Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Little Old Lady PC, Need Help Helping

Trojans PUPS POWERLIKS ReDirects Multiple Chrome Instances Powerliks Rogues PUPs Bogus Chrome Instances

  • Please log in to reply

#31
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,498 posts
You should be seeing what is in the image below. What happens when you click on maximize in the upper right hand corner of the popup? The start button is at the lower right of the screen as shown in my image.

eset popup.JPG
  • 0

Advertisements


#32
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

OK That is exactly what I was worried about.  The window autosizes and I couldnt see the start button.  Ok manually fixed that.  Scanning

 

Step 3 of 4 about half way through from the looks of it.

 

Found 86 beasties so far and wonder of wonder 3 instances of Powerliks


  • 0

#33
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

looks like I misread the number when I peeked, it was only 67.

 

Here is the Log

 

C:\DirectControl.exe Win32/AdWare.Loadshop.H application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\MyOSProtect.dll.vir Win32/AdWare.Loadshop.C application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\MyOSProtect64.dll.vir Win64/Adware.Loadshop.C application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\PCProxyDLL.dll.vir a variant of Win32/AdWare.Loadshop.A application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\pcwtc64f.sys.vir Win64/Adware.Loadshop.D application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\pcwtc64r.sys.vir Win64/Adware.Loadshop.E application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\postcollect.exe.vir Win32/AdWare.Loadshop.G application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\precollect.exe.vir Win32/AdWare.Loadshop.G application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\uninstaller.exe.vir Win32/AdWare.Loadshop.H application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\uninstallhelper.exe.vir Win32/AdWare.Loadshop.H application
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\WDCertInstaller.dll.vir Win32/AdWare.Loadshop.F application
C:\AdwCleaner\Quarantine\C\Users\Chilson\AppData\Local\Search Extensions\Client.exe.vir a variant of MSIL/Adware.iBryte.I application
C:\AdwCleaner\Quarantine\C\Windows\system32\MyOSProtect.dll.vir Win32/AdWare.Loadshop.C application
C:\AdwCleaner\Quarantine\C\Windows\system32\roboot.exe.vir a variant of Win32/Systweak.A potentially unwanted application
C:\FRST\Quarantine\C\Program Files\Windows Optimizer\v7\optimizer.exe a variant of Win32/Agent.WMC trojan
C:\FRST\Quarantine\C\Program Files\Windows Optimizer\v7\powermgr.exe a variant of Win32/Agent.WMC trojan
C:\FRST\Quarantine\C\Program Files\Windows Optimizer\v7\vmnet.exe a variant of Win32/Agent.WMC trojan
C:\FRST\Quarantine\C\ProgramData\Optimizer\program\newver_95259_1.6.4.0.exe a variant of Win32/Agent.WMC trojan
C:\FRST\Quarantine\C\ProgramData\YaqapIhewa\YaqapIhewa.dat a variant of Win32/Kryptik.CPMR trojan
C:\FRST\Quarantine\C\Users\Chilson\AppData\Local\LogMeIn Rescue Applet\Yhkuaop(129).dll Win32/TrojanDownloader.Tracur.AM trojan
C:\FRST\Quarantine\C\Users\Chilson\AppData\Local\LogMeIn Rescue Applet\Yhkuaop.dll Win32/TrojanDownloader.Tracur.AM trojan
C:\FRST\Quarantine\C\Users\Chilson\Downloads\DownloadFileSetup_52HFn.exe.xBAD a variant of Win32/bmMedia.DY potentially unwanted application
C:\Program Files\Adware-Removal-Tool\ARTP3.exe MSIL/FakeTool.PS trojan
C:\Program Files\HP\HP Software Update\jucheck.exe a variant of Win32/Kelihos.G trojan
C:\Program Files\HP\HP Software Update\lucoms.exe a variant of Win32/Kelihos.G trojan
C:\Program Files\YouTube Downloader Services\avasts.exe a variant of Win32/Agent.WMC trojan
C:\Program Files\YouTube Downloader Services\powermgr.exe a variant of Win32/Agent.WMC trojan
C:\Program Files\YouTube Downloader Services\vmnet.exe a variant of Win32/Agent.WMC trojan
