Proxy settings changed, not by me


13 replies to this topic

#1 skypilotpete
  • Members
  • 51 posts
  • Gender:Male
  • Location:Adelaide, South Australia

Posted 31 March 2016 - 08:52 PM

This morning I found myself unable to access any https sites. I tracked the problem down to the fact that somehow my network settings had been changed to connect via a proxy. Once I deselected this option, I was able to connect again without any problems. I have been advised by the technical support desk at my ISP that this is often caused by malware, and that it means that the offenders can potentially skim important log-in information. I have done a series of scans, but I am unable to tell if the results show anything significant or not.

 

I have run full scans using Malwarebytes, Microsoft Security Essentials, Hitman Pro and ADWCleaner.

 

Malwarebytes reported no malware but one PUP - PUP.Optional.Spigot

 

Microsoft Security Essentials and Hitman Pro reported no threats.

 

The ADWCleaner log is posted below. 

 

Is anyone able to tell me if I am likely to have been compromised in any way, and if there is any further action I should take?

 

I run Windows 7 64 Home Premium. My security setup is Malwarebytes Home Premium, Microsoft Security Essentials, Hitman Pro (paid version), Windows Firewall.

 

# AdwCleaner v5.108 - Logfile created 01/04/2016 at 11:06:22
# Updated 30/03/2016 by Xplode
# Database : 2016-03-30.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Chris - CHRIS-PC
# Running from : C:\Users\Chris\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Users\Chris\Favorites\abc
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_lfmhcpmkbdkbgbmkjoiopeeegenkdikp_0.localstorage
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCSuiteContactsView
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCSuiteMessagesView
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : lfmhcpmkbdkbgbmkjoiopeeegenkdikp
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [489 bytes] - [01/04/2016 11:04:29]
C:\AdwCleaner\AdwCleaner[C2].txt - [1779 bytes] - [01/04/2016 11:06:22]
C:\AdwCleaner\AdwCleaner[R0].txt - [907 bytes] - [24/02/2014 08:59:06]
C:\AdwCleaner\AdwCleaner[R1].txt - [1215 bytes] - [02/03/2014 11:35:54]
C:\AdwCleaner\AdwCleaner[R2].txt - [1139 bytes] - [02/03/2014 11:40:36]
C:\AdwCleaner\AdwCleaner[R3].txt - [2433 bytes] - [13/01/2015 20:55:08]
C:\AdwCleaner\AdwCleaner[R4].txt - [1367 bytes] - [15/02/2015 16:21:33]
C:\AdwCleaner\AdwCleaner[S0].txt - [930 bytes] - [24/02/2014 08:59:47]
C:\AdwCleaner\AdwCleaner[S1].txt - [3866 bytes] - [02/03/2014 11:36:14]
C:\AdwCleaner\AdwCleaner[S2].txt - [3689 bytes] - [02/03/2014 11:41:17]
C:\AdwCleaner\AdwCleaner[S3].txt - [2397 bytes] - [13/01/2015 20:56:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2507 bytes] ##########
 




#2 Jo*
  • Malware Response Team
  • 3,400 posts
  • Gender:Male
  • Location:Germany

Posted 12 April 2016 - 03:55 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy and save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up all your data before using.
  • Double click on the downloaded file and OK the self-extracting prompt.
  • MBAR will start. In the introduction screen, click "Next" to continue.
  • In the following screen, click "Update" to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 skypilotpete
  • Topic Starter

Posted 12 April 2016 - 08:45 PM

Thank you for your help. It is greatly appreciated.

 

SECURITY CHECK LOG:

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 31  
 Java version 32-bit out of Date! 
  Adobe Flash Player 12.0.0.70 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox 37.0.2 Firefox out of Date!  
 Google Chrome (49.0.2623.110) 
 Google Chrome (49.0.2623.112) 
 Google Chrome (Plugins...) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Malwarebytes Anti-Ransomware mbarw.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 6% 
````````````````````End of Log`````````````````````` 
 
MALWAREBYTES ANTI-ROOTKIT
The scan said no malware was found. However, at the very beginning of the scan I got this message:
"Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity.... Do you want to remove this value and restart the tool?" I selected "NO" and continued with the scan.
 
MBAR.LOG

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.04.12.09
  rootkit: v2016.04.09.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17914
Chris :: CHRIS-PC [administrator]
 
13/04/2016 10:55:02 AM
mbar-log-2016-04-13 (10-55-02).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 385565
Time elapsed: 8 minute(s), 17 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#4 Jo*
  • Malware Response Team

Posted 13 April 2016 - 01:44 AM

Hello,

Step 1: Run Malwarebytes Anti-Rootkit again: right-click mbar.exe and select Run As Administrator.
  • Scan your system for malware.
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.



#5 skypilotpete
  • Topic Starter

Posted 13 April 2016 - 06:10 AM

1) MBAR Log: No malicious items detected

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.04.13.03
  rootkit: v2016.04.09.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17914
Chris :: CHRIS-PC [administrator]
 
13/04/2016 7:58:08 PM
mbar-log-2016-04-13 (19-58-08).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 385799
Time elapsed: 6 minute(s), 47 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
2) ADWCLEANER - NOTHING FOUND
# AdwCleaner v5.110 - Logfile created 13/04/2016 at 20:05:55
# Updated 10/04/2016 by Xplode
# Database : 2016-04-11.4 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Chris - CHRIS-PC
# Running from : C:\Users\Chris\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [489 bytes] - [01/04/2016 10:04:29]
C:\AdwCleaner\AdwCleaner[C2].txt - [2590 bytes] - [01/04/2016 10:06:22]
C:\AdwCleaner\AdwCleaner[R0].txt - [907 bytes] - [24/02/2014 07:59:06]
C:\AdwCleaner\AdwCleaner[R1].txt - [1215 bytes] - [02/03/2014 10:35:54]
C:\AdwCleaner\AdwCleaner[R2].txt - [1139 bytes] - [02/03/2014 10:40:36]
C:\AdwCleaner\AdwCleaner[R3].txt - [2433 bytes] - [13/01/2015 19:55:08]
C:\AdwCleaner\AdwCleaner[R4].txt - [1367 bytes] - [15/02/2015 15:21:33]
C:\AdwCleaner\AdwCleaner[S0].txt - [930 bytes] - [24/02/2014 07:59:47]
C:\AdwCleaner\AdwCleaner[S1].txt - [3866 bytes] - [02/03/2014 10:36:14]
C:\AdwCleaner\AdwCleaner[S2].txt - [3689 bytes] - [02/03/2014 10:41:17]
C:\AdwCleaner\AdwCleaner[S3].txt - [3737 bytes] - [13/01/2015 19:56:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [3810 bytes] ##########
 
3) JRT LOG
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Chris (Administrator) on Wed 13/04/2016 at 20:10:23.15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
File System: 25 
 
Successfully deleted: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\cclltri2.default\extensions\staged (Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GLFZTGB (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6NUMPLH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFF5D7QJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OAFAA4R9 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OH18GWUO (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OM16NG5X (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RMGC1O77 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SI4FTIF8 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GLFZTGB (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6NUMPLH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFF5D7QJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OAFAA4R9 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OH18GWUO (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OM16NG5X (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RMGC1O77 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SI4FTIF8 (Temporary Internet Files Folder) 
 
Deleted the following from C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\cclltri2.default\prefs.js
user_pref(extensions.lastpass.746fe227af1e9a779407c2d08a27c0aacf181aa109e34a0f95d520c321248451.searchforsiteswithinaddressbar, true);
user_pref(extensions.lastpass.searchforsiteswithinaddressbar, true);
 
 
 
Registry: 0 


#6 Jo*
  • Malware Response Team

Posted 13 April 2016 - 06:26 AM

Hi,

Step 1: Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program

***


Step 2: Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please copy and paste the contents of the scan log in your next reply.

***


Step 3: How is the computer running now?



#7 skypilotpete
  • Topic Starter

Posted 14 April 2016 - 02:59 AM

1) The Sophos scan said "Your computer is clean. Number of threats found:0". It did not provide a link to a log file, and I couldn't find one.

 

2) Emsisoft Emergency Kit log:

 

Emsisoft Emergency Kit - Version 11.0
Last update: 14/04/2016 5:20:21 PM
User account: Chris-PC\Chris
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 14/04/2016 5:20:34 PM
Value: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\EASYMAIL POP3 OBJECT -> EVENTMESSAGEFILE detected: Adware.Win32.BBuddy (A)
Value: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\EASYMAIL POP3 OBJECT -> EVENTMESSAGEFILE detected: Adware.Win32.BBuddy (A)
Value: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\EASYMAIL POP3 OBJECT -> TYPESSUPPORTED detected: Adware.Win32.BBuddy (A)
Value: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\EASYMAIL POP3 OBJECT -> TYPESSUPPORTED detected: Adware.Win32.BBuddy (A)
Value: HKEY_USERS\S-1-5-21-1230928476-594481330-780946881-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-1230928476-594481330-780946881-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
 
Scanned 79873
Found 6
 
Scan end: 14/04/2016 5:21:04 PM
Scan time: 0:00:30
 
Value: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\EASYMAIL POP3 OBJECT -> TYPESSUPPORTED Adware.Win32.BBuddy (A)
Value: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\EASYMAIL POP3 OBJECT -> EVENTMESSAGEFILE Adware.Win32.BBuddy (A)
Value: HKEY_USERS\S-1-5-21-1230928476-594481330-780946881-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1230928476-594481330-780946881-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Setting.DisableTaskMgr (A)
 
Quarantined 4
 
3) The computer appears to be running well, but I haven't noticed any problems with the way it runs at any time. The only problem I have had is the proxy settings being changed without my knowledge, and I haven't had any problems since manually changing them back to the default of "no proxy". I wish I had written down what proxy it had been changed to - but it didn't occur to me at the time. It was only later that I was told that changing proxy settings was a typical malware behaviour.
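The settings this thread keeps coming back to can be recorded before anything is cleaned: the per-user WinINet proxy the first post describes, the AppInit_DLLs value Malwarebytes Anti-Rootkit prompted about, and the DisableTaskMgr / DisableRegistryTools policy values Emsisoft flagged. The read-only audit below is an added example for this page, not code from any post or tool in the thread; it assumes Windows 7 or later with PowerShell 3.0+ run from an elevated prompt, and the output file name on the Desktop is my choice.

```powershell
# Added example (not from the thread): read-only audit of the registry settings the
# thread's logs touch. Nothing is modified; a dated JSON copy is kept so the values
# (for example, which proxy was configured) are not lost once they are reverted.

function Get-RegValueSafe {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value is absent, which is the normal state for most of these
    }
}

function Get-UserProxyAudit {
    # WinINet (Internet Options) proxy for the current user: this is what the
    # "connect via a proxy" setting in the original post reads and writes.
    $p = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnable   = Get-RegValueSafe $p 'ProxyEnable'     # 1 = proxy in use
        ProxyServer   = Get-RegValueSafe $p 'ProxyServer'     # host:port, or per-protocol list
        ProxyOverride = Get-RegValueSafe $p 'ProxyOverride'   # bypass list
        AutoConfigURL = Get-RegValueSafe $p 'AutoConfigURL'   # PAC script URL; easy to overlook
    }
}

function Get-AppInitAudit {
    # AppInit_DLLs: the value MBAR asked about. Any DLL listed here is loaded into
    # every process that links user32.dll, so a non-empty value deserves a look.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
    )
    foreach ($p in $paths) {
        [pscustomobject]@{
            Hive             = $p
            LoadAppInit_DLLs = Get-RegValueSafe $p 'LoadAppInit_DLLs'
            AppInit_DLLs     = Get-RegValueSafe $p 'AppInit_DLLs'
        }
    }
}

function Get-PolicyAudit {
    # The two policy values Emsisoft reported (Setting.DisableTaskMgr and
    # Setting.DisableRegistryTools). Absent or 0 is normal on a home PC.
    $p = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        DisableTaskMgr       = Get-RegValueSafe $p 'DisableTaskMgr'
        DisableRegistryTools = Get-RegValueSafe $p 'DisableRegistryTools'
    }
}

$report = [ordered]@{
    Timestamp    = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    UserProxy    = Get-UserProxyAudit
    AppInit      = @(Get-AppInitAudit)
    Policies     = Get-PolicyAudit
    # System-wide WinHTTP proxy is stored separately from the per-user WinINet one.
    WinHttpProxy = ((netsh winhttp show proxy) -join ' ').Trim()
}

# Show the report and keep a dated copy on the Desktop (file name is an assumption).
$report | ConvertTo-Json -Depth 4 | Tee-Object -FilePath "$env:USERPROFILE\Desktop\proxy-audit.json"

# Plain-language verdicts on the values that matter in this thread.
if ($report.UserProxy.ProxyEnable -eq 1) { Write-Warning "User proxy is enabled: $($report.UserProxy.ProxyServer)" }
if ($report.UserProxy.AutoConfigURL)     { Write-Warning "PAC script configured: $($report.UserProxy.AutoConfigURL)" }
foreach ($a in $report.AppInit) {
    if ($a.AppInit_DLLs) { Write-Warning "AppInit_DLLs set under $($a.Hive): $($a.AppInit_DLLs)" }
}
if ($report.Policies.DisableTaskMgr -eq 1)       { Write-Warning 'Task Manager is disabled by policy' }
if ($report.Policies.DisableRegistryTools -eq 1) { Write-Warning 'Registry Editor is disabled by policy' }
```

Run it once before cleanup and once after, and compare the two JSON files to confirm the proxy and policy values have actually returned to their defaults.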


#8 Jo*
  • Malware Response Team

Posted 14 April 2016 - 03:27 AM

Hello again,

Step 1: We need to download Temp File Cleaner (TFC) by OldTimer:
  • Please download TFC.exe by OldTimer from one of the two links: Link 1 Link 2
  • Save and close all running applications.
  • Double-click on TFC.exe to run the program.
  • Click on Start to begin the cleaning process. Note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC; this is normal and part of the cleanup.
  • When the scan is complete, if you were not asked to reboot the computer, please do so now.
More Information can be found about the tool here:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/


***


Step 2: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
- Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
- Microsoft: Unprecedented Wave of Java Exploitation
- Ghosts of Java Haunt Users

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 8 and save it to your desktop.
  • Under "Java Platform, Standard Edition"...click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select (click on) the download link for your operating system (Windows x86 Offline: jre-8u66-windows-i586.exe or Windows x64: jre-8u66-windows-x64.exe) and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-8u66-windows-i586.exe (or jre-8u66-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it. The McAfee Security Scan Plus may be installed unless you uncheck the McAfee installation box when updating Java.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version. However, be aware that the Java updater prompts you to make Yahoo Search your browser's default search engine and home page...the option is pre-checked.

***


Step 3: ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.

***




#9 skypilotpete
  • Topic Starter

Posted 14 April 2016 - 03:55 AM

I have tried running TFC twice, and each time it has started running, and then I get the message "TFC has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." I have rebooted the computer and tried again, but it has happened each time I have tried to run it. The second time I closed all my anti virus and anti malware software, but that didn't help.

 

I will wait to hear from you about this before I proceed to the next steps.



#10 Jo*
  • Malware Response Team

Posted 14 April 2016 - 04:02 AM

OK, no problem.

Skip TFC and proceed to the next steps (Java Update and ESET Scan).



#11 skypilotpete
  • Topic Starter

Posted 14 April 2016 - 05:37 AM

I have updated Java to Version 8 Update 77 (build 1.8.0_77-b03)

 

ESET SCAN LOG

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\PitchPerfect\pitchperfect.exe.vir a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\PitchPerfect\pitchperfectsetup_v2.12.exe.vir a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\AdwCleaner\Quarantine\C\Users\Chris\AppData\Roaming\Search Protection\SP.exe.vir a variant of Win32/Toolbar.Widgi.J potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Users\Chris\AppData\Roaming\Search Protection\Uninstall.exe.vir a variant of Win32/Toolbar.Widgi.J potentially unwanted application deleted
D:\My Documents\Downloads\ImgBurn\SetupImgBurn_2.5.8.0.exe Win32/OpenCandy potentially unsafe application deleted
D:\My Documents\Downloads\MediaInfo\MediaInfo_GUI_0.7.67_Windows.exe Win32/OpenCandy potentially unsafe application deleted
D:\My Documents\Downloads\MediaInfo\MediaInfo_GUI_0.7.68_Windows.exe Win32/OpenCandy potentially unsafe application deleted
D:\My Documents\Downloads\MediaInfo\MediaInfo_GUI_0.7.69_Windows.exe Win32/OpenCandy potentially unsafe application deleted
D:\My Documents\Downloads\Nero 7 Ultimate\Nero-7.10.1.0_eng_trial.exe Win32/Toolbar.AskSBar potentially unwanted application deleted
D:\My Documents\Downloads\Outlook Express\outlookexpress-setup.exe Win32/DownloadAdmin.G potentially unwanted application deleted
D:\My Documents\Downloads\Pitch Perfect Guitar Tuner\ppsetup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
D:\My Documents\Downloads\Pitch Perfect Instument Tuner\ppsetup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
D:\My Documents\Downloads\Portforward\PFPortChecker.exe Win32/InstallMonetizer.AN potentially unwanted application deleted
D:\My Documents\Downloads\Portforward\Portforward-Setup-Static-IP-Address.exe Win32/InstallMonetizer.AN potentially unwanted application deleted
D:\My Documents\Downloads\Speccy\spsetup128.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
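The scan log above, read back the way a responder would triage it: the script below is an added example, not part of the thread and not ESET's own tooling. It parses lines in the format ESET printed, then flags which hits were already sitting in AdwCleaner's quarantine (the .vir files, already neutralised) and which were bundled installers under Downloads, so that the reader can see that none of the entries was a running program. The sample lines are constructed from the post; the regular expression, the function name and the field names are my assumptions.

```powershell
# Added example (not from the thread or from ESET): summarise an ESET scan log
# in the line format quoted in the post. Sample lines are constructed from it.
$SampleLog = @'
C:\AdwCleaner\Quarantine\C\Users\Chris\AppData\Roaming\Search Protection\SP.exe.vir a variant of Win32/Toolbar.Widgi.J potentially unwanted application cleaned by deleting
D:\My Documents\Downloads\Speccy\spsetup128.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
D:\My Documents\Downloads\Nero 7 Ultimate\Nero-7.10.1.0_eng_trial.exe Win32/Toolbar.AskSBar potentially unwanted application deleted
'@

function ConvertFrom-EsetLogLine {
    # Hypothetical helper: one log line in, one object out (null if the line does not parse).
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # path (may contain spaces)  [a variant of] <threat>  potentially unsafe|unwanted application  <action>
        $m = [regex]::Match($Line,
            '^(?<path>.+?)\s+(?:a variant of )?(?<threat>\S+)\s+potentially (?<cat>unsafe|unwanted) application\s+(?<action>.+)$')
        if (-not $m.Success) { return }
        $path = $m.Groups['path'].Value
        [pscustomobject]@{
            Path     = $path
            Threat   = $m.Groups['threat'].Value
            Category = "potentially $($m.Groups['cat'].Value) application"
            Action   = $m.Groups['action'].Value.Trim()
            # A .vir file under a Quarantine folder had already been disarmed by AdwCleaner;
            # ESET merely removed the quarantined copy.
            AlreadyQuarantined = ($path -match '\\Quarantine\\' -and $path -like '*.vir')
            # Installer bundles in Downloads carry PUAs but are not running code.
            InDownloads = ($path -match '\\Downloads\\')
        }
    }
}

$hits = $SampleLog -split "`r?`n" | Where-Object { $_ } | ConvertFrom-EsetLogLine

# Per-hit view, then a count per detection family, then the triage summary.
$hits | Format-Table Threat, Category, AlreadyQuarantined, InDownloads, Action -AutoSize
$hits | Group-Object Threat | Sort-Object Count -Descending | Select-Object Count, Name
$quarantined = @($hits | Where-Object { $_.AlreadyQuarantined }).Count
$installers  = @($hits | Where-Object { $_.InDownloads }).Count
"Already quarantined: $quarantined; installer bundles in Downloads: $installers; other: $(@($hits).Count - $quarantined - $installers)"
```

Feed a real log in with `Get-Content eset.txt | ConvertFrom-EsetLogLine`; anything that is neither quarantined nor a downloaded installer (an entry under Program Files, AppData or a startup location) is the line worth looking at first.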


#12 Jo*

  • Malware Response Team
  • 3,400 posts
  • Gender:Male
  • Location:Germany

Posted 14 April 2016 - 06:15 AM

It appears that your PC is now clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process.

***


Delete the log files our tools created; they are located on your desktop or in the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the Del or Delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some preventive tips to reduce the potential for spyware infection in the future:

1. Browse more securely.

2. Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows Update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in the left-hand task pane).

3. Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P file sharing as an important channel to spread their wares.

4. Use only one anti-virus software and keep it up to date.

5. Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

6. Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

7. Use strong passwords!

8. Email attachments
Do not open any unknown email attachments that you received without asking for them!


Extra note:
Keep your browser, Java, PDF reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date, because older versions may contain security leaks.


***


Cheers,
Jo
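A read-only check of the points in the tips above, plus the proxy setting that started this thread, as an added example (not from the poster, the helper or BleepingComputer). It assumes PowerShell 3 or later (Windows 7 gets it with WMF 3) and an elevated prompt so that netsh can read the firewall state. The function names are mine; the ProxyEnable, ProxyServer and AutoConfigURL values under Internet Settings, `netsh advfirewall`, the wuauserv service and the root\SecurityCenter2 AntiVirusProduct class are standard Windows items.

```powershell
# Added example: audit the proxy setting, firewall profiles, Windows Update service
# and registered anti-virus products. Reads only; changes nothing.

function Get-ProxyState {
    # Hypothetical helper name. These are the per-user Internet Settings values that
    # "Use a proxy server" and the PAC script field write to.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnabled = [bool]$p.ProxyEnable   # 1 when the proxy checkbox is ticked
        ProxyServer  = $p.ProxyServer         # host:port traffic would be sent through
        AutoConfig   = $p.AutoConfigURL       # PAC script URL, another way to redirect traffic
    }
}

function Get-FirewallState {
    # netsh output is used because it exists on XP SP2 through 10; Get-NetFirewallProfile needs Windows 8+.
    $out = netsh advfirewall show allprofiles state
    $profiles = @()
    $current = $null
    foreach ($line in $out) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($line -match '^State\s+(\w+)') {
            $profiles += [pscustomobject]@{ Profile = $current; State = $Matches[1] }
        }
    }
    $profiles
}

function Get-UpdateAndAvState {
    $wu = Get-Service wuauserv
    # Security Center registrations; more than one entry is the "use only one anti-virus" problem.
    $av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
          Select-Object -ExpandProperty displayName
    [pscustomobject]@{
        WindowsUpdateService = $wu.Status
        StartType            = (Get-WmiObject Win32_Service -Filter "Name='wuauserv'").StartMode
        RegisteredAv         = $av
        AvCount              = @($av).Count
    }
}

$proxy = Get-ProxyState
if ($proxy.ProxyEnabled -or $proxy.AutoConfig) {
    Write-Warning "A proxy is configured ($($proxy.ProxyServer) $($proxy.AutoConfig)). If you did not set it yourself, this is the symptom described in the first post."
}
$proxy | Format-List

Get-FirewallState | Format-Table -AutoSize
$off = @(Get-FirewallState | Where-Object { $_.State -ne 'ON' })
if ($off.Count -gt 0) { Write-Warning "Firewall is off for: $($off.Profile -join ', ')" }

$state = Get-UpdateAndAvState
$state | Format-List
if ($state.AvCount -gt 1) { Write-Warning "More than one anti-virus product is registered: $($state.RegisteredAv -join ', ')" }
```

Each warning maps to one of the tips: an unexpected proxy or PAC URL is the original symptom of this thread, an OFF profile is item 5, and two registered anti-virus products is item 4. Run it again after the cleanup so there is a record of what the machine looked like once it was declared clean.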


#13 skypilotpete

  • Topic Starter
  • Members
  • 51 posts
  • Gender:Male
  • Location:Adelaide, South Australia

Posted 14 April 2016 - 08:48 PM

Thank you very much for your patient and helpful advice and direction.



#14 Jo*

  • Malware Response Team
  • 3,400 posts
  • Gender:Male
  • Location:Germany

Posted 15 April 2016 - 02:42 AM

You are welcome.
Glad we could help.

Cheers,
Jo




