Cleaning up old computer, Possible PUP/Malware Remnants?


8 replies to this topic

#1 Cleaningmompc

Posted 13 August 2017 - 04:36 PM

Hi BleepingComputer, my name is Deejay and I'm actually cleaning up my own computer this time, regardless of the name.

 

The computer in question is

Toshiba, Windows 7, 64bit

Graphics: Intel

 

I've had this computer since around 2011-2012 roughly, and it was bought used, so I do not have the full history. It has, however, met its unfortunate times of being infected before with some Java CVE exploits from 2013 and other general malware, which were removed with various malware removal tools and did not show signs of reappearing. However, during the times of its infection it did have BSODs and system instability. (If more details on this are desired, please ask; I document all logs for future reference.)

 

However, I like to be thorough and scan my whole computer every so often to make sure nothing is hiding, as my computer is still a bit slow at times, especially during antivirus scans, and has high memory load once in a while. (Although this might be from low RAM, I'm not entirely sure.) Today I used RogueKiller and it popped up with mostly things that were set by the computer manufacturer (such as IE's home page being Toshiba's web page... no big deal, I left these alone as they're harmless). But there were two curious file paths in the registry that came up as PUP.Gen0. I researched and found little to no helpful information regarding the specific filename or detection, so I decided to come here before making any decisions.

 

The two registry keys that were detected are:

[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{1791C1B5-FFD0-4d4b-ABCD-7A7DF6EAA89C} -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{26249267-15F4-4DA3-8247-C5A78E4FA918} -> Found
 
The values are empty and I can't really find any information on them in the registry editor. Just the default / registry value not set spiel. 
 
Are these safe to delete? Are they malware/malware remnants? I know better than to delete registry values without heavy research and consulting technicians. 
 
The scan log is below. I allowed RogueKiller to delete/quarantine any other file that I was sure meant no harm to delete/isolate.
 
Thank you for your time. 

 

 

RogueKiller V12.11.9.0 (x64) [Aug  3 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Deejay [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 08/13/2017 15:24:12 (Duration : 00:32:53)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{1791C1B5-FFD0-4d4b-ABCD-7A7DF6EAA89C} -> Not selected
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{26249267-15F4-4DA3-8247-C5A78E4FA918} -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1148774451-3867332700-2556772270-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1148774451-3867332700-2556772270-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1148774451-3867332700-2556772270-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1148774451-3867332700-2556772270-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com  -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {51C99A5B-562E-431A-8651-F4EE2543F5B1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Kodak\Installer\Setup.exe|Name=Kodak.AiO.Installer| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C2DF3FE2-2AA3-4128-8AFD-360A1B2BDC0C} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Kodak\Installer\Setup.exe|Name=Kodak.AiO.Installer| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {51C99A5B-562E-431A-8651-F4EE2543F5B1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Kodak\Installer\Setup.exe|Name=Kodak.AiO.Installer| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C2DF3FE2-2AA3-4128-8AFD-360A1B2BDC0C} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Kodak\Installer\Setup.exe|Name=Kodak.AiO.Installer| [x] -> Deleted
 
¤¤¤ Tasks : 1 ¤¤¤
[Hj.Shortcut] \{02CCDC99-C9A5-4CAC-8C96-79040A46DFA4} -- "c:\program files (x86)\opera\opera.exe" (http://ui.skype.com/ui/0/6.1.0.129.272/en/abandoninstall?page=tsProgressBar) -> Deleted
 
¤¤¤ Files : 1 ¤¤¤
[PUP.Tific][Folder] C:\Users\Deejay\AppData\Roaming\Tific -> Deleted
[PUP.Tific][File] C:\Users\Deejay\AppData\Roaming\Tific\Environment.tfc -> Deleted
[PUP.Tific][File] C:\Users\Deejay\AppData\Roaming\Tific\tificps.symantec.com.tfc -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
--- User ---
[MBR] 0ee09916cc3e3e1c3acb1a97000ec0ab
[BSP] 6b5451ddbd3e55dae3dc092ed3999788 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 596411 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1224523776 | Size: 12568 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 



#2 buddy215


Posted 13 August 2017 - 05:31 PM

See what the programs below find. Allow them to delete/quarantine what they find to clean the computer.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Cleaningmompc


Posted 14 August 2017 - 07:38 AM

Hi there. I have completed all of the tasks. 

 

For some reason JRT keeps finding SearchScopes within my registry under Internet Explorer even though I removed this back in June/July; AdwCleaner also found some things that weren't there before.

 

Also, MBAR found AppInit_DLLs to be of rootkit activity. I heard this is very common for it. I didn't delete it as I wasn't sure if that was safe. Should I allow MBAR to delete it?

 

Here are the logs.

 

---

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.08.14.04
  rootkit: v2017.08.02.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18762
Deejay :: DEEJAY-PC [administrator]
 
8/14/2017 5:44:07 AM
mbar-log-2017-08-14 (05-44-07).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 290554
Time elapsed: 1 hour(s), 33 minute(s), 44 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
----
 
# AdwCleaner 7.0.1.0 - Logfile created on Mon Aug 14 12:23:10 2017
# Updated on 2017/05/08 by Malwarebytes 
# Running on Windows 7 Home Premium (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
No malicious folders deleted.
 
***** [ Files ] *****
 
Deleted: C:\Users\Default\AppData\gacutil.exe
Deleted: C:\Users\Default\AppData\gacutil
Deleted: C:\Users\Default User\AppData\gacutil.exe
Deleted: C:\Users\Default User\AppData\gacutil
 
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
Deleted: gacutil
Deleted: gacutil
 
 
***** [ Registry ] *****
 
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{1791C1B5-FFD0-4D4B-ABCD-7A7DF6EAA89C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{26249267-15F4-4DA3-8247-C5A78E4FA918}
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [12845 B] - [2017/6/24 18:8:30]
C:/AdwCleaner/AdwCleaner[C2].txt - [1375 B] - [2017/6/25 2:6:5]
C:/AdwCleaner/AdwCleaner[S0].txt - [11810 B] - [2017/6/24 18:6:12]
C:/AdwCleaner/AdwCleaner[S1].txt - [1703 B] - [2017/6/25 2:5:31]
C:/AdwCleaner/AdwCleaner[S2].txt - [1461 B] - [2017/6/25 2:26:24]
C:/AdwCleaner/AdwCleaner[S3].txt - [1534 B] - [2017/6/25 2:40:22]
C:/AdwCleaner/AdwCleaner[S4].txt - [1607 B] - [2017/6/25 3:30:45]
C:/AdwCleaner/AdwCleaner[S5].txt - [1680 B] - [2017/6/25 3:50:43]
C:/AdwCleaner/AdwCleaner[S6].txt - [1753 B] - [2017/6/25 3:55:19]
C:/AdwCleaner/AdwCleaner[S7].txt - [1826 B] - [2017/6/25 23:40:20]
C:/AdwCleaner/AdwCleaner[S8].txt - [1899 B] - [2017/6/26 13:55:41]
C:/AdwCleaner/AdwCleaner[S9].txt - [2102 B] - [2017/8/14 12:22:16]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########
 
---
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7 Home Premium x64 
Ran by Deejay (Administrator) on Mon 08/14/2017 at  7:29:24.16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 14 
 
Successfully deleted: C:\Users\Deejay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\99643X0V (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Deejay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BLX3NEDS (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Deejay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BTM1U5TG (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Deejay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MUPYQCWN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Deejay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OS4NAD7I (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Deejay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQZFH61H (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Deejay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PR4IIPD1 (Temporary Internet Files Folder) 
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\99643X0V (Temporary Internet Files Folder) 
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BLX3NEDS (Temporary Internet Files Folder) 
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BTM1U5TG (Temporary Internet Files Folder) 
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MUPYQCWN (Temporary Internet Files Folder) 
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OS4NAD7I (Temporary Internet Files Folder) 
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQZFH61H (Temporary Internet Files Folder) 
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PR4IIPD1 (Temporary Internet Files Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/14/2017 at  7:32:51.10
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by Cleaningmompc, 14 August 2017 - 07:41 AM.


#4 buddy215


Posted 14 August 2017 - 09:22 AM

You can look through the add-ons in IE to see if some toolbar such as Bingbar is listed. If so, disable or delete, as that seems to be what keeps reappearing. Since you are likely using another browser...those are not a problem.

 

FROM THE MBAR Forum: MBAR detects and offers to remove any value data in AppInit_DLLs. If unsure, always click No. If it's malware that might have prevented MBAR from continuing or caused it to crash, that may happen after clicking No.

 

Note that AdwCleaner removed these keys:

Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{1791C1B5-FFD0-4D4B-ABCD-7A7DF6EAA89C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{26249267-15F4-4DA3-8247-C5A78E4FA918}

 

  • Download Security Check by glax24 and save the file to the Desktop.
  • Run the tool by accepting all the Security prompts.
  • When complete, the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard.
  • Simply paste the log to your reply.

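As an added example (not from this thread and not part of RogueKiller, AdwCleaner or MBAR), the PowerShell below shows how a helper would triage a CLSID key like the two empty ones from post #1 before deleting it, and how to read the AppInit_DLLs value that MBAR flagged in post #3. The function names Get-ServerPath, Get-ClsidReport, Get-ClsidLoadPoints and Get-AppInitDlls are hypothetical; it assumes an elevated Windows PowerShell 5.1 session on Windows 7 or later.

```powershell
# Added example, not from the thread. Hypothetical helper functions that
# triage a CLSID registration the way a helper would before deleting it.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 7 or later.

function Get-ServerPath {
    param([string]$ClsidKey)
    # A live COM object points to its DLL/EXE through InprocServer32 or
    # LocalServer32. No such subkey, or a path to a missing file, means the
    # registration is a dead remnant rather than something currently loadable.
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $p = Join-Path $ClsidKey $sub
        if (-not (Test-Path $p)) { continue }
        $raw = (Get-Item $p).GetValue('')
        if (-not $raw) { return "$sub present but empty" }
        # Strip quotes and arguments so Test-Path sees only the module path.
        $file = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') -replace '^(.*?\.(dll|exe|ocx)).*$', '$1'
        return "$sub = $raw (file exists: $(Test-Path $file))"
    }
    return 'no server subkey (orphaned registration)'
}

function Get-ClsidReport {
    param([Parameter(Mandatory)][string]$Clsid)
    # HKCR is a merged view; check the hives that feed it separately so a
    # 32-bit (Wow6432Node) or per-user copy is not missed.
    $roots = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID\$Clsid",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid"
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $key = Get-Item $root
        [pscustomobject]@{
            Key          = $root
            FriendlyName = $key.GetValue('')               # often empty for leftovers
            SubKeys      = ($key.GetSubKeyNames() -join ', ')
            Server       = Get-ServerPath $root
        }
    }
}

function Get-ClsidLoadPoints {
    param([Parameter(Mandatory)][string]$Clsid)
    # Places that actually load an IE/Explorer extension by CLSID. A CLSID
    # referenced from none of them cannot run even if its key still exists.
    $bhoKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    )
    $valueKeys = @(   # here the CLSID appears as a value name under the key
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    )
    $hits = @()
    foreach ($k in $bhoKeys) { if (Test-Path $k) { $hits += $k } }
    foreach ($k in $valueKeys) {
        $names = (Get-ItemProperty $k -ErrorAction SilentlyContinue).PSObject.Properties.Name
        if ($names -contains $Clsid) { $hits += "$k\$Clsid" }
    }
    $summary = if ($hits) { $hits -join '; ' } else { 'none' }
    [pscustomobject]@{ Clsid = $Clsid; LoadPoints = $summary }
}

function Get-AppInitDlls {
    # MBAR flags any data in AppInit_DLLs because DLLs listed there are loaded
    # into every process that links user32.dll. Empty is the expected state.
    foreach ($p in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $v = Get-ItemProperty $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key              = $p
            AppInit_DLLs     = $v.AppInit_DLLs
            LoadAppInit_DLLs = $v.LoadAppInit_DLLs   # 0 = not loaded even if listed
        }
    }
}

# The two keys from the RogueKiller log in this thread.
$clsids = '{1791C1B5-FFD0-4d4b-ABCD-7A7DF6EAA89C}', '{26249267-15F4-4DA3-8247-C5A78E4FA918}'
foreach ($c in $clsids) {
    Get-ClsidReport -Clsid $c | Format-List
    Get-ClsidLoadPoints -Clsid $c | Format-List
}
Get-AppInitDlls | Format-List
```

A key with no friendly name, no server subkey and no load point is a leftover registration that nothing can load, which is consistent with AdwCleaner removing these two keys without any files or DLLs attached to them.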

#5 Cleaningmompc


Posted 14 August 2017 - 09:45 AM

There are no visible add-ons on IE or Google Chrome other than an ad blocker. My mother's PC also had SearchScopes on her computer, which I also removed in the other thread I had posted, but I don't think a worm would infect computers with this?
 
 
What would be the cause for the gacutil.exe files? They never showed up until now.
I haven't downloaded anything that would seem to bring something dodgy.
 
Here is the log:
 
 
 
SecurityCheck by glax24 & Severnyj v.1.4.0.52 [25.07.17]
WebSite: www.safezone.cc
DateLog: 14.08.2017 09:35:16
Path starting: C:\Users\Deejay\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Deejay
VersionXML: 4.55is-08.08.2017
___________________________________________________________________________
 
Windows 7(6.1.7601) Service Pack 1 (x64) HomePremium Lang: English(0409)
Installation date OS: 24.08.2012 07:35:15
LicenseStatus: Windows® 7, HomePremium edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
SystemDrive: C: FS: [NTFS] Capacity: [582.4 Gb] Used: [102.6 Gb] Free: [479.8 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18762 [+]
User Account Control enabled
Automatically download and schedule installation
Date install updates: 2017-08-10 11:20:05
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2010 x86 v.14.0.7015.1000
---------------------------- [ Antivirus_WMI ] ----------------------------
Microsoft Security Essentials (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Firewall (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Microsoft Security Essentials (enabled and up to date)
Windows Defender (disabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Microsoft Security Essentials v.4.10.209.0
-------------------------- [ SecurityUtilities ] --------------------------
Sandboxie 4.06 (64-bit) v.4.06
Malwarebytes version 3.1.2.1733 v.3.1.2.1733
--------------------------- [ OtherUtilities ] ----------------------------
WinRAR 4.20 (64-bit) v.4.20.0 Warning! Download Update
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.0 v.7.0.102 Warning! Download Update
Skype Launcher v.2.01 Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 26 ActiveX v.26.0.0.151
Adobe Flash Player 26 NPAPI v.26.0.0.151
------------------------------- [ Browser ] -------------------------------
Google Chrome v.60.0.3112.90
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.60.0.3112.90
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe v.3.0.0.1068
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.1.0.479
Microsoft Antimalware Service (MsMpSvc) - The service is running
C:\Program Files\Microsoft Security Client\MsMpEng.exe v.4.10.209.0
C:\Program Files\Microsoft Security Client\msseces.exe v.4.10.209.0
Microsoft Network Inspection (NisSrv) - The service is running
C:\Program Files\Microsoft Security Client\NisSrv.exe v.4.10.209.0
Windows Defender (WinDefend) - The service has stopped
---------------------------- [ UnwantedApps ] -----------------------------
Skype Click to Call v.8.5.0.9167 Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.
----------------------------- [ End of Log ] ------------------------------


#6 buddy215


Posted 14 August 2017 - 10:14 AM

Unless you actually click on phone numbers in ads....I suggest you uninstall the Skype Click to Call.

 

You asked...What would be the cause for gacutil.exe files?

I've tried to find an answer to that through searches and haven't been successful. If they show up again please let me know.

 

You can see the recommendations in RED. Up to you whether to update those programs or not.



#7 Cleaningmompc


Posted 14 August 2017 - 10:29 AM

I backed up my history on Skype and just uninstalled it. I prefer Discord now as it's less buggy than Skype and utilizes the memory more efficiently.

 

Yeah, I found it really bizarre to find the gacutil.exe files. I don't know where they came from or why they're in the C:\Users\Default\AppData\ path. Perhaps it's because I deleted the Kodak firewall settings? (We got a new printer brand, so I felt it was fine to delete Kodak.) I dug around the default user folders and deleted any Kodak folders within the app data. I found gacutil.exe, DPinst.exe, PnPutil.exe and gacutil.exe.config (as well as several other folders that seem to be from Microsoft, filled with various shortcuts) within AppData\Roaming, and they seem to be from 2013. I submitted all of the applications/configuration files to VirusTotal and all came back clean. It just strikes me as odd that AdwCleaner would detect those but not the others? I'll run it again just to be sure.

 

 

I've uninstalled all of the out-of-date programs and will reinstall WinRAR.

 

Update: 

 

It found it again. Apparently AdwCleaner isn't able to remove it even though it says it has? It has never detected this before, so I have no idea where it came from. It says by its heuristics it's adware.

 

Log: 

 

# AdwCleaner 7.0.1.0 - Logfile created on Mon Aug 14 15:32:02 2017
# Updated on 2017/05/08 by Malwarebytes 
# Database: 08-11-2017.1
# Running on Windows 7 Home Premium (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
PUP.Adware.Heuristic, C:\Users\Default\AppData\gacutil.exe
PUP.Adware.Heuristic, C:\Users\Default\AppData\gacutil
PUP.Adware.Heuristic, C:\Users\Default User\AppData\gacutil.exe
PUP.Adware.Heuristic, C:\Users\Default User\AppData\gacutil
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
PUP.Adware.Heuristic, gacutil
PUP.Adware.Heuristic, gacutil
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [12845 B] - [2017/6/24 18:8:30]
C:/AdwCleaner/AdwCleaner[C2].txt - [2181 B] - [2017/6/25 2:6:5]
C:/AdwCleaner/AdwCleaner[S0].txt - [11810 B] - [2017/6/24 18:6:12]
C:/AdwCleaner/AdwCleaner[S1].txt - [1703 B] - [2017/6/25 2:5:31]
C:/AdwCleaner/AdwCleaner[S2].txt - [1461 B] - [2017/6/25 2:26:24]
C:/AdwCleaner/AdwCleaner[S3].txt - [1534 B] - [2017/6/25 2:40:22]
C:/AdwCleaner/AdwCleaner[S4].txt - [1607 B] - [2017/6/25 3:30:45]
C:/AdwCleaner/AdwCleaner[S5].txt - [1680 B] - [2017/6/25 3:50:43]
C:/AdwCleaner/AdwCleaner[S6].txt - [1753 B] - [2017/6/25 3:55:19]
C:/AdwCleaner/AdwCleaner[S7].txt - [1826 B] - [2017/6/25 23:40:20]
C:/AdwCleaner/AdwCleaner[S8].txt - [1899 B] - [2017/6/26 13:55:41]
C:/AdwCleaner/AdwCleaner[S9].txt - [2102 B] - [2017/8/14 12:22:16]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S10].txt ##########

Edited by Cleaningmompc, 14 August 2017 - 10:40 AM.


#8 buddy215


Posted 14 August 2017 - 11:16 AM

You can start a new topic in the malware removal forum. They are much more capable of solving the mystery than I.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.



#9 Cleaningmompc


Posted 14 August 2017 - 11:19 AM

Alright, thank you for your time, and I appreciate all of your help.

Have a wonderful rest of your day! :)

 

Although,

I manually deleted gacutil.exe, DPinst.exe, PnPutil.exe and gacutil.exe.config and they're sitting in the recycling bin with no issue. Did a test reboot and rescanned with AdwCleaner and it came up vanilla. I'm still going to forward this to Malware Removal and see what they think.





