

 

Mozy Cloud is used for her system backups, for the others Windows 10 uses Windows Defender for virus protection - so McAfee and Windows Live Essentials are unneeded - correct? The Amazon and eBay she may use, but can always reinstall if desired.
