Firefox Patch Redirects - What should I do about this?


35 replies to this topic

#1 Ubiq (Members, 246 posts)
Posted 26 June 2016 - 02:35 PM

I keep getting these random redirects away from websites. It seems to be quite random, which tells me that it's something in my computer, and not coming from a website that I'm trying to connect to or leave, but I could be very wrong about that.

Anyway, something redirects my browser to onohzpictureme.net with a Firefox graphic that looks very convincing to the roomies, along with a prompt to save a file called "Firefox-patch.exe".

So, how do I get rid of this? One of the roomies is going to download this one day when this thing redirects them away from their email.

Thanks if you can answer.

 

[screenshot: the onohzpictureme.net page prompting to save Firefox-patch.exe]


Edited by Chris Cosgrove, 01 July 2016 - 05:04 PM.
Moved at Sleepydude's request to Virus, trojan etc logs.

Machine: Toshiba Portege r705-P41, Dual Boot: MS Windows 7 Home Premium 64-bit; Ubuntu 15.04
CPU: Intel Core i5 460M @ 2.53GHz Arrandale 32nm Technology,
RAM: 4.0GB Dual-Channel DDR3 @ 532MHz (7-7-7-20), Motherboard: TOSHIBA Portable PC (rBGA1288 Socket)
Video Card: Intel HD Graphics Revision 2 1720 MBytes

Speccy



#2 SleepyDude (Malware Response Team, 2,751 posts, Portugal)

Posted 26 June 2016 - 03:16 PM

Hi,

 

Can you copy the full URL, then go to https://www.virustotal.com, click on the URL tab, paste the URL and click Scan it, and post the resulting VirusTotal URL please.


• Please do not PM me asking for support. Post on the forums instead; it increases the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 Ubiq (Topic Starter)

Posted 26 June 2016 - 03:30 PM

Sorry SleepyDude, I don't see well enough to read all the numbers of the specific redirect page. And I can't copy and paste from a pic. I would have to wait for this to happen again. I guess I will know for next time that VirusTotal scans sites; I thought it was just exes.

 

I did scan the main url and got mixed results that I don't know how to interpret.

https://www.virustotal.com/en/url/3dd64ca6df4484b395c17327010097c077e724c969274d478fd9b8a67510a489/analysis/

 

Being risk averse, I would say that two companies finding something means I should avoid the site. However, I already knew that. What I don't know is whether there is something already on my lappie that is directing me to a malware site for more exes or is this site able to redirect computers going to normal sites like gmail and .edu addresses.

ETA: Thank you for responding!


Edited by Ubiq, 26 June 2016 - 03:34 PM.



#4 buscemi (Members, 1 post)

Posted 26 June 2016 - 05:43 PM

Same thing happened to me today.  Here's the result I got from virustotal:

 

https://www.virustotal.com/en/url/218e2949239d4b99f06bf6504cd7040cff2845c31b34cc3f1c91c5c283b81471/analysis/1466980673/

 

It says BitDefender and Kaspersky have identified the site as Malware.



#5 SleepyDude (Malware Response Team)

Posted 26 June 2016 - 05:52 PM

@buscemi: Welcome to BleepingComputer. Please create a separate topic for your case to avoid confusion.

 

@Ubiq: Please run the following scan

 

 

Install and Run Malwarebytes Free

  • Please download Malwarebytes' Anti-Malware from here or here
  • Double-click mbam-setup-2.x.x (or mbam-setup) to install the application.
  • On the last step of installation make sure you uncheck the box Enable free trial of Malwarebytes Anti-Malware Premium, then click Finish.
  • If an update is found, it will download and install the latest updates automatically; if not, click Update Now »
  • Click the Settings tab, and check the box next to Scan for rootkits.
  • Go back to the Dashboard tab, and click the Scan Now button.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, it will show the results.
  • Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer... click on Yes.
    Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After restarting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information

  • The log is automatically saved by MBAM and can be viewed by going to the History tab and clicking on Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan, and click on the View button.
  • At the bottom of the Scanning History Log window that opens, click on Export > Save to Text file (*.txt). Save the report to your Desktop.
  • Copy & paste the entire contents of the report log in your next reply.

 




#6 Ubiq (Topic Starter)

Posted 26 June 2016 - 07:28 PM

On it, Sleepy Dude. Thanks!




#7 Ubiq (Topic Starter)

Posted 26 June 2016 - 08:42 PM

Okay, jeez, it did find stuff? How did I get this stuff? All the roomies are claiming they are innocent lambs. I guess I need to lock down the computer like I have kids, but I have no idea how to do that. :(

Anyway.

 

Here is the log file. Please let me know if there is more I need to do. Thank you!!

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/26/2016
Scan Time: 8:33 PM
Logfile: MalwareBytes-Onohz.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.26.05
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Bertie Wooster

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 331634
Time Elapsed: 25 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.Spigot, HKU\S-1-5-21-1003476878-1449378223-913611131-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{524BCECF-2480-47DC-95FE-767E831E278F}, , [3f4e936e8812d2647ad52b89bc4729d7],

Registry Values: 2
PUP.Optional.Spigot, HKU\S-1-5-21-1003476878-1449378223-913611131-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{524BCECF-2480-47DC-95FE-767E831E278F}|URL, http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}, , [3f4e936e8812d2647ad52b89bc4729d7]
PUP.Optional.Spigot, HKU\S-1-5-21-1003476878-1449378223-913611131-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{524BCECF-2480-47DC-95FE-767E831E278F}|OSDFileURL, file:///C:/Program%20Files%20(x86)/Common%20Files/Spigot/Search%20Settings/yahoo_ie.xml, , [b1dcd32e0298270f70e01f956d967987]

Registry Data: 0
(No malicious items detected)

Folders: 0




#8 SleepyDude (Malware Response Team)

Posted 27 June 2016 - 03:29 AM

Hi,

 

Let's run another check...

 

AdwCleaner Scan and Remove

Download AdwCleaner from here to the Desktop

  • Close all open windows and browsers
  • Right-click on the AdwCleaner icon and choose Run as Administrator to execute the program
    (When the tool opens for the first time you have to accept the Terms of Use - click J'accepte/I Agree)
  • Click the Scan button and wait for the scan to finish; only then does the Clean button become active
  • Click the Clean button and wait; once done it may ask to reboot, allow it.
  • On reboot a log will be presented, please copy/paste that in your next reply. The report is saved to C:\AdwCleaner\AdwCleaner[S0].txt

 




#9 Ubiq (Topic Starter)

Posted 28 June 2016 - 02:58 AM

Sorry for the late reply.

Ran the AdwCleaner and it seemed to find stuff and then clean the stuff. However, I'm still getting the redirects like in my first post.

Log below:

 

# AdwCleaner v5.200 - Logfile created 27/06/2016 at 13:08:35
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-14.1 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Bertie Wooster - JEEVES
# Running from : C:\Users\Bertie Wooster\Downloads\adwcleaner_5.200.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\Partner
[#] Folder Deleted : C:\ProgramData\Application Data\Partner
[-] Folder Deleted : C:\windows\SysWOW64\config\systemprofile\AppData\LocalLow\Application Updater
[-] Folder Deleted : C:\windows\SysWOW64\config\systemprofile\AppData\LocalLow\AVG Secure Search
[-] Folder Deleted : C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpphfcjpaldmedbbomcdhgonmhjngfig

***** [ Files ] *****

[-] File Deleted : C:\Users\Bertie Wooster\AppData\Roaming\Mozilla\Firefox\Profiles\yeov11up.default-1384654965289\invalidprefs.js

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : RunAsStdUser Task for VeohWebPlayer
[-] Task Deleted : AVG-Secure-Search-Update_JUNE2013_TB_rmv
[-] Task Deleted : AVG-Secure-Search-Update_JUNE2013_TB_rmv

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF

***** [ Web browsers ] *****

[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : isearch.avg.com
[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted :  `+
[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : fcfenmboojpjinhpgggodefccipikbpd
[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : mpphfcjpaldmedbbomcdhgonmhjngfig

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [4546 bytes] - [27/06/2016 13:08:35]
C:\AdwCleaner\AdwCleaner[S1].txt - [4509 bytes] - [27/06/2016 13:04:52]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4692 bytes] ##########
 


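The AdwCleaner log in the post above lists the persistence points that a responder would want to re-check by hand after the reboot: a Browser Helper Object CLSID that also shows up under Classes\CLSID and Ext\Stats, scheduled tasks (one of them listed twice), Chrome extension IDs, and hijacked search providers. The following is an added example, not part of the thread and not AdwCleaner's own tooling: a small Python triage script that parses an AdwCleaner clean log into its sections, pulls those artifacts out, and counts how many registry keys reference each GUID. The embedded sample log is a constructed excerpt of the log posted above, with the forum's line wrapping undone.

```python
"""Triage an AdwCleaner clean log: pull out the persistence artifacts that
should be re-checked by hand after reboot (BHO CLSIDs, scheduled tasks,
browser extension IDs, search providers) and show which GUIDs recur.

Added example; not part of the thread and not AdwCleaner's own code."""
import re
from collections import Counter, defaultdict

# Constructed sample: an excerpt of the AdwCleaner[C1].txt log posted above,
# with the forum's line wrapping undone so every entry sits on one line.
SAMPLE_LOG = r"""
# AdwCleaner v5.200 - Logfile created 27/06/2016 at 13:08:35
# Option : Clean

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\Partner
[-] Folder Deleted : C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpphfcjpaldmedbbomcdhgonmhjngfig

***** [ Scheduled tasks ] *****

[-] Task Deleted : RunAsStdUser Task for VeohWebPlayer
[-] Task Deleted : AVG-Secure-Search-Update_JUNE2013_TB_rmv
[-] Task Deleted : AVG-Secure-Search-Update_JUNE2013_TB_rmv

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}

***** [ Web browsers ] *****

[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : isearch.avg.com
[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Bertie Wooster\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : fcfenmboojpjinhpgggodefccipikbpd
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
ENTRY_RE = re.compile(r"^\[(?P<status>[-#])\] (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Chrome extension IDs are 32 letters from a-p (hex digits mapped onto letters).
CHROME_EXT_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")
BROWSER_ENTRY_RE = re.compile(r"^\[(?P<file>[^\]]+)\] \[(?P<kind>[^\]]+)\] Deleted : (?P<value>.+)$")


def triage(log_text):
    """Group AdwCleaner entries by section and extract the artifacts to re-verify."""
    sections = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            sections[current].append((m.group("status"), m.group("body")))

    # A GUID seen under Browser Helper Objects is a BHO; count every registry
    # key that references it so the responder sees the whole footprint.
    guid_hits = Counter()
    bho_clsids = set()
    for _status, body in sections.get("Registry", []):
        guids = [g.upper() for g in GUID_RE.findall(body)]
        guid_hits.update(guids)
        if "Browser Helper Objects" in body:
            bho_clsids.update(guids)

    scheduled_tasks = [body.split(" : ", 1)[1]
                       for _s, body in sections.get("Scheduled tasks", [])
                       if body.startswith("Task Deleted : ")]

    chrome_extensions = set()
    for entries in sections.values():
        for _s, body in entries:
            chrome_extensions.update(CHROME_EXT_RE.findall(body))

    search_providers = []
    for _s, body in sections.get("Web browsers", []):
        m = BROWSER_ENTRY_RE.match(body)
        if m and m.group("kind") == "Search Provider":
            search_providers.append(m.group("value"))

    return {
        "sections": dict(sections),
        "guid_hits": dict(guid_hits),
        "bho_clsids": bho_clsids,
        "scheduled_tasks": scheduled_tasks,
        "duplicate_tasks": sorted(t for t, n in Counter(scheduled_tasks).items() if n > 1),
        "chrome_extensions": chrome_extensions,
        "search_providers": search_providers,
    }


def report(result):
    """Print a short post-reboot checklist from a triage() result."""
    for section, entries in result["sections"].items():
        print(f"{section}: {len(entries)} entries")
    print("BHO CLSIDs to re-check under Browser Helper Objects:", sorted(result["bho_clsids"]))
    for guid, n in sorted(result["guid_hits"].items(), key=lambda kv: -kv[1]):
        if n > 1:
            print(f"GUID {guid} referenced by {n} registry keys")
    print("Scheduled tasks removed:", result["scheduled_tasks"])
    print("Duplicate task names:", result["duplicate_tasks"])
    print("Chrome extension IDs:", sorted(result["chrome_extensions"]))
    print("Search providers removed:", result["search_providers"])


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run it against the real C:\AdwCleaner\AdwCleaner[C1].txt by reading the file into `triage()`; the GUID and extension-ID lists are what to look for again in the registry and the Chrome profile after the reboot, since a leftover scheduled task or BHO is the usual reason the redirects survive a clean.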


#10 SleepyDude (Malware Response Team)

Posted 28 June 2016 - 03:21 AM

  • Please download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • when complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply




#11 Ubiq (Topic Starter)

Posted 28 June 2016 - 03:59 AM

Not really sure how to read that log, but I don't recall installing anything called "Bonjour". I also thought I uninstalled Spybot a bit ago because it was using up too much juice. When looking around to confirm I still had Spybot, I found a Rosetta Stone listing in Windows Task Manager. I don't see that listed in the log below, but I know I didn't download that. Nor would the roomies. Pronunciator is what our school uses. Did this happen because I downloaded Steam? :(

 

Log below:

 

 

SecurityCheck by glax24 & Severnyj v.1.4.0.40 [21.05.16]
WebSite: www.safezone.cc
DateLog: 28.06.2016 04:44:00
Path starting: C:\Users\Bertie Wooster\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Bertie Wooster
VersionXML: 3.14is-25.06.2016
___________________________________________________________________________

Windows 7(6.1.7601) Service Pack 1 (x64) HomePremium Lang: English(0409)
Installation date OS: 10.01.2011 14:18:52
LicenseStatus: Windows® 7, HomePremium edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [339.1 Gb] Used: [101.3 Gb] Free: [237.8 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18349
User Account Control enabled
Notify of download and installation
Date install updates: 2016-06-25 21:32:16
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2010 x86 v.14.0.7015.1000
---------------------------- [ Antivirus_WMI ] ----------------------------
Microsoft Security Essentials (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Firewall (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Microsoft Security Essentials (enabled and up to date)
Windows Defender (disabled and out of date)
Spybot - Search and Destroy (enabled and out of date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Microsoft Security Essentials v.4.9.218.0
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes Anti-Malware version 2.2.1.1043 v.2.2.1.1043
Spybot - Search & Destroy v.2.4.40
--------------------------- [ OtherUtilities ] ----------------------------
Microsoft Silverlight v.5.1.50428.0
7-Zip 9.20
VLC media player v.2.2.1 Warning! Download Update
OpenOffice 4.1.1 v.4.11.9775 Warning! Download Update
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.0 v.7.0.102 Warning! Download Update
^Optional update.^
Skype Launcher v.2.01 Warning! Download Update
^Optional update.^
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 91 v.8.0.910.14 Warning! Download Update
Uninstall old version and install new one.
--------------------------- [ AppleProduction ] ---------------------------
Bonjour v.3.1.0.1
iTunes v.12.3.3.17 Warning! Download Update
^Please use Apple Software Update tool.^
QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.
Bonjour Service (Bonjour Service) - The service is running
--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.2.5.1.17730 Warning! Download Update
Adobe Flash Player 22 ActiveX v.22.0.0.192
Adobe Flash Player 22 NPAPI v.22.0.0.192
Adobe Acrobat Reader DC v.15.016.20045
------------------------------- [ Browser ] -------------------------------
Google Chrome v.51.0.2704.103 Warning! Download Update
Mozilla Firefox 47.0 (x86 en-US) v.47.0
Safari v.5.34.57.2 Warning! This software is no longer supported.
----------------------------- [ EmailClient ] -----------------------------
Mozilla Thunderbird (3.1.10) v.3.1.10 (en-US) Warning! Download Update
Windows Live Mail v.15.4.3502.0922
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Mozilla Firefox\firefox.exe v.47.0.0.5999
------------------ [ AntivirusFirewallProcessServices ] -------------------
Microsoft Network Inspection (NisSrv) - The service is running
Spybot-S&D 2 Scanner Service (SDScannerService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe v.2.4.40.217
Spybot-S&D 2 Security Center Service (SDWSCService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe v.2.3.39.2
Spybot-S&D 2 Updating Service (SDUpdateService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe v.2.4.40.77
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe v.2.4.40.129
Microsoft Antimalware Service (MsMpSvc) - The service is running
C:\Program Files\Microsoft Security Client\MsMpEng.exe v.4.9.218.0
Microsoft Network Inspection (NisSrv) - The service is running
C:\Program Files\Microsoft Security Client\NisSrv.exe v.4.9.218.0
Windows Defender (WinDefend) - The service has stopped
---------------------------- [ UnwantedApps ] -----------------------------
Skype Click to Call v.8.3.0.9150 Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.
----------------------------- [ End of Log ] ------------------------------
 




#12 SleepyDude (Malware Response Team)

Posted 28 June 2016 - 04:38 AM

Not really sure how to read that log, but I don't recall installing anything called "Bonjour". I also thought I uninstalled Spybot a bit ago because it was using up too much juice. When looking around to confirm I still had Spybot, I found a Rosetta Stone listing in Windows Task Manager. I don't see that listed in the log below, but I know I didn't download that. Nor would the roomies. Pronunciator is what our school uses.

 
Bonjour is installed with iTunes that you need to update using the link on the log.
 

Did this happen because I downloaded Steam? :(

 
No, if you downloaded Steam from the original source and only install legal games...
 
- Spybot - Search & Destroy v.2.4.40 is installed. I think Malwarebytes, which you have now, is better; run a scan every week to make sure nothing gets past the antivirus.
- Remove Adobe AIR v.2.5.1.17730; I doubt you need it, and it can be installed again if needed.
- The most critical part: update Java 8 Update 91 v.8.0.910.14.
 
Java is a major security problem. Remove the old versions and install the latest version: go to the Java download page and click the Windows Offline link; this file will not include any unneeded extras like the Ask Toolbar. Once Java is installed it is extremely important to update immediately when you get a notification pop-up from the Java Updater.
 
If you only need Java for the installed games and not for websites, you can disable Java support in the browser and only enable it when you need it. You can enable/disable Java by executing the following steps:
Click Start > Control Panel > Java/Java (32-bit), click the Security tab, uncheck the box Enable Java content in the browser and click OK.

- Update Skype and Uninstall Skype Click to Call




#13 Ubiq (Topic Starter)

Posted 28 June 2016 - 08:07 PM

SleepyDude

Did everything you suggested and got rid of the stuff I didn't install. Ran that last Security check again and the log is below. I bought my copy of Baldur's Gate from Steam. I was going to mod it with a popular mod, but I'm too nervous to do that now.

I haven't gotten the redirect in a few hours; does that mean the lappie is clean now?

 

ETA: I just noticed that Spybot is still there after I uninstalled it from Control Panel and restarted the computer. How do I get rid of it?

Also, I downloaded the Java from your link after uninstalling. Do I need to try to update some other way, or wait for it to prompt me for an update?
Thank you!

 

SecurityCheck by glax24 & Severnyj v.1.4.0.40 [21.05.16]
WebSite: www.safezone.cc
DateLog: 28.06.2016 20:57:47
Path starting: C:\Users\Bertie Wooster\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Bertie Wooster
VersionXML: 3.14is-25.06.2016
___________________________________________________________________________

Windows 7(6.1.7601) Service Pack 1 (x64) HomePremium Lang: English(0409)
Installation date OS: 10.01.2011 14:18:52
LicenseStatus: Windows® 7, HomePremium edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [339.1 Gb] Used: [101.2 Gb] Free: [237.9 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18349
User Account Control enabled
Notify of download and installation
Date install updates: 2016-06-25 21:32:16
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2010 x86 v.14.0.7015.1000
---------------------------- [ Antivirus_WMI ] ----------------------------
Microsoft Security Essentials (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Firewall (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Microsoft Security Essentials (enabled and up to date)
Windows Defender (disabled and out of date)
Spybot - Search and Destroy (enabled and out of date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Microsoft Security Essentials v.4.9.218.0
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes Anti-Malware version 2.2.1.1043 v.2.2.1.1043
Spybot - Search & Destroy v.2.4.40
--------------------------- [ OtherUtilities ] ----------------------------
Microsoft Silverlight v.5.1.50428.0
7-Zip 9.20
VLC media player v.2.2.1 Warning! Download Update
OpenOffice 4.1.1 v.4.11.9775 Warning! Download Update
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 91 (64-bit) v.8.0.910.15 Warning! Download Update
Uninstall old version and install new one.
--------------------------- [ AppleProduction ] ---------------------------
Bonjour v.3.1.0.1
iTunes v.12.4.1.6
Bonjour Service (Bonjour Service) - The service is running
--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.2.5.1.17730 Warning! Download Update
Adobe Flash Player 22 ActiveX v.22.0.0.192
Adobe Flash Player 22 NPAPI v.22.0.0.192
Adobe Acrobat Reader DC v.15.016.20045
------------------------------- [ Browser ] -------------------------------
Google Chrome v.51.0.2704.103 Warning! Download Update
Mozilla Firefox 47.0 (x86 en-US) v.47.0
Safari v.5.34.57.2 Warning! This software is no longer supported.
----------------------------- [ EmailClient ] -----------------------------
Windows Live Mail v.15.4.3502.0922
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Mozilla Firefox\firefox.exe v.47.0.0.5999
------------------ [ AntivirusFirewallProcessServices ] -------------------
Microsoft Network Inspection (NisSrv) - The service is running
Spybot-S&D 2 Scanner Service (SDScannerService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe v.2.4.40.217
Spybot-S&D 2 Security Center Service (SDWSCService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe v.2.3.39.2
Spybot-S&D 2 Updating Service (SDUpdateService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe v.2.4.40.77
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe v.2.4.40.129
Microsoft Antimalware Service (MsMpSvc) - The service is running
C:\Program Files\Microsoft Security Client\MsMpEng.exe v.4.9.218.0
Microsoft Network Inspection (NisSrv) - The service is running
C:\Program Files\Microsoft Security Client\NisSrv.exe v.4.9.218.0
Windows Defender (WinDefend) - The service has stopped
----------------------------- [ End of Log ] ------------------------------
 


Edited by Ubiq, 28 June 2016 - 08:11 PM.



#14 SleepyDude (Malware Response Team)

Posted 29 June 2016 - 04:32 AM

Hi,

 

- open the Command Prompt as Administrator (Tutorial)
- type the command:

sc query SDScannerService

 

Tell me the result please.
 

- Adobe AIR v.2.5.1.17730 is still on the list of installed programs!

- About Java: make sure you install the latest version you downloaded, and during install accept the prompt to remove the outdated versions.


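The post above asks for the output of `sc query SDScannerService` to see whether the Spybot scanner service survived the Control Panel uninstall. As an added example (not from the thread), the PowerShell below, run from an elevated prompt, does the same check for all three Spybot services named in the SecurityCheck log and also tests whether each service's binary is still on disk, which is the difference between a service that is merely stopped and an orphaned registration. The service names are taken from the log; the 1060 error code mentioned in the comment is the standard "service does not exist" result that `sc query` reports for an unregistered name.

```powershell
# Added example: verify whether the Spybot services from the SecurityCheck log
# still exist after the uninstall, and whether their binaries remain on disk.
# Run from an elevated PowerShell prompt (Run as Administrator).
$serviceNames = 'SDScannerService', 'SDWSCService', 'SDUpdateService'

foreach ($name in $serviceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        # Same outcome as 'sc query <name>' failing with error 1060
        # (ERROR_SERVICE_DOES_NOT_EXIST): nothing left to remove.
        '{0,-18} not registered' -f $name
        continue
    }

    # PathName is the service command line; it may be quoted and carry arguments.
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($svc.PathName -split '\s+')[0] }
    $onDisk = Test-Path -LiteralPath $exe

    '{0,-18} state={1,-8} start={2,-9} binary="{3}" present={4}' -f `
        $name, $svc.State, $svc.StartMode, $exe, $onDisk

    if (-not $onDisk) {
        # Orphaned registration: the uninstaller left the service entry behind.
        "  -> orphaned service entry; stop it with 'sc.exe stop $name' then remove it with 'sc.exe delete $name'"
    }
}
```

On a stock Windows 7 install with PowerShell 2.0, `Get-CimInstance` is not available; `Get-WmiObject -Class Win32_Service -Filter "Name='$name'"` returns the same `State`, `StartMode` and `PathName` properties. A service whose binary is present and whose state is Running was not uninstalled at all, and the proper fix is the vendor's uninstaller; `sc.exe delete` is for the case where the files are gone and only the registration remains.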


#15 Ubiq (Topic Starter)

Posted 29 June 2016 - 10:02 PM

Yes, Adobe Air is another one that I uninstalled via Control Panel, along with all the Skype stuff and the Rosetta Stone. Some worked and some didn't, but I don't know why. Also, wouldn't your link for the Java be the most recent version? Also, I don't recall any prompt about uninstalling prior versions. I guess I need to try removing all this stuff in Control Panel again before trying to download Java from your link above?

 

Anyway, not sure how to copy and paste the result of your instructions. Not much happened. Below is a screenshot of the result. Please let me know what I did wrong if possible. Thank you!

 

[screenshot: result of running sc query SDScannerService]



