
Infected by rogue antispyware (Advanced Identity Protector)


5 replies to this topic

#1 cidlc

  • Members
  • 3 posts

Posted 08 February 2017 - 10:11 PM

I use Windows 10 x64 bit.

 

[screenshot attached]

This is a screenshot of what it looks like. I have done absolutely nothing to try to delete this malware, since I want to make sure you guys can help me so I can COMPLETELY remove it. Please help!

 

Thanks in advance!




#2 TsVk!

    penguin farmer

  • Members
  • 6,238 posts
  • Gender:Male
  • Location:The Antipodes

Posted 08 February 2017 - 11:01 PM

Hi cidlc,

 

My name's John and I'll help you with your issue.

 

First, please create a restore point.

 

Then download and install Revo Uninstaller and use it to uninstall the application. Use the strongest settings and delete the leftover files and registry settings it finds.

 

Then...

 

Please download rKill to your desktop.

  • Right click the file Run As Administrator.
  • If you have any difficulty running the tool, please use an alternative from this page
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • Please copy and paste the log that appears in your reply

 

Please download Zemana AntiMalware and install it

  • Run the application
  • Click "Next" and then Scan
  • When the scan has finished click Next to remove any threats.
  • Click the bars in the top right corner to display the logs, double click your log

  • copy and paste the log into your reply

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • please copy and paste the log into your reply.

If prompted by your firewall, allow DIG.exe.
If you receive an UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.

 

 

Please download Farbar Service Scanner and run it

  • Please check all of the boxes then click Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log into your reply.

 

 

Please include in your reply

  • Did the uninstall work?
  • rKill log
  • Zemana log
  • Security Check log
  • FSS log

How is your machine running now?

 

John


Edited by TsVk!, 08 February 2017 - 11:07 PM.


#3 cidlc

  • Topic Starter
  • Members
  • 3 posts

Posted 08 February 2017 - 11:32 PM

The uninstall worked and all remaining files were removed.

 

Rkill log:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 02/08/2017 11:20:19 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * TrustedInstaller [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * agp440 [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  0.0.0.0 a.ads1.msn.com
  0.0.0.0 a.ads2.msads.net
  0.0.0.0 a.ads2.msn.com
  0.0.0.0 a.rad.msn.com
  0.0.0.0 a-0001.a-msedge.net
  0.0.0.0 a-0002.a-msedge.net
  0.0.0.0 a-0003.a-msedge.net
  0.0.0.0 a-0004.a-msedge.net
  0.0.0.0 a-0005.a-msedge.net
  0.0.0.0 a-0006.a-msedge.net
  0.0.0.0 a-0007.a-msedge.net
  0.0.0.0 a-0008.a-msedge.net
  0.0.0.0 a-0009.a-msedge.net
  0.0.0.0 ac3.msn.com
  0.0.0.0 ad.doubleclick.net
  0.0.0.0 adnexus.net
  0.0.0.0 adnxs.com
  0.0.0.0 ads.msn.com
  0.0.0.0 ads1.msads.net
  0.0.0.0 ads1.msn.com
 
  20 out of 136 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 02/08/2017 11:20:28 PM
Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)

 

 
 
Zemana log:
Zemana AntiMalware 2.72.2.101 (Installed)


-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/2/8
Operating System       : Windows 10 64-bit
Processor              : 2X Intel(R) Pentium(R) CPU G3258 @ 3.20GHz
BIOS Mode              : UEFI
CUID                   : 1255A139F09B08509801A3
Scan Type              : System Scan
Duration               : 1m 58s
Scanned Objects        : 101877
Detected Objects       : 3
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2


Detected Objects
-------------------------------------------------------


Internet Explorer Homepage
Status             : Scanned
Object             : https://search.avira.net/#web/result?source=art&q=
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Homepage


Internet Explorer URL
Status             : Scanned
Object             : https://search.avira.net/#web/result?source=art&q=
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer URL


Internet Explorer URL
Status             : Scanned
Object             : https://search.avira.net/#web/result?source=art&q=
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer URL




Cleaning Result
-------------------------------------------------------
Cleaned               : 3
Reported as safe      : 0
Failed                : 0

Security Check log:
Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender             
AVG AntiVirus Free Edition   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Zemana AntiMalware    
 Java 8 Update 121  
 Java version 32-bit out of Date! 
 Adobe Flash Player 24.0.0.194  
 Google Chrome (56.0.2924.87) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
 Zemana AntiMalware ZAM.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 

 

 

FSS log:
Farbar Service Scanner Version: 27-01-2016
Ran by Cristopher (administrator) on 08-02-2017 at 23:26:32
Running from "C:\Users\Cristopher\Downloads"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============

 

 
 
 
AVG Free Antivirus removed FSS as soon as it finished scanning.
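The rKill log quoted above is the kind of output a responder ends up triaging by hand: a Defender-disabled registry value, a list of service-integrity items, and a truncated HOSTS listing. As an added example (not part of this thread, and not code from rKill or BleepingComputer), here is a Python parser for that log format that pulls out those findings and sorts them into items that need review versus items that indicate a hijack. The sample input is a constructed, abridged excerpt modelled on the log in the post above; the `LOCAL_SINKS` set and the ALERT/REVIEW labels are this example's own conventions, not rKill's.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the rKill log quoted above (abridged, not the real file).
SAMPLE_RKILL_LOG = r"""
Rkill 2.8.4 by Lawrence Abrams (Grinler)
Program started at: 02/08/2017 11:20:19 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * gagp30kx [Missing Service]
 * agp440 [Missing ImagePath]
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  0.0.0.0 a.ads1.msn.com
  0.0.0.0 ad.doubleclick.net
 
  2 out of 136 HOSTS entries shown.
 
Program finished at: 02/08/2017 11:20:28 PM
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Z][^:]*):\s*$")      # e.g. "Checking HOSTS File:"
BULLET_RE = re.compile(r"^\s\*\s(?P<body>.+?)\s*$")          # " * <finding>"
SERVICE_RE = re.compile(r"^(?P<svc>\S+)(?:\s=>\s(?P<path>.+?))?\s\[(?P<issue>[^\]]+)\]$")
REG_KEY_RE = re.compile(r"^\s*\[(?P<key>HK[^\]]+)\]\s*$")
REG_VALUE_RE = re.compile(r'^\s*"(?P<name>[^"]+)"\s*=\s*(?P<value>\S+)\s*$')
HOSTS_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s*$")
HOSTS_COUNT_RE = re.compile(r"^\s*(?P<shown>\d+) out of (?P<total>\d+) HOSTS entries shown\.")
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1"}  # HOSTS targets that block a name rather than redirect it


def parse_rkill_log(text: str) -> Dict[str, object]:
    # Walk the log section by section and collect what rKill reported in each.
    report: Dict[str, object] = {
        "windows_version": None, "malware_services": [], "defender_disabled": False,
        "registry": [],           # (key, value name, data) printed under the Defender finding
        "service_integrity": [],  # (service, issue, image path or None)
        "hosts_entries": [],      # (ip, hostname) as listed by rKill
        "hosts_shown": 0, "hosts_total": 0,
    }
    section: Optional[str] = None
    current_key: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Windows Version:"):
            report["windows_version"] = line.split(":", 1)[1].strip()
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        bullet = BULLET_RE.match(line)
        if bullet:
            body = bullet.group("body")
            if section == "Checking for Windows services to stop" and not body.startswith("No malware"):
                report["malware_services"].append(body)
            elif section == "Performing miscellaneous checks" and body == "Windows Defender Disabled":
                report["defender_disabled"] = True
            elif section == "Checking Windows Service Integrity":
                svc = SERVICE_RE.match(body)
                if svc:
                    report["service_integrity"].append((svc.group("svc"), svc.group("issue"), svc.group("path")))
            continue
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            continue
        val = REG_VALUE_RE.match(line)
        if val and current_key:
            report["registry"].append((current_key, val.group("name"), val.group("value")))
        elif section == "Checking HOSTS File":
            host = HOSTS_RE.match(line)
            count = HOSTS_COUNT_RE.match(line)
            if host:
                report["hosts_entries"].append((host.group("ip"), host.group("host")))
            elif count:
                report["hosts_shown"], report["hosts_total"] = int(count.group("shown")), int(count.group("total"))
    return report


def summarize_findings(report: Dict[str, object]) -> List[str]:
    # Reduce the parsed report to the lines a responder would actually triage.
    findings: List[str] = []
    for item in report["malware_services"]:
        findings.append(f"ALERT: malware service stopped: {item}")
    if report["defender_disabled"]:
        detail = "; ".join(f"{k}\\{n} = {v}" for k, n, v in report["registry"])
        findings.append(f"REVIEW: Windows Defender disabled ({detail})")
    if report["service_integrity"]:
        names = ", ".join(f"{s} [{i}]" for s, i, _ in report["service_integrity"])
        findings.append(f"REVIEW: {len(report['service_integrity'])} service integrity item(s): {names}")
    redirects = [(ip, h) for ip, h in report["hosts_entries"] if ip not in LOCAL_SINKS]
    if redirects:
        findings.append("ALERT: HOSTS maps names to a live address: " + ", ".join(f"{h} -> {ip}" for ip, h in redirects))
    if report["hosts_total"] > report["hosts_shown"]:
        findings.append(f"REVIEW: only {report['hosts_shown']} of {report['hosts_total']} HOSTS entries shown; inspect the full file")
    return findings
```

Calling `summarize_findings(parse_rkill_log(SAMPLE_RKILL_LOG))` yields three REVIEW lines and no ALERT. That matches how the thread reads: HOSTS entries that point ad domains at `0.0.0.0` block those names rather than redirecting them, which is the pattern of an ad-blocking HOSTS list, whereas a hijack maps legitimate names to a reachable address, and that is the case the ALERT branch is for. The `DisableAntiSpyware = 1` value is worth confirming rather than assuming malicious: the Security Check log in the same post lists AVG AntiVirus Free Edition as the active antivirus, and third-party antivirus products commonly leave Defender turned off, so the registry value on its own is corroborating context, not proof of tampering. Service-integrity items are surfaced as a group for an analyst to check against a known-good Windows build rather than treated as an infection indicator by themselves.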


#4 TsVk!

    penguin farmer

  • Members
  • 6,238 posts
  • Gender:Male
  • Location:The Antipodes

Posted 08 February 2017 - 11:51 PM

I think AVG interrupted FSS and deleted it. Could you please temporarily disable AVG and then re-download and re-run FSS?

 

then...

 

Please download and install MalwareBytes Anti-Malware.

  • Run the program.
  • Click Scan Now.
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the HISTORY tab.
  • Click Application Logs, followed by the first Scan Log.
  • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.

 

Please include in your reply

  • FSS log
  • MBAM log

John



#5 cidlc

  • Topic Starter
  • Members
  • 3 posts

Posted 09 February 2017 - 06:40 PM

 

Farbar Service Scanner Version: 27-01-2016

Ran by Cristopher (administrator) on 09-02-2017 at 07:03:01
Running from "C:\Users\Cristopher\Downloads"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****

 

 

Malwarebytes

www.malwarebytes.com
 
-Log Details-
Scan Date: 2/9/17
Scan Time: 7:06 AM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1217
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-R3DB9T8\Cristopher
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 453555
Time Elapsed: 2 min, 28 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
PUP.Optional.SysTweak, C:\USERS\CRISTOPHER\APPDATA\LOCAL\Systweak, Quarantined, [321], [335041],1.0.1217
 
File: 1
PUP.Optional.SysTweak, C:\USERS\CRISTOPHER\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [321], [115211],1.0.1217
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

 

Everything seems to be fine. I have not experienced any interruptions.



#6 TsVk!

    penguin farmer

  • Members
  • 6,238 posts
  • Gender:Male
  • Location:The Antipodes

Posted 09 February 2017 - 06:56 PM

It appears to be completely removed.

 

Let's do one last scan for any leftovers and remove possible leftover temps.

 

Please download Adware Removal Tool and run it.

  • Click Yes at the prompt and then Agree to the terms
  • Click Scan and wait for it to complete
  • Click OK and then Clean
  • Keep clicking OK at the various prompts.
  • When you get to the last screen don't click finish, but rather Save this result
  • Save to a text file, open the file and copy and paste the contents into your reply
  • Click Finish

 

 

Next...

 

Please download and install CCleaner. Run the tool and use it to clean up your temp files. I highly recommend against using the registry cleaner.

 

To finish up, let's remove the tools we have used...

Download DelFix and move the executable to your Desktop;

  • Right-click on DelFix.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Remove disinfection tools;
    • Create registry backup;
  • Once all the options mentioned above are checked, click on Run;
  • After DelFix is done running a log will open. Please copy and paste the log in your next reply

 

 

You can also uninstall Zemana, MBAM, Revo and CCleaner now if you wish. Revo and CCleaner are great tools to have on hand though. You may wish to keep them.

 

How did you go?

 

 





