
Project Oreon?


15 replies to this topic

#1 darrylhadfield (Members, 30 posts)

Posted 11 May 2016 - 08:43 PM

So, a few days ago, no new apps installed, no BHOs in place other than ones I've had for quite some time... I start getting random popups.
 
Usually, they're for "Project Oreon" and advertise getting Windows 10 for free (uhh... okay, yeah... gee, thanks.) but other times, they're randomized and are for completely other things. Tide somethingorother, online marketing help, etc..
 
Has anyone dealt with this before? I'm long in the tooth dealing with technology, but this one's got me stumped. Malwarebytes and Avast report no issues, and like I said - no new apps installed, no browser helper objects... I've trolled through the usual places (appdata, common files, system32) and haven't found anything out of the ordinary.
 
Any help would be appreciated.
 
Cheers.

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal


#2 buddy215 (Moderator, 13,318 posts, West Tennessee)

Posted 12 May 2016 - 05:59 AM

Welcome to BC...

 

If your Avast is the free version it could be responsible...

Could be some exploiting of Adobe Flash or other vulnerable program that is missing the latest security update or a zero day exploit.

Use the programs below to find and remove adware and malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Edited by buddy215, 12 May 2016 - 09:36 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 darrylhadfield (Topic Starter)

Posted 12 May 2016 - 09:15 AM

Working on the west coast, in meetings - taking a red-eye home tonight; will touch this when I hit the airport tonight. Thanks for the input, and more soon.

Cheers,

D.



#4 darrylhadfield (Topic Starter)

Posted 12 May 2016 - 07:51 PM

1. CCleaner:
Cleaning Complete - 18.510seconds
5,045mb removed
 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 
2. AdwCleaner:
 
>>>> File did not save to desktop. (I had to redact information, but when I closed the file, it was not present on the desktop - file was saved to: "C:\AdwCleaner\AdwCleaner[S1].txt")
>>>> Immediately after re-opening my browser, got a popup for: http://promote.buy-targeted-traffic.com/btt_1.html
 
 
# AdwCleaner v5.116 - Logfile created 12/05/2016 at 20:03:05
# Updated 09/05/2016 by Xplode
# Database : 2016-05-09.1 [Server]
# Operating system : Windows 7 Enterprise Service Pack 1 (X64)
# Username : [REDACTED]
# Running from : C:\Users\[REDACTED]\Desktop\cleanup\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Users\[REDACTED]\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmglolhoplikcoamfgjgammjbgchgjdd
[#] Folder Deleted : C:\Users\[REDACTED]\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmglolhoplikcoamfgjgammjbgchgjdd
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\[REDACTED]\AppData\Roaming\Mozilla\Firefox\Profiles\4mf9nira.default\prefs.js] Deleted : user_pref("socialfixer.100005926540589/typeahead_new", "for (;;);{\"__ar\":1,\"payload\":{\"entries\":[{\"uid\":100005926540589,\"type\":\"user\",\"text\":\"Darryl AE Hadfield\",\"photo\":\"hxxps:\\/\[...]
[-] [C:\Users\[REDACTED]\AppData\Roaming\Mozilla\Firefox\Profiles\4mf9nira.default\prefs.js] Deleted : user_pref("socialfixer.657903572/typeahead_new", "for (;;);{\"__ar\":1,\"payload\":{\"entries\":[{\"uid\":657903572,\"photo\":\"hxxps:\\/\\/scontent-ord1-1.xx.fbcdn.net\\/hprofile-xpl1\\/v\\/t1.0-1\\/[...]
[-] [C:\Users\[REDACTED]\AppData\Roaming\Mozilla\Firefox\Profiles\4mf9nira.default\prefs.js] Deleted : user_pref("socialfixer.100005926540589/typeahead_new", "for (;;);{\"__ar\":1,\"payload\":{\"entries\":[{\"uid\":100005926540589,\"type\":\"user\",\"text\":\"Darryl AE Hadfield\",\"photo\":\"hxxps:\\/\[...]
[-] [C:\Users\[REDACTED]\AppData\Roaming\Mozilla\Firefox\Profiles\4mf9nira.default\prefs.js] Deleted : user_pref("socialfixer.657903572/typeahead_new", "for (;;);{\"__ar\":1,\"payload\":{\"entries\":[{\"uid\":657903572,\"photo\":\"hxxps:\\/\\/scontent-ord1-1.xx.fbcdn.net\\/hprofile-xpl1\\/v\\/t1.0-1\\/[...]
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [2275 bytes] - [12/05/2016 20:03:05]
C:\AdwCleaner\AdwCleaner[S1].txt - [2302 bytes] - [12/05/2016 20:00:53]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2421 bytes] ##########
 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 
3. Junkware Removal Tool:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 7 Enterprise x64 
Ran by darryl (Administrator) on Thu 05/12/2016 at 20:13:17.74
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 26 
 
Successfully deleted: C:\Windows\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\Windows\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9N0PHYRN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8PR7PUM (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JM4UUBHO (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L65WXPSR (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOI61ZKX (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NIAS4GQ2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQ3R4C1P (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\darryl.HADFIELD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y5C4VXZL (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9N0PHYRN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8PR7PUM (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JM4UUBHO (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L65WXPSR (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOI61ZKX (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NIAS4GQ2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQ3R4C1P (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y5C4VXZL (Temporary Internet Files Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_15C2AE1175129CAA6B07DA05460BF9AE (Registry Value) 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 05/12/2016 at 20:15:13.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 
4. ESET OnlineScan:
 
...Click the Start button....
>>>> ERROR: Must select an option, one of either:  "Enable" or "Disable"   ".... detection of Potentially unwanted applications".
>>>>  I've chosen "enable".  There are also Advanced Options, none of which I have changed, but of which, "remove found threats" and "Enable anti-stealth technology" are both checked.
 
 
C:\Users\[REDACTED]\Desktop\Filing\[REDACTED]\thumbs.asp ASP/Small.A trojan cleaned by deleting
C:\Users\[REDACTED]\Documents\[REDACTED]\[REDACTED]\menu.asp ASP/Small.A trojan cleaned by deleting
C:\Users\[REDACTED]\Documents\[REDACTED]\[REDACTED]\Backup\images\favicon.ico ASP/Small.A trojan cleaned by deleting
 

redacted PII.
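The AdwCleaner log above removed a Chrome extension folder from the profile's Extensions directory. As an added example that is not code from the thread or from AdwCleaner, the Python below audits such an Extensions directory by reading each extension's manifest.json and flagging the capabilities an ad injector needs; the extension IDs and manifests it uses are constructed, and its output is a review aid, not a verdict.

```python
"""Audit a Chrome profile's Extensions folder for ad-injecting extensions.

Added example, not code from the thread or from AdwCleaner. Chrome stores each
extension under Extensions/<32-letter id>/<version>/manifest.json. The audit
reads every manifest and flags what an ad injector needs: host access to every
site, webRequest/tabs/proxy APIs, a content script that runs on all pages, or an
update_url that is not the Chrome Web Store (sideloaded installs usually lack one).
The extension IDs and manifests used for the demo are constructed.
"""
import json
import tempfile
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_APIS = {"webRequest", "webRequestBlocking", "tabs", "webNavigation", "proxy"}
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

SAMPLE_MANIFESTS = {
    # Constructed: looks like a sideloaded ad injector (no update_url, sees every page).
    "abcdefghijklmnopabcdefghijklmnop/1.0.3": {
        "manifest_version": 2, "name": "Web Helper", "version": "1.0.3",
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
    # Constructed: a narrowly scoped Web Store extension.
    "ponmlkjihgfedcbaponmlkjihgfedcba/2.4.0": {
        "manifest_version": 2, "name": "Notes", "version": "2.4.0",
        "permissions": ["storage"], "update_url": WEBSTORE_UPDATE_URL,
    },
}


def audit_manifest(ext_id: str, manifest: dict) -> dict:
    """Return {id, name, version, reasons} for one manifest; empty reasons means nothing notable."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    reasons = []
    if perms & BROAD_HOSTS:
        reasons.append("host permission for all sites")
    if perms & RISKY_APIS:
        reasons.append("risky APIs: " + ", ".join(sorted(perms & RISKY_APIS)))
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        reasons.append("content script injected on every page")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        reasons.append("not updated from the Chrome Web Store (sideloaded or third-party server)")
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "reasons": reasons}


def audit_extensions_dir(extensions_dir: str) -> list:
    """Walk Extensions/<id>/<version>/manifest.json and audit each manifest found."""
    findings = []
    root = Path(extensions_dir)
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                # A manifest that cannot be parsed is itself worth a look.
                findings.append({"id": ext_dir.name, "name": "?",
                                 "version": manifest_path.parent.name,
                                 "reasons": ["unreadable manifest"]})
                continue
            findings.append(audit_manifest(ext_dir.name, manifest))
    return findings


def build_sample_profile() -> str:
    """Write the constructed manifests into a temporary Extensions tree and return its path."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    for rel, manifest in SAMPLE_MANIFESTS.items():
        version_dir = root / rel
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    # On the Windows 7 machine in this thread the real directory would be
    # C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Extensions
    for finding in audit_extensions_dir(build_sample_profile()):
        status = "FLAG" if finding["reasons"] else "ok  "
        print(f"{status} {finding['id']} {finding['name']} {finding['version']}: "
              f"{'; '.join(finding['reasons'])}")
```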



#5 buddy215 (Moderator)

Posted 12 May 2016 - 08:34 PM

Run another scan using MBAM using the instructions below.

  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR REVIEW.

 

 

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button when clicked will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer and at the bottom right of that page you will see a button when clicked will allow you to Copy and Paste that list in your next post. Please do that.



#6 darrylhadfield (Topic Starter)

Posted 12 May 2016 - 11:49 PM

MBAM didn't prompt for DB updates, so I forced it.

On the "Scan" tab, there was no "Scan Now" button - the button says "Start Scan".  Clicked it.

 

1. MBAM Detailed Log:

NO "View Detailed Log" link.  Clicked on "Save Results" instead, got this:

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/13/2016
Scan Time: 12:31 AM
Logfile: MBAM Log.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.05.13.01
Rootkit Database: v2016.05.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: [REDACTED]
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 485152
Time Elapsed: 11 min, 22 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 

 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2. CCleaner: Windows Startups

 

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run GoogleChromeAutoLaunch_15C2AE1175129CAA6B07DA05460BF9AE Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
Yes HKCU:Run GoogleDriveSync Google "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
Yes HKCU:Run KeePass Password Safe 2 Dominik Reichl "C:\Users\darryl.HADFIELD\Dropbox\KeePass\KeePass.exe"
Yes HKCU:Run MySQL Notifier Oracle Corporation C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySqlNotifier.exe
Yes HKLM:Run Apoint Alps Electric Co., Ltd. "C:\Program Files\DellTPad\Apoint.exe"
Yes HKLM:Run AvastUI.exe AVAST Software "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
Yes HKLM:Run BTMTrayAgent Microsoft Corporation rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
Yes HKLM:Run DivXMediaServer C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
Yes HKLM:Run Dropbox Dropbox, Inc. "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
Yes HKLM:Run GwxControlPanelMonitor UltimateOutsider "C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe" /traymode
Yes HKLM:Run IMSS Intel Corporation "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe" 60
Yes HKLM:Run IntelPROSet Intel® Corporation "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PROSet/Wireless
Yes HKLM:Run Logitech Download Assistant Microsoft Corporation C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
Yes HKLM:Run Malwarebytes Anti-Malware Malwarebytes "C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe"
Yes HKLM:Run RtHDVBg_MAXX6 Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX6 /WAVES_SUBTYPE_FOR_LYNC
Yes HKLM:Run RtHDVCpl Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" /s
Yes HKLM:Run USB3MON Intel Corporation "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
Yes HKLM:Run vmware-tray.exe VMware, Inc. "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
Yes HKLM:Run WavesSvc Waves Audio Ltd. "C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe"
Yes HKLM:Run wermgr Microsoft Corporation C:\ProgramData\Microsoft\Windows\WER\wermgr.exe
Yes Startup User MagicDisc.lnk MagicISO, Inc. C:\Program Files (x86)\MagicDisc\MagicDisc.exe
 
 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

3. CCleaner: Scheduled Tasks

 

Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task DropboxUpdateTaskMachineCore Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c
Yes Task DropboxUpdateTaskMachineUA Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task klcp_update "C:\Program Files (x86)\K-Lite Codec Pack\Tools\CodecTweakTool.exe" /verysilent /update /freq=30
Yes Task MySQLNotifierTask Oracle Corporation "C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe" --c
Yes Task PCDDataUploadTask "uaclauncher.exe" -lloc dataupload --ignoresecondarysplash --runsilently --skipidlewait
Yes Task SafeZone scheduled Autoupdate 1458686866 Avast Software C:\Program Files\AVAST Software\SZBrowser\launcher.exe --scheduledautoupdate $(Arg0)
Yes Task SystemToolsDailyTest "uaclauncher.exe" -silentenumeration -st SystemToolsDailyTest --ignoresecondarysplash --runsilently
 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

4. CCleaner: Installed Programs

 

7-Zip 15.11 beta (x64) Igor Pavlov 11/18/2015 4.71 MB 15.11
7-Zip 15.14 (x64 edition) Igor Pavlov 2/16/2016 4.87 MB 15.14.00.0
ASUS EzLink Utility ASUSTeK Computer Inc. 11/18/2015 1.00.09
Avast Free Antivirus AVAST Software 5/7/2016 11.2.2262
Bonjour Apple Inc. 12/11/2015 1.74 MB 2.0.2.0
calibre Kovid Goyal 5/4/2016 175 MB 2.56.0
CCleaner Piriform 5/12/2016 5.17
Cisco WebEx Meetings Cisco WebEx LLC 12/16/2015
Combined Community Codec Pack 64bit 2015-10-18 CCCP Project 11/17/2015 36.6 MB 2015.10.19.0
Dell Command | Update Dell Inc. 11/13/2015 62.9 MB 2.1.0
Dell Data Vault 11/13/2015
Dell SupportAssist Dell 3/26/2016 197 MB 1.2.6793.01
Dell SupportAssistAgent Dell 5/10/2016 18.3 MB 1.2.2.8
Dell System Detect Dell 2/16/2016 6.12.0.5
Dell Touchpad ALPS ELECTRIC CO., LTD. 2/9/2016 10.1207.101.109
DisplayLink Core Software DisplayLink Corp. 11/18/2015 26.5 MB 7.9.630.0
DisplayLink Graphics DisplayLink Corp. 11/18/2015 4.19 MB 7.9.658.0
doubleTwist Sync doubleTwist Corporation 12/11/2015 4.0.4.19778
Dropbox Dropbox, Inc. 5/10/2016 4.3.22
ESET Online Scanner v3 5/12/2016
FlashFXP 5 OpenSight Software LLC 4/25/2016 5.3.0.3929
Google Chrome Google Inc. 11/13/2015 50.0.2661.102
Google Drive Google, Inc. 4/28/2016 35.2 MB 1.29.2074.1528
GWX Control Panel UltimateOutsider 4/27/2016
Intel® Dynamic Platform and Thermal Framework Intel Corporation 11/13/2015 8.0.10002.14
Intel® Management Engine Components Intel Corporation 11/19/2015 10.0.31.1000
Intel® Network Connections Drivers Intel 11/13/2015 916 KB 19.5
Intel® Processor Graphics Intel Corporation 12/19/2015 20.19.15.4312
Intel® USB 3.0 eXtensible Host Controller Driver Intel Corporation 11/13/2015 3.0.2.54
Intel® Wireless Bluetooth®(patch version 17.1.1504.516) Intel Corporation 11/13/2015 53.2 MB 17.1.1411.0506
Intel® PROSet/Wireless Software Intel Corporation 11/13/2015 413 MB 17.15.0
K-Lite Codec Pack 12.0.1 Standard KLCP 3/2/2016 87.5 MB 12.0.1
Logitech Unifying Software 2.50 Logitech 11/16/2015 4.59 MB 2.50.25
Magic ISO Maker v5.5 (build 0281) 11/16/2015
MagicDisc 2.7.106 11/16/2015
Malwarebytes Anti-Malware version 2.2.1.1043 Malwarebytes 5/7/2016 66.8 MB 2.2.1.1043
Microsoft .NET Framework 4.6.1 Microsoft Corporation 1/15/2016 38.8 MB 4.6.01055
Microsoft Lync Web App Plug-in Microsoft Corporation 1/22/2016 23.5 MB 15.8.8308.920
Microsoft Office Professional Plus 2016 Microsoft Corporation 11/16/2015 16.0.4266.1001
Microsoft Project Professional 2016 Microsoft Corporation 1/13/2016 16.0.4266.1001
Microsoft Visio Professional 2016 Microsoft Corporation 11/20/2015 16.0.4266.1001
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 12/13/2015 348 KB 8.0.59193
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 12/13/2015 620 KB 8.0.59192
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 Microsoft Corporation 11/17/2015 788 KB 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation 11/17/2015 596 KB 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 12/11/2015 1.28 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 Microsoft Corporation 12/11/2015 17.4 MB 11.0.51106.1
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 Microsoft Corporation 3/18/2016 17.1 MB 12.0.30501.0
Microsoft Visual J# 2.0 Redistributable Package - SE (x64) Microsoft Corporation 2/16/2016
Minimal ADB and Fastboot version 1.3.1 Sam Rodberg 12/13/2015 2.05 MB 1.3.1
mIRC mIRC Co. Ltd. 4/27/2016 7.45
Mozilla Firefox 45.0.2 (x86 en-US) Mozilla 4/26/2016 88.8 MB 45.0.2
Mozilla Maintenance Service Mozilla 4/26/2016 250 KB 45.0.2.5941
MySQL Connector C++ 1.1.6 Oracle and/or its affiliates 11/29/2015 33.2 MB 1.1.6
MySQL Connector J Oracle Corporation 11/29/2015 13.6 MB 5.1.37
MySQL Connector Net 6.9.8 Oracle 11/29/2015 15.3 MB 6.9.8
MySQL Connector/C 6.1 Oracle Corporation 11/29/2015 70.2 MB 6.1.6
MySQL Connector/ODBC 5.3 Oracle Corporation 11/29/2015 31.2 MB 5.3.4
MySQL Documents 5.6 Oracle Corporation 11/29/2015 60.2 MB 5.6.27
MySQL Examples and Samples 5.6 Oracle Corporation 11/29/2015 3.51 MB 5.6.27
MySQL Installer for Windows - Community Oracle Corporation 11/29/2015 2.56 MB 1.4.12.0
MySQL Notifier 1.1.6 Oracle 11/29/2015 1.64 MB 1.1.6
MySQL Workbench 6.3 CE Oracle Corporation 11/29/2015 139 MB 6.3.5
Nitro Pro 9 Nitro 11/17/2015 239 MB 9.0.7.5
O2Micro Flash Memory Card Windows Driver O2Micro International LTD. 11/13/2015 3.58 MB 3.0.08.41
paint.net dotPDN LLC 1/15/2016 27.8 MB 4.0.9
Realtek Audio COM Components Realtek Semiconductor Corp. 11/13/2015 599 KB 1.0.2
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 11/13/2015 6.0.1.6075
Skype™ 7.18 Skype Technologies S.A. 2/16/2016 79.9 MB 7.18.112
ST Microelectronics 3 Axis Digital Accelerometer Solution ST Microelectronics 11/18/2015 4.10.0055
Transmission-Qt Transmission 4/11/2016 27.6 MB 2.84.8
v.Clone Iomega 12/13/2015 292 MB 1.2.15.16456
VMware Virtual Disk Development Kit VMware, Inc. 12/13/2015 60.1 MB 1.00.0000
VMware vSphere Client 6.0 VMware, Inc. 2/16/2016 472 MB 6.0.0.6376
VMware vSphere Update Manager Client 6.0a VMware, Inc. 4/8/2016 66.6 MB 6.0.0.25713
VMware Workstation VMware, Inc. 5/2/2016 376 MB 12.1.1
WebLinkActiveX ADS 1/17/2016 2.30 MB 6.0.0
Windows Driver Package - Weblink USB (usbser) Ports  (06/19/2012 1.0.0.0) Weblink USB 1/17/2016 06/19/2012 1.0.0.0


#7 darrylhadfield (Topic Starter)

Posted 13 May 2016 - 12:00 AM

If you're amenable, I'm also curious as to the reasoning for tool selection and order of operations... I work in enterprise tech by day, but haven't really touched personal computing for the last decade or so, and I'm curious about why, so I can educate myself and not bug you guys, if this happens again (I'm still stumped as to how the hell this crap showed up in the first place; normally I have impeccable computing habits - haven't had this occur since I was dabbling in A/V signatures for a customer demo, years ago - and I KNEW it was gonna happen because I was working to MAKE it happen).



#8 buddy215 (Moderator)

Posted 13 May 2016 - 06:04 AM

The programs were selected because they are well maintained and have a good track record.

 

Please submit wermgr.exe (Yes HKLM:Run wermgr Microsoft Corporation C:\ProgramData\Microsoft\Windows\WER\wermgr.exe) at VirusTotal - Free Online Virus and Malware Scan and allow it to be scanned by numerous security programs.

 

Suggest Disabling these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run GoogleChromeAutoLaunch_15C2AE1175129CAA6B07DA05460BF9AE Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
Yes HKLM:Run DivXMediaServer C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
Yes HKLM:Run Dropbox Dropbox, Inc. "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
Yes HKLM:Run GwxControlPanelMonitor UltimateOutsider "C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe" /traymode
Yes HKLM:Run Logitech Download Assistant Microsoft Corporation C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
Yes Startup User MagicDisc.lnk MagicISO, Inc. C:\Program Files (x86)\MagicDisc\MagicDisc.exe
 
Suggest Disabling These Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.
Yes Task DropboxUpdateTaskMachineCore Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c
Yes Task DropboxUpdateTaskMachineUA Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task klcp_update "C:\Program Files (x86)\K-Lite Codec Pack\Tools\CodecTweakTool.exe" /verysilent /update /freq=30
Yes Task PCDDataUploadTask "uaclauncher.exe" -lloc dataupload --ignoresecondarysplash --runsilently --skipidlewait
Yes Task SafeZone scheduled Autoupdate 1458686866 Avast Software C:\Program Files\AVAST Software\SZBrowser\launcher.exe --scheduledautoupdate $(Arg0)
Yes Task SystemToolsDailyTest "uaclauncher.exe" -silentenumeration -st SystemToolsDailyTest --ignoresecondarysplash --runsilently
 
Suggest Uninstalling these programs:
7-Zip 15.11 beta (x64) Igor Pavlov 11/18/2015 4.71 MB 15.11
ESET Online Scanner v3 5/12/2016

Did you install this?....mIRC mIRC Co. Ltd. 4/27/2016 7.45

Update Firefox to 46

Edited by buddy215, 13 May 2016 - 06:14 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#9 darrylhadfield

darrylhadfield
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 13 May 2016 - 06:29 AM

The programs were selected because they are well maintained and have a good track record.

I can see that; my question was more in line with "why these as opposed to others?", in addition to: is this a specific order? Or are these tools that are worth keeping current in my utilities folder for subsequent scanning and detection should I encounter other issues?

Please submit wermgr.exe (Yes HKLM:Run wermgr Microsoft Corporation C:\ProgramData\Microsoft\Windows\WER\wermgr.exe) at VirusTotal - Free Online Virus and Malware Scan and allow it to be scanned by numerous security programs.

Done. Zero positives (0/56)

Suggest Disabling these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run GoogleChromeAutoLaunch_15C2AE1175129CAA6B07DA05460BF9AE Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
Yes HKLM:Run DivXMediaServer C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
Yes HKLM:Run Dropbox Dropbox, Inc. "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
Yes HKLM:Run GwxControlPanelMonitor UltimateOutsider "C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe" /traymode
Yes HKLM:Run Logitech Download Assistant Microsoft Corporation C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
Yes Startup User MagicDisc.lnk MagicISO, Inc. C:\Program Files (x86)\MagicDisc\MagicDisc.exe

Thanks - CCleaner I'll take out; the rest stay for pertinent reasons.

Suggest Disabling These Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.
Yes Task DropboxUpdateTaskMachineCore Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c
Yes Task DropboxUpdateTaskMachineUA Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task klcp_update "C:\Program Files (x86)\K-Lite Codec Pack\Tools\CodecTweakTool.exe" /verysilent /update /freq=30
Yes Task PCDDataUploadTask "uaclauncher.exe" -lloc dataupload --ignoresecondarysplash --runsilently --skipidlewait
Yes Task SafeZone scheduled Autoupdate 1458686866 Avast Software C:\Program Files\AVAST Software\SZBrowser\launcher.exe --scheduledautoupdate $(Arg0)
Yes Task SystemToolsDailyTest "uaclauncher.exe" -silentenumeration -st SystemToolsDailyTest --ignoresecondarysplash --runsilently

PCDDataUploadTask is apparently clean, and a part of the PC Doctor suite from Dell, but geez, I hate the crap that thing processes. Ditched.

Suggest Uninstalling these programs:
7-Zip 15.11 beta (x64) Igor Pavlov 11/18/2015 4.71 MB 15.11
ESET Online Scanner v3 5/12/2016

Done, plus a few others I decided had no value to me at present. Thanks.

Did you install this?....mIRC mIRC Co. Ltd. 4/27/2016 7.45

Yes.

Update Firefox to 46

And done.

In the last 30 minutes, no popups... I think you've nailed it.

Thanks again!



#10 buddy215

buddy215

  • Moderator
  • 13,318 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:35 PM

Posted 13 May 2016 - 06:56 AM

Good...enjoyed working with you...happy surfin'

CCleaner....run often and as you can see has some useful tools.

AdwCleaner and JRT will update before using. Good to have around...same goes for MBAM.

Note that JRT didn't like the Chrome auto launch, either. Suggest you block it from Windows Startup....if you note a problem after having done that, you can reverse it easily using CCleaner.



#11 darrylhadfield

darrylhadfield
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 13 May 2016 - 07:11 AM

Spoke too soon. Just had another popup.

Gonna run AdwCleaner and JRT again, and will block the Chrome autolaunch.



#12 buddy215

buddy215

  • Moderator
  • 13,318 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:35 PM

Posted 13 May 2016 - 07:32 AM

Those Trojans that ESET found kinda bothered me. I suggest you start another topic in the Malware Removal Forum if the popups continue.

If the popups are appearing in Google Chrome...suggest you try resetting it....if that is where the popups are appearing.

You can restore your browser settings in Chrome at any time. You might need to do this if apps or extensions you installed changed your settings without your knowledge. Your saved bookmarks and passwords won't be cleared or changed.

  1. Open Chrome.
  2. In the top right, click the icon you see: Menu or More.
  3. Click Settings.
  4. At the bottom, click Show advanced settings.
  5. Under the section "Reset settings," click Reset settings.
  6. In the box that appears, click Reset.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

DO NOT bump your new topic. Wait for a response from one of the Team Members.



#13 darrylhadfield

darrylhadfield
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 13 May 2016 - 07:38 AM

AdwCleaner kept finding a couple of oddly named extension folders... I disabled the Chrome auto launch, and after that, the odd extension folders disappeared and didn't get recreated.

I'm about to hop on another plane but will see if things stay clean after I start up when I get home or not - I'll post here later today.

Thanks for your help, fingers are crossed soon I can stop pestering. :)
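
The startup, scheduled-task and Chrome-extension review above (the CCleaner lists in #8/#9 and the recurring extension folders in #13) can be reproduced from the command line with the following PowerShell script. It is an added example for this thread, not code from BleepingComputer, CCleaner, JRT or AdwCleaner. It reads the same Run keys and Startup folders CCleaner's Startup tab shows, lists enabled scheduled tasks with their commands, flags anything launching from a user-writable location such as ProgramData (the same question raised about wermgr.exe, where the right next step is the VirusTotal check, not deletion), lists Chrome's extension folders with the names from their manifests and flags folder names that are not valid 32-letter extension IDs, and on a second run diffs against a saved baseline so you can see whether a removed folder has returned. It changes nothing; disabling still happens in CCleaner or Task Scheduler. The baseline file location and the Chrome "Default" profile path are assumptions.

```powershell
# Added example for this thread (not code from BleepingComputer, CCleaner, JRT
# or AdwCleaner): a read-only inventory of the same autostart locations the
# CCleaner Startup tab listed above, plus Chrome's extension folders, with a
# baseline diff so a re-run shows what came back. Assumptions: Windows
# PowerShell 5.1+, Chrome's "Default" profile, baseline saved in the user profile.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Locations writable without admin rights. Legitimate software lives there too
# (Dropbox, Chrome, the WER wermgr.exe asked about above), so a hit means
# "verify this file", for example with a VirusTotal upload, not "malicious".
$UserWritablePath = 'AppData\\|ProgramData\\|\\Temp\\|\\Users\\Public\\'

function New-Entry($Source, $Name, $Command, $Flag = '') {
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = [string]$Command; Flag = $Flag }
}

function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        # PS* properties are provider metadata (PSPath, PSChildName, ...), not Run values.
        $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $values) { New-Entry $key $v.Name $v.Value }
    }
}

function Get-StartupFolderEntries {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path) { continue }
        foreach ($file in Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue) {
            New-Entry "StartupFolder:$folder" $file.Name $file.FullName
        }
    }
}

function Get-TaskEntries {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($task.State -eq 'Disabled') { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # skip COM-handler actions
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            New-Entry "Task:$($task.TaskPath)" $task.TaskName $cmd
        }
    }
}

function Get-ChromeExtensions {
    $root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $root)) { return }
    foreach ($dir in Get-ChildItem -Path $root -Directory) {
        $name = '(no manifest.json)'
        $manifest = Get-ChildItem -Path $dir.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($manifest) {
            # Localized extensions show a __MSG_...__ placeholder here; that is normal.
            try { $name = (Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json).name } catch { }
        }
        # Chrome extension IDs are exactly 32 letters from a-p; any other folder name here is worth a look.
        $flag = if ($dir.Name -match '^[a-p]{32}$') { '' } else { 'odd-folder-name' }
        New-Entry 'ChromeExt' "$name [$($dir.Name)]" $dir.FullName $flag
    }
}

function Get-AutostartInventory {
    $entries = @(Get-RunEntries) + @(Get-StartupFolderEntries) + @(Get-TaskEntries)
    foreach ($e in $entries) {
        if ($e.Command -match $UserWritablePath) { $e.Flag = 'user-writable-path' }
    }
    $entries + @(Get-ChromeExtensions)
}

$BaselinePath = Join-Path $env:USERPROFILE 'autostart-baseline.csv'   # assumed location
$inventory = Get-AutostartInventory
$inventory | Sort-Object Source, Name | Format-Table Flag, Source, Name, Command -AutoSize -Wrap

if (Test-Path $BaselinePath) {
    # '=>' marks entries present now but not in the baseline, e.g. an extension folder that returned.
    Compare-Object -ReferenceObject @(Import-Csv -Path $BaselinePath) -DifferenceObject $inventory -Property Source, Name, Command |
        Format-Table SideIndicator, Source, Name, Command -AutoSize -Wrap
} else {
    $inventory | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath; run again later to see what changed."
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and all scheduled tasks are readable. The first run only writes the baseline; running it again after disabling an entry or clearing an extension folder prints just the differences, which is the quickest way to tell whether something is being recreated rather than merely left over.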

#14 buddy215

buddy215

  • Moderator
  • 13,318 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:35 PM

Posted 13 May 2016 - 07:41 AM

Sounds like a plan...have a safe trip..



#15 darrylhadfield

darrylhadfield
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 15 May 2016 - 09:03 AM

Brief aside - the Trojans that ESET reported aren't... I do webdev for giggles, and I know 100% what's in those.

I'm still getting whacked... woke up to several dozen popups :(

Running through the process again to see what comes up...





