
Infected with Pony downloader and Vawtrak by .doc hancitor injection.


This topic is locked
14 replies to this topic

#1 Bateson


Posted 31 January 2017 - 03:05 PM

I got a mail from what I thought was UPS.

In it was a .doc document. I opened it and it instructed me to 'enable content'. Only too late did I realize that what I had opened was malware. How do I go about removing the malware? I have attached a log as instructed.

 

Here is the link to a VirusTotal scan of the file: https://virustotal.com/en/file/82e3ec80dde9adb2be1c3abe27c37940b3e0ff3b7f2b80b39e10aae540b1fb7a/analysis

 

More info on the behavior from a comment on VirusTotal:

".doc contains #hancitor , injects to memory

new behavior! injects hancitor to verclsid.exe instead of svchost

dl from places like : xx_Links to malware souces_xx

c2 : xx_Links to malware souces_xx

downloaded more malware via c2 instructions first 8 bytes is xor key, then after un-xor, lznt1 decompress"

 

Here is a lengthy post explaining the behavior of the virus: https://www.minerva-labs.com/post/new-hancitor-pimp-my-downloader

 



Edited by Bateson, 31 January 2017 - 06:12 PM.
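The decoding scheme the VirusTotal comment describes (first 8 bytes are an XOR key, the rest is un-XORed and then LZNT1-decompressed) is what an analyst needs to unpack a captured second stage for inspection without executing it. The Python below is an added example, not code from the post, VirusTotal or Minerva Labs; it implements LZNT1 per MS-XCA, assumes the 8-byte key is applied cyclically (the comment does not say), and uses a constructed sample blob rather than real Hancitor traffic.

```python
import struct

KEY_LEN = 8                # per the VirusTotal comment: first 8 bytes are the XOR key
LZNT1_SIGNATURE = 0x3000   # bits 12-14 of every LZNT1 chunk header must be 011


def _decompress_chunk(chunk: bytes) -> bytes:
    """Expand one compressed LZNT1 chunk (MS-XCA 2.5): a flag byte followed
    by up to 8 tokens, each either a literal byte or a 2-byte back-reference."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])          # literal byte
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The 16-bit token is split into offset and length fields; the
            # split moves one bit toward the offset each time the amount of
            # output so far doubles past 16 bytes.
            p = len(out) - 1
            length_mask, offset_shift = 0xFFF, 12
            while p >= 0x10:
                length_mask >>= 1
                offset_shift -= 1
                p >>= 1
            length = (token & length_mask) + 3
            offset = (token >> offset_shift) + 1
            if offset > len(out):
                raise ValueError("LZNT1 back-reference points before chunk start")
            start = len(out) - offset
            for k in range(length):             # byte-wise so overlapping copies work
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress a full LZNT1 stream: a sequence of chunks, each headed by a
    16-bit little-endian word (size-1 in bits 0-11, signature in bits 12-14,
    compressed flag in bit 15). A zero header ends the stream."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break
        if (header & 0x7000) != LZNT1_SIGNATURE:
            raise ValueError(f"bad LZNT1 chunk header 0x{header:04x} at offset {pos - 2}")
        size = (header & 0xFFF) + 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated LZNT1 chunk")
        pos += size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def decode_hancitor_payload(blob: bytes) -> bytes:
    """Recover the second stage from a downloaded blob: strip the 8-byte key,
    XOR the remainder with it and LZNT1-decompress the result.
    Assumption (not stated in the comment): the key repeats cyclically."""
    if len(blob) <= KEY_LEN:
        raise ValueError("blob too short to hold an 8-byte key and a payload")
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    unxored = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))
    return lznt1_decompress(unxored)


# Constructed sample, not a captured payload. The LZNT1 stream holds one
# compressed chunk whose tokens are the literals "ABC" followed by a
# back-reference (offset 3, length 9), which expands to b"ABCABCABCABC".
_COMPRESSED = bytes([
    0x05, 0xB0,         # header 0xB005: compressed chunk, 6 data bytes
    0x08,               # flags: tokens 0-2 are literals, token 3 is a back-reference
    0x41, 0x42, 0x43,   # literals A B C
    0x06, 0x20,         # token 0x2006: offset (2+1)=3, length (6+3)=9
])
_KEY = bytes([0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88])  # constructed key
SAMPLE_BLOB = _KEY + bytes(b ^ _KEY[i % KEY_LEN] for i, b in enumerate(_COMPRESSED))

if __name__ == "__main__":
    print(decode_hancitor_payload(SAMPLE_BLOB))   # b'ABCABCABCABC'
```

The recovered bytes can then be hashed and fed to static analysis; the chunk-signature and back-reference checks reject blobs that merely look like this format.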



#2 olgun52


Posted 31 January 2017 - 05:58 PM

Hello Bateson and welcome to BleepingComputer.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please use the computer as administrator. (How to use the computer as administrator?)
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.

Thanks

Thank you for the information.

But I can't see the FRST.txt logfile. Please send me the report.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 Bateson


Posted 31 January 2017 - 06:12 PM


Thank you for fast reply!




#4 olgun52


Posted 31 January 2017 - 08:14 PM

Hi again,

I did not see the harmful file?
===============================
I've uninstalled the McAfee software
==============================
ATTENTION: System Restore is disabled

Please enable System Restore.

======================================

C:\TDSSKiller.3.1.0.12_31.01.2017_20.45.25_log.txt
C:\Users\Miles\Desktop\Rkill.txt

I see these on the machine. Can you please post them?

=========================================

Check all browsers and reset the proxy settings.

 

IE proxy reset:
a ) Under "Tools" in the browser tool bar select "Internet Options".
b ) In the "Internet Options" Window that pops up, click the "Connections" tab at the top.
c ) Click "LAN Settings" near the bottom of the "Connections" section.
d ) If the "Proxy server" checkbox is marked with a check, click it to deselect/uncheck it.
e ) Click "Ok" to close the "Local Area Network (LAN) Settings" window.
f ) Click "Ok" to close the "Internet Options" Window.
 
Now check if you are able to connect to Internet Explorer.

 

Firefox proxy reset:

How to reset the proxy in Firefox

 

 To check your Firefox proxy settings:

  1. Click the menu button and choose Options

  2. Select the Advanced panel.
  3. Select the Network tab.
  4. In the Connection section, click Settings....
  5. Change your proxy settings:
    • If you don't connect to the Internet through a proxy (or don't know whether you connect through a proxy), select No Proxy.
  6. Click OK to close the Connection Settings window.
  7. Click OK to close the Options window.

Chrome proxy reset:

  1. Click "Customize and Control Google Chrome" menu.
  2. Click "Options" button.
  3. Under the "Google Chrome Options" window select the "Under the Hood" tab.
  4. In the "Network" section, click the "Change proxy settings" button.
  5. Under the "Internet Properties" window click the "LAN settings" button.
  6. Under the "Local Area Network (LAN) Settings" window click on "Proxy server for your LAN".
  7. If you don't connect to the Internet through a proxy (or don't know whether you connect through a proxy), select No Proxy (unticked).
  8. Click OK and Apply to save the settings.

================================================================================

FRST Script:
Please download the attached Fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

Any issues?

 

Regards

Yılmaz

 

 

 



 


 


#5 Bateson


Posted 31 January 2017 - 08:53 PM


Thanks for taking the time to help me. The file that infected me was deleted. It was a Word document sent from a phishing UPS mail delivery e-mail.




#6 olgun52


Posted 01 February 2017 - 01:55 PM

Hi Bateson,

I understand, thanks.

Java 8 Update 71
Java SE Development Kit 7 Update 55

These are an important security vulnerability in your system. They need to be updated.

 

Step 1:

Java update:
Updating Java and Clearing Cache:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to update.

  • Download the latest version of Java Runtime Environment (JRE) 8.
  • Recommended version is 8 Update 121.
  • Read the License Agreement, then select Accept License Agreement.
  • Click on the link to download Windows Offline (64-bit) and save the file.
  • Close any programs you may have running - especially your web browser.
  • Please uninstall the older version in the process.

See this page for instructions on how to clear Java's cache.

Go into the Control Panel and double-click the Java icon (looks like a coffee cup).

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Installed Applications and Applets
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

Step 2:

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > "I have read the warning and wish to proceed anyway".
  • Auto Launch > untick the box next to it.
  • Scan type > Smart scan (Default).
  • Close all open files, folders and browsers.
  • Click Scan now ("Run as Administrator") and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

 

Step 3:

Please download RogueKiller 32/64 bit to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)

 

 



 


 


#7 Bateson


Posted 01 February 2017 - 03:01 PM


Thanks again! :)




#8 olgun52


Posted 01 February 2017 - 04:53 PM

Hi Bateson,

 

I think this may be the basis of your problem ==> USPS

http://www.stamps.com/download/

 

Zemana AntiMalware log:

STAMP.exe
Status             : Scanned
Object             : %programfiles%\stamp\stamp.exe
MD5                : 69B1FF798D9548AC7C32B8B642A9F7BD
Publisher          : -
Size               : 53130752
Version            : 0.36.0.0
Detection          : Heur.Malicious!Pc
Cleaning Action    : Quarantine
Related Objects    :
                File - %programfiles%\stamp\stamp.exe
                Reference - C:\Users\Public\Desktop\STAMP.lnk

===============================================================

Please open RogueKiller again.

  • Close all the running processes
  • Double click the RogueKiller icon to run the program again.
    Vista/Win7 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Make sure only the following lines are checked:-
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\Hola -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12A61307-94CD-4F8E-94BC-918E511FAA81} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\VNT -> Found
[PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\VNT -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2500173985-1061868191-4228314585-1001\Software\Hola -> Found
[PUP.Gen1] (X64) \Software\Zona -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2500173985-1061868191-4228314585-1001\Software\Hola -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2500173985-1061868191-4228314585-1001\Software\Zona -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\VNT -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\VNT -> Found
[PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2500173985-1061868191-4228314585-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2500173985-1061868191-4228314585-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zona) -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1C52B8B6-FFA2-12F6-0A5A-E8301F96A568} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{7D367FDF-8E9F-EE67-25C5-ECABBBAD5692} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FE139F4C-CE5B-121A-8A2D-191FA2226094} -> Found
  • Now click the Delete button.
  • Please copy and paste the report in your next reply. A copy of the RKreport.txt can be found on your desktop.

Any issue?



 


 


#9 Bateson


Posted 02 February 2017 - 02:49 AM


Thanks for replying again.

 

The stamp.exe app is from this site: https://freeyourmusic.com/ - it allows you to move playlists from one music streaming service to another. Such as Spotify to Tidal, Apple to Spotify, etc.




#10 olgun52


Posted 02 February 2017 - 10:27 AM

Hi Bateson,

 

How is your machine now?

=============================

 

ESET Online Scanner:

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked 
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then click Do not clean. Place a checkmark at Delete application's data on close, click Finish and close the program.

Don't forget to re-enable previously switched-off protection software!


Edited by olgun52, 02 February 2017 - 10:27 AM.


 


 


#11 Bateson


Posted 02 February 2017 - 06:21 PM


My computer is running fine. However, I am worried something has been injected and is hiding, snapping up all my passwords.

 

The scan didn't find anything.

 

Thanks again!



#12 olgun52


Posted 03 February 2017 - 05:45 AM

My computer is running fine. However, I am worried something has been injected and is hiding, snapping up all my passwords.
 
The scan didn't find anything.
 
Thanks again!

You don't have to worry; the machine is now clean.

Thank you for your patience. Please read:
 
In any case please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

To remove all but the most recently created Restore Point:

  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista. and Disk cleanup in Windows 10

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
 
Please take the time to carefully review the info contained below. It's invaluable.
Answers to common security questions - Best Practices
How Malware Spreads - How your system gets infected
Best Practices for Safe Computing - Prevention of Malware Infection
 
Some safety suggestions!

Best regards. :hello:



 


 


#13 Bateson


Posted 03 February 2017 - 10:03 AM

 


 

Thanks so much for helping me!



#14 olgun52


Posted 03 February 2017 - 04:04 PM

You're welcome.

 

We can now close this thread.

 

Sincerely ... :hello:



 


 


#15 olgun52


Posted 03 February 2017 - 04:04 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
