HP? Driver Support Malware



#16 prousse1 (Member, Topic Starter, 19 posts)

Posting things as I run them. Interested in your thoughts.

 

Super AntiSpyware log. Threats detected, including mostly adware cookies but also one classified as a Trojan. I did not set the HOSTS file as excluded from the scan per the suggestions from that "How Did I Get Infected in the First Place" article, so some of the cookies might be stemming from it, but the PUP and Trojan shouldn't be. Any thoughts on it, or do you think SAS cleaned it up well enough?

 

I am attaching the SAS log instead of copying and pasting it. I tried to copy and paste but got a message when trying to submit the post saying the post is too long.

 

Attached Files


  • 0



#17 RKinner (Malware Expert, MVP, 20,010 posts)

Wasn't active anyway.  Probably leftover from a previous infection if it is really malware.  You can submit C:\USERS\PROUSSELLE\APPDATA\ROAMING\FACEBOOK\UNINSTALL.EXE to virustotal.com and see what they say about it.


  • 0

#18 RKinner (Malware Expert, MVP, 20,010 posts)

Since you are still working on it let's do some non-malware checks:

 

Get the free version of Speccy:
 
http://www.filehippo...download_speccy (Look in the upper right for the Download Latest Version button - Do NOT press the large Start Download button on the upper left!)  Download, Save and Install it.
 
Close all browsers and open programs before running Speccy.  Run Speccy.  When it finishes (the little icon in the bottom left will stop moving), File, Save as Text File (to your desktop); note the name it gives.  OK.  Open the file in Notepad and delete the line that gives the serial number of your Operating System.  (It will be near the top, about 10 lines down.)  Save the file and close Notepad.  Attach the file to your next post as it is usually too large for the forum (Click on More Reply Options then Choose file, select the file, Open, Attach this File).  Uninstall Speccy.
 
 
I use this to check to make sure it is not overheating and that the hard drive is not about to fail.
 
 
Then let's check for errors:
 
 
Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.
 
Reboot. 
 
Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).
sfc  /scannow
 
(This will check your critical system files. Does this finish without complaint?  IF it says it couldn't fix everything then:
 
Copy the next two lines:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt 
notepad \windows\logs\cbs\junk.txt 
 
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter.  Copy and paste the text from Notepad or, if it is too big, just attach the file.)  (Vista always seems to have a few errors here so don't panic.)
 
 
1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.
 
(The second time you run VEW it will overwrite the first log, so copy it to a reply or rename it first.)
 

  • 0
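As an added example (not RKinner's code or part of the original thread), the SFC and VEW steps above can be done from one elevated PowerShell prompt on Windows 8 or later: it pulls the [SR] lines out of CBS.log the way the findstr command does and lists the last 20 Error and Warning events from the System and Application logs. The "Cannot repair member file" and "Repairing corrupted file" wording it matches is the usual SFC phrasing and is assumed here, as is the default CBS.log location.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell prompt
# (CBS.log is only readable by administrators). Windows 8+ / PowerShell 3+.
param(
    [string]$CbsLog    = "$env:SystemRoot\Logs\CBS\CBS.log",
    [int]   $MaxEvents = 20
)

# Equivalent of:  findstr /c:"[SR]" \windows\logs\cbs\cbs.log
# but summarised: how many [SR] lines, how many files SFC repaired, and the
# "Cannot repair" lines that mean sfc /scannow could not fix everything.
function Get-SfcRepairSummary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return "CBS.log not found at $Path (run sfc /scannow first)."
    }
    # -SimpleMatch: treat [SR] literally rather than as a regex character class.
    $sr = @(Select-String -LiteralPath $Path -Pattern '[SR]' -SimpleMatch |
            ForEach-Object { $_.Line })
    # Typical SFC wording (assumed): "Cannot repair member file" for failures,
    # "Repairing corrupted file" / "Repaired file" for successful repairs.
    $unfixable = @($sr | Where-Object { $_ -match 'Cannot repair member file' })
    $repaired  = @($sr | Where-Object { $_ -match 'Repairing corrupted file|Repaired file' })
    $verdict = if ($unfixable.Count) {
        'SFC could not fix everything; DISM /Online /Cleanup-Image /RestoreHealth is the next step'
    } else { 'No unrepairable files reported' }
    [pscustomobject]@{
        SrLines   = $sr.Count
        Repaired  = $repaired.Count
        Unfixable = $unfixable.Count
        Verdict   = $verdict
        Details   = $unfixable | Select-Object -Unique
    }
}

# VEW equivalent: newest $Max Error (Level 2) and Warning (Level 3) events
# from one log, sorted oldest-first so they read like the VEW output.
function Get-RecentProblems {
    param([string]$LogName, [int]$Max = 20)
    $filter = @{ LogName = $LogName; Level = 2, 3 }   # 2 = Error, 3 = Warning
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LevelDisplayName, Id, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-SfcRepairSummary -Path $CbsLog | Format-List
foreach ($log in 'System', 'Application') {
    "`n=== $log log: last $MaxEvents errors/warnings ==="
    Get-RecentProblems -LogName $log -Max $MaxEvents | Format-Table -AutoSize -Wrap
}
```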

#19 prousse1 (Member, Topic Starter, 19 posts)

Quote:

  You can submit C:\USERS\PROUSSELLE\APPDATA\ROAMING\FACEBOOK\UNINSTALL.EXE to virustotal.com and see what they say about it.

 

Curious... why would Facebook have its own file folder on the computer anyway? Isn't everything on Facebook stored on the Facebook servers? What does it need from local resources?

The file is no longer there to submit. I imagine SuperAntiSpyware probably removed it. MBAM also found several items for a ShopAtHome toolbar, which were noted in the SAS scan as well. Reading another article gave suggestions for removing it. I am not certain that there is anything left for me to remove, but will follow these if I continue to see signs of it on the computer.

 

Downloading and working on the items you requested now. Will post those results as soon as possible.

 

 

MBAM Log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/23/2015
Scan Time: 4:44:26 PM
Logfile: MBAMLog.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.10.23.06
Rootkit Database: v2015.10.23.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: prousse1

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 699699
Time Elapsed: 1 hr, 13 min, 15 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 18
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\LocalLow\ShopAtHome\Temp\{311B58DC-A4DC-4B04-B1B5-60299AD3D803}\ClearHist.exe, , [80e2b5a5d8b31323419ca6ae4bb958a8],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\LocalLow\ShopAtHome\Temp\{311B58DC-A4DC-4B04-B1B5-60299AD3D803}\IE8GuardWorkaround.exe, , [1151aeac018a1b1b88550b49cf3530d0],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\LocalLow\ShopAtHome\Temp\{311B58DC-A4DC-4B04-B1B5-60299AD3D803}\TbHelper2.exe, , [125099c1b5d6ca6c64794014798bdc24],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\LocalLow\ShopAtHome\Temp\{311B58DC-A4DC-4B04-B1B5-60299AD3D803}\uninstall.exe, , [d58d61f97a11e6506e6f7cd89c686799],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\LocalLow\ShopAtHome\Temp\{311B58DC-A4DC-4B04-B1B5-60299AD3D803}\update.exe, , [0d55fc5e5d2e8caabe1f69ebb2520ff1],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\Exec.exe, , [4d150f4ba6e586b06f6e3f15da2a3dc3],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\HttpHandle302.dll, , [6002540645460135954889cb818335cb],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelperPS.dll, , [b1b10258ee9ddb5b538aec68fa0a49b7],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe, , [cb97fc5e7f0c2214409d0153986cd927],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\ClearHist.exe, , [adb563f7fd8e41f59647b99b4cb80df3],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\IE8GuardWorkaround.exe, , [76ec47131378d660f3eacc88996b1ae6],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\SAHPlugin.dll, , [83df15451c6fd264b12ccb890400dd23],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\TbCommonUtils.dll, , [540e401a98f3f1459b420450dc28758b],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll, , [580a5109305bf4426a73aba916ee629e],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbhelper.dll, , [cb97c595dcaf61d5fde02b29ec1820e0],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\TbHelper2.exe, , [e1811644b1da2016b32a292b2fd5926e],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\uninstall.exe, , [105287d335566ccaa439b3a17292b44c],
PUP.Optional.ShopAtHome, C:\Users\prousselle\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\update.exe, , [164c8ad0a8e3b58194495cf8b054659b],

Physical Sectors: 0
(No malicious items detected)

(end)


  • 0

#20 RKinner (Malware Expert, MVP, 20,010 posts)

PUP.Optional.ShopAtHome

 

 

This is the same PUP that SAS was complaining about.  Are you not allowed to remove it?


  • 0

#21 prousse1 (Member, Topic Starter, 19 posts)

I noticed that as well. I thought SAS had removed it. Perhaps it only removed the exe and left the other files? MBAM seemed to remove it as well. Neither gave any errors saying they could not remove them. They did both require a reboot to finish removing files.

 

I noticed that, for the Trojan file it found in a Facebook directory, it removed the .exe but the directory was still there.

 

There is not an entry for ShopAtHome in Revo or in the regular Add/Remove Programs in the Control Panel. I ran the uninstall.exe that was in the ShopAtHome directory and it appeared to uninstall it. All files in the directory disappeared after running the uninstall except for an install.log. I deleted the directory as well as another directory from the LocalLow folders then emptied recycling bin. It is odd that they didn't show up in the add/remove programs.


  • 0

#22 prousse1 (Member, Topic Starter, 19 posts)

Alrighty. I have some goodies for you. Well... by goodies I mean logs...

 

 

Speccy Log is attached. I removed the serial number.

SFCLog attached.

 

Next, the two VEW logs:

 

System:

 

Vino's Event Viewer v01c run on Windows 7 in English
Report run at 23/10/2015 10:37:53 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 24/10/2015 3:36:16 AM
Type: Error Category: 1012
Event: 1012 Source: Microsoft-Windows-DNS-Client
There was an error while attempting to read the local hosts file.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Application:

 

Vino's Event Viewer v01c run on Windows 7 in English
Report run at 23/10/2015 10:38:55 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Attached Files


  • 0

#23 prousse1 (Member, Topic Starter, 19 posts)

Apparently I forgot to actually attach the SFC log. Here it is.

Attached Files


  • 0

#24 RKinner (Malware Expert, MVP, 20,010 posts)

Looking good.  Temps are low.  Drive seems to be OK.  SFCLog just shows the usual Vista errors.  I don't like the event log entry:

 

Log: 'System' Date/Time: 24/10/2015 3:36:16 AM
Type: Error Category: 1012
Event: 1012 Source: Microsoft-Windows-DNS-Client
There was an error while attempting to read the local hosts file.

 

 

But it's easy to fix:

 

Download HostsXpert from http://www.majorgeek...hostsxpert.html  Save the file then right click and Extract All.  It will create a new folder in the same place.  In the folder find HostsXpert.exe and right click on it and Run As Administrator.
 
It will take a few seconds to appear.  If the top line in the left column says Make Writeable, click on it and it should change to Make Read Only?  If it already says Make Read Only? that's OK, just go on to the next step.
Now click on the left column entry that says: Restore MSHosts file.  Click on the Make Read Only? entry then close HostsXpert.

  • 0

#25 prousse1 (Member, Topic Starter, 19 posts)

That was caused by me. One of the pages I went to while trying to check on different things suggested using the HOSTS file as another layer of protection. I ran a script that was supposed to update the HOSTS file but instead deleted it.

 

Instructions were mentioned in a previous post earlier in this thread but can be found HERE.


  • 0



#26 prousse1 (Member, Topic Starter, 19 posts)

It is fixed now. I used HostsXpert to make the file read only.


  • 0
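An added example (not from the thread or from HostsXpert) that checks the state of the hosts file behind the DNS-Client event 1012 RKinner flagged above: whether it exists and is readable (a deleted or unreadable file is what produces 1012), whether it has been set read-only as in the post above, how many active entries it carries (RKinner's concern about oversized hosts files on Vista and later), and how often 1012 has fired in the last week. The 100-entry threshold is an assumed heuristic.

```powershell
# Added example, not part of the thread. Elevated PowerShell on Windows 7/8+.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-HostsFile {
    param([string]$Path)
    $r = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path) }
    if (-not $r['Exists']) {
        # The state this thread hit: a script deleted the file, so the DNS
        # client logs event 1012 each time it tries to read it.
        $r['Advice'] = 'Missing: restore the default hosts file (e.g. HostsXpert "Restore MSHosts file").'
        return [pscustomobject]$r
    }
    try {
        $lines = Get-Content -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Exists but unreadable (permissions, lock): also produces event 1012.
        $r['Advice'] = "Unreadable: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    $item = Get-Item -LiteralPath $Path
    # Active mappings are non-blank lines that are not comments.
    $active = @($lines | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') })
    $r['ReadOnly']      = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
    $r['SizeBytes']     = $item.Length
    $r['ActiveEntries'] = $active.Count
    # Assumed heuristic: a stock Windows hosts file has 0-2 active entries;
    # thousands of blocklist entries slow resolution on Vista and later.
    $r['Advice'] = if ($active.Count -gt 100) {
        'Large hosts file: trim it; use DNS-based filtering for blocklists instead.'
    } elseif (-not $r['ReadOnly']) {
        'Readable but writable: set it read-only so changes to it are deliberate.'
    } else { 'Looks normal.' }
    [pscustomobject]$r
}

# Event 1012 from Microsoft-Windows-DNS-Client = "There was an error while
# attempting to read the local hosts file". List occurrences in the last $Days days.
function Get-HostsReadErrors {
    param([int]$Days = 7)
    $filter = @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-DNS-Client'
        Id = 1012; StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

Test-HostsFile -Path $HostsPath | Format-List
$events = @(Get-HostsReadErrors -Days 7)
"DNS-Client event 1012 in the last 7 days: $($events.Count)"
$events | Format-Table -AutoSize
```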

#27 RKinner (Malware Expert, MVP, 20,010 posts)

I don't like filling the hosts file with entries.  Was OK in XP but slows things down in Vista & later.

 

After you update to 8.1 (and get all of the patches) you might try CryptoPrevent:

 

CryptoPrevent
 
 
The free version does not update itself on its own, but there shouldn't be a lot of changes so it should be fine.  Last time I installed it, it asked me if the system was clean; if yes, it would try not to impact existing programs.  If it causes problems you can just uninstall it the usual way.
 
Unchecky is another good program for careless users.  It claims to uncheck the optional software offers.  It was mentioned on the same page as delfix.  
 
I also like FileHippo's update checker.
 
To help keep your programs up-to-date you should download and run the UpdateChecker:
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it.  Exception is MSN Messenger which appears to be part of Windows.)
If you get a blocked program notice after installing UpdateChecker then change it to not run at start, then manually run it once a week.

Seems to work best if Firefox is the default browser.  Windows always hides its icon so you need to unhide it.  Click on the up arrow to the left of the clock.  Then click on Customize.  Maximize the window so you can see all of the options.  Scroll down and find the File Hippo UpdateChecker and change its Behaviors to Show Icon and Notifications.  OK.  When you reboot you should see the icon.  It will take it a minute to finish checking, then it will put up a bubble if you need to update something.  Click on the bubble and it should open in your browser.

(Seems to work best if it uses Firefox.  If you do not use Firefox as your default browser then right click on the icon and click on Settings.  Then on Results.  Change the Open Results in Default Browser to Custom Browser and then select the line that has Firefox.exe in it.  While there, also check Hide Beta Versions.  OK.)

You will see a list of programs that have updates with green down arrows next to them.  You do not need to download any Beta Versions.  There is an option in Settings to Hide Beta Versions.  I do not advise updating Windows Messenger unless you really use it, so I right click on the Icon and Customize Results then find Microsoft Messenger and change Show All Releases to Hide All Releases.  OK.
 
 
 
Make sure that Windows Updates is working.  Last time I worked on an ESET protected system their firewall blocked Windows Update.  It will probably block HP Support Assistant too.
 
I've done some more research on the SFCLog errors.  Supposedly SFC was updated to fix them but that is probably in 8.1  
 
 
Since this is 8 the following command should work:
 
DISM /Online /Cleanup-Image /RestoreHealth
 
You can copy it and then:
 
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter.  
 
That's the instructions for an elevated Command Prompt in 7.  In 8 see:  http://www.eightforu...indows-8-a.html

  • 0

#28 prousse1 (Member, Topic Starter, 19 posts)

Thank you!

 

I have updated to 8.1 and run Windows Update a half dozen times. It is no longer finding any new updates.

 

The link for CryptoPrevent didn't work. Internet Explorer gave me a message saying to turn on some settings in the advanced settings. They were already turned on, however. I searched for the program and found a download link at the MajorGeeks website. Will check that program out.

 

DISM is running currently.

 

For an elevated command prompt, I just hit the Windows key and type cmd (similar to using the Run box in older Windows), then right click on the prompt and open as admin.

 

Looking into the update checker. If there is a way to have it update applications automatically, that might be best. Otherwise they won't get updated often. However, you mentioned the remote desktop software the other day. I may use it and just remote in once a month or so to do maintenance. Would be a good reminder to do maintenance on my own machine.

 

Thanks for all of the feedback. Was wanting to get this computer running as well as possible before I left. I think we are making very good progress. :)


  • 0

#29 RKinner (Malware Expert, MVP, 20,010 posts)

Cryptoprevent link:

https://www.foolishit.com/cryptoprevent-malware-prevention/

Works fine on Chrome and Firefox & IE for me.  IE on Win 8 might have decided it is evil based on the last four letters before the .com and blocked it.

 

I see you have to put in your email address and let them send you a link now.  


  • 0

#30 prousse1 (Member, Topic Starter, 19 posts)

I was able to get it downloaded and working.

 

Question. You may not be able to help with this per the TOU and I understand if you cannot. But something I did wiped out my Dad's saved passwords and now he cannot get back into his Hotmail account. It was saved in IE before I started playing with the computer and I seem to have deleted it. He did not have it written down anywhere. We have exhausted the recovery options as he did not have another email address or phone number or any billing info associated with the account. I tried finding the passwords in the registry but they are not there either.

 

Something we did looked like it made a backup of the registry. Do you know what that was or where it would have been saved? Also, if there is a backup somewhere, do you know of a way to search it without restoring it fully? I don't recall what we were doing or why, but if it possibly had something corrupt in it then I would hate to restore it.

 

Any other suggestions on ways to recover it? I have checked the Credential Manager in Control Panel - nothing in there. I think we are down to guessing passwords until we get it. Unfortunately, all of his bills and everything are tied to that email account....


  • 0





