Windows Defender repetitively identifies presence of Trojan:Win32/Kovter


13 replies to this topic

#1 jwm4

jwm4

  • Members
  • 68 posts

Posted 05 May 2016 - 12:03 AM

Defender has identified this malware multiple times and says it has removed it; however, from research, I see that it has not removed the source of the malware. I have lately also noticed the presence of a browser tab requesting that I update Adobe Flash Player, but it's always pointing to an inauthentic web address (semi-phonetic group of letters that mean nothing with .org or some other off-brand TLD). When I notice this page, Defender is also notifying me of the Trojan.

 

I kindly request your assistance with the permanent removal of this malware. 

 

 

Thanks!


#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts

Posted 06 May 2016 - 07:29 PM

Hello jwm4 and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.

Thanks
 
Please do the following.
Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced and click "I have read the warning and wish to proceed anyway".
  • Auto Launch > Untick the box next
  • Scan type > Smart scan (Default)
  • Close all open files, folders and browsers.
  • Click scan now "Run as Administrator" and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

===============================================================

How is your PC now, and is there still a problem?

 

Have a nice day.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 jwm4


Posted 10 May 2016 - 04:37 PM

Hi Yilmaz,

 

Here is the report (post cleanup); however, I pressed "NEXT" while looking for the source of the report, so Zemana cleaned some files that I would have preferred that it did not, but that's not a big deal (an Android apk for obtaining root on an S5, several Chrome extensions, a Nirsoft program (wirelessnetview) and a Firefox extension).

 

Here is the report:

 

Zemana AntiMalware 2.20.2.613 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/5/10
Operating System       : Windows 10 64-bit
Processor              : 8X Intel® Core™ i7-4702HQ CPU @ 2.20GHz
BIOS Mode              : Legacy
CUID                   : 00248004E9898A40E6DD98
Scan Type              : Smart Scan
Duration               : 2m 21s
Scanned Objects        : 18150
Detected Objects       : 5
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : ON
Detect All Extensions  : OFF
Scan Documents         : OFF
Domain Info            : NGT,1,3
 
Detected Objects
-------------------------------------------------------
 
Chrome Shortcut
Status             : Scanned
Object             : --app-id=edacconmaakjimmfgnblocblbcdcpbko
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut
 
Chrome Shortcut
Status             : Scanned
Object             : --app-id=eggkanocgddhmamlbiijnphhppkpkmkl
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut
 
SimilarSites
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\32ix0cf1.default\extensions\{e71b541f-5e72-5555-a47c-e47863195841}.xpi
MD5                : C1EAFCFCE1914A0EC677FC635066EB13
Publisher          : -
Size               : 549531
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Repair
Related Objects    :
                Browser Extension - SimilarSites
                File - %appdata%\mozilla\firefox\profiles\32ix0cf1.default\extensions\{e71b541f-5e72-5555-a47c-e47863195841}.xpi
 
wirelessnetview_setup.exe
Status             : Scanned
Object             : %homedrive%\dropbox\downloads\applications\wirelessnetview_setup.exe
MD5                : 83F28F07146A6EBD95076A1229872075
Publisher          : Nir Sofer
Size               : 129288
Version            : -
Detection          : Adware:Win32/Quarand!Icre
Cleaning Action    : Quarantine
Related Objects    :
                File - %homedrive%\dropbox\downloads\applications\wirelessnetview_setup.exe
 
tr.apk
Status             : Scanned
Object             : %homedrive%\dropbox\downloads\android\tr.apk
MD5                : E287E785D0E3E043FB0CFBFE69309D8E
Publisher          : -
Size               : 113099
Version            : -
Detection          : Malicious:Android/Tamaca!Trtr
Cleaning Action    : Quarantine
Related Objects    :
                File - %homedrive%\dropbox\downloads\android\tr.apk
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 5
Reported as safe      : 0
Failed                : 0
 
 
I've run the scan again and included the resulting report.
 
Zemana AntiMalware 2.20.2.613 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/5/10
Operating System       : Windows 10 64-bit
Processor              : 8X Intel® Core™ i7-4702HQ CPU @ 2.20GHz
BIOS Mode              : Legacy
CUID                   : 00248004E9898A40E6DD98
Scan Type              : Smart Scan
Duration               : 1m 6s
Scanned Objects        : 17864
Detected Objects       : 0
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : ON
Detect All Extensions  : OFF
Scan Documents         : OFF
Domain Info            : NGT,1,3
 
Detected Objects
-------------------------------------------------------
 
There are no detected objects
 

Edited by jwm4, 10 May 2016 - 04:39 PM.


#4 olgun52


Posted 10 May 2016 - 05:00 PM

How is your PC running now, and is there still a problem? What is it?


Best regards
 

 


 


#5 jwm4


Posted 10 May 2016 - 05:07 PM

My PC has not run with any noticeable issues, other than the one identified in my OP. The fake Adobe flashplayer update only pops up after my computer has been sitting idle for a while, so I'll have to wait to see whether that recurs. I don't believe any of the deleted programs were the source of the problem. The Android apk is irrelevant to this PC. The Chrome and Firefox extensions have been on this computer and others for months to years without causing problems. Nirsoft is a known provider of small, helpful Windows programs; the wirelessnetview is recommended by a number of reputable PC technical sites for troubleshooting wireless issues. All of those programs run on another PC I have, but it doesn't exhibit the fake Adobe popup found on this one, so there is no correlation of behavior among the programs and problem on differing PCs.



#6 olgun52


Posted 10 May 2016 - 06:54 PM

Hi there,

 

Thank you.

 

Step 1:
FRST Script:
Please download the attached Fixlist.txt and save it in the same directory as FRST.

  • Close any open browsers or any other programs that are open
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Best regards
 

 


 


#7 jwm4


Posted 11 May 2016 - 03:53 PM

This program appears to have made a number of undesirable changes to my computer, such as eliminating scheduled backup tasks, deleting protected cookie lists, deleting Chrome extensions, modified Windows domain policy settings, modified my password manager in some manner yet to be determined, and modified other personalized configurations of Windows. Please let me know if any additional programs you plan to use will have such wide ranging impacts, as I might not want to use them. I have never had that experience with bleeping computer tools previously.
 
Thanks!
 
 
 
 
 
 
 
 
 
 
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by jwm4 (2016-05-11 15:43:03) Run:1
Running from C:\Users\jwm4\Desktop
Loaded Profiles: jwm4 (Available Profiles: Jim & jwm4 & ann)
Boot Mode: Normal
==============================================
 
 
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-471456211-1128354712-3898517561-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-5F32B16BBB92}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
CustomCLSID: HKU\S-1-5-21-471456211-1128354712-3898517561-1001_Classes\CLSID\{f655a448-58b7-134f-63cf-59cbff42b85b0}\InprocServer32 -> 0x2746ACF1B354D10195B5279DC06AD101030000000B00000000000000 => No File
Task: {29C5D9AA-F772-40EE-8CFC-9A145B3B8AFB} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {2A0E8E0F-152C-4DE2-B0B3-534B4D60F8D4} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
AlternateDataStreams: C:\ProgramData\TEMP:58A5270D [209]
AlternateDataStreams: C:\ProgramData\TEMP:F8AF2BB9 [220]
AlternateDataStreams: C:\Users\jwm4\Desktop\FRST64.exe:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\jwm4\AppData\Local\Temp:tInfo [8]
AlternateDataStreams: C:\Users\jwm4\Documents\Dropbox Documents:com.dropbox.attributes [168]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\...\Run: [Power2GoExpress10] => 0
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\...\Run: [QNPlus] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\S-1-5-21-471456211-1128354712-3898517561-1001 -> {4D22A37F-E536-47E4-9C41-2F13E8307C1D} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-01-05] (LastPass)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-05] (LastPass)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-05] (LastPass)
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-05] (LastPass)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-05] (LastPass)
FF Extension: LastPass - C:\Users\jwm4\AppData\Roaming\Mozilla\Firefox\Profiles\32ix0cf1.default\extensions\support@lastpass.com [2016-03-09]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
2016-04-11 14:24 - 2016-04-11 14:24 - 00000000 __HDC C:\ProgramData\{05EE3202-A879-4F9D-895C-AC535855E0A9}
C:\ProgramData\boost_interprocess
2016-05-04 05:37 - 2016-02-06 02:54 - 00000500 _____ C:\WINDOWS\Tasks\Macrium-Backup-{DADDA4FC-A4D6-4AEF-BCA6-A41C7190A477}.job
2016-05-04 03:23 - 2016-01-06 04:23 - 00000518 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 60c1b5b1-2b20-4444-ad04-556611266d4c.job
2016-05-03 23:25 - 2016-02-29 17:48 - 00000000 ____D C:\Users\jwm4\AppData\Roaming\Modano
C:\Users\jwm4\AppData\Roaming\Atom
C:\Users\jwm4\AppData\Roaming\winscp.rnd
2015-08-31 19:02 - 2016-04-06 18:32 - 0002644 _____ () C:\Users\jwm4\AppData\Local\OfficeMix_16_0.txt
2015-12-22 01:36 - 2016-02-04 16:18 - 0000600 _____ () C:\Users\jwm4\AppData\Local\PUTTY.RND
2015-11-13 17:09 - 2015-11-13 17:09 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
C:\Users\ann\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpguffuj.dll
C:\Users\jwm4\AppData\Local\Temp\amazoncct.dll
C:\Users\jwm4\AppData\Local\Temp\AYSG.exe
C:\Users\jwm4\AppData\Local\Temp\BDSVS.exe
C:\Users\jwm4\AppData\Local\Temp\cct.dll
C:\Users\jwm4\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpskfuz4.dll
C:\Users\jwm4\AppData\Local\Temp\JavaIC.dll
C:\Users\jwm4\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\msscct32.dll
C:\Users\jwm4\AppData\Local\Temp\npp.6.8.6.Installer.exe
C:\Users\jwm4\AppData\Local\Temp\npp.6.8.8.Installer.exe
C:\Users\jwm4\AppData\Local\Temp\npp.6.9.1.Installer.exe
C:\Users\jwm4\AppData\Local\Temp\OTEIIFHO.exe
C:\Users\jwm4\AppData\Local\Temp\pushbullet_watchdog.exe
C:\Users\jwm4\AppData\Local\Temp\reflectPatch.exe
C:\Users\jwm4\AppData\Local\Temp\SUEFWZN.exe
C:\Users\jwm4\AppData\Local\Temp\xmlUpdater.exe
C:\Users\jwm4\AppData\Local\Temp\YSearchUtil.dll
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Emptytemp:
Reboot:
End 
 
 
 
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-471456211-1128354712-3898517561-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-5F32B16BBB92}" => key removed successfully
"HKU\S-1-5-21-471456211-1128354712-3898517561-1001_Classes\CLSID\{f655a448-58b7-134f-63cf-59cbff42b85b0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{29C5D9AA-F772-40EE-8CFC-9A145B3B8AFB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29C5D9AA-F772-40EE-8CFC-9A145B3B8AFB}" => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2A0E8E0F-152C-4DE2-B0B3-534B4D60F8D4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A0E8E0F-152C-4DE2-B0B3-534B4D60F8D4}" => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" => key removed successfully
C:\ProgramData\TEMP => ":58A5270D" ADS removed successfully.
C:\ProgramData\TEMP => ":F8AF2BB9" ADS removed successfully.
"C:\Users\jwm4\Desktop\FRST64.exe" => ":com.dropbox.attributes" ADS not found.
C:\Users\jwm4\AppData\Local\Temp => ":tInfo" ADS removed successfully.
"C:\Users\jwm4\Documents\Dropbox Documents" => ":com.dropbox.attributes" ADS not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value not found.
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress10 => value not found.
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\Software\Microsoft\Windows\CurrentVersion\Run\\QNPlus => value not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKU\S-1-5-21-471456211-1128354712-3898517561-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4D22A37F-E536-47E4-9C41-2F13E8307C1D}" => key removed successfully
HKCR\CLSID\{4D22A37F-E536-47E4-9C41-2F13E8307C1D} => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95D9ECF5-2A4D-4550-BE49-70D42F71296E}" => key removed successfully
"HKCR\CLSID\{95D9ECF5-2A4D-4550-BE49-70D42F71296E}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95D9ECF5-2A4D-4550-BE49-70D42F71296E}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{95D9ECF5-2A4D-4550-BE49-70D42F71296E}" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} => value removed successfully
"HKCR\Wow6432Node\CLSID\{9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5}" => key removed successfully
"HKLM\Software\MozillaPlugins\@lastpass.com/NPLastPass" => key removed successfully
C:\Program Files (x86)\LastPass\nplastpass64.dll => moved successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@lastpass.com/NPLastPass" => key removed successfully
C:\Program Files (x86)\LastPass\nplastpass64.dll => not found.
C:\Users\jwm4\AppData\Roaming\Mozilla\Firefox\Profiles\32ix0cf1.default\extensions\support@lastpass.com => moved successfully
C:\Users\jwm4\AppData\Roaming\Mozilla\Firefox\Profiles\32ix0cf1.default\extensions\support@lastpass.com => path removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => key removed successfully
C:\ProgramData\{05EE3202-A879-4F9D-895C-AC535855E0A9} => moved successfully
C:\ProgramData\boost_interprocess => moved successfully
C:\WINDOWS\Tasks\Macrium-Backup-{DADDA4FC-A4D6-4AEF-BCA6-A41C7190A477}.job => moved successfully
C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 60c1b5b1-2b20-4444-ad04-556611266d4c.job => moved successfully
C:\Users\jwm4\AppData\Roaming\Modano => moved successfully
C:\Users\jwm4\AppData\Roaming\Atom => moved successfully
C:\Users\jwm4\AppData\Roaming\winscp.rnd => moved successfully
C:\Users\jwm4\AppData\Local\OfficeMix_16_0.txt => moved successfully
C:\Users\jwm4\AppData\Local\PUTTY.RND => moved successfully
C:\ProgramData\DP45977C.lfl => moved successfully
 
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
C:\Users\ann\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpguffuj.dll => moved successfully
C:\Users\jwm4\AppData\Local\Temp\amazoncct.dll => moved successfully
C:\Users\jwm4\AppData\Local\Temp\AYSG.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\BDSVS.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\cct.dll => moved successfully
C:\Users\jwm4\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpskfuz4.dll => moved successfully
C:\Users\jwm4\AppData\Local\Temp\JavaIC.dll => moved successfully
C:\Users\jwm4\AppData\Local\Temp\jre-8u66-windows-au.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\jre-8u71-windows-au.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\jre-8u73-windows-au.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\jre-8u77-windows-au.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\msscct32.dll => moved successfully
C:\Users\jwm4\AppData\Local\Temp\npp.6.8.6.Installer.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\npp.6.8.8.Installer.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\npp.6.9.1.Installer.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\OTEIIFHO.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\pushbullet_watchdog.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\reflectPatch.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\SUEFWZN.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\xmlUpdater.exe => moved successfully
C:\Users\jwm4\AppData\Local\Temp\YSearchUtil.dll => moved successfully
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv4 reset =========
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Route, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv6 reset =========
 
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
EmptyTemp: => 5.7 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 15:44:09 ====


#8 jwm4


Posted 11 May 2016 - 04:26 PM

OK, this time I looked at what it wanted to delete and disallowed the deleting of perfectly fine Chrome and Firefox extensions that I have used for years and the presence of which on my machine predates the presenting malware symptoms by years. Zoom is a highly rated extension for Chrome with over 100,00 users. It seems your tools are creating a lot of false positives (Nirsoft being another example of a well-qualified and respected source of IT admin tools).

 

Here's the log:

 

# AdwCleaner v5.116 - Logfile created 11/05/2016 at 17:10:57
# Updated 09/05/2016 by Xplode
# Database : 2016-05-09.1 [Server]
# Operating system : Windows 10 Pro  (X64)
# Username : jwm4 - DELL9530
# Running from : C:\Users\jwm4\Desktop\adwcleaner_5.116.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehoopddfhgaehhmphfcooacjdpmbjlao
Folder Found : C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajondecmobodlejlcjllhojikagldgd
 
***** [ Files ] *****
 
File Found : C:\Users\jwm4\AppData\Roaming\Mozilla\Firefox\Profiles\32ix0cf1.default\extensions\cookieimporter@krk.xpi
File Found : C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lajondecmobodlejlcjllhojikagldgd
 
***** [ DLL ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : knowledgebase.macrium.com
[C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : homeadvisor.com
[C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com
[C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : 1and1.com
[C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : shutterstock.com
[C:\Users\jwm4\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : answers.atlassian.com
[C:\Users\ann\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\ann\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[S1].txt - [2115 bytes] - [11/05/2016 17:10:57]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2188 bytes] ##########


#9 olgun52


Posted 11 May 2016 - 04:26 PM

The only problem here is the deletion of LPToolbar
==================================================================
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
RestoreQuarantine: C:\FRST\Quarantine
 
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
 

==================================================================================

How is it now ?

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#10 jwm4

Posted 11 May 2016 - 05:04 PM

Here's the Mbam log. I ran it before contacting bleeping computer as well, and it showed clean then (except for the PUPs of which I was already aware and did want).

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/11/2016
Scan Time: 5:28 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.05.11.06
Rootkit Database: v2016.05.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: jwm4
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 435380
Time Elapsed: 24 min, 4 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#11 olgun52

Posted 11 May 2016 - 05:32 PM

Hi,
 Step 1:
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-471456211-1128354712-3898517561-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-5F32B16BBB92}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
CustomCLSID: HKU\S-1-5-21-471456211-1128354712-3898517561-1001_Classes\CLSID\{f655a448-58b7-134f-63cf-59cbff42b85b0}\InprocServer32 -> 0x2746ACF1B354D10195B5279DC06AD101030000000B00000000000000 => No File
AlternateDataStreams: C:\ProgramData\TEMP:58A5270D [209]
AlternateDataStreams: C:\ProgramData\TEMP:F8AF2BB9 [220]
AlternateDataStreams: C:\Users\jwm4\Desktop\FRST64.exe:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\jwm4\AppData\Local\Temp:tInfo [8]
AlternateDataStreams: C:\Users\jwm4\Documents\Dropbox Documents:com.dropbox.attributes [168]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\...\Run: [AdobeBridge] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-471456211-1128354712-3898517561-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\S-1-5-21-471456211-1128354712-3898517561-1001 -> {4D22A37F-E536-47E4-9C41-2F13E8307C1D} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
C:\ProgramData\boost_interprocess
2016-05-04 03:23 - 2016-01-06 04:23 - 00000518 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 60c1b5b1-2b20-4444-ad04-556611266d4c.job
2015-08-31 19:02 - 2016-04-06 18:32 - 0002644 _____ () C:\Users\jwm4\AppData\Local\OfficeMix_16_0.txt
2015-12-22 01:36 - 2016-02-04 16:18 - 0000600 _____ () C:\Users\jwm4\AppData\Local\PUTTY.RND
2015-11-13 17:09 - 2015-11-13 17:09 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
C:\Users\jwm4\AppData\Local\Temp\amazoncct.dll
C:\Users\jwm4\AppData\Local\Temp\AYSG.exe
C:\Users\jwm4\AppData\Local\Temp\BDSVS.exe
C:\Users\jwm4\AppData\Local\Temp\cct.dll
C:\Users\jwm4\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpskfuz4.dll
C:\Users\jwm4\AppData\Local\Temp\JavaIC.dll
C:\Users\jwm4\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\jwm4\AppData\Local\Temp\msscct32.dll
C:\Users\jwm4\AppData\Local\Temp\npp.6.8.6.Installer.exe
C:\Users\jwm4\AppData\Local\Temp\npp.6.8.8.Installer.exe
C:\Users\jwm4\AppData\Local\Temp\npp.6.9.1.Installer.exe
C:\Users\jwm4\AppData\Local\Temp\OTEIIFHO.exe
C:\Users\jwm4\AppData\Local\Temp\pushbullet_watchdog.exe
C:\Users\jwm4\AppData\Local\Temp\reflectPatch.exe
C:\Users\jwm4\AppData\Local\Temp\SUEFWZN.exe
C:\Users\jwm4\AppData\Local\Temp\xmlUpdater.exe
C:\Users\jwm4\AppData\Local\Temp\YSearchUtil.dll
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Emptytemp:
Reboot:
End

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
====================================================================================

Step 2:

MalwareBytes Anti-Rootkit scan:

  • Close all the running processes
  • Be sure to temporarily disable all antivirus/anti-spyware software
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.

:step1: Download MalwareBytes Anti-Rootkit software from here to your desktop.

  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator  to launch the application.

:step2: Open a folder with MBAR name on desktop.
:step3: The MBAR folder in the list you find.
:step4: Click once. :step5:  Now click the OK button. :step6: Click the OK button again.

:step7: Then Next and click on the Update button
:step8: Now click on the scan button

  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two message boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please  attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

Step 3:

RogueKiller scan:

  • Please download and run RogueKiller  32/64 bit to your desktop
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  • Click Scan to scan the system.
  • When the scan completes > Close out the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!
  • Post back the report which should be located on your desktop.

Best regards
 
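A read-only pre-flight review of a fixlist like the one posted above, as an added example (not part of the thread and not FRST's own code): it sorts each line into a category so that paths outside the Temp folder, policy changes and shell commands can be read before the Fix button is pressed. The category names and matching rules are assumptions made for this sketch, and the sample input is constructed from lines quoted in the post.

```python
import re

# Constructed sample: a handful of lines copied from the fixlist quoted in the thread.
SAMPLE_FIXLIST = r"""CreateRestorePoint:
CloseProcesses:
AlternateDataStreams: C:\ProgramData\TEMP:58A5270D [209]
GroupPolicyScripts: Restriction <======= ATTENTION
2015-12-22 01:36 - 2016-02-04 16:18 - 0000600 _____ () C:\Users\jwm4\AppData\Local\PUTTY.RND
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
C:\Users\jwm4\AppData\Local\Temp\AYSG.exe
CMD: netsh winsock reset all
Emptytemp:
End
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.+$")                       # drive-letter path to end of line
LISTING_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ")  # "created - modified - size" row
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp(\\|$)", re.I)     # per-user Temp folder

def classify(line):
    """Return (category, detail) for one fixlist line. Heuristic, not FRST's parser."""
    line = line.strip()
    if not line or line.lower() == "end":
        return ("ignore", "")
    if LISTING_RE.match(line) or PATH_RE.match(line):
        path = PATH_RE.search(line).group(0)
        return ("temp-file" if TEMP_RE.search(path) else "file-outside-temp", path)
    keyword, sep, rest = line.partition(":")
    if sep and keyword.lower() in ("cmd", "reg"):
        return ("command", rest.strip())
    if keyword == "AlternateDataStreams":
        return ("alternate-data-stream", rest.strip())
    if sep and not rest.strip():
        return ("directive", keyword)
    if "Policies" in line or keyword == "GroupPolicyScripts":
        return ("policy", line)
    return ("registry-or-other", line)

def review(fixlist_text):
    """Group fixlist lines by category so the ones needing a closer look stand out."""
    report = {}
    for raw in fixlist_text.splitlines():
        category, detail = classify(raw)
        if category != "ignore":
            report.setdefault(category, []).append(detail)
    return report

if __name__ == "__main__":
    for category, items in review(SAMPLE_FIXLIST).items():
        print(f"{category}: {items}")
```

Entries reported as `file-outside-temp`, `policy` or `command` are the ones worth checking against what is known to be installed or configured on the machine before the script is run.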

 


 


#12 jwm4

Posted 12 May 2016 - 03:33 PM

OK, I now feel like I'm being hacked by Bleeping Computer!  Could you please refer this case to an administrator/supervisor?

 

You've deleted perfectly normal applications that are NOT malware, including: Atom (a GITHUB CREATED AND MAINTAINED CODE EDITOR), Modano Excel Addin, DELL CREATED AND MAINTAINED DATA VAULT, LASTPASS Password Manager, Putty SSH Key Manager, MICROSOFT CREATED AND MAINTAINED Powerpoint Addin (OfficeMix), WINSCP SFTP App, and domain-based WINDOWS Group Policy settings. Either the tools you are using are broken, your judgment in using them is flawed, or you are maliciously harming my computer.

 

In addition, you are now repeating steps already performed. 

 

I will not proceed further with this process. I would like an administrator/supervisor to review this entire thread and explain to me the rationale for deleting perfectly normal programs.

 

Extremely disappointed with Bleeping Computer. 



#13 olgun52

Posted 12 May 2016 - 04:42 PM

Hi,

C:\Users\jwm4\AppData\Roaming\Modano
C:\Users\jwm4\AppData\Roaming\Atom
C:\Users\jwm4\AppData\Roaming\winscp.rnd
C:\Users\jwm4\AppData\Local\OfficeMix_16_0.txt

I'm sorry, your think so.

This file and addresses of  deletion, it does not come meaning, those softwares to be removed. No risk for there system. Also,there not is an iterative process also. Thank you for up to now so that your patience and understanding.

 

Good day.


Best regards
 

 


 


#14 jwm4

Posted 13 May 2016 - 10:41 AM

I choose to discontinue this process. The last response, presumably from an administrator, is impossible to decipher, given its poor English. Bleeping Computer apparently has no procedures for quality control and allows poorly trained technicians free license to reconfigure users' PCs, remove legitimate programs and settings, etc. While I've never had anything but excellent assistance previously, it only takes one experience like this to convince me that Bleeping Computer is no longer a "go-to" site for assistance in removing malware.





