Need Help exterminating malware

Tagged: malware

This topic is locked

#16 danaS (Member, Topic Starter, 22 posts)

Have a good night. Thank you!

here you go:

 

# AdwCleaner v4.101 - Report created 18/11/2014 at 02:09:39
# Updated 09/11/2014 by Xplode
# Database : 2014-11-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : dana - DANA-HP
# Running from : C:\Users\dana\Desktop\adwcleaner_4.101.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Program Files\Uninstaller
Folder Deleted : C:\Users\dana\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\dana\AppData\Roaming\Strongvault

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKCU\Software\5aed8dcb23fb913
Key Deleted : HKLM\SOFTWARE\5aed8dcb23fb913
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3294791
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\hdcode
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Mozilla Firefox v33.1.1 (x86 en-US)


*************************

AdwCleaner[R0].txt - [2804 octets] - [18/11/2014 02:05:52]
AdwCleaner[S0].txt - [2537 octets] - [18/11/2014 02:09:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2597 octets] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Home Premium x64
Ran by dana on Tue 11/18/2014 at  2:17:07.97
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders

Failed to delete: [Folder] "C:\Users\dana\appdata\local\stronghold_llc"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Successfully deleted: [Empty Folder] C:\Users\dana\appdata\local\{EC09D5B7-B128-4C08-A75D-BCA3606E1553}



~~~ FireFox

Emptied folder: C:\Users\dana\AppData\Roaming\mozilla\firefox\profiles\zyvja53k.default\minidumps [3 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/18/2014 at  2:23:29.52
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


 




#17 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
Hello,

1 item to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
 
start
Toolbar: HKU\S-1-5-21-828731352-3248154003-1989366028-1005 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File

Emptytemp:
reboot:
end

Click Format and ensure Word Wrap is unchecked.
Save as Fixlist.txt to your Desktop (it must be in this location).
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

You don't need to post the Fixlog.txt or a new FRST log

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.


Next

**This scan may take an hour or more, so be prepared for that. Start the scan and go do something else. This scan will list files that are already quarantined, so don't be alarmed if the scan seems to find a lot of bad items; this scan may list things that are not bad too.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed anti-virus; how to do so can be read here.
  • Please go >>HERE<< then click on the button shown [image: ESET1st.jpg].

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on the downloaded installer's icon [image: ESETexe.jpg] to install.

    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use, then click on the button shown [image: ESETsave.jpg].
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button shown [image: EOLS3.gif].
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, make sure you first copy the logfile located at C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt.
  • Copy and paste that log as a reply to this topic.
  • Now click on the button shown [image: EOLS4.gif].
    (Selecting Uninstall application on close if you so wish)
In your next reply post:

The ESET Scan results.

#18 danaS (Member, Topic Starter, 22 posts)

Can not get update. Is proxy configured?

 

I'm not running a proxy, please advise.  thank you!



#19 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
Hello,

I have no clue. What browser are you using for ESET?

Joe

#20 danaS (Member, Topic Starter, 22 posts)

At first Firefox, and I downloaded the tool; then when I got the error, I switched to IE, but I still got the error. Should I try Chrome?



#21 danaS (Member, Topic Starter, 22 posts)

Hi Joe,

I've also looked in the browser settings to see if there was something I could change, but I'm lost here too. :(



#22 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
It's a Firefox issue that I can see.

Found info to change Firefox proxy setting from Use System Proxy to No Proxy.


Is there any way you can just use Internet Explorer to do ESET?

#23 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
Try running this,

Please download MiniToolBox http://download.blee...MiniToolBox.exe and run it.

Checkmark following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings

    Click Go and post the result.

    After you do that, run ESET again.




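Joe's two steps above (report the Firefox proxy settings, then reset them to No Proxy) come down to a handful of network.proxy.* entries in the profile's prefs.js. The Python below is an added example written for this page, not code from MiniToolBox, Mozilla or anyone in the thread: it parses user_pref lines, reports the effective proxy mode (Firefox treats a missing network.proxy.type as 5, "use system proxy settings"), lists where traffic is being routed, and produces a reset that keeps every other preference intact. The sample prefs.js is constructed; the 127.0.0.1:8080 proxy in it is a made-up illustration of what a hijacked profile looks like, not something from Dana's machine.

```python
import json
import re
from typing import Any, Dict

# One preference per line: user_pref("name", value);  value is a JS literal
# (quoted string, integer or true/false), all of which json.loads accepts.
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Meaning of network.proxy.type as Firefox defines it.
PROXY_TYPES = {
    0: "no proxy",
    1: "manual proxy configuration",
    2: "automatic proxy configuration URL (PAC)",
    4: "auto-detect proxy settings (WPAD)",
    5: "use system proxy settings",
}
DEFAULT_TYPE = 5  # what Firefox assumes when the pref is absent from prefs.js

# Constructed sample profile; the loopback proxy is a made-up hijack, not real data.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
'''


def parse_prefs(text: str) -> Dict[str, Any]:
    """Turn prefs.js text into a dict; comments and blank lines are skipped."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        try:
            prefs[m.group(1)] = json.loads(m.group(2))
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep anything exotic verbatim
    return prefs


def report_proxy(prefs: Dict[str, Any]) -> Dict[str, Any]:
    """The 'Report FF Proxy Settings' step: mode plus every route traffic takes."""
    ptype = prefs.get("network.proxy.type", DEFAULT_TYPE)
    report = {"type": ptype, "mode": PROXY_TYPES.get(ptype, "unknown"), "routes": []}
    if ptype == 1:
        for proto in ("http", "ssl", "socks", "ftp"):
            host = prefs.get("network.proxy.%s" % proto)
            if host:
                port = prefs.get("network.proxy.%s_port" % proto)
                report["routes"].append("%s -> %s:%s" % (proto, host, port))
    elif ptype == 2:
        report["routes"].append("PAC -> %s" % prefs.get("network.proxy.autoconfig_url"))
    return report


def reset_proxy(prefs: Dict[str, Any]) -> Dict[str, Any]:
    """The 'Reset FF Proxy Settings' step: drop all network.proxy.* and pin type 0 (No Proxy)."""
    cleaned = {k: v for k, v in prefs.items() if not k.startswith("network.proxy.")}
    cleaned["network.proxy.type"] = 0
    return cleaned


def render_prefs(prefs: Dict[str, Any]) -> str:
    """Write the dict back in prefs.js syntax."""
    return "".join('user_pref("%s", %s);\n' % (k, json.dumps(v)) for k, v in sorted(prefs.items()))


if __name__ == "__main__":
    before = parse_prefs(SAMPLE_PREFS)
    print("before:", report_proxy(before))
    after = reset_proxy(before)
    print("after: ", report_proxy(after))
    print(render_prefs(after))
```

Firefox rewrites prefs.js when it exits, so any edit like this only sticks if the browser is fully closed first; that is also why a tool such as MiniToolBox asks you to close Firefox before resetting. A manual proxy pointing at the local machine or an unfamiliar host is the thing to look for in the report: that is how a browser ends up unable to reach an update server while the user insists no proxy was ever configured.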

#24 danaS (Member, Topic Starter, 22 posts)

ok, will do now.



#25 danaS (Member, Topic Starter, 22 posts)

It's downloading. I discovered some other things running in the system tray, like VNC; I closed out a few things, and bingo, it's downloading... stay tuned.




#26 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
That scan may take a very long time :(

Joe

#27 danaS (Member, Topic Starter, 22 posts)

Yes, took some time.

 

[email protected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=12
esets_scanner_update returned -1 esets_gle=41217
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=41217
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
[email protected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=12
esets_scanner_update returned -1 esets_gle=12
[email protected] as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=0df5e1f632919e46b2714dcbe7e623fb
# engine=21173
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-11-20 06:23:30
# local_time=2014-11-20 01:23:30 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Trend Micro Security Agent'
# compatibility_mode=519 16777213 100 94 6268942 121483740 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 0 168008060 0 0
# scanned=239716
# found=4
# cleaned=0
# scan_time=10904
sh=CD2AFA2CF6487913DD376823B58974241A5B5A97 ft=0 fh=0000000000000000 vn="Win32/Reveton.J trojan" ac=I fn="C:\FRST\Quarantine\C\Users\dana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk.xBAD"
sh=3C873503186E55BD9F7254858387B8DB9ACDF950 ft=1 fh=1959fefaa92f8a21 vn="a variant of Win32/SecurityXploded.A potentially unsafe application" ac=I fn="C:\Users\dana\Desktop\BrowserHistorySpy\BrowserHistorySpy\Setup_BrowserHistorySpy.exe"
sh=BB5F7FFC19F94FC8B7DBC0CD7DE10FF80122A8CF ft=1 fh=5ff1b51ef44b40c1 vn="Win32/Systweak.K potentially unwanted application" ac=I fn="C:\Users\dana\Downloads\setup.exe"
sh=866172901EE08DB16F56B079BC81F6618C6A6850 ft=1 fh=3052f419833e2815 vn="Win32/DownloadAdmin.G potentially unwanted application" ac=I fn="C:\Users\dana\Downloads\tightvnc-setup.exe"
 



#28 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
Hello,

The line below is from the ESET scan. As you can see, we (that is, FRST) quarantined it, so it's gone.

Win32/Reveton.J trojan" ac=I fn="C:\FRST\Quarantine\C\Users\dana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk.xBAD"


Here's what it was:
Trojan:W32/Reveton is a ransomware application. It fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' must be paid to restore normal access.

That's why I asked you if you were ever infected before. When that Trojan W32/Reveton gets on the machine it usually locks the machine and demands $300.00 to get your machine unlocked. Sometimes we call it the FBI Virus. Kind of strange the Trojan was there, but you did not have the symptoms. Glad it's gone.

Let's get rid of the other 3 files ESET found like this:

delete files
  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    rem These three targets are files, so del is the right command (rd /s /q only removes directories).
    del /f /q "C:\Users\dana\Downloads\tightvnc-setup.exe"
    del /f /q "C:\Users\dana\Downloads\setup.exe"
    del /f /q "C:\Users\dana\Desktop\BrowserHistorySpy\BrowserHistorySpy\Setup_BrowserHistorySpy.exe"
    rem Finally remove this batch file itself.
    del "%~f0"

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: [image: batfileicon.gif] <-- XP; [image: vista_bat_icon.png] <-- Vista, Win 7
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.
Let me know when that is done. If there are no more symptoms we are done and we will clean up, I'll show you how.

Thanks
Joe :)
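The four ESET detections in the log above split exactly the way Joe reads them: one hit that is already inside FRST's quarantine (note the .xBAD rename under C:\FRST\Quarantine) and three live files that still need deleting. The Python below is an added example for this page, not part of the thread and not ESET or FRST tooling: it parses ESET Online Scanner detection lines, cross-checks them against the "# found=" header, separates quarantined hits from files still on disk, and emits the delete batch for the live ones only, using del rather than rd because the targets are files. The sample log is rebuilt from the post; C:\FRST\Quarantine comes from the log itself, while the AdwCleaner quarantine path is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Key=value tokens as ESET Online Scanner writes them: bare (sh=, ft=, fh=, ac=)
# or double-quoted when the value may contain spaces (vn=, fn=).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HDR_RE = re.compile(r'^#\s*(\w+)=(.*)$')

# C:\FRST\Quarantine appears in the log above. The AdwCleaner path is an
# assumption based on where that tool keeps its quarantine; adjust per tool.
QUARANTINE_ROOTS = (r"C:\FRST\Quarantine", r"C:\AdwCleaner\Quarantine")

# Constructed sample: header lines plus the four detection lines from the post.
SAMPLE_LOG = r'''# remove_checked=false
# found=4
# cleaned=0
sh=CD2AFA2CF6487913DD376823B58974241A5B5A97 ft=0 fh=0000000000000000 vn="Win32/Reveton.J trojan" ac=I fn="C:\FRST\Quarantine\C\Users\dana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk.xBAD"
sh=3C873503186E55BD9F7254858387B8DB9ACDF950 ft=1 fh=1959fefaa92f8a21 vn="a variant of Win32/SecurityXploded.A potentially unsafe application" ac=I fn="C:\Users\dana\Desktop\BrowserHistorySpy\BrowserHistorySpy\Setup_BrowserHistorySpy.exe"
sh=BB5F7FFC19F94FC8B7DBC0CD7DE10FF80122A8CF ft=1 fh=5ff1b51ef44b40c1 vn="Win32/Systweak.K potentially unwanted application" ac=I fn="C:\Users\dana\Downloads\setup.exe"
sh=866172901EE08DB16F56B079BC81F6618C6A6850 ft=1 fh=3052f419833e2815 vn="Win32/DownloadAdmin.G potentially unwanted application" ac=I fn="C:\Users\dana\Downloads\tightvnc-setup.exe"
'''


@dataclass
class Finding:
    sha1: str   # sh=
    name: str   # vn= detection name
    path: str   # fn= file path

    @property
    def quarantined(self) -> bool:
        low = self.path.lower()
        return any(low.startswith(root.lower() + "\\") for root in QUARANTINE_ROOTS)

    @property
    def category(self) -> str:
        n = self.name.lower()
        return "pua" if ("potentially unwanted" in n or "potentially unsafe" in n) else "malware"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    """Return the '# key=value' header and one Finding per 'sh=' detection line."""
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        if not line.startswith("sh="):
            continue  # downloader chatter such as 'esets_scanner_update returned -1'
        kv: Dict[str, str] = {}
        for t in KV_RE.finditer(line):
            kv[t.group(1)] = t.group(2) if t.group(2) is not None else t.group(3)
        findings.append(Finding(kv["sh"], kv["vn"], kv["fn"]))
    # The header's own count is the sanity check that no line was lost in copy/paste.
    if "found" in header and int(header["found"]) != len(findings):
        raise ValueError("header says found=%s, parsed %d lines" % (header["found"], len(findings)))
    return header, findings


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split detections into (still on disk, already quarantined)."""
    live = [f for f in findings if not f.quarantined]
    done = [f for f in findings if f.quarantined]
    return live, done


def delete_script(findings: List[Finding]) -> str:
    """Batch file deleting only the live hits; del, not rd, because they are files."""
    lines = ["@echo off"]
    lines += ['del /f /q "%s"' % f.path for f in findings if not f.quarantined]
    lines.append('del "%~f0"')  # the script removes itself last
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    hdr, found = parse_eset_log(SAMPLE_LOG)
    live, done = triage(found)
    for f in done:
        print("already quarantined:", f.category, f.name, f.path)
    for f in live:
        print("still on disk:     ", f.category, f.name, f.path)
    print(delete_script(found))
```

The quarantined/live split is the same judgement Joe makes by eye: a hit whose path sits under a removal tool's quarantine folder has already been neutralised (FRST renamed it to .xBAD and moved it), so it should not be "deleted" again, while anything still under the user's profile is a real file to remove. The PUA/malware label is taken from ESET's own wording in vn=, which is why the Reveton hit is the only one classed as malware.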

#29 danaS (Member, Topic Starter, 22 posts)

OK, done. That was cool.

 

I did look up Trojan:W32/Reveton last night and saw the ransom issue. What's strange, I do recall having some files locked, but was never contacted by the FBI. I went through a mini battle with permissions (CREATED USER had them) and I'm not really sure what I did, but I was determined and at the time I felt like I won. Afterwards, I began noticing other symptoms and sought assistance.

 

Is tightVNC bad?  I think we use it at the office.  Is there a safe VNC to use?

 

Let me know what's next, I appreciate everything!

Best, Dana



#30 danaS (Member, Topic Starter, 22 posts)

There actually are 3 folders that are locked: My Music, My Pictures, My Videos... however, I doubt there was anything in there. But it's irritating that I don't have control.







