
Can't remove "Safesearch" locked by Admin [Solved]

SafeSearch Malware removal

  • This topic is locked

#16
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

Sorry. Forgot about that. I just needed to get the Anti-virus app on here. My fault.

It took a bit, but I was able to get the last step done.

MalwareBytes ran and zero threats were detected.

 

Now that I already set up and scanned with Kaspersky anti-virus, do you still think I need ESET or Security Check? Seems like I should be good now, right?

 

See last MBAM scan log below. 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/13/2016
Scan Time: 7:49 PM
Logfile: MbamScanLog.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.07.13.13
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Mark
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 491197
Time Elapsed: 35 min, 17 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

  • 0



#17
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

Sorry. Forgot about that. I just needed to get the Anti-virus app on here. My fault.

It took a bit, but I was able to get the last step done.

MalwareBytes ran and zero threats were detected.



Now that I already set up and scanned with Kaspersky anti-virus, do you still think I need ESET or Security Check? Seems like I should be good now, right?


Hello :)

No worries, and glad to see the MBAM scan is clean. Please run the ESET scan as it's a very deep and thorough scan. Also, SecurityCheck is needed as well. It's designed to scan to make sure that some programs are up to date.

Please post the logs for those 2 programs upon completion and we'll proceed. :thumbsup:

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

ESET Scan Log

SecurityCheck Log

  • 0

#18
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

I opened Internet Explorer to do the next step with ESET, but I saw it opened with "SafeSearch" in the search bar (http://www.safesear.ch/?type=szs).

I don't have Firefox and would rather not add another search engine. 

Should I just use the IE 11 I have now?

 

Thanks, 

Mark


  • 0

#19
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

I opened Internet Explorer to do the next step with ESET, but I saw it opened with "SafeSearch" in the search bar (http://www.safesear.ch/?type=szs).
I don't have Firefox and would rather not add another search engine. 
Should I just use the IE 11 I have now?
 
Thanks, 
Mark


Hello :)

Yes, proceed with that IE 11. :thumbsup:
  • 0

#20
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

I clicked the link you sent, it opened in Chrome. I copied the URL to IE11, but there was no button or bar that looked like that below, and nothing started when I clicked the "SCAN NOW" button or when I clicked the "FREE DOWNLOAD" button. In Chrome it did download when I clicked "SCAN NOW", but I did not install it. When you scroll down another button says "FREE 30 VIRUS PROTECTION", but nothing happened when I clicked that either. Not sure why. Pop-up blocker maybe? None of the buttons, though, look like the one below.

 

Please click on this link and then click the ESET Online Scanner bar ----> [image: ESET Online Scanner bar]

  • Select the option YES, I accept the Terms of Use then click on Start (it never started)

  • 0

#21
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hello :)

Ok, it looks like my instructions need revising, as they've changed the layout. Please make sure any pop up blockers are turned off. I'm using FF and these instructions worked. However, if they do not work in IE, please skip this step and move to the SecurityCheck scan.


When you click Scan Now you should get a download for the file esetonlinescanner_enu.exe started.

When it completes downloading, double click on it to start it, and you'll get the Terms of Use box on your screen. Click on Download the latest version of ESET Online Scanner.

Click Accept and the latest version will begin downloading.

When completed, the Computer Scan Settings box will appear. Click on Enable detection of potentially unwanted applications. Then click Advanced Settings.

Place checkmarks in Enable detection of suspicious applications, Scan Archives, and Enable Anti-Stealth Technology.

Do not place a checkmark in the Clean Threats Automatically box.

Click Scan and it will begin downloading the latest virus database.

Please post the log when completed.
  • 0

#22
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

Tried ESET Scanner. It showed 4 threats but finally froze. So, I killed it. I looked for ESET folder to see if I could get the log file, but there is no ESET folder.

I was watching it. So, I believe I deleted the threats in Local App Data folders. They looked to be old gaming folders. I will try to run it again later. 

 

I opened IE 11 again. It was waiting for "safesearch.ch", but nothing happened. I changed the home page to "google.com" and closed and reopened. When it reopened it opened to an empty page and nothing came up. It just keeps trying to update, but nothing displays. I clicked on the HomePage button, but nothing happened. It tried debugging but I don't have visual studio. Anyway, IE isn't working at all any more. Also, I saw "RootFiddle" kit certificates in IE that had DO_NOT_TRUST google. Never seen those before. I can't even open IE Options to see the certificates anymore. 

 

I will run the Security Check by screen317.

 

Thanks for the help.

Mark


  • 0

#23
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

Security Check log.