C:\Program Files\YouTube Downloader Services\youtubeserv.exe a variant of Win32/Agent.WMC trojan
C:\ProgramData\RogueKiller\Quarantine\306D986739755FB3.reg Win32/Poweliks.C trojan
C:\ProgramData\RogueKiller\Quarantine\38CFD41A325EEFAB.reg Win32/Poweliks.C trojan
C:\ProgramData\RogueKiller\Quarantine\763A068E9E255E7A.reg Win32/Poweliks.C trojan
C:\ProgramData\RogueKiller\Quarantine\879E5569F2B83875.vir a variant of Win32/Kryptik.CPAH trojan
C:\ProgramData\RyMMiLto\dat\rFBLfkuqsTj.dll a variant of MSIL/Adware.PullUpdate.C application
C:\ProgramData\RyMMiLto\dat\yOefCIVAJW.dll a variant of MSIL/Adware.PullUpdate.C application
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\Main\bin\CltMngSvc.exe.vir a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\Qoobox\Quarantine\C\Users\Chilson\AppData\Local\nsi9EAA.tmp.vir Win32/AnyProtect.F potentially unwanted application
C:\Qoobox\Quarantine\C\Users\Chilson\AppData\Local\nsjFB89.tmp.vir Win32/AnyProtect.F potentially unwanted application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0000\svc0000\tsk0000.dta a variant of Win32/AdWare.Adpeak.J application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0001\svc0000\tsk0000.dta Win32/AdWare.Loadshop.D application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0002\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0004\file0000\tsk0000.dta Win32/AdWare.FUPM.A application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0005\file0000\tsk0000.dta Win32/AdWare.FUPM.A application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0006\svc0000\tsk0000.dta a variant of Win32/AdWare.Adpeak.J application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0007\svc0000\tsk0000.dta Win32/AdWare.Loadshop.D application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0008\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0010\file0000\tsk0000.dta Win32/AdWare.FUPM.A application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0011\file0000\tsk0000.dta Win32/AdWare.FUPM.A application
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\uds0000\file0000\tsk0000.dta Win32/Kovter.A trojan
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\uds0001\file0000\tsk0000.dta Win32/Kovter.A trojan
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0000\svc0000\tsk0000.dta a variant of Win32/AdWare.Adpeak.J application
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0002\svc0000\tsk0000.dta Win32/AdWare.Loadshop.D application
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0004\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0010\file0000\tsk0000.dta Win32/AdWare.FUPM.A application
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0011\file0000\tsk0000.dta Win32/AdWare.FUPM.A application
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0014\file0000\tsk0000.dta Win32/Kovter.A trojan
C:\TDSSKiller_Quarantine\07.11.2014_00.50.36\susp0002\svc0000\tsk0000.dta Win32/AdWare.Loadshop.D application
C:\TDSSKiller_Quarantine\07.11.2014_00.50.36\susp0003\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application
C:\TDSSKiller_Quarantine\07.11.2014_01.09.33\susp0002\svc0000\tsk0000.dta Win32/AdWare.Loadshop.D application
C:\TDSSKiller_Quarantine\07.11.2014_01.09.33\susp0003\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application
C:\Users\All Users\RogueKiller\Quarantine\306D986739755FB3.reg Win32/Poweliks.C trojan
C:\Users\All Users\RogueKiller\Quarantine\38CFD41A325EEFAB.reg Win32/Poweliks.C trojan
C:\Users\All Users\RogueKiller\Quarantine\763A068E9E255E7A.reg Win32/Poweliks.C trojan
C:\Users\All Users\RogueKiller\Quarantine\879E5569F2B83875.vir a variant of Win32/Kryptik.CPAH trojan
C:\Users\All Users\RyMMiLto\dat\rFBLfkuqsTj.dll a variant of MSIL/Adware.PullUpdate.C application
C:\Users\All Users\RyMMiLto\dat\yOefCIVAJW.dll a variant of MSIL/Adware.PullUpdate.C application
C:\Users\Chilson\AppData\Roaming\Opera Software\Opera Stable\Extensions\ljefoakgfhcoeobgicjgejglnpfpemgb\1.26.45_0\extensionData\plugins\91.js JS/Toolbar.Crossrider.B potentially unwanted application
 


