possible hijacking

12 replies to this topic

#1 Damien88

Damien88

  • Members
  • 15 posts

Posted 23 April 2016 - 10:42 PM

Ref -- Damien88

 

Attached File  CheckResults.txt   58.59KB   8 downloads

Attached File  ESET.txt   4.16KB   3 downloads

Attached File  TDSSKiller.3.1.0.9_24.04.2016_09.11.48_log.txt   758.01KB   2 downloads


#2 satchfan

satchfan

  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 April 2016 - 02:26 AM

Hello Damien88 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please follow these instructions in the order given.

 

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

================================================

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Damien88

Damien88
  • Topic Starter

  • Members
  • 15 posts

Posted 24 April 2016 - 03:07 AM

Satchfan, many thanks.

 

I cannot find an adwcleaner log. It showed up and I clicked it closed thinking that it had been automatically saved to the desktop. As I recall it showed only about 6 items all of which had been removed or remedied in some way. I can run it again if you wish.

 

Attached File  JRT.txt   1.35KB   3 downloads

Attached File  FRST.txt   28.56KB   5 downloads

Attached File  Addition.txt   42.37KB   3 downloads

 

 



#4 satchfan

satchfan

  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 April 2016 - 03:16 AM

The Adwcleaner log should be located at C:\AdwCleaner[S1].txt. Please post the results and meanwhile I'll look at the other logs you supplied.

Thanks

Satchfan




#5 Damien88

Damien88
  • Topic Starter

  • Members
  • 15 posts

Posted 24 April 2016 - 03:37 AM

Attached File  AdwCleanerS1.txt   3.02KB   6 downloads



#6 satchfan

satchfan

  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 April 2016 - 04:18 AM

Well done on locating the AdwCleaner log.

I think it was just a case of some adware as there’s nothing too sinister in your logs but we’ll tidy up what was found and run another scan.

Uninstall programs

I see you are using a “Registry Cleaner”, BeClean. It's not a good idea to use registry cleaners/boosters.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid and erroneous entries does not affect system performance but it can result in "unpredictable results". Unless you have a particular problem that requires a registry edit to correct it, (and you are expert in the registry), I would suggest you leave the registry alone.

I strongly advise you to get rid of BeClean and any other cleaner/optimizer/booster/tuneup/tweak type utilities that you have on this or any other computer.

One of the malware experts, miekiemoes, has an excellent write-up here
Another from quietman7 here

To uninstall BeClean

  • hold down the Windows logo key and press X to open a menu at the lower-left area of the screen
  • select Programs and Features from the menu
  • search and select the program and click on Uninstall
  • reboot your computer.

===================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> No File
S3 cpuz136; \??\C:\Users\damien\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]
S3 keycrypt; system32\DRIVERS\KeyCrypt64.sys [X]
2016-04-23 10:10 - 2016-04-23 10:10 - 11137520 _____ (SparkTrust) C:\Users\damien\Downloads\SparkTrust PC Cleaner Plus Setup_6B8C8A65-C74C-4C85-82EB-157D66C50FD3_.exe
2016-04-18 23:58 - 2016-04-18 23:58 - 02992384 _____ (AVG Technologies CZ, s.r.o.) C:\Users\damien\Downloads\AVG_Protection_755.exe
2016-04-24 07:37 - 2014-12-06 07:35 - 00000000 ____D C:\Users\damien\AppData\Local\Avg
2016-04-24 07:37 - 2014-03-16 07:41 - 00000000 ____D C:\Program Files (x86)\AVG
FirewallRules: [{230748B5-FCA0-4B35-9E10-549D42CFCE4D}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{66D8868A-B15F-427D-8E9B-36A1C252CF77}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{E3932EF8-AC53-42F6-A5F7-1BAF47621A79}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsm44DE.tmp\CnetInstaller-10965493.exe
FirewallRules: [{BB8A0F12-E647-4DE5-A991-50DC4C0FEBF7}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsm44DE.tmp\CnetInstaller-10965493.exe
FirewallRules: [{AA4BA905-48AC-4338-B074-638B50AF0586}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsxD901.tmp\CnetInstaller-10487494.exe
FirewallRules: [{0F75EBFC-9415-4753-8943-CA0D7FA91FF1}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsxD901.tmp\CnetInstaller-10487494.exe
FirewallRules: [{D6F53773-F0B3-46FA-B41B-559495BC6C15}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsbA0F5.tmp\CnetInstaller-10141393.exe
FirewallRules: [{3D4CABF2-6143-48E3-A297-218811AB67A4}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsbA0F5.tmp\CnetInstaller-10141393.exe
FirewallRules: [{EE7AB506-D0EA-4D60-8AD6-A451D6CCD076}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsfC1B7.tmp\CnetInstaller-10141393.exe
FirewallRules: [{83457F29-6526-4440-90F0-FE78C2429A09}] => (Allow) C:\Users\damien\AppData\Local\Temp\nsfC1B7.tmp\CnetInstaller-10141393.exe
FirewallRules: [TCP Query User{47539974-8A30-46DC-A9F2-DF55B0FF5906}C:\program files
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • start Malwarebytes Anti-Malware and update it (“Update” tab)
  • once it is updated, click on “Scan” tab, select Threat Scan, then click Scan.
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs to include with next post:

