The system is infected with Win32.Trojan.WisdomEyes.

Edited by tienchien, 30 May 2017 - 06:35 AM.

to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.

Please follow these guidelines:

• Read and follow the instructions in the sequence they are posted.
• print or copy & save instructions.
• back up all your private data / music / important files on another (external) drive before using our tools.
• Do not install / uninstall any applications, unless otherwise instructed.
• Use only that tools you have been instructed to use.
• Copy and Paste the log files inside your post, unless otherwise instructed.
• Ask for clarification, if you have any questions.
• Stay with this topic ‘til you get the “all clean” post.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***

Please download Security Analysis by Rocket Grannie from here

• Save it to your Desktop.
• Close your security software to avoid potential conflicts.
• Double click RGSA.exe
• Click OK on the copyright-disclaimer
• When finished, a Notepad window will open with the results of the scan.
• The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
• Please copy and paste the contents of that log in this topic.
• Note:

If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.

***

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
• Double click on downloaded file. OK self extracting prompt.
• MBAR will start. Click in the introduction screen "next" to continue.
• Click in the following screen "Update" to obtain the latest malware definitions.
• Once the update is complete select "Next" and click "Scan".

With some infections, you may see two messages boxes.

• 'Could not load protection driver'. Click 'OK'.
• 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
• If there is no malware found, please let me know as well.

***

Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.

• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
  If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***

No infection found. In my C drive there is software, which when I scan it with VirusTotal.com it still detects Win32.Trojan.WisdomEyes.

 

Thanks verry much.

 

 

----------------------------------------------------------------------------------------------------

Edited by tienchien, 30 May 2017 - 07:17 AM.

Hello again,

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them.

• rkill.exe
• rkill.com
• rkill.scr
• WiNlOgOn.exe
• uSeRiNiT.exe

Do not reboot your computer after running rkill as the malware programs will start again.

---

Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.

• Double-click mb3-setup-1878.1878-3.4.5.2467.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
• Click Finish.
• On the Dashboard, click the 'Update Now >>' link
• After the update completes, click the 'Scan Now >>' button.
• Or, on the Dashboard, click the Scan Now >> button.
• If an update is available, click the Update Now button.
• A Threat Scan will begin.
• When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
• In most cases, a restart will be required.
• Wait for the prompt to restart the computer to appear, then click on Yes.

How to get logs: (Export log to save as txt)

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click 'Export'.
• Click 'Text file (*.txt)'
• In the Save File dialog box which appears, click on Desktop.
• In the File name: box type a name for your scan log.
• A message box named 'File Saved' should appear stating "Your file has been successfully exported".
• Click Ok
• Attach that saved log to your next reply.

(Copy to clipboard for pasting into forum replies or tickets)

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click 'Copy to Clipboard'
• Paste the contents of the clipboard into your reply.

---

Emsisoft Emergency Kit

• Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
• Save EmsisoftEmergencyKit.exe to your Desktop.
• Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear:
  
• Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
• Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
• Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  
• Choose Yes, then wait for EEK to finish updating.
• Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
• Wait for the scan to finish.
  
• If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
• If Emsisoft Emergency Kit asks to reboot, please do so immediately.
• The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  
• Please Copy and Paste the contents of the scan log in your next reply.

***

How the computer is running now?

***

I did all that you told me. But as in previous times, no infection was detected. It seems my system is clean, but sometimes it has very strange behavior that I can not explain.

 

After all, I am very thankful to you.

Edited by tienchien, 30 May 2017 - 10:41 AM.

The system is infected with Win32.Trojan.WisdomEyes, but I do not know how to fix it.

How do you know about Trojan.WisdomEyes?

---

You could Uninstall Chrome

restart the pc

Re-install Chrome but enable only plugins/addons that you really need!