  • 0

#34
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

looks like most of what it found was already quarantined


  • 0

#35
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,498 posts
Good morning John,

Yes. Most of what was found are in the quarantine folders of AdwCleaner, RogueKiller, ComboFix, and TDSSKiller.

You can go ahead and scan with ESET again and this time under the Hide Advanced Settings, check the box to the left of Remove Found Threats so ESET will remove them. Once we remove all the programs during cleanup, the quarantine folders and all logs should be deleted as well.

See if you can talk the owner into installing a different Antivirus such as Avast. If they can not afford the paid version, even the free version is better than McAfee as far as I am concerned,then they can pay for a subscription of Malwarebytes Pro to protect them from their bad surfing habits. I also have a program called Unchecky that I will have you install during cleanup which will detect and uncheck any prechecked software included in downloads.

Ask them if they use their Adobe Reader. From what I see, it is outdated. Even if they do use it, I would like to uninstall and install an alternative such as Foxit or Sumatra Reader.

Once you rescan with ESET to remove the threats found, create a clean System Restore Point, then please run the Security Check scan below so we can check for other outdated software that needs to be tended to.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.
In my absence, have a look near the bottom of the Security Check log. It should display an area that says the system needs a defrag, or not. If so, please defrag before continuing with Disk Cleanup below. I see that Puran Defrag is installed. I am not familiar with that program, so I'll leave it up to you if you would like to use it or the on board defrag that MS provides.

Also, if the system is behaving appropriately, please do the following:
  • Go to Start > All Programs > Accessories > System Tools
  • Right click on Disk Cleanup and choose Run as Administrator.
  • Select Local C: Drive.
  • Click OK.
  • Allow time for Disk Cleanup to calculate how much space will you will be able to free.
  • Click on the More Options tab.
  • Under System Restore and Shadow Copies click on Clean up... > Delete > Delete Files
  • The window should close once finished.
The above will clean out all but the Restore Point we created.

Keep me informed as to how the system is behaving. Must head off the work now. Should be back before 7pm this evening.

Have a nice day!
Donna :)
  • 0

#36
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

All but two items cleaned

 

