
Popups from mshta.exe


This topic is locked
13 replies to this topic

#1 kroghm (Members, 15 posts)
Posted 02 November 2016 - 03:29 PM

A while ago a popup began appearing from a file named "mshta.exe". The file is located in C:\Windows\SysWOW64 and as far as I know it shouldn't be there.

In my last thread I tried to remove the problem with "MiniToolBox, MalwareBytes, AdwCleaner and Junkware Removal Tool" but that didn't work.

I've run a scan in the program "FRST"; the logs are in the attachments.

- Kroghm

Attached Files





#2 Jo* (Malware Response Team, 3,416 posts, Germany)
Posted 04 November 2016 - 01:19 PM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.

Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save it to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 kroghm (Topic Starter)
Posted 05 November 2016 - 05:20 PM

Hey,

Thanks for the help!

Step 1: Content from the Security Check notepad document

Results of screen317's Security Check version 1.014 --- 12/23/15
 x64 (UAC is enabled)
 Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
 Windows Defender
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 31
 Java version 32-bit out of Date!
 Adobe Flash Player 23.0.0.205
 Adobe Reader XI
 Google Chrome (53.0.2785.143)
 Google Chrome (54.0.2840.71)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````
 Windows Defender MSMpEng.exe
 Windows Defender MpCmdRun.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 
Step 2: Report from MBAR
 
There was no malware found!
 
 
Step 3: Content from AdwCleaner logfile
 
 
# AdwCleaner v6.030 - Logfile created 05/11/2016 at 23:12:25
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-05.1 [Server]
# Operating System : Windows 8.1  (X64)
# Username : mikkel - MIKKEL
# Running from : M:\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - nonjdcjchghhkdoolnlbekcfllmednbl
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [2907 Bytes] - [24/10/2016 20:32:11]
C:\AdwCleaner\AdwCleaner[S0].txt - [2776 Bytes] - [24/10/2016 20:29:40]
C:\AdwCleaner\AdwCleaner[S1].txt - [1288 Bytes] - [05/11/2016 23:12:25]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1361 Bytes] ##########
 


#4 Jo*
Posted 06 November 2016 - 05:26 AM

Hello,
 

***


Copy FRST / FRST64.exe to your desktop!

Log on to all your user accounts now - without restarting!

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-4143238798-3907526775-848208118-1002\...\MountPoints2: {04671bad-5eff-11e6-830c-74d02ba35661} - "D:\autorun.exe" 
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4143238798-3907526775-848208118-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4143238798-3907526775-848208118-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
C:\Windows\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067}.job
Task: {89461801-859B-4BD3-955C-958B3350205C} - System32\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067} => C:\Users\mikkel\AppData\Roaming\{84BCB~1\SYNHEL~1.EXE [2013-04-09] () <==== ATTENTION
Task: {9DFDDD1F-0767-4C00-8DA2-E389586A27DF} - System32\Tasks\{1F692A7D-7E92-471D-97ED-371B2938F76B} => Chrome.exe hxxp://ui.skype.com/ui/0/7.7.73.103.456/da/abandoninstall?page=tsProgressBar
Task: C:\windows\Tasks\Bing Powered Search rafen.job => Wscript.exe  C:\ProgramData\{CCF10992-46B3-8354-C075-1D165A3796D8}\daro.txt <==== ATTENTION
Task: C:\windows\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067}.job => C:\Users\mikkel\AppData\Roaming\{84BCB~1\SYNHEL~1.EXE <==== ATTENTION
AppInit_DLLs-x32: Ȏ噎䵒 => No File
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) please post it to your reply.

---

Download and run Chrome Software Cleaner

---

How is the computer running now?


#5 kroghm (Topic Starter)
Posted 06 November 2016 - 06:20 AM

Hey,

Here is the fixlog content:

Fix result of Farbar Recovery Scan Tool (x64) Version: 04-11-2016
Ran by mikkel (06-11-2016 12:06:57) Run:1
Running from M:\Users\mikkel\Desktop
Loaded Profiles: mikkel (Available Profiles: mikkel)
Boot Mode: Normal
==============================================


fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-4143238798-3907526775-848208118-1002\...\MountPoints2: {04671bad-5eff-11e6-830c-74d02ba35661} - "D:\autorun.exe" 
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4143238798-3907526775-848208118-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4143238798-3907526775-848208118-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3f4653f4&q={searchTerms}
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
C:\Windows\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067}.job
Task: {89461801-859B-4BD3-955C-958B3350205C} - System32\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067} => C:\Users\mikkel\AppData\Roaming\{84BCB~1\SYNHEL~1.EXE [2013-04-09] () <==== ATTENTION
Task: {9DFDDD1F-0767-4C00-8DA2-E389586A27DF} - System32\Tasks\{1F692A7D-7E92-471D-97ED-371B2938F76B} => Chrome.exe hxxp://ui.skype.com/ui/0/7.7.73.103.456/da/abandoninstall?page=tsProgressBar
Task: C:\windows\Tasks\Bing Powered Search rafen.job => Wscript.exe  C:\ProgramData\{CCF10992-46B3-8354-C075-1D165A3796D8}\daro.txt <==== ATTENTION
Task: C:\windows\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067}.job => C:\Users\mikkel\AppData\Roaming\{84BCB~1\SYNHEL~1.EXE <==== ATTENTION
AppInit_DLLs-x32: Ȏ噎䵒 => No File
EmptyTemp:
End
*****************


Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
"HKU\S-1-5-21-4143238798-3907526775-848208118-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{04671bad-5eff-11e6-830c-74d02ba35661}" => key removed successfully
HKCR\CLSID\{04671bad-5eff-11e6-830c-74d02ba35661} => key not found. 
C:\windows\system32\GroupPolicy\Machine => moved successfully
C:\windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKU\S-1-5-21-4143238798-3907526775-848208118-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-4143238798-3907526775-848208118-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully
C:\Windows\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067}.job => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{89461801-859B-4BD3-955C-958B3350205C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{89461801-859B-4BD3-955C-958B3350205C}" => key removed successfully
C:\windows\System32\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9DFDDD1F-0767-4C00-8DA2-E389586A27DF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9DFDDD1F-0767-4C00-8DA2-E389586A27DF}" => key removed successfully
C:\windows\System32\Tasks\{1F692A7D-7E92-471D-97ED-371B2938F76B} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1F692A7D-7E92-471D-97ED-371B2938F76B}" => key removed successfully
C:\windows\Tasks\Bing Powered Search rafen.job => moved successfully
C:\windows\Tasks\{30F6C829-8AAE-37EC-DA7C-6338FAD7D067}.job => not found.
"Ȏ噎䵒" => Value data removed successfully.


=========== EmptyTemp: ==========


BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12068653 B
Java, Flash, Steam htmlcache => 264175767 B
Windows/system/drivers => 183445967 B
Edge => 0 B
Chrome => 626577140 B
Firefox => 0 B
Opera => 0 B


Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 230606 B
systemprofile32 => 128 B
LocalService => 47461 B
NetworkService => 1986266 B
UpdatusUser => 0 B
mikkel => 781200485 B


RecycleBin => 0 B
EmptyTemp: => 1.7 GB temporary data Removed.


================================




The system needed a reboot.


==== End of Fixlog 12:07:08 ====


 
 
-------------------------------------------------------------------------
 
 
The computer is running perfectly fine. But it usually takes a few hours before the popup appears, so I don't really know if it's fixed or not.
 
- Kroghm


#6 Jo*
Posted 06 November 2016 - 07:29 AM

Hello,

Step 1: Run Malwarebytes Anti-Rootkit again: double click mbar.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Scan your system for malware.
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Cleaning button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Step 4: How is the computer running now?


***



#7 kroghm (Topic Starter)
Posted 06 November 2016 - 08:07 AM

Hey,

Step 1: There was no malware found.

Step 2: Content from AdwCleaner

# AdwCleaner v6.030 - Logfile created 06/11/2016 at 13:59:15
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-05.1 [Server]
# Operating System : Windows 8.1  (X64)
# Username : mikkel - MIKKEL
# Running from : M:\AdwCleaner.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[-] [C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: nonjdcjchghhkdoolnlbekcfllmednbl

*************************


:: "Tracing" keys deleted
:: Winsock settings cleared


*************************


C:\AdwCleaner\AdwCleaner[C0].txt - [2907 Bytes] - [24/10/2016 20:32:11]
C:\AdwCleaner\AdwCleaner[C2].txt - [1042 Bytes] - [06/11/2016 13:59:15]
C:\AdwCleaner\AdwCleaner[S0].txt - [2776 Bytes] - [24/10/2016 20:29:40]
C:\AdwCleaner\AdwCleaner[S1].txt - [1440 Bytes] - [05/11/2016 23:12:25]
C:\AdwCleaner\AdwCleaner[S2].txt - [1513 Bytes] - [06/11/2016 13:58:52]


########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1334 Bytes] ##########

Step 3: Content from JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 8.1 x64
Ran by mikkel (Administrator) on 06-11-2016 at 14:02:02,76
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 4

Successfully deleted: C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio (Folder)
Successfully deleted: C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gkojfkhlekighikafcpjkiklfbnlmeio (Folder)
Successfully deleted: C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage-journal (File)
Successfully deleted: C:\Users\mikkel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage (File)

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 06-11-2016 at 14:02:41,59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Step 4: The computer is running fine.

 

Step 5: Is it important to have an antivirus program and, if it is, what should I use?



#8 Jo*
Posted 06 November 2016 - 08:48 AM

Is it important to have an antivirus program and, if it is, what should I use?

Yes, it is important, but I do not recommend any particular antivirus software.

You have Windows Firewall and Defender; that is OK.

You will get some preventive tips when the cleaning process of your PC is done.

---


Hello,

Step 1: Please download and run the following tool (rkill) to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run, then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator.
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill, as the malware programs will start again.


---


Step 2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


Step 3: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

---


Step 4: How is the computer running now?


---



#9 kroghm (Topic Starter)
Posted 06 November 2016 - 10:33 AM

Hey,

Step 2: Malwarebytes content

 

Malwarebytes Anti-Malware
www.malwarebytes.org


Scan Date: 06-11-2016
Scan Time: 16:23
Logfile: 
Administrator: Yes


Version: 2.2.1.1043
Malware Database: v2016.11.06.06
Rootkit Database: v2016.10.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled


OS: Windows 8.1
CPU: x64
File System: NTFS
User: mikkel


Scan Type: Threat Scan
Result: Completed
Objects Scanned: 313471
Time Elapsed: 4 min, 47 sec


Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled


Processes: 0
(No malicious items detected)


Modules: 0
(No malicious items detected)


Registry Keys: 0
(No malicious items detected)


Registry Values: 0
(No malicious items detected)


Registry Data: 0
(No malicious items detected)


Folders: 0
(No malicious items detected)


Files: 0
(No malicious items detected)


Physical Sectors: 0
(No malicious items detected)




(end)
Step 3: Content from FSS
 
Farbar Service Scanner Version: 27-01-2016
Ran by mikkel (administrator) on 06-11-2016 at 16:32:30
Running from "M:\"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************


Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.




Windows Firewall:
=============


Firewall Disabled Policy: 
==================




System Restore:
============


System Restore Policy: 
========================




Action Center:
============




Windows Update:
============


Windows Autoupdate Disabled Policy: 
============================




Windows Defender:
==============


Other Services:
==============




File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed




**** End of log ****

Step 4: The computer is running fine.



#10 Jo*
Posted 07 November 2016 - 03:27 AM

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.

***


How is the computer running now?
Is the mshta.exe problem gone?

***



#11 kroghm (Topic Starter)
Posted 07 November 2016 - 06:50 AM

Hey,

Here is the log content:

 

C:\AdwCleaner\quarantine\files\sguakppcqcwhwyofxgzzeuwftbrdscok\PluginsWhiteListing.dll a variant of Win32/Toolbar.Conduit.AR potentially unwanted application cleaned by deleting
C:\Users\mikkel\AppData\Roaming\uTorrent\updates\3.3.2_30303.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application cleaned by deleting
C:\Users\mikkel\AppData\Roaming\{84BCB207-A1EE-DF71-CAD8-F8A3160A059D}\SynHelper.exe a variant of Win32/DealPly.EA potentially unwanted application cleaned by deleting
C:\Users\mikkel\Downloads\utorrent.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application cleaned by deleting
M:\PowerISO6-x64.exe a variant of Win32/FusionCore.I potentially unwanted application deleted
M:\Torchlight II\steam_api.dll a variant of Win32/HackTool.Crack.BQ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\57e868C.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\6165606.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\67856F5.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\77e719B.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\7ee60B2.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\8ab8D1A.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\90b55B3.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\95b5ECB.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\9a7509F.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
M:\Users\mikkel\Desktop\MW2\9b7617D.tmp MSIL/GameHack.DJ potentially unsafe application cleaned by deleting
 
The computer is running fine. I've noticed that my SSD just lost 9 GB of space since yesterday without downloading anything. Don't know if it is a problem?
I don't really know if the mshta problem is gone. The file is still there.
I've also noticed that the log shows uTorrent as a threat. I've tried uninstalling it but it doesn't seem to let me do it.


#12 Jo*

Jo*

  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany
  • Local time:03:05 PM

Posted 07 November 2016 - 07:09 AM

mshta.exe is a file from Microsoft:
https://en.wikipedia.org/wiki/HTML_Application
 

***


It appears that your PC is clean!


***


Clean up:


***


  • Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

===================================

Here are some Preventive tips to reduce the potential for spyware infection in the future

:step1: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
:step2: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.
:step3: Use only one anti-virus software and keep it up-to-date.

:step4: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

:step5: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step6: Use Strong passwords!

:step7: Email attachments
Do not open any unknown email attachments, which you received without asking for it!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
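The question in this thread (is the mshta.exe in SysWOW64 legitimate, and what is launching it?) can be answered from an elevated PowerShell prompt. This is an added example, not part of the thread or any of the tools used in it; it assumes 64-bit Windows 7 or later and uses only built-in cmdlets and schtasks.exe.

```powershell
# Added example (not from the thread): confirm that mshta.exe is the signed
# Microsoft binary in its two expected locations, flag other copies, then list
# autostart entries whose command line invokes mshta. Run as Administrator.

$expected = @(
    "$env:SystemRoot\System32\mshta.exe",   # 64-bit copy
    "$env:SystemRoot\SysWOW64\mshta.exe"    # 32-bit copy, normal on 64-bit Windows
)

foreach ($path in $expected) {
    if (-not (Test-Path $path)) { "MISSING: $path"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -Path $path
    # Status should be "Valid" and the signer subject should name Microsoft Corporation.
    "{0}`n  status:  {1}`n  signer:  {2}`n  version: {3}" -f $path, $sig.Status,
        $sig.SignerCertificate.Subject, $item.VersionInfo.FileVersion
}

# Any copy outside the two expected folders (WinSxS holds legitimate component
# store copies, so it is excluded) deserves a closer look.
Get-ChildItem -Path "$env:SystemDrive\" -Filter mshta.exe -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $expected -notcontains $_.FullName -and $_.FullName -notmatch '\\WinSxS\\' } |
    ForEach-Object { "UNEXPECTED COPY: $($_.FullName)" }

# Popups from mshta.exe normally mean something starts it with a script or URL,
# so check the common Run keys for a value that mentions it.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'mshta' } |
        ForEach-Object { "RUN KEY: $key\$($_.Name) = $($_.Value)" }
}

# Scheduled tasks: schtasks.exe works on Windows 7 and later, unlike Get-ScheduledTask.
schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'mshta' } |
    ForEach-Object { "TASK: $($_.TaskName) -> $($_.'Task To Run')" }
```

A valid Microsoft signature on both expected copies and no matching Run key or task is the "file is legitimate" outcome Jo describes; a task or Run value that launches mshta with a remote URL or script path is where a recurring popup would come from.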


#13 kroghm

kroghm
  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:05 PM

Posted 07 November 2016 - 07:59 AM

Okay :) Thanks for the help Jo!

 

-Kroghm



#14 Jo*

Jo*

  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany
  • Local time:03:05 PM

Posted 07 November 2016 - 04:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.




