
malware found today malware bytes twice


  • This topic is locked
30 replies to this topic

#1 Tierra93

Tierra93

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 06 October 2016 - 01:21 PM

I run Malwarebytes daily and today it keeps finding malware (I've run it twice today) - something about Uniblue and PC Mechanic - but I don't have them (I know they're malware) and haven't downloaded anything for a long time, and it's been a couple of weeks since anything has needed updating, and I make sure nothing is checked on updates.

I've not done anything out of the ordinary. Checked email (online - no program - didn't have anything suspicious, and I delete anything with an attachment, but there was nothing with an attachment anyway), checked NHK World, weather, NASA NG and AZ HW PODs; that's about it. Nothing to download, and I don't download anything but updates, and it's been a couple of weeks since any updates but Windows.

Attached Files


Edited by Tierra93, 06 October 2016 - 01:23 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 AM

Posted 07 October 2016 - 10:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Nothing suspicious was found on your logs.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Run the Malwarebytes programs and post the log for my review.

#3 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 07 October 2016 - 05:23 PM

Hi,

 

It found 5 threats:

 

# AdwCleaner v6.021 - Logfile created 07/10/2016 at 15:16:42
# Updated on 06/10/2016 by ToolsLib
# Database : 2016-10-07.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : 93 - PUGET-117561
# Running from : C:\Users\93\Desktop\adwcleaner_6.021.exe
# Mode: Scan
# Support : https://toolslib.net/forum



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Uniblue


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\93\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\93\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\4\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\4\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1567 Bytes] - [06/10/2016 10:52:42]
C:\AdwCleaner\AdwCleaner[S1].txt - [1392 Bytes] - [07/10/2016 15:16:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1465 Bytes] ##########
 

# AdwCleaner v6.020 - Logfile created 06/10/2016 at 10:52:42
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-10-06.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : 93 - PUGET-117561
# Running from : C:\Users\93\Downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://toolslib.net/forum



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Classes\pc-mechanic
Key Found:  [x64] HKLM\SOFTWARE\Classes\pc-mechanic
Key Found:  HKLM\SOFTWARE\Uniblue


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\93\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\93\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\4\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\4\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1411 Bytes] - [06/10/2016 10:52:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1484 Bytes] ##########
 

 

Should I clean?

 

Thank you!


Edited by Tierra93, 07 October 2016 - 05:32 PM.


#4 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 07 October 2016 - 05:41 PM

Malwarebytes didn't find anything this time but here are the logs:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/7/2016
Scan Time: 3:25 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.07.07
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: 93

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395854
Time Elapsed: 9 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/6/2016
Scan Time: 10:41 AM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.06.11
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: 93

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395645
Time Elapsed: 9 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Uniblue, HKLM\SOFTWARE\CLASSES\pc-mechanic, Quarantined, [10f3791d4e4c51e5d4ec975ffb095fa1],
PUP.Optional.Uniblue, HKLM\SOFTWARE\WOW6432NODE\CLASSES\pc-mechanic, Quarantined, [44bf1e78306aaf87f1cf6492986c7d83],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

Centurylink is my ISP (so I didn't do anything about these; however, thought should include):
 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/26/2016
Scan Time: 4:55 AM
Logfile:
Administrator: No

Version: 2.2.1.1043
Malware Database: v2016.05.26.03
Rootkit Database: v2016.05.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: 4

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 248063
Time Elapsed: 5 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.CenturyLink.ShrtCln, C:\Users\4\AppData\Roaming\Mozilla\Firefox\Profiles\enmbkpo5.default\sessionstore.js, Good: (), Bad: (centurylink.net), Replaced,[4635b624a3f67bbb46f399e0bc48f60a]

Physical Sectors: 0
(No malicious items detected)


(end)

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/11/2016
Scan Time: 5:43 AM
Logfile:
Administrator: No

Version: 2.2.1.1043
Malware Database: v2016.05.11.03
Rootkit Database: v2016.05.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: 4

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 247477
Time Elapsed: 4 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.CenturyLink.ShrtCln, C:\Users\4\AppData\Roaming\Mozilla\Firefox\Profiles\enmbkpo5.default\sessionstore.js, Good: (), Bad: (centurylink.net), Replaced,[b0ef0dc72376b0868032362f659fc23e]

Physical Sectors: 0
(No malicious items detected)


(end)

 

Thank you!



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 AM

Posted 08 October 2016 - 08:30 AM

Clean these items with the AdwCleaner tool.

Key Found: HKLM\SOFTWARE\Classes\pc-mechanic
Key Found: [x64] HKLM\SOFTWARE\Classes\pc-mechanic
Key Found: HKLM\SOFTWARE\Uniblue

===

Leave the Malwarebytes alone. Nothing to worry about.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#6 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 08 October 2016 - 09:59 AM

Thank you.

I ran AdwCleaner; however, it only found the Uniblue and not the PC Mechanic. It found 4 other threats in Chrome (which I don't use). What do you think happened to the PC Mechanic threats, since they weren't there now?


I noticed they no longer have an uninstall button for AdwCleaner. What is the proper way to get rid of it now?

I checked over the link, and I do everything on it. I keep everything updated and don't do any social media, use strong passwords and change them often, don't use IE or the other MS browser (my computer came with FF and Chrome - and I use FF - haven't even opened the MS browsers), usually only FF with several security add-ons, and rarely use Chrome (can't think of the last time on this computer, if ever). No pirated or P2P software, and when updating I always check to see if something is bundled and uncheck it, and it had been a couple of weeks (except for Windows) since anything needed updating, and I run Malwarebytes daily and it never found this before. I don't even open email from people I don't know or expect, and no one sends me attachments as they know I'll delete the email. So, I really can't figure out where this came from.

Thank you very much.

Edited by Tierra93, 08 October 2016 - 10:10 AM.
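An added example, not from the thread or from Malwarebytes, that parses the Malwarebytes Anti-Malware 2.x log format pasted above and traces what happened to a given item across scans: the 10/6 log records both pc-mechanic keys being quarantined, which is why the 10/7 scan and the later AdwCleaner run no longer list them, while the plain `HKLM\SOFTWARE\Uniblue` key was never touched by Malwarebytes. The sample logs are constructed and abbreviated from the thread's output with placeholder hashes, and the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Detection:
    section: str   # log section, e.g. "Registry Keys" or "Files"
    name: str      # signature, e.g. "PUP.Optional.Uniblue"
    target: str    # flagged registry key or file path
    action: str    # what MBAM did: "Quarantined", "Replaced", ...

@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)     # "Scan Date", "License", ...
    detections: list = field(default_factory=list)

    @property
    def date(self):
        return datetime.strptime(self.header["Scan Date"], "%m/%d/%Y")

# Section headers look like "Registry Keys: 2"; the number is the item count.
SECTION_RE = re.compile(r"^(Processes|Modules|Registry Keys|Registry Values|"
                        r"Registry Data|Folders|Files|Physical Sectors): (\d+)$")

def parse_mbam_log(text):
    """Parse one Malwarebytes Anti-Malware 2.x scan log into a ScanReport."""
    report, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section is None:                  # still in the "Key: Value" header
            key, sep, value = line.partition(": ")
            if sep:
                report.header[key] = value
        elif not line.startswith("("):         # skip "(No malicious items detected)"
            # "<name>, <target>[, Good: (), Bad: (...)], <action>, [<hash>],"
            fields = [f.strip() for f in line.rstrip(",").split(",")]
            report.detections.append(Detection(section, fields[0], fields[1], fields[-2]))
    return report

def history(reports, needle):
    """Every action taken on targets containing `needle`, oldest scan first."""
    hits = []
    for rep in sorted(reports, key=lambda r: r.date):
        for d in rep.detections:
            if needle.lower() in d.target.lower():
                hits.append((rep.header["Scan Date"], d.name, d.action))
    return hits

# Constructed, abbreviated sample logs modelled on the thread's 10/6 and 10/7
# scans; the bracketed hashes are placeholders, not values from the thread.
LOG_OCT6 = r"""Scan Date: 10/6/2016
Registry Keys: 2
PUP.Optional.Uniblue, HKLM\SOFTWARE\CLASSES\pc-mechanic, Quarantined, [hash-placeholder],
PUP.Optional.Uniblue, HKLM\SOFTWARE\WOW6432NODE\CLASSES\pc-mechanic, Quarantined, [hash-placeholder],
(end)"""
LOG_OCT7 = r"""Scan Date: 10/7/2016
Registry Keys: 0
(No malicious items detected)
(end)"""
```

Calling `history([parse_mbam_log(LOG_OCT6), parse_mbam_log(LOG_OCT7)], "pc-mechanic")` returns the two 10/6 quarantine actions and nothing for 10/7, so the later scans are clean because the keys were already removed, not because the detection was lost.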


#7 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 08 October 2016 - 10:14 AM

PS I've noticed over the last two days that, although I manually run Windows Defender every few hours while I'm on the computer, it keeps giving me a yellow banner and says it's unprotected - even though I've updated and run quick scans within a few minutes.

 

I checked the settings and everything is on for Windows Defender, so I don't understand why it thinks it's not working properly.

 

Could this be more malware problems?


Edited by Tierra93, 08 October 2016 - 10:16 AM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 AM

Posted 08 October 2016 - 12:30 PM

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

#9 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 08 October 2016 - 07:21 PM

Farbar Service Scanner Version: 27-01-2016
Ran by 93 (administrator) on 08-10-2016 at 17:20:22
Running from "C:\Users\93\Desktop"
Microsoft Windows 10 Home (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 AM

Posted 09 October 2016 - 08:44 AM

Could this be a false positive?

Refer to this article and let me know if trying the suggestions made a difference.

http://windowsreport.com/windows-defender-shield-overlay-windows-10/

#11 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 09 October 2016 - 09:55 AM

Thank you. 

 

I've not seen that X over the white shield. It's the banner part at the top that is usually green; sometimes, a little after a scan (I did do one full scan, but most have been quick), it is yellow with a message about not being properly protected. It's not found anything on either quick or full scans, just the yellow banner stating it needs to scan when I'd already recently done it (usually less than an hour before).



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 AM

Posted 10 October 2016 - 08:55 AM

Do you have all the latest Microsoft important updates?

Not just Windows Defender?

#13 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 10 October 2016 - 03:40 PM

Yes.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 AM

Posted 11 October 2016 - 09:36 AM

Let's see what this tool will fix/find.

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

#15 Tierra93

Tierra93
  • Topic Starter

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:35 PM

Posted 11 October 2016 - 05:53 PM

There isn't one for Windows 10, and it says not to run it on Windows 8.1 - is this OK for Windows 10?