Posting log

C:\Users\All Users\RogueKiller\Quarantine\306D986739755FB3.reg Win32/Poweliks.C trojan 
C:\Users\All Users\RogueKiller\Quarantine\38CFD41A325EEFAB.reg Win32/Poweliks.C trojan 
C:\Users\All Users\RogueKiller\Quarantine\763A068E9E255E7A.reg Win32/Poweliks.C trojan 
C:\Users\All Users\RogueKiller\Quarantine\879E5569F2B83875.vir a variant of Win32/Kryptik.CPAH trojan 
C:\Users\All Users\RyMMiLto\dat\rFBLfkuqsTj.dll a variant of MSIL/Adware.PullUpdate.C application 
C:\Users\All Users\RyMMiLto\dat\yOefCIVAJW.dll a variant of MSIL/Adware.PullUpdate.C application 
C:\DirectControl.exe Win32/AdWare.Loadshop.H application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\MyOSProtect.dll.vir Win32/Adware.Loadshop.C application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\MyOSProtect64.dll.vir Win64/Adware.Loadshop.C application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\PCProxyDLL.dll.vir a variant of Win32/AdWare.Loadshop.A application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\pcwtc64f.sys.vir Win64/Adware.Loadshop.D application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\pcwtc64r.sys.vir Win64/Adware.Loadshop.E application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\postcollect.exe.vir Win32/AdWare.Loadshop.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\precollect.exe.vir Win32/AdWare.Loadshop.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\uninstaller.exe.vir Win32/AdWare.Loadshop.H application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\uninstallhelper.exe.vir Win32/AdWare.Loadshop.H application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Protect\WDCertInstaller.dll.vir Win32/Adware.Loadshop.F application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Chilson\AppData\Local\Search Extensions\Client.exe.vir a variant of MSIL/Adware.iBryte.I application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Windows\system32\MyOSProtect.dll.vir Win32/Adware.Loadshop.C application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Windows\system32\roboot.exe.vir a variant of Win32/Systweak.A potentially unwanted application deleted - quarantined
C:\FRST\Quarantine\C\Program Files\Windows Optimizer\v7\optimizer.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files\Windows Optimizer\v7\powermgr.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files\Windows Optimizer\v7\vmnet.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\ProgramData\Optimizer\program\newver_95259_1.6.4.0.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\ProgramData\YaqapIhewa\YaqapIhewa.dat a variant of Win32/Kryptik.CPMR trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Chilson\AppData\Local\LogMeIn Rescue Applet\Yhkuaop(129).dll Win32/TrojanDownloader.Tracur.AM trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Chilson\AppData\Local\LogMeIn Rescue Applet\Yhkuaop.dll Win32/TrojanDownloader.Tracur.AM trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Chilson\Downloads\DownloadFileSetup_52HFn.exe.xBAD a variant of Win32/bmMedia.DY potentially unwanted application deleted - quarantined
C:\Program Files\Adware-Removal-Tool\ARTP3.exe MSIL/FakeTool.PS trojan cleaned by deleting - quarantined
C:\Program Files\HP\HP Software Update\jucheck.exe a variant of Win32/Kelihos.G trojan cleaned by deleting - quarantined
C:\Program Files\HP\HP Software Update\lucoms.exe a variant of Win32/Kelihos.G trojan cleaned by deleting - quarantined
C:\Program Files\YouTube Downloader Services\avasts.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\Program Files\YouTube Downloader Services\powermgr.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\Program Files\YouTube Downloader Services\vmnet.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\Program Files\YouTube Downloader Services\youtubeserv.exe a variant of Win32/Agent.WMC trojan cleaned by deleting - quarantined