Fixlog.txt
Mbam.txt


Can you tell me if there are any issues that remain?

Thanks

Satchfan

 




#7 Damien88

Damien88
  • Topic Starter

  • Members
  • 15 posts

Posted 24 April 2016 - 06:24 AM

Thanks Satchfan.

 

BeClean has been uninstalled.

 

I've still to do the Malwarebytes scan but that will have to wait overnight unfortunately.

 

In the meantime I have run FRST and fixit programs.

 

Attached File  Fixlog.txt   5.52KB   1 downloads

 

I have also noted in the ADDITION file the following:

==================== FirewallRules (Whitelisted) ===============
FirewallRules: [{C2C7C6D6-8110-45DE-ABDB-1BF0AF1F0550}] => (Allow) C:\Program Files (x86)\Apowersoft\Video Download Capture\Video Download Capture.exe
...and multiple other Apowersoft video capture permissions.

I have been downloading relaxation videos lately from YouTube and they may have occurred there. But I am concerned about the possibility of that software capturing my screen.
=================================================================
Also a concern is SparkPlusPCCleanerPlus.exe
I originally installed and used this when it was suggested when I first lodged my post at the forum "Am I Infected."
I later uninstalled it but I notice it is still showing up when I click on tray icons notification.
Adware[S1] also showed up various SparkPlus folders.

Any thoughts?
 


Edited by Damien88, 24 April 2016 - 06:25 AM.


#8 satchfan

satchfan

  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 April 2016 - 07:09 AM

I've still to do the Malwarebytes scan but that will have to wait overnight

 

Unfortunate time difference but hopefully this problem will be resolved quite quickly as there is nothing seriously wrong here.

 

Have a good sleep.

 

Satchfan




#9 Damien88

Damien88
  • Topic Starter

  • Members
  • 15 posts

Posted 24 April 2016 - 06:06 PM

Everything looks fine satchfan.

 

Attached File  malwarebytes.txt   1.02KB   3 downloads



#10 satchfan

satchfan

  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 25 April 2016 - 01:56 AM

Are there any remaining problems?




#11 Damien88

Damien88
  • Topic Starter

  • Members
  • 15 posts

Posted 25 April 2016 - 05:11 AM

No malware issues, Satchfan. Many thanks for your kind help. Cheers.



#12 satchfan

satchfan

  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 25 April 2016 - 03:07 PM

I apologise for the delay but I must have missed your reply.

Your computer appears to be clean.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:

  • Create registry backup
  • Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Update installed programs

Your version of Java is out of date and needs to be removed and updated. Having the latest updates and removing old versions ensures there are no security vulnerabilities in your system.

  • right-click in the screen’s bottom-left corner and choose Control Panel from the pop-up menu
  • choose Uninstall a Program from the “Programs” category
  • click on Java 8 Update 77 and then on the Uninstall button.

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

NEXT

Install the latest version of Java:

Java

NOTE – when you install Java, before clicking on Install, be sure to uncheck “Install the Ask Toolbar and make Ask my default search provider”

Even though I just had you get the latest version of Java, there is a vulnerability with regards to Java and web browsers. Therefore, we recommend disabling Java in web browsers.

More information can be found here.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX controls by immunizing your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Download WOT

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • green if it's safe
  • yellow for caution
  • red for unsafe

You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

======================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, much of which causes redirects/popups and verges on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK.
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You are now protected.

Note: The free version doesn't provide automatic updates but should be updated often, (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu then select Check for Updates to see if there are any available.

===================================================

I also recommend that you read the following:

Best Practices for Safe Computing - Prevention of Malware Infection by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan

 




#13 satchfan

satchfan

  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 26 April 2016 - 05:43 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