---

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as / FSRT / FSRT64 (usually your desktop) as fixlist.txt
 

Start
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction <======= ATTENTION
CHR Extension: (Chrome Media Router) - C:\Users\iSu\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-30]
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FSRT64 again as Administrator like we did before but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt) please post it to your reply.


How the computer is running now?

I use https://www.virustotal.com to scan a file on drive c, and I get an infection. I will do what you told after hours. thank you very much.

I use https://www.virustotal.com to scan a file on drive c, and I get an infection. I will do what you told after hours. thank you very much.

Please go to virustotal to scan the file(s):
Virus Total
click on Browse, and upload that above mentioned file(s) for analysis:

Then click Submit. Allow the file(s) to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

---

ESET Online Scanner

• Click here to download the installer for ESET Online Scanner and save it to your Desktop.
• Disable all your antivirus and antimalware software - see how to do that here.
• Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
• Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
• Select Enable detection of potentially unwanted applications.
• Click Advanced Settings, then place a checkmark in the following:
  • Remove found threats
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Click Start to begin scanning.
• ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
• When the scan is done, click List threats (only available if ESET Online Scanner found something).
• Click Export, then save the file to your desktop.
• Click Back, then Finish to exit ESET Online Scanner.

Open the scan log and copy and paste the content to your next reply.
 

***

Edited by Jo*, 31 May 2017 - 05:43 AM.

Wow, what did you do with my browser?

Right now, I no longer receive ads when I use the browser. I tried to get rid of them for 2 years but failed, even when I reinstalled windows many times.

Thank you very much.

 

 

 

Strange, now I can not find the file that Virutotal detected "Win32.Trojan.WisdomEyes". It is located in the path: C:\Program Files\ASUSTeKcomputer.Inc\Sonic Suite 3\Foundation\ Of software called SS3Svc32.exe. It is a legitimate software that I install from my Z270f mobo asus cd driver. Now when I'm on the path above, Fodel \Foundation simply does nothing.

 

PS: esetsmartinstaller_enu.exe Report found nothing.

Edited by tienchien, 31 May 2017 - 08:27 AM.

Can you tell me how your computer is running now and if there are any remaining malware related problems.

I just downloaded the MSI Afterburner software from the MSI home page. Installed on the machine, and immediately I get the message ???

 

 

Looks like my system has something so that malicious code can come back. Hix

 

 

 

 

Edited by tienchien, 31 May 2017 - 09:32 AM.

Please translate what your AV (Kapersky) reports.

What I can see is:

1. You use torrents what is a high risk for getting malware
2. Kapersky detects a file in a temp folder, which could be related to your torrent/download
3. If malware comes along with your download, it is ok that Kapersky detects it
4. if no malware, Kapersky makes a false positive detection, which is an issue for Kapersky Support/Forums

Yeah, that was a false positive.

My system is working fine. I will note your reminder about the torrent And I know it is illegal. Thank you all for the help, again.

Edited by tienchien, 31 May 2017 - 11:03 AM.

***

It Appears That Your Pc Is Clean!

***

Clean up:

***

Right-click AdwCleaner.exe and select Run As Administrator.

• Click on the Uninstall button.
• A window will open, press the Confirm button.
• AdwCleaner will uninstall now.

***

Clean up with delfix:

• please download delfix to your desktop.
• Close all other programms and start delfix.
• Please check all the boxes and run the tool.
• delfix will now delete all found traces of our removal process

***

Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

===================================

Here are some Preventive tips to reduce the potential for spyware infection in the future

Make sure you keep your Windows OS current.

• Windows Vista / 7 / 8 users can update via
  Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).

Avoid P2P

• If you think you're using a "safe" P2P program, only the program is safe, not the data.
• You will share files from unsafe sources, and these may be infected.
• Some bad guys use P2P filesharing as an important chanel to spread their wares.

Use only one anti-virus software and keep it up-to-date.

Firewall
Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

Use Strong passwords!

Email attachments
Do not open any unknown email attachments, which you received without asking for it!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.

***