C:\ProgramData\RogueKiller\Quarantine\306D986739755FB3.reg Win32/Poweliks.C trojan cleaned by deleting - quarantined
C:\ProgramData\RogueKiller\Quarantine\38CFD41A325EEFAB.reg Win32/Poweliks.C trojan cleaned by deleting - quarantined
C:\ProgramData\RogueKiller\Quarantine\763A068E9E255E7A.reg Win32/Poweliks.C trojan cleaned by deleting - quarantined
C:\ProgramData\RogueKiller\Quarantine\879E5569F2B83875.vir a variant of Win32/Kryptik.CPAH trojan cleaned by deleting - quarantined
C:\ProgramData\RyMMiLto\dat\rFBLfkuqsTj.dll a variant of MSIL/Adware.PullUpdate.C application cleaned by deleting - quarantined
C:\ProgramData\RyMMiLto\dat\yOefCIVAJW.dll a variant of MSIL/Adware.PullUpdate.C application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\Main\bin\CltMngSvc.exe.vir a variant of Win32/Conduit.SearchProtect.H potentially unwanted application deleted - quarantined
C:\Qoobox\Quarantine\C\Users\Chilson\AppData\Local\nsi9EAA.tmp.vir Win32/AnyProtect.F potentially unwanted application deleted - quarantined
C:\Qoobox\Quarantine\C\Users\Chilson\AppData\Local\nsjFB89.tmp.vir Win32/AnyProtect.F potentially unwanted application deleted - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0000\svc0000\tsk0000.dta a variant of Win32/AdWare.Adpeak.J application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0001\svc0000\tsk0000.dta Win32/Adware.Loadshop.D application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0002\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0004\file0000\tsk0000.dta Win32/AdWare.FUPM.A application deleted - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0005\file0000\tsk0000.dta Win32/AdWare.FUPM.A application deleted - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0006\svc0000\tsk0000.dta a variant of Win32/AdWare.Adpeak.J application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0007\svc0000\tsk0000.dta Win32/Adware.Loadshop.D application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0008\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0010\file0000\tsk0000.dta Win32/AdWare.FUPM.A application deleted - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\susp0011\file0000\tsk0000.dta Win32/AdWare.FUPM.A application deleted - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\uds0000\file0000\tsk0000.dta Win32/Kovter.A trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.44.19\uds0001\file0000\tsk0000.dta Win32/Kovter.A trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0000\svc0000\tsk0000.dta a variant of Win32/AdWare.Adpeak.J application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0002\svc0000\tsk0000.dta Win32/Adware.Loadshop.D application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0004\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0010\file0000\tsk0000.dta Win32/AdWare.FUPM.A application deleted - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0011\file0000\tsk0000.dta Win32/AdWare.FUPM.A application deleted - quarantined
C:\TDSSKiller_Quarantine\06.11.2014_03.59.01\susp0014\file0000\tsk0000.dta Win32/Kovter.A trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\07.11.2014_00.50.36\susp0002\svc0000\tsk0000.dta Win32/Adware.Loadshop.D application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\07.11.2014_00.50.36\susp0003\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\07.11.2014_01.09.33\susp0002\svc0000\tsk0000.dta Win32/Adware.Loadshop.D application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\07.11.2014_01.09.33\susp0003\svc0000\tsk0000.dta Win32/AdWare.Loadshop.E application cleaned by deleting - quarantined
C:\Users\Chilson\AppData\Roaming\Opera Software\Opera Stable\Extensions\ljefoakgfhcoeobgicjgejglnpfpemgb\1.26.45_0\extensionData\plugins\91.js JS/Toolbar.Crossrider.B potentially unwanted application deleted - quarantined
 


