
possible RAT/persistent trovi


6 replies to this topic

#1 raymj49

raymj49

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 07 April 2017 - 09:05 AM

Tried to run FRST, but Bitdefender (although I allowed the application) "detected infected items" in 5 instances and they were disinfected.


Edited by hamluis, 07 April 2017 - 09:09 AM.
Moved from MRL to Am I Infected - Hamluis.



#2 buddy215

buddy215

  • Moderator
  • 13,134 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:03 AM

Posted 08 April 2017 - 07:34 AM

Use Download Revo Uninstaller Freeware to uninstall Search Protect from your computer.

 

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • Download Malwarebytes to your desktop.
  • Double-click mb3-setup-1878.1878-3.0.6.1469.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 raymj49

raymj49
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 14 April 2017 - 10:17 PM

There is no Search Protect found; following the rest of the instructions.

#4 raymj49

raymj49
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 18 April 2017 - 08:00 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/18/2017
Scan Time: 2:35 AM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.04.18.01
Rootkit Database: v2017.04.02.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: jennifer raymond

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 282951
Time Elapsed: 5 min, 9 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


# AdwCleaner v6.045 - Logfile created 17/04/2017 at 02:36:33
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-16.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : jennifer raymond - MYLITTLEBOX
# Running from : C:\Users\jennifer raymond\Desktop\ad.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found: [C:\Users\jennifer raymond\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found: [C:\Users\jennifer raymond\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found: [C:\Users\jennifer raymond\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - hxxp://www.trovi.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&ISID=M4BEE1170-E192-464B-BF0F-08615B2EB0D4

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1048 Bytes] - [26/10/2016 00:06:56]
C:\AdwCleaner\AdwCleaner[C10].txt - [3052 Bytes] - [06/03/2017 09:00:49]
C:\AdwCleaner\AdwCleaner[C11].txt - [3067 Bytes] - [07/04/2017 08:01:53]
C:\AdwCleaner\AdwCleaner[C2].txt - [1458 Bytes] - [01/12/2016 20:27:50]
C:\AdwCleaner\AdwCleaner[C3].txt - [1794 Bytes] - [12/12/2016 04:59:03]
C:\AdwCleaner\AdwCleaner[C4].txt - [2029 Bytes] - [12/12/2016 07:10:24]
C:\AdwCleaner\AdwCleaner[C5].txt - [2953 Bytes] - [22/12/2016 07:27:24]
C:\AdwCleaner\AdwCleaner[C6].txt - [2346 Bytes] - [10/01/2017 18:22:37]
C:\AdwCleaner\AdwCleaner[C7].txt - [2823 Bytes] - [25/01/2017 20:05:38]
C:\AdwCleaner\AdwCleaner[C8].txt - [2962 Bytes] - [28/01/2017 21:52:01]
C:\AdwCleaner\AdwCleaner[C9].txt - [2902 Bytes] - [28/02/2017 14:36:54]
C:\AdwCleaner\AdwCleaner[S0].txt - [1174 Bytes] - [25/10/2016 23:59:54]
C:\AdwCleaner\AdwCleaner[S10].txt - [3080 Bytes] - [06/03/2017 08:59:48]
C:\AdwCleaner\AdwCleaner[S11].txt - [3052 Bytes] - [07/04/2017 00:43:01]
C:\AdwCleaner\AdwCleaner[S12].txt - [2449 Bytes] - [17/04/2017 02:36:33]
C:\AdwCleaner\AdwCleaner[S1].txt - [1321 Bytes] - [30/10/2016 18:58:10]
C:\AdwCleaner\AdwCleaner[S2].txt - [1557 Bytes] - [01/12/2016 20:26:14]
C:\AdwCleaner\AdwCleaner[S3].txt - [1841 Bytes] - [12/12/2016 04:58:13]
C:\AdwCleaner\AdwCleaner[S4].txt - [2027 Bytes] - [12/12/2016 07:05:26]
C:\AdwCleaner\AdwCleaner[S5].txt - [2838 Bytes] - [22/12/2016 07:26:40]
C:\AdwCleaner\AdwCleaner[S6].txt - [2384 Bytes] - [10/01/2017 18:22:02]
C:\AdwCleaner\AdwCleaner[S7].txt - [2821 Bytes] - [25/01/2017 18:39:31]
C:\AdwCleaner\AdwCleaner[S8].txt - [2960 Bytes] - [28/01/2017 21:50:08]
C:\AdwCleaner\AdwCleaner[S9].txt - [2931 Bytes] - [28/02/2017 14:19:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S12].txt - [3180 Bytes] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 7 Professional x64
Ran by jennifer raymond (Administrator) on Tue 04/18/2017 at 19:46:10.74
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 16

Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2IATS3PE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GPYYHUF (Temporary Internet Files Folder)
Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6W9F7X9A (Temporary Internet Files Folder)
Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EXRPQ1WH (Temporary Internet Files Folder)
Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JM7TAQ1I (Temporary Internet Files Folder)
Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSMI3OAD (Temporary Internet Files Folder)
Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KWZLMUEJ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\jennifer raymond\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGD5CEFG (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2IATS3PE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GPYYHUF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6W9F7X9A (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EXRPQ1WH (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JM7TAQ1I (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSMI3OAD (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KWZLMUEJ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGD5CEFG (Temporary Internet Files Folder)

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 04/18/2017 at 19:51:28.60
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
One other thing: I have rootkits checked off/enabled in the MBAM scan, but in the logs it says it is not enabled.

#5 buddy215

buddy215

  • Moderator
  • 13,134 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:03 AM

Posted 19 April 2017 - 04:42 AM

That is hard to read. Your AdwCleaner log doesn't show you deleted what it found. Please rerun it and be sure to click on Clean when scan finishes.

 

Reset Google Chrome:

You can restore your browser settings in Chrome at any time. You might need to do this if apps or extensions you installed changed your settings without your knowledge. Your saved bookmarks and passwords won't be cleared or changed.

  1. On your computer, open Chrome.
  2. At the top right, click More > Settings. (three vertical dots)
  3. At the bottom, click Show advanced settings.
  4. Under the section "Reset settings," click Reset settings.
  5. In the box that appears, click Reset.

Scan using the FREE Eset Online Scanner.

Free Virus Scan | Online Virus Scan from ESET | ESET

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.


#6 raymj49

raymj49
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 26 April 2017 - 09:06 PM

Reset Chrome, running ESET. For some reason I can't seem to post normally in my replies; that may be why the logs look all compacted.

#7 raymj49

raymj49
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:03 AM

Posted 26 April 2017 - 10:15 PM

# AdwCleaner v6.046 - Logfile created 26/04/2017 at 21:52:54
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-25.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : jennifer raymond - MYLITTLEBOX
# Running from : C:\Users\jennifer raymond\Desktop\ad.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****

[-] [C:\Users\jennifer raymond\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\jennifer raymond\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\jennifer raymond\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://www.trovi.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&ISID=M4BEE1170-E192-464B-BF0F-08615B2EB0D4&SearchSource=55&CUI=&UM=5&UP=SPC27910EC-7D31-4DBD-836B-DC15408739FC&SSPV=


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared
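The AdwCleaner Clean log above is the interesting part of this thread from a detection standpoint: the hijacker had not dropped any service, file or scheduled task, it had only rewritten Chrome profile settings (a startup URL pointing at trovi.com and two extra search providers). The script below is an added example, not code from the thread or from Malwarebytes/AdwCleaner, that performs the same kind of check on a Chrome Preferences / Secure Preferences JSON file: it walks the settings a browser hijacker typically rewrites and reports any that point at a watchlisted domain. The watchlist is taken from the AdwCleaner findings in this thread; the JSON key paths (session.startup_urls, homepage, default_search_provider_data.template_url_data) are assumptions about Chrome's preference layout and should be verified against the Chrome version being audited; the sample profiles are constructed, with the trovi startup URL copied defanged from the log.

```python
import json
from urllib.parse import urlsplit

# Domains taken from the AdwCleaner findings in this thread: the trovi.com
# startup URL / search provider and the leftover aol.com and ask.com search
# providers that AdwCleaner removed alongside it.
WATCHLIST = {"trovi.com", "ask.com", "aol.com"}


def refang(url: str) -> str:
    """Turn the hxxp:// and hxxps:// notation used in posted logs back into a
    parseable scheme without changing anything else."""
    for defanged, real in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.lower().startswith(defanged):
            return real + url[len(defanged):]
    return url


def host_on_watchlist(url: str, watchlist=WATCHLIST) -> bool:
    """True when the URL's host is a watchlisted domain or a subdomain of one
    (so 'nottrovi.com' does not match, but 'search.trovi.com' does)."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_chrome_prefs(prefs: dict, watchlist=WATCHLIST) -> list:
    """Return (setting path, url) pairs for hijack-prone Chrome settings that
    point at a watchlisted domain. Key paths are assumptions about Chrome's
    Preferences / Secure Preferences layout, not taken from the thread."""
    findings = []
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_on_watchlist(url, watchlist):
            findings.append(("session.startup_urls", url))
    homepage = prefs.get("homepage")
    if homepage and host_on_watchlist(homepage, watchlist):
        findings.append(("homepage", homepage))
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("url", "suggestions_url"):
        url = tpl.get(key)
        if url and host_on_watchlist(url, watchlist):
            findings.append((f"default_search_provider_data.template_url_data.{key}", url))
    return findings


def audit_prefs_file(path: str, watchlist=WATCHLIST) -> list:
    """Load a Chrome Preferences / Secure Preferences file and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_prefs(json.load(fh), watchlist)


# Constructed sample profiles. TROVI_URL is the startup URL AdwCleaner reported
# in this thread, kept defanged exactly as posted; the search-provider URL is
# made up for the example and only shares the domain.
TROVI_URL = ("hxxp://www.trovi.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID"
             "&ISID=M4BEE1170-E192-464B-BF0F-08615B2EB0D4")
HIJACKED_PREFS = {
    "homepage": "https://www.google.com/",
    "session": {"restore_on_startup": 4, "startup_urls": [TROVI_URL]},
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "trovi.com",
            "url": "hxxp://www.trovi.com/search?q={searchTerms}",
        }
    },
}
CLEAN_PREFS = {
    "homepage": "https://www.google.com/",
    "session": {"restore_on_startup": 1, "startup_urls": []},
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "google.com",
            "url": "https://www.google.com/search?q={searchTerms}",
        }
    },
}

if __name__ == "__main__":
    for setting, url in audit_chrome_prefs(HIJACKED_PREFS):
        print(f"HIJACK: {setting} -> {url}")
    print("clean profile findings:", audit_chrome_prefs(CLEAN_PREFS))
```

Against a real profile, point `audit_prefs_file` at `Preferences` and `Secure Preferences` under the profile directory with Chrome closed; a hit in `startup_urls` or the default search provider is exactly the condition AdwCleaner cleaned in this thread, and re-running the audit after a Chrome reset is a cheap way to confirm the reset actually took.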



