AV Detected Trojan, Unable to Remove it.


7 replies to this topic

#1 dave89

dave89

  • Members
  • 14 posts

Posted 30 November 2017 - 11:20 PM

Just got a notification from Norton Security that there was a high amount of suspicious traffic and I needed to use their program "Norton Power Eraser" to clear the infection, but when I go to run it, it says it's unable to run since it's not compatible with WIMBoot. I am using Windows 10; the browser I was using at the time was the latest version of Google Chrome in incognito mode, which was a mistake. Here is a screenshot of the alert details: https://imgur.com/a/kQcME It recommends that no action needs to be taken, but I am not sure what to do.


#2 buddy215

buddy215

  • Moderator
  • 13,103 posts
  • Gender:Male
  • Location:West Tennessee

Posted 01 December 2017 - 05:11 PM

You may have adware on your computer...or not. Best to confirm. Use the programs below to clean, remove adware and remove malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

If you are unable to run a scan using MBAM:

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

 

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 dave89

dave89
  • Topic Starter

  • Members
  • 14 posts

Posted 01 December 2017 - 10:16 PM

Thanks for the response buddy.

 

Malwarebytes
www.malwarebytes.com


-Log Details-
Scan Date: 12/1/17
Scan Time: 8:58 PM
Log File: 3e70d926-d704-11e7-bbaf-00ff05a30dde.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3393
License: Free

-System Information-
OS: Windows 10 (Build 16299.98)
CPU: x64
File System: NTFS
User: LAPTOP-OR2ARKFD\David

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 309465
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 4 min, 32 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

 

 

# AdwCleaner 7.0.5.0 - Logfile created on Sat Dec 02 01:56:46 2017
# Updated on 2017/29/11 by Malwarebytes
# Running on Windows 10 Home (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

Deleted: AdvancedSystemCareService10


***** [ Folders ] *****

Deleted: C:\ProgramData\IObit\Advanced SystemCare
Deleted: C:\ProgramData\Application Data\IObit\Advanced SystemCare
Deleted: C:\Windows\System32\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
Deleted: C:\Program Files (x86)\IObit\Advanced SystemCare
Deleted: C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare
Deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
Deleted: C:\Users\All Users\IObit\Advanced SystemCare
Deleted: C:\Users\David\AppData\LocalLow\IObit\Advanced SystemCare
Deleted: C:\Users\David\AppData\Roaming\IObit\Advanced SystemCare
Deleted: C:\ProgramData\DriverSetupUtility
Deleted: C:\ProgramData\Application Data\DriverSetupUtility
Deleted: C:\Program Files\DriverSetupUtility
Deleted: C:\Users\All Users\DriverSetupUtility
Deleted: C:\ProgramData\IObit\ASCDownloader
Deleted: C:\ProgramData\Application Data\IObit\ASCDownloader
Deleted: C:\Users\All Users\IObit\ASCDownloader
Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare


***** [ Files ] *****

Deleted: C:\END
Deleted: C:\Users\All Users\Desktop\Advanced SystemCare 10.lnk
Deleted: C:\Users\Public\Desktop\Advanced SystemCare 10.lnk


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

Deleted: Driver Booster Scheduler
Deleted: ASC10_SkipUac_David


***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\IOBIT\ASC
Deleted: [Key] - HKLM\SOFTWARE\IObit\Advanced SystemCare
Deleted: [Key] - HKLM\SOFTWARE\IObit\RealTimeProtector
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted: [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{215A42F8-F000-4ECF-BC8C-B0A0391BE678}
Deleted: [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{A1E288ED-8CCF-472E-9E55-2BA0156C22A0}
Deleted: [Key] - HKLM\SOFTWARE\Hola
Deleted: [Key] - HKU\.DEFAULT\Software\Hola
Deleted: [Key] - HKU\S-1-5-18\Software\Hola
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare_is1
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
Deleted: [Value] - HKU\S-1-5-21-2329758479-3356289510-3631700060-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Advanced SystemCare 10
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: Hover Hound -
SearchProvider deleted: Norton Safe Search - nortonsafe.search.ask.com


*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [4719 B] - [2017/12/2 1:40:5]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
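The AdwCleaner log above is what a helper reads to see which PUP families were removed and which of them had autostart footholds (services, scheduled tasks, Run values). As an added example that is not from the thread or from Malwarebytes, here is a small Python triage script for this log format; SAMPLE_LOG is a constructed excerpt modelled on the posted log, with a shortened, made-up SID.

```python
"""Triage an AdwCleaner 'clean' log: group removals by section and pull out
the autostart entries (services, scheduled tasks, Run values). SAMPLE_LOG is a
constructed excerpt in the format of the log posted above, not the full log."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# "Deleted: X", "Deleted: [Key] - X", or browser lines like "Plugin deleted: X"
DELETED_RE = re.compile(r"^(?:(\w+) deleted|Deleted): (?:\[(Key|Value)\] - )?(.+)$")

SAMPLE_LOG = r"""
# AdwCleaner 7.0.5.0 - Logfile created on Sat Dec 02 01:56:46 2017
***** [ Services ] *****
Deleted: AdvancedSystemCareService10
***** [ Folders ] *****
Deleted: C:\ProgramData\IObit\Advanced SystemCare
Deleted: C:\Program Files\DriverSetupUtility
***** [ Tasks ] *****
Deleted: Driver Booster Scheduler
***** [ Registry ] *****
Deleted: [Key] - HKLM\SOFTWARE\Hola
Deleted: [Value] - HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Advanced SystemCare 10
***** [ Chromium (and derivatives) ] *****
Plugin deleted: Hover Hound -
SearchProvider deleted: Norton Safe Search - nortonsafe.search.ask.com
"""

def parse_adwcleaner_log(text):
    """Return {section: [(kind, target), ...]}; 'No malicious ...' lines are skipped."""
    removals, section = defaultdict(list), None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := DELETED_RE.match(line)):
            browser_kind, reg_kind, target = m.groups()
            kind = browser_kind or reg_kind or section.rstrip("s")  # Folders -> Folder
            removals[section].append((kind, target.strip(" -")))
    return dict(removals)

def autostart_removals(removals):
    """Removed items that ran at boot/logon: services, tasks, and Run / StartupApproved\\Run values."""
    hits = list(removals.get("Services", [])) + list(removals.get("Tasks", []))
    hits += [(k, t) for k, t in removals.get("Registry", [])
             if k == "Value" and "\\Run|" in t]
    return hits

if __name__ == "__main__":
    parsed = parse_adwcleaner_log(SAMPLE_LOG)
    for kind, target in autostart_removals(parsed):
        print(f"autostart [{kind}] {target}")
```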



#4 buddy215

buddy215

  • Moderator
  • 13,103 posts
  • Gender:Male
  • Location:West Tennessee

Posted 02 December 2017 - 06:01 AM

One more scan....

 

  • Please download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • When complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply


#5 dave89

dave89
  • Topic Starter

  • Members
  • 14 posts

Posted 02 December 2017 - 09:19 AM

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 02.12.2017 07:13:13
Path starting: C:\Users\David\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: David
VersionXML: 4.76is-18.11.2017
___________________________________________________________________________

Windows 10(6.3.16299) (x64) Core Release: 1709 Lang: English(0409)
Installation date OS: 04.11.2017 13:34:32
LicenseStatus: Office 16, Office16O365ProPlusR_Grace edition Windows is in Notification mode
LicenseStatus: Windows®, Core edition The machine is permanently activated.
LicenseStatus: Office 16, Office16O365HomePremR_Subscription4 edition Windows is in Notification mode
Boot Mode: Normal
Default Browser: Microsoft Edge (C:\WINDOWS\system32\LaunchWinApp.exe)
SystemDrive: C: FS: [NTFS] Capacity: [237.9 Gb] Used: [146 Gb] Free: [91.9 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.98.16299.0
User Account Control enabled (Level 2)
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Norton Security (enabled)
---------------------------- [ Firewall_WMI ] -----------------------------
Norton Security
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and up to date)
Norton Security (enabled)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Norton Security v.22.11.2.7
-------------------------- [ SecurityUtilities ] --------------------------
Sandboxie 5.22 (64-bit) v.5.22
Malwarebytes version 3.3.1.2183 v.3.3.1.2183
--------------------------- [ OtherUtilities ] ----------------------------
7-Zip 16.04 (x64) v.16.04
KeePass Password Safe 2.36 v.2.36
VeraCrypt v.1.21
Wireshark 2.4.2 64-bit v.2.4.2
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.40 v.7.40.151
---------------------------- [ ProxyAndVPNs ] -----------------------------
TunnelBear v.3.0.36.9 Warning! This app can show ads.
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 151 v.8.0.1510.12 Warning! Download Update
Uninstall old version and install new one (jre-8u152-windows-i586.exe).
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 57.0.1 (x64 en-US) v.57.0.1 [+]
Google Chrome v.62.0.3202.94
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Mozilla Firefox\firefox.exe v.57.0.1.6541
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe v.3.0.0.1247
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.1.0.595
C:\Program Files\Windows Defender\MSASCuiL.exe v.4.12.16299.15
Windows Defender Antivirus Service (WinDefend) - The service has stopped
Windows Defender Antivirus Network Inspection Service (WdNisSvc) - The service has stopped
---------------------------- [ UnwantedApps ] -----------------------------
Driver Booster 5 v.5.1.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------
 



#6 buddy215

buddy215

  • Moderator
  • 13,103 posts
  • Gender:Male
  • Location:West Tennessee

Posted 02 December 2017 - 09:52 AM

AdwCleaner removed most of the IObit programs including Driver Booster. If it is still listed in your list of installed programs I suggest you attempt to uninstall. Otherwise, most likely it is dead.

 

If you have not purchased TunnelBear you should be aware that it is a source of adware as mentioned above.

 

If you have no use for Java I suggest you uninstall it. Most users have no use for it. Otherwise, it is best to keep it updated as it has so often been exploited.

 

After reading and taking actions mentioned above....I would say you are good to go....



#7 dave89

dave89
  • Topic Starter

  • Members
  • 14 posts

Posted 02 December 2017 - 12:14 PM

Alright, many thanks for the help!



#8 buddy215

buddy215

  • Moderator
  • 13,103 posts
  • Gender:Male
  • Location:West Tennessee

Posted 02 December 2017 - 02:40 PM

You're welcome...enjoyed working with you..





