
maybe Kovter--has disabled MalwareBytes & Avast Scan


16 replies to this topic

#1 Hajduk (Members, 77 posts, United States)

Posted 05 November 2017 - 01:37 PM

Windows Security Essentials has several times detected & deleted Kovter. But it must still be there; something is downloading MindSpark, MyWebSearch, and other such junk. ADW Cleaner and Malwarebytes get some but not all of this, and a day or two later it's back again. As of today the Malwarebytes scan does not work (it pretends to scan for a second or two and reports scan finished, no problems found) and likewise the Avast scan (it just keeps running endlessly in circles while reporting 0% scanned). BTW Avast is my antivirus. SpyHunter 4 detects all, I think, of the garbage, but not what is putting them in the computer. So there is a bastard bringing this stuff in. I have gone through the Kovter removal steps (RKill, Symantec Kovter Remover; they have not found it, so I have not yet run Secunia).

Attached Files




#2 nasdaq (Malware Response Team, 37,715 posts, Montreal, QC, Canada)

Posted 06 November 2017 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove the program listed below via the Control Panel > Programs > Programs and Features.
DriverUpdate (HKLM\...\{53C9EBD2-F3F7-49BB-BDB4-147D3A4D5E6D}) (Version: 2.7.10 - Slimware Utilities Holdings, Inc.) Hidden
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [Reimage: Post-Reboot] => C:\ReimageUndo\PostReboot\PR.ln
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
CHR NewTab: Default ->  Not-active:"chrome-extension://mjkcdpcenfkkhlcbfeddiannpeenpilh/newtab/slimemail_tab.html", Not-active:"chrome-extension://gcoedhgmhjhdbgdefpohibamomnffgpe/newtab/newtab.html", Not-active:"chrome-extension://ehbildhleaocgnpfgbijnmabnofaiihe/html/newtab.html"
CHR Extension: (AtoZManuals ) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aafkepgikkbaggoicikkkdlknjmnocak [2017-11-01]
CHR Extension: (PDFConverterHQ) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnflpnhpbffehddplcdlohealbgbbamk [2017-11-05]
CHR Extension: (Avast SafePrice) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-10-17]
CHR Extension: (Avast Online Security) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-09]
CHR Extension: (Avira SafeSearch Plus) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2017-10-24]
CHR Extension: (WeatherBlink) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnnbmiailafajdkboegcjcdklooomfic [2017-11-04]
CHR Extension: (Chrome Media Router) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-18]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.14.102.0 [X]
U1 aswbdisk; no ImagePath
S3 MFE_RR; \??\C:\Users\Martin\AppData\Local\Temp\mfe_rr.sys [X]
S3 SWDUMon; system32\DRIVERS\SWDUMon.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-1607088336-3642115660-196555633-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Martin\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\FileCoAuthLib.dll => No File
Task: {CA4690AC-D5CC-4492-81E3-7C20F057E468} - \Simple Malware Protector_ipm -> No File <==== ATTENTION
Task: {EBD50B94-9AE1-405D-B334-2451CBA5EC02} - System32\Tasks\{B83A8BCC-305D-4E9B-BF1D-7B7133E128DE} => "c:\program files\google\chrome\application\chrome.exe" hxxps://ui.skype.com/ui/0/7.37.0.103/en/go/help.faq.installer?LastError=1603
C:\ReimageUndo

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
---

Reset Chrome...
Open Google Chrome and click on the menu icon (the 3 vertical dots) at the top right of the Google Chrome window.

Click "Settings", then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Restart Chrome.
===

Please let me know what problem persists with this computer.

#3 Hajduk (Topic Starter, Members, 77 posts, United States)

Posted 06 November 2017 - 06:42 PM

I have saved the file you sent as instructed. However, DriverUpdate (HKLM\...\{53C9EBD2-F3F7-49BB-BDB4-147D3A4D5E6D}) (Version: 2.7.10 - Slimware Utilities Holdings, Inc.) is not to be found, so I have not been able to remove it. Therefore I have not run FRST yet; I am awaiting further instructions.



#4 nasdaq (Malware Response Team, 37,715 posts, Montreal, QC, Canada)

Posted 07 November 2017 - 07:26 AM

Hi,

It may have been removed but the Add/Remove list has not been changed.

If you want to clear the listing follow these directives.

https://www.bleepingcomputer.com/tutorials/manually-remove-programs-from-add-remove-programs/

#5 Hajduk (Topic Starter, Members, 77 posts, United States)

Posted 07 November 2017 - 11:01 AM

It isn't there either. It occurs to me that it may have been removed by ADW Cleaner. Maybe I should rerun FRST?

 

This was removed by ADWCleaner, back on 24 Oct.: 

SlimCleanerPlus, C:\Users\Martin\AppData\Local\SlimWare Utilities Inc
 
Two entries like this on log.  Nothing more recent.

Edited by Hajduk, 07 November 2017 - 11:17 AM.


#6 nasdaq (Malware Response Team, 37,715 posts, Montreal, QC, Canada)

Posted 07 November 2017 - 01:52 PM

Just run the Farbar fix.

#7 Hajduk (Topic Starter, Members, 77 posts, United States)

Posted 09 November 2017 - 10:40 AM

Fix result of Farbar Recovery Scan Tool (x86) Version: 02-11-2017 02
Ran by Martin (09-11-2017 07:24:40) Run:1
Running from C:\Users\Martin\Desktop\Security
Loaded Profiles: Martin (Available Profiles: Martin)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\...\Run: [Reimage: Post-Reboot] => C:\ReimageUndo\PostReboot\PR.ln
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
CHR NewTab: Default ->  Not-active:"chrome-extension://mjkcdpcenfkkhlcbfeddiannpeenpilh/newtab/slimemail_tab.html", Not-active:"chrome-extension://gcoedhgmhjhdbgdefpohibamomnffgpe/newtab/newtab.html", Not-active:"chrome-extension://ehbildhleaocgnpfgbijnmabnofaiihe/html/newtab.html"
CHR Extension: (AtoZManuals ) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aafkepgikkbaggoicikkkdlknjmnocak [2017-11-01]
CHR Extension: (PDFConverterHQ) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnflpnhpbffehddplcdlohealbgbbamk [2017-11-05]
CHR Extension: (Avast SafePrice) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-10-17]
CHR Extension: (Avast Online Security) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-09]
CHR Extension: (Avira SafeSearch Plus) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2017-10-24]
CHR Extension: (WeatherBlink) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnnbmiailafajdkboegcjcdklooomfic [2017-11-04]
CHR Extension: (Chrome Media Router) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-18]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.14.102.0 [X]
U1 aswbdisk; no ImagePath
S3 MFE_RR; \??\C:\Users\Martin\AppData\Local\Temp\mfe_rr.sys [X]
S3 SWDUMon; system32\DRIVERS\SWDUMon.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-1607088336-3642115660-196555633-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Martin\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\FileCoAuthLib.dll => No File
Task: {CA4690AC-D5CC-4492-81E3-7C20F057E468} - \Simple Malware Protector_ipm -> No File <==== ATTENTION
Task: {EBD50B94-9AE1-405D-B334-2451CBA5EC02} - System32\Tasks\{B83A8BCC-305D-4E9B-BF1D-7B7133E128DE} => "c:\program files\google\chrome\application\chrome.exe" hxxps://ui.skype.com/ui/0/7.37.0.103/en/go/help.faq.installer?LastError=1603
C:\ReimageUndo
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Reimage: Post-Reboot => value removed successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully.
Chrome NewTab => removed successfully.
CHR Extension: (AtoZManuals ) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aafkepgikkbaggoicikkkdlknjmnocak [2017-11-01] => Error: No automatic fix found for this entry.
CHR Extension: (PDFConverterHQ) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnflpnhpbffehddplcdlohealbgbbamk [2017-11-05] => Error: No automatic fix found for this entry.
CHR Extension: (Avast SafePrice) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-10-17] => Error: No automatic fix found for this entry.
CHR Extension: (Avast Online Security) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-09] => Error: No automatic fix found for this entry.
CHR Extension: (Avira SafeSearch Plus) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2017-10-24] => Error: No automatic fix found for this entry.
CHR Extension: (WeatherBlink) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnnbmiailafajdkboegcjcdklooomfic [2017-11-04] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome Media Router) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-18] => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => key removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key removed successfully.
HKLM\System\CurrentControlSet\Services\InstallerService => key removed successfully.
InstallerService => service removed successfully.
HKLM\System\CurrentControlSet\Services\aswbdisk => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\MFE_RR => key removed successfully.
MFE_RR => service removed successfully.
HKLM\System\CurrentControlSet\Services\SWDUMon => key removed successfully.
SWDUMon => service removed successfully.
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully.
VGPU => service removed successfully.
HKU\S-1-5-21-1607088336-3642115660-196555633-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CA4690AC-D5CC-4492-81E3-7C20F057E468} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4690AC-D5CC-4492-81E3-7C20F057E468} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Simple Malware Protector_ipm => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EBD50B94-9AE1-405D-B334-2451CBA5EC02} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EBD50B94-9AE1-405D-B334-2451CBA5EC02} => key removed successfully.
C:\Windows\System32\Tasks\{B83A8BCC-305D-4E9B-BF1D-7B7133E128DE} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{B83A8BCC-305D-4E9B-BF1D-7B7133E128DE} => key removed successfully.
"C:\ReimageUndo" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13005126 B
Java, Flash, Steam htmlcache => 3399 B
Windows/system/drivers => 1491608 B
Edge => 0 B
Chrome => 537656828 B
Firefox => 0 B
Opera => 163840 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 29654939 B
LocalService => 66228 B
NetworkService => 171594 B
Martin => 558345615 B
 
RecycleBin => 30272 B
EmptyTemp: => 1.1 GB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 09-11-2017 07:30:50)
 
 
Result of scheduled keys to remove after reboot:
 
HKLM\System\CurrentControlSet\Services\aswbdisk => key could not remove, key could be protected
 
==== End of Fixlog 07:30:50 ====
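Since the complaint in this thread is that the junk keeps coming back, the useful follow-up to a Fixlog like the one above is a read-only re-check of the same persistence locations a few reboots later. The script below is an added example, not part of the thread and not FRST's own code: the registry paths are the ones the Fixlog names, Get-ScheduledTask needs Windows 8 or later, and Add-Finding and Get-KeyValues are helper names of my own.

```powershell
# Added verification script (not from this thread, not part of FRST). Read-only: it
# reports what currently sits in the persistence locations the fixlist targeted, so a
# return of the adware after reboot is visible without re-running a fix. Run elevated;
# Get-ScheduledTask needs Windows 8 or later. Add-Finding/Get-KeyValues are my helpers.

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Area, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
}
# Registry values minus the PS* metadata PowerShell attaches to every key.
function Get-KeyValues([string]$Key) {
    if (Test-Path $Key) {
        (Get-ItemProperty $Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    }
}

# 1. Run keys: the fix removed "Reimage: Post-Reboot" from HKLM\...\Run.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    Get-KeyValues $key | ForEach-Object { Add-Finding 'Run key' "$key : $($_.Name) => $($_.Value)" }
}

# 2. Defender policy key: the fix deleted it outright; any value here is worth a look.
Get-KeyValues 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' |
    ForEach-Object { Add-Finding 'Defender policy' "$($_.Name) = $($_.Value)" }

# 3. Machine-wide Chrome extension registrations (two were removed by the fix) and
#    the extensions in the default profile, which FRST reported it could not auto-fix.
$hklmExt = 'HKLM:\SOFTWARE\Google\Chrome\Extensions'
if (Test-Path $hklmExt) {
    Get-ChildItem $hklmExt | ForEach-Object { Add-Finding 'Chrome HKLM extension' $_.PSChildName }
}
$profileExt = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $profileExt) {
    Get-ChildItem $profileExt -Directory | ForEach-Object {
        $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        $name = try { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } catch { '?' }
        Add-Finding 'Chrome profile extension' "$($_.Name) ($name)"
    }
}

# 4. Scheduled tasks whose executable is missing (FRST's "No File") or that hand a
#    URL to a browser, as the {B83A8BCC-...} task did with chrome.exe.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (-not (Test-Path -LiteralPath $exe) -and -not (Get-Command $exe -ErrorAction SilentlyContinue)) {
            Add-Finding 'Task: missing target' "$($task.TaskPath)$($task.TaskName) => $exe"
        } elseif ("$($action.Arguments)" -match 'https?://') {
            Add-Finding 'Task: opens URL' "$($task.TaskPath)$($task.TaskName) => $exe $($action.Arguments)"
        }
    }
}

# 5. Services or drivers loaded from a Temp directory, as mfe_rr.sys was.
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -match '\\Temp\\') { Add-Finding 'Service in Temp' "$($_.PSChildName) => $img" }
}
$findings | Sort-Object Area | Format-Table -AutoSize -Wrap
```

Legitimate entries (Avast's own extensions, vendor updater tasks) will show up too; the point is to compare the list against the Fixlog above and notice anything that has reappeared.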


#8 nasdaq (Malware Response Team, 37,715 posts, Montreal, QC, Canada)

Posted 10 November 2017 - 07:42 AM

Any remaining issues?

#9 Hajduk (Topic Starter, Members, 77 posts, United States)

Posted 11 November 2017 - 10:55 AM

In both Internet Explorer and Chrome, I no longer have my search engine switched to some other by a hidden hand.  Firefox has a little check mark on the link and won't open.  I will try first to put up a new link, and if that doesn't work I will uninstall and download.  I haven't tried to run Malwarebytes or Avast scan yet; I will report back shortly about these.  



#10 Hajduk (Topic Starter, Members, 77 posts, United States)

Posted 11 November 2017 - 11:25 AM

Malwarebytes works.  I cannot get Avast to open.  I am now running MS Security Essentials full scan, which will take some hours.  I’ll fiddle around with Avast, and if nothing works I will uninstall and reinstall.  That seems to be the only problem.  The bugger is gone, as far as I can tell.  What was it ultimately that was so hard to get rid of?



#11 nasdaq (Malware Response Team, 37,715 posts, Montreal, QC, Canada)

Posted 11 November 2017 - 01:27 PM

Hi,

Run the Avast uninstaller to clean everything.

https://www.avast.com/uninstall-utility

When done, restart the computer normally.

Reinstall the application.

#12 Hajduk (Topic Starter, Members, 77 posts, United States)

Posted 12 November 2017 - 04:57 PM

OK, I uninstalled and reinstalled Avast, and now it works properly. However, there is *still* a problem in Chrome. Once again, it shifts browsers on me. My default browser is Google; I search in Google, and the answer is returned in Bing. I don't even have Bing listed in settings, but some bugger is shifting me to Bing. Internet Explorer and Firefox no longer have this problem, only Chrome.



#13 nasdaq (Malware Response Team, 37,715 posts, Montreal, QC, Canada)

Posted 13 November 2017 - 08:03 AM

Reset Chrome...
Open Google Chrome and click on the menu icon (the 3 vertical dots) at the top right of the Google Chrome window.

Click "Settings", then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Restart Chrome.
===

If the problem persists run this program.

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#14 Hajduk (Topic Starter, Members, 77 posts, United States)

Posted 13 November 2017 - 10:46 AM

I have reset the search engines. No problem now, but this is something I had done previously, and the disruptor came back. If it reappears, I will run RogueKiller according to your instructions.



#15 nasdaq (Malware Response Team, 37,715 posts, Montreal, QC, Canada)

Posted 13 November 2017 - 01:38 PM

Hi,

> I have reset the search engines. No problem now, but this is something I had done previously, and the disruptor came back. If it reappears, I will run RogueKiller according to your instructions.

If the problem persists then you will have to remove and reinstall Chrome. Follow these instructions.


Step 1: Remove Chrome from your computer and reinstall a fresh copy later.

Step 2: Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 3: If you sync your account, you must remove it before you save your bookmarks etc.
Delete Your Google Chrome Browser Sync Data
https://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/

Step 4: Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 5: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 6: Re-install Chrome and the bookmarks.
====