  • 0

#37
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

Here are the two I show not cleaned

 

C:\Users\All Users\RyMMiLto\dat\rFBLfkuqsTj.dll a variant of MSIL/Adware.PullUpdate.C application
C:\Users\All Users\RyMMiLto\dat\yOefCIVAJW.dll a variant of MSIL/Adware.PullUpdate.C application

 

Hope you don't mind but I am going to try adwcleaner (updated this time) to see if I can get them before I make the restore point and do security check


  • 0

#38
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,498 posts
Hi John,

Hang on a moment. I can create an FRST fix to remove those, though I want to learn more about the RyMMiLto folder. I have no idea where that came from and have asked a fellow associate to have a look. I want to make sure it is safe to remove that folder in our next fix.
  • 0

#39
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

Ok Security Check Log

 

 Results of screen317's Security Check version 0.99.89 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
avast! Antivirus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner    
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
 windows defender MpCmdRun.exe  
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast ng ngtool.exe
 AVAST Software Avast avastUi.exe 
 AVAST Software Avast ng vbox\AvastVBoxSVC.exe
 AVAST Software Avast ng ngtool.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 


  • 0

#40
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

The computer is defintely better but it appears we still have work to do.  Note the bottom of this log.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Protection, 11/12/2014 12:01:43 AM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Starting,
Protection, 11/12/2014 12:01:43 AM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Started,
Protection, 11/12/2014 12:01:43 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Starting,
Update, 11/12/2014 12:01:45 AM, SYSTEM, CHILSON-PC, Manual, Rootkit Database, 2014.11.8.1, 2014.11.11.1,
Protection, 11/12/2014 12:01:46 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Started,
Update, 11/12/2014 12:01:48 AM, SYSTEM, CHILSON-PC, Manual, Malware Database, 2014.11.9.1, 2014.11.12.5,
Protection, 11/12/2014 12:01:48 AM, SYSTEM, CHILSON-PC, Protection, Refresh, Starting,
Protection, 11/12/2014 12:01:48 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Stopping,
Protection, 11/12/2014 12:01:49 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Stopped,
Protection, 11/12/2014 12:01:59 AM, SYSTEM, CHILSON-PC, Protection, Refresh, Success,
Protection, 11/12/2014 12:01:59 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Starting,
Protection, 11/12/2014 12:01:59 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Started,
Protection, 11/12/2014 11:36:30 AM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Starting,
Protection, 11/12/2014 11:36:30 AM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Started,
Protection, 11/12/2014 11:36:30 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Starting,
Protection, 11/12/2014 11:36:51 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Started,
Protection, 11/12/2014 11:44:19 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Stopping,
Protection, 11/12/2014 11:44:19 AM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Stopped,
Protection, 11/12/2014 11:44:19 AM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Stopping,
Protection, 11/12/2014 11:44:20 AM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Stopped,
Protection, 11/12/2014 12:08:07 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Starting,
Protection, 11/12/2014 12:08:08 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Started,
Protection, 11/12/2014 12:08:08 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Starting,
Protection, 11/12/2014 12:08:12 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Started,
Protection, 11/12/2014 12:31:55 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Stopping,
Protection, 11/12/2014 12:31:56 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Stopped,
Protection, 11/12/2014 12:31:56 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Stopping,
Protection, 11/12/2014 12:33:14 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Stopped,
Protection, 11/12/2014 5:53:11 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Starting,
Protection, 11/12/2014 5:53:11 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Started,
Protection, 11/12/2014 5:53:11 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Starting,
Protection, 11/12/2014 5:53:15 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Started,
Protection, 11/12/2014 5:59:54 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Starting,
Protection, 11/12/2014 5:59:54 PM, SYSTEM, CHILSON-PC, Protection, Malware Protection, Started,
Protection, 11/12/2014 5:59:55 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Starting,
Protection, 11/12/2014 6:00:10 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, Started,
Detection, 11/12/2014 6:26:43 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, IP, 68.71.58.34, kickass.to, 0, Outbound,
Detection, 11/12/2014 6:26:44 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, IP, 119.145.147.181, mama.cn, 0, Outbound,
Detection, 11/12/2014 6:26:44 PM, SYSTEM, CHILSON-PC, Protection, Malicious Website Protection, IP, 5.150.195.167, 0427d7.se, 0, Outbound,

(end)

 

I watched Malwarebytes protect against three outboud attemps, I was not doing anything particular at that time, only had IE open to geekstogo at the time.

 

I created the Restore Point, Loaded Avast, and ran the Security Check.

 

Awaiting further instructions on whether you want to do something before I run cleanup. 


  • 0

Advertisements


#41
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,498 posts
Yes. Hold on a minute please. :)
  • 0

#42
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,498 posts
John,

Open Malwarebytes and go to History tab > Application Logs and double click on the scan log. Please post that log, not the protection log.
  • 0

#43
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

Holding


  • 0

#44
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

Ok popped back over to the PC we are cleaning to see Malwarebytes being closed by windows.  Data Error Prevention


  • 0

#45
The_Omni

The_Omni

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

OK last scan log is from the 9th

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/9/2014
Scan Time: 9:24:36 PM
Logfile: Malwarebytes scan log 11-9.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.09.01
Rootkit Database: v2014.11.08.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Chilson

Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 45010
Time Elapsed: 8 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


  • 0






Similar Topics


Also tagged with one or more of these keywords: Trojans, PUPS, POWERLIKS, ReDirects, Multiple Chrome Instances, Powerliks, Rogues, PUPs, Bogus Chrome Instances

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP