Recurring Viruses (Adware.Elex/Gen:Variant.Zusy)


  • This topic is locked
14 replies to this topic

#1 MrOkram

  • Members
  • 9 posts

Posted 31 May 2017 - 01:39 PM

Hello, I'm having a problem with recurring viruses. By that I mean that even though I used AdwCleaner and JunkWare Remover, and I even used the Malwarebytes Rootkit remover, I'm still getting those pesky viruses back, one way or another.

Currently I have BitDefender Free (up to date) and Immunet (also up to date) working together, and from time to time BitDefender blocks some addresses and threats.

The problem is that after 4 days of not scanning with AdwCleaner I got around 50 problems, and my PC starts to slow down considerably. I also recently got some weird startup sound, and in Volume Mixer until today I had "Name Not Available".

(I must note that this is not the first time I ran AdwCleaner; the first time I ran it I had quite a few services and stuff running. I'll also add that to the post; if needed I can upload all the AdwCleaner logs.)

Today I downloaded Immunet to work with BitDefender, and in the meantime I ran AdwCleaner. It cleaned some registry entries, 6 of them, plus one service and 4 folders; that was the first scan. The second scan had only 1 folder and 6 registry entries (the PC froze the next time it started). The third scan had only 1 service named "scan" and 2 registry entries.

Using JunkWare it removed a couple of folders and stuff, and after that I used the MWBytes Rootkit Remover; it detected a couple of malwares and deleted them. After the reboot I didn't have the weird startup sound, but BitDefender and Immunet still detected some malware and the PC is still somewhat slower than usual. The virus in this case is "Gen:Variant.Zusy" and it's detected in the "Windows/Temp" folder. I ran AdwCleaner one last time and it says no threats detected, so I'll be posting the log from before that last scan. For the JunkWare scan I deleted the log accidentally. I also have FRST log files.

Thanks in advance.

Attached Files





#2 nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2017 - 09:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program via the Control Panel > Programs > Programs and Features:
Wireshark 2.2.1 (64-bit) (HKLM-x32\...\Wireshark) (Version: 2.2.1 - The Wireshark developer community, hxxps://www.wireshark.org)
---

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy: Restriction <======= ATTENTION
Edge HomeButtonPage: HKU\S-1-5-21-2692224483-198761024-553053318-1001 -> hxxp://www.ourluckysites.com/?type=hp&ts=1495010984&z=86c655fe1585d22838d5ab4g2z7t9wde8gbeftab7g&from=che0812&uid=WDCXWD5000AAKX-001CA0_WD-WCAYUAV1805518055
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\elwo0ytk.default -> luck
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\elwo0ytk.default -> luck
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\elwo0ytk.default -> luck
CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.ourluckysites.com/search/?type=ds&ts=1495010984&z=86c655fe1585d22838d5ab4g2z7t9wde8gbeftab7g&from=che0812&uid=WDCXWD5000AAKX-001CA0_WD-WCAYUAV1805518055&q={searchTerms}
CHR Profile: C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-26] <==== ATTENTION
CHR Extension: (Tampermonkey) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-12-07]
CHR Extension: (Avast SafePrice) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-03-18]
CHR Extension: (Avast Online Security) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-04-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
S3 MBAMFarflt; \??\C:\WINDOWS\system32\drivers\farflt.sys [X]
S3 MBAMProtection; \??\C:\WINDOWS\system32\drivers\mbam.sys [X]
S3 MBAMWebProtection; \??\C:\WINDOWS\system32\drivers\mwac.sys [X]
S3 PCASp60; System32\Drivers\PCASp60.sys [X]
U2 snare; no ImagePath
Task: {909B04D3-4596-424C-8664-3CC2FD533BEF} - \Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents -> No File <==== ATTENTION
Task: {B98846F0-7E65-4B2A-9B42-90F4C2AEBA0A} - \Powokcltas -> No File <==== ATTENTION
Task: {DB75070A-0C2B-444D-9F7B-D57C646B5CEA} - \Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic -> No File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:DocumentSummaryInformation [63]
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:SummaryInformation [63]
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\Users\Marko\Downloads\4kvideodownloader_4.2.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\adwcleaner_6.047.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\FreeYouTubeDownload_4.1.47.525_r.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\ImmunetSetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\JRT(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\regassassin-setup-1.03.exe:BDU [0]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Please let me know what problem persists with this computer.
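The fixlist above tells FRST what to remove but gives no way to see whether those entries were really gone afterwards. The script below is an added example, not part of nasdaq's instructions and not FRST or AdwCleaner code: a read-only PowerShell audit of the same four classes of entry the fixlist targets (scheduled tasks whose executable is missing, local Group Policy files, alternate data streams, and the default search provider of every Chrome profile directory, including odd ones such as ChromeDefaultData). It assumes an elevated PowerShell 5.1 or later session and a normal Chrome install whose Preferences JSON is readable; the paths and task names it mentions in comments are the ones from the fixlist. It changes nothing.

```powershell
# Added example, not part of the thread or of FRST: read-only audit of the entry
# types the fixlist above removes, so the state can be compared before and after
# running Fix. Run from an elevated PowerShell 5.1+ session.

function Get-OrphanedScheduledTasks {
    # Tasks whose action points at a file that no longer exists. These are the
    # "Task: {GUID} - \Name -> No File" lines FRST flags; \Powokcltas above is one.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions carry no Execute
            $expanded = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $onPath = [bool](Get-Command -Name $expanded -ErrorAction SilentlyContinue)
            if (-not (Test-Path -LiteralPath $expanded) -and -not $onPath) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Execute  = $exe
                    Author   = $task.Author
                }
            }
        }
    }
}

function Get-NonStandardStreams {
    # Alternate data streams other than the unnamed $DATA stream and the
    # Zone.Identifier mark-of-the-web. FRST lists these as "AlternateDataStreams:".
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        Get-ChildItem -LiteralPath $p -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                    Select-Object FileName, Stream, Length
            }
    }
}

function Get-LocalGroupPolicyFiles {
    # FRST prints "GroupPolicy: Restriction" when a local policy store exists.
    # Adware drops one to pin browser settings; the Fixlog above moved these files.
    $base = Join-Path $env:SystemRoot 'System32\GroupPolicy'
    foreach ($rel in 'GPT.ini', 'Machine\Registry.pol', 'User\Registry.pol') {
        $full = Join-Path $base $rel
        if (Test-Path -LiteralPath $full) {
            Get-Item -LiteralPath $full | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-ChromeDefaultSearch {
    # Default search provider for every directory under Chrome's User Data that
    # carries a Secure Preferences or Preferences file, which also catches
    # non-standard profile directories such as the "ChromeDefaultData" one above.
    $userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    Get-ChildItem -LiteralPath $userData -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($name in 'Secure Preferences', 'Preferences') {
            $file = Join-Path $_.FullName $name
            if (-not (Test-Path -LiteralPath $file)) { continue }
            try {
                $json = Get-Content -LiteralPath $file -Raw -Encoding UTF8 | ConvertFrom-Json
            } catch {
                Write-Warning "Could not parse $file"
                continue
            }
            $dsp = $json.default_search_provider_data.template_url_data
            if ($dsp) {
                [pscustomobject]@{ Profile = $_.Name; Source = $name; SearchName = $dsp.short_name; SearchUrl = $dsp.url }
                break   # first file that defines a provider wins for this profile
            }
        }
    }
}

# Report. Downloads is where the :BDU streams above were found; add more paths as needed.
'== Scheduled tasks pointing at missing files =='
Get-OrphanedScheduledTasks | Format-Table -AutoSize
'== Local Group Policy files (none expected if local policy was never edited) =='
Get-LocalGroupPolicyFiles | Format-Table -AutoSize
'== Alternate data streams in Downloads =='
Get-NonStandardStreams -Path (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
'== Chrome default search provider per profile directory =='
Get-ChromeDefaultSearch | Format-Table -AutoSize
```

Running it once before the fix and once after, and diffing the two outputs, shows which entries FRST actually removed and which it only reported. Stream enumeration touches every file in the directory, so pass a large tree such as SysWOW64 only when you specifically need it, as with the zlib.dll streams above.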

#3 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 01 June 2017 - 11:28 AM

Here's the Fixlog as requested.

So far the PC is working normally, but in the log I saw that some keys could not be removed.

Edit: I'll post the log below this as it won't upload.

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 31-05-2017
Ran by Marko (01-06-2017 18:06:15) Run:1
Running from C:\Users\Marko\Downloads
Loaded Profiles: Marko (Available Profiles: defaultuser0 & Marko)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy: Restriction <======= ATTENTION
Edge HomeButtonPage: HKU\S-1-5-21-2692224483-198761024-553053318-1001 -> hxxp://www.ourluckysites.com/?type=hp&ts=1495010984&z=86c655fe1585d22838d5ab4g2z7t9wde8gbeftab7g&from=che0812&uid=WDCXWD5000AAKX-001CA0_WD-WCAYUAV1805518055
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\elwo0ytk.default -> luck
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\elwo0ytk.default -> luck
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\elwo0ytk.default -> luck
CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.ourluckysites.com/search/?type=ds&ts=1495010984&z=86c655fe1585d22838d5ab4g2z7t9wde8gbeftab7g&from=che0812&uid=WDCXWD5000AAKX-001CA0_WD-WCAYUAV1805518055&q={searchTerms}
CHR Profile: C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-26] <==== ATTENTION
CHR Extension: (Tampermonkey) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-12-07]
CHR Extension: (Avast SafePrice) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-03-18]
CHR Extension: (Avast Online Security) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-04-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
S3 MBAMFarflt; \??\C:\WINDOWS\system32\drivers\farflt.sys [X]
S3 MBAMProtection; \??\C:\WINDOWS\system32\drivers\mbam.sys [X]
S3 MBAMWebProtection; \??\C:\WINDOWS\system32\drivers\mwac.sys [X]
S3 PCASp60; System32\Drivers\PCASp60.sys [X]
U2 snare; no ImagePath
Task: {909B04D3-4596-424C-8664-3CC2FD533BEF} - \Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents -> No File <==== ATTENTION
Task: {B98846F0-7E65-4B2A-9B42-90F4C2AEBA0A} - \Powokcltas -> No File <==== ATTENTION
Task: {DB75070A-0C2B-444D-9F7B-D57C646B5CEA} - \Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic -> No File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:DocumentSummaryInformation [63]
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:SummaryInformation [63]
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\Users\Marko\Downloads\4kvideodownloader_4.2.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\adwcleaner_6.047.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\FreeYouTubeDownload_4.1.47.525_r.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\ImmunetSetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\JRT(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Marko\Downloads\regassassin-setup-1.03.exe:BDU [0]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-2692224483-198761024-553053318-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\\HomeButtonPage => value removed successfully
Firefox DefaultSearchEngine removed successfully
Firefox SearchEngineOrder.1 removed successfully
Firefox SelectedSearchEngine removed successfully
Chrome DefaultSearchURL => removed successfully
C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData => moved successfully
C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo => not found
C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => not found
C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\gomekmidlodglbbmalcneegieacbdmki => not found
C:\Users\Marko\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
HKLM\System\CurrentControlSet\Services\MBAMFarflt => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\MBAMProtection => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\MBAMWebProtection => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\PCASp60 => key removed successfully
PCASp60 => service removed successfully
HKLM\System\CurrentControlSet\Services\snare => key removed successfully
snare => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{909B04D3-4596-424C-8664-3CC2FD533BEF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{909B04D3-4596-424C-8664-3CC2FD533BEF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B98846F0-7E65-4B2A-9B42-90F4C2AEBA0A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B98846F0-7E65-4B2A-9B42-90F4C2AEBA0A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Powokcltas => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DB75070A-0C2B-444D-9F7B-D57C646B5CEA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DB75070A-0C2B-444D-9F7B-D57C646B5CEA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic => key removed successfully
C:\WINDOWS\SysWOW64\zlib.dll => ":DocumentSummaryInformation" ADS could not remove.
C:\WINDOWS\SysWOW64\zlib.dll => ":SummaryInformation" ADS could not remove.
C:\WINDOWS\SysWOW64\zlib.dll => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
C:\Users\Marko\Downloads\4kvideodownloader_4.2.exe => ":BDU" ADS removed successfully.
C:\Users\Marko\Downloads\adwcleaner_6.047.exe => ":BDU" ADS removed successfully.
C:\Users\Marko\Downloads\FreeYouTubeDownload_4.1.47.525_r.exe => ":BDU" ADS removed successfully.
C:\Users\Marko\Downloads\ImmunetSetup.exe => ":BDU" ADS removed successfully.
C:\Users\Marko\Downloads\JRT(1).exe => ":BDU" ADS removed successfully.
C:\Users\Marko\Downloads\regassassin-setup-1.03.exe => ":BDU" ADS removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 23031413 B
Java, Flash, Steam htmlcache => 696501522 B
Windows/system/drivers => 4238846519 B
Edge => 1343472 B
Chrome => 0 B
Firefox => 400191036 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 898547 B
LocalService => 50548 B
NetworkService => 1179088 B
defaultuser0 => 0 B
Marko => 505576610 B

RecycleBin => 0 B
EmptyTemp: => 5.5 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 01-06-2017 18:17:55)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\MBAMFarflt => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\MBAMProtection => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\MBAMWebProtection => key could not remove, key could be protected

==== End of Fixlog 18:17:56 ====


Edited by MrOkram, 01 June 2017 - 11:29 AM.


#4 nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2017 - 12:03 PM

Looking good.

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 01 June 2017 - 12:04 PM

Thank you for helping out.



#6 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 01 June 2017 - 12:09 PM

Looks like it's back.

I just scanned with AdwCleaner and it found 12 threats; here's the log:

 

# AdwCleaner v6.047 - Logfile created 01/06/2017 at 19:08:37
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-31.2 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : Marko - DESKTOP-269C23T
# Running from : C:\Users\Marko\Downloads\adwcleaner_6.047.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found:  WinSAPSvc
Service Found:  BIT


***** [ Folders ] *****

Folder Found:  C:\Users\Marko\AppData\Roaming\WinSAPSvc
Folder Found:  C:\ProgramData\BIT


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

Task Found:  Milimili


***** [ Registry ] *****

Key Found:  HKU\S-1-5-21-2692224483-198761024-553053318-1001\Software\Conduit
Key Found:  HKCU\Software\Conduit
Key Found:  HKLM\SOFTWARE\ScreenShot
Key Found:  [x64] HKCU\Software\Conduit
Key Found:  [x64] HKLM\SOFTWARE\InterSect Alliance
Value Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
Value Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [BIT]


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [7433 Bytes] - [18/05/2017 20:39:36]
C:\AdwCleaner\AdwCleaner[C2].txt - [6919 Bytes] - [27/05/2017 17:54:09]
C:\AdwCleaner\AdwCleaner[C3].txt - [1510 Bytes] - [27/05/2017 18:12:31]
C:\AdwCleaner\AdwCleaner[C4].txt - [1756 Bytes] - [27/05/2017 17:42:18]
C:\AdwCleaner\AdwCleaner[C5].txt - [2465 Bytes] - [31/05/2017 17:23:49]
C:\AdwCleaner\AdwCleaner[C6].txt - [2461 Bytes] - [31/05/2017 18:56:22]
C:\AdwCleaner\AdwCleaner[S0].txt - [7568 Bytes] - [18/05/2017 20:05:02]
C:\AdwCleaner\AdwCleaner[S10].txt - [2366 Bytes] - [31/05/2017 18:33:27]
C:\AdwCleaner\AdwCleaner[S11].txt - [2440 Bytes] - [31/05/2017 18:53:51]
C:\AdwCleaner\AdwCleaner[S12].txt - [2467 Bytes] - [31/05/2017 20:20:37]
C:\AdwCleaner\AdwCleaner[S13].txt - [2172 Bytes] - [01/06/2017 19:08:37]
C:\AdwCleaner\AdwCleaner[S1].txt - [1289 Bytes] - [18/05/2017 20:51:28]
C:\AdwCleaner\AdwCleaner[S2].txt - [6571 Bytes] - [27/05/2017 17:38:25]
C:\AdwCleaner\AdwCleaner[S3].txt - [1528 Bytes] - [27/05/2017 18:12:09]
C:\AdwCleaner\AdwCleaner[S4].txt - [1674 Bytes] - [27/05/2017 18:22:27]
C:\AdwCleaner\AdwCleaner[S5].txt - [1747 Bytes] - [27/05/2017 17:30:58]
C:\AdwCleaner\AdwCleaner[S6].txt - [1893 Bytes] - [28/05/2017 14:14:42]
C:\AdwCleaner\AdwCleaner[S7].txt - [2383 Bytes] - [31/05/2017 17:04:19]
C:\AdwCleaner\AdwCleaner[S8].txt - [2357 Bytes] - [31/05/2017 17:13:27]
C:\AdwCleaner\AdwCleaner[S9].txt - [2291 Bytes] - [31/05/2017 17:46:25]

########## EOF - C:\AdwCleaner\AdwCleaner[S13].txt - [2903 Bytes] ##########
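The two "Value Found" lines under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost in the log above are the interesting ones: that key maps svchost.exe service groups to the services each group hosts, and a service in such a group runs inside a Microsoft-signed svchost.exe process, loading whatever DLL its Parameters\ServiceDll value names. The WinSAPSvc and BIT groups pair with folders under %APPDATA% and C:\ProgramData, which is not where Windows keeps its own service DLLs. The script below is an added example, not from the thread and not AdwCleaner's logic: it walks every svchost group, resolves each hosted service's ServiceDll, checks the DLL's location and Authenticode status, and flags services whose DLL is missing or lives outside %SystemRoot%. It assumes PowerShell 5.1 or later on the live machine and reads only the standard registry locations; no group or service name is hard-coded.

```powershell
# Added example, not part of the thread or of AdwCleaner: enumerate svchost
# service groups and the DLL each hosted service loads. A group whose service
# points at a DLL under %APPDATA% or C:\ProgramData (as WinSAPSvc and BIT above
# do) or at a DLL that no longer exists is the pattern to look for. Read-only.

function Get-SvchostHostedServices {
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $meta     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $groups   = Get-ItemProperty -LiteralPath $groupKey
    foreach ($prop in $groups.PSObject.Properties) {
        if ($prop.Name -in $meta) { continue }           # provider bookkeeping, not a group
        if ($prop.Value -isnot [string[]]) { continue }  # groups are REG_MULTI_SZ service lists
        foreach ($svc in $prop.Value) {
            $svcKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            $imagePath  = (Get-ItemProperty -LiteralPath $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            $serviceDll = (Get-ItemProperty -LiteralPath "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            $dll = if ($serviceDll) { [Environment]::ExpandEnvironmentVariables($serviceDll) } else { $null }
            $inWindows = [bool]$dll -and $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -LiteralPath $dll).Status.ToString()
            } elseif ($dll) { 'FileMissing' } else { 'NoServiceDll' }
            [pscustomobject]@{
                Group      = $prop.Name
                Service    = $svc
                KeyExists  = Test-Path -LiteralPath $svcKey   # false = stale group entry
                ImagePath  = $imagePath
                ServiceDll = $dll
                Signature  = $sig
                # Location is the primary indicator. Many inbox DLLs are catalog-signed
                # and can report NotSigned on some builds, so Signature is supporting data.
                Suspicious = (-not $inWindows)
            }
        }
    }
}

$all = Get-SvchostHostedServices
'== Suspicious svchost-hosted services (ServiceDll outside the Windows directory, or missing) =='
$all | Where-Object Suspicious |
    Format-Table Group, Service, KeyExists, ServiceDll, Signature -AutoSize
'== Total hosted services inspected: {0} ==' -f @($all).Count
```

A hit lists the group name, the service and the DLL path together, which is what a removal has to cover as a unit: the group value under Svchost, the service key (its ImagePath is svchost.exe -k <group>), the ServiceDll and its folder. Removing one of those while the others survive leaves something for the next scan to report, which is one common reason the same names reappear in repeated AdwCleaner runs. A group entry whose service key no longer exists (KeyExists false) is harmless on its own but is exactly the leftover a scanner keeps listing.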
 



#7 nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 June 2017 - 06:56 AM

Run the AdwCleaner tool and delete everything that was found.

Restart the computer normally.

Let me know if and when you get any issues with this computer.

#8 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 02 June 2017 - 07:02 PM

I ran AdwCleaner and deleted all the services and registry entries it found. I'll update you later if it returns, which it probably will, unfortunately.

Edit: I also have my Immunet AV and Bitdefender go off from time to time saying they quarantined some Trojan in the Win/Temp folder; it keeps reappearing every day.

http://prntscr.com/ffa0jw


Edited by MrOkram, 02 June 2017 - 07:05 PM.


#9 nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2017 - 07:53 AM


Did you recently install this program?
If yes, then please submit the file for an inspection.

Navigate to this page https://www.virustotal.com/ and submit the file below for a review.

C:\Program Files (x86)\GEMBIRD\SE61T-UserTools.exe
---


--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#10 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 03 June 2017 - 12:45 PM

"GEMBIRD" is my mouse driver software, and VirusTotal reported that it doesn't match anything in their database.

 

 

Attached Files


Edited by MrOkram, 03 June 2017 - 12:45 PM.


#11 nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2017 - 06:45 AM


Run the RogueKiller program and delete everything EXCEPT these entries.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ac8f9d2e-d252-4d92-93ef-d074e4c3b468} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b5e4e5a8-a265-42a0-a7c7-09c2cf8085ce} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e11e9cb4-cc59-4605-8bb1-1b3bc3200b9a} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][]) -> Found


Restart the computer normally.

Let me know if the problem persists.

#12 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 04 June 2017 - 03:45 PM

So far there are no virus popups.

I'll let you know if there are any; it may take some time.

In the meantime here's a report of what it deleted. WebTorrent I installed of my own accord.

 

Attached Files



#13 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 04 June 2017 - 03:56 PM

The quarantine warning is back, and this time I'm getting over 60 reports in under 5 seconds.

Here's a picture:

http://prntscr.com/ffvzoy

I hope you can find an answer soon, because these popups cause my PC to freeze for a minute or two.



#14 nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 June 2017 - 07:06 AM


These Temp files are created because of a conflict between Immunet and Bitdefender.

Read about it.
http://support.immunet.com/index.php?/topic/3157-bitdefender-compatability/

Hope you find the right fix for your problem.
===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#15 MrOkram (Topic Starter)

  • Members
  • 9 posts

Posted 05 June 2017 - 06:28 PM

Yes, it looks like that was the problem. I made an exception in the AV program and now it's back to normal. Thank you again for helping me out.