 

 

 

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Kaspersky Total Security   
Windows Defender           
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 31  
 Java version 32-bit out of Date! 
 Google Chrome (51.0.2704.106) 
 Google Chrome (SetupMetrics.pma..) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Kaspersky Lab Kaspersky Total Security 16.0.1 avp.exe  
 Kaspersky Lab Kaspersky Total Security 16.0.1 avpui.exe  
 Kaspersky Lab Kaspersky Password Manager 8.0.4 kpm.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 

  • 0

#24
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

I rebooted. I opened IE 11 again. It opened up to "http://www.safesear.ch/?type=szs" again. So, it is still there.

 

And, under Tools, Internet Options, Content Tab, Certificates button, under "Personal" tab it shows 4 certificates issued by "DO_NOT_TRUST_FiddleRoot".

 

Should I go back and re-run Malware Bytes?

 

Mark


  • 0

#25
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

Tried ESET Scanner again after uninstalling more programs and deleting all my large files in the downloads folder.

It showed 4 threats again, but it froze again. It scanned for over 90 minutes, 178,000 files, but I had to kill it again.

I looked for anything ESET to see if I could get the log file. I found the folders but didn't see the log file. 

It was so close to being done. Not sure what to do now.


  • 0



#26
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

I rebooted. I opened IE 11 again. It opened up to "http://www.safesear....type=szs" again. So, it is still there.



And, under Tools, Internet Options, Content Tab, Certificates button, under "Personal" tab it shows 4 certificates issued by "DO_NOT_TRUST_FiddleRoot".



Should I go back and re-run Malware Bytes?



Hello :)

The SecurityCheck log only shows one thing that needs attention, but we can hold off on that for a moment. Let's reset IE back to its default settings and then check and see if that straightens it out.

We'll also hold up on ESET. :)

Please follow the instructions below to reset IE 11 back to its defaults.

Reset Internet Explorer settings

Close all Internet Explorer windows. ...
Select the Advanced tab, and then select Reset.
In the Reset Internet Explorer Settings dialog box, select Reset.
When Internet Explorer finishes applying default settings, select Close, and then select OK.

If this does not fix it, please re-run MBAM and post the scan log. :thumbsup:
  • 0

#27
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

IE looks good now. 

 

I did run ESET a third time yesterday and just let it go after it looked frozen. When I looked at it hours later it was no longer on the screen. Where would the log be if it did finish?

 

Next steps? 


  • 0

#28
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hello :)

IE looks good now.


:thumbsup:

I did run ESET a third time yesterday and just let it go after it looked frozen. When I looked at it hours later it was no longer on the screen. Where would the log be if it did finish?


According to ESET, they've changed the location of the log. The instructions below will provide the location.


The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. To view the log file, Show hidden files and folders must be enabled. New logs are appended to the existing log files when multiple scans are run.

The path to the log file is the following: C:\users\%userprofile%\appdata\local\temp\log.txt
  • 0

#29
mmic279

mmic279

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts

I found it. It lists the 4 infections found twice. How should I remove them?

And, since it never completed, should we try something else?

 

 

 

 

 

10:09:02 Updating
10:09:02 Update Init
10:09:04 Update Download
10:10:57 esets_scanner_reload returned 0
10:10:57 g_uiModuleBuild: 30107
10:10:57 Update Finalize
10:10:57 Call m_esets_charon_send
10:10:57 Call m_esets_charon_destroy
10:10:57 Updated modules version: 30107
10:11:07 Call m_esets_charon_setup_create
10:11:07 Call m_esets_charon_create
10:11:07 m_esets_charon_create OK
10:11:07 Call m_esets_charon_start_send_thread
10:11:08 Call m_esets_charon_setup_set
10:11:08 m_esets_charon_setup_set OK
10:11:08 Scanner engine: 30107
12:10:56 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.8.0
# EOSSerial=
# engine=30107
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-07-14 16:10:54
# local_time=2016-07-14 12:10:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1='Kaspersky Total Security'
# compatibility_mode=1308 16777213 100 100 0 31791706 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 0 21401597 0 0
# scanned=0
# found=4
# cleaned=0
# scan_time=7195
sh=36F20DFF4EBAF611639ACB1E5D75795A3AA7354B ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\d3dcompiler_46.dll"
sh=8BD4563655379CB271263D405C0C9F8970114FE8 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\ffmpegsumo.dll"
sh=A5EAB09059BC195196DFCDFBB269CD9DDC1CDAF3 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\libEGL.dll"
sh=11C3C55F6422523564C16AE7A0561FF172DF6EC3 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\NPSWF32_15_0_0_189.dll"
16:24:23 Call m_esets_charon_setup_create
16:24:23 Call m_esets_charon_create
16:24:23 m_esets_charon_create OK
16:24:23 Call m_esets_charon_start_send_thread
16:24:23 Call m_esets_charon_setup_set
16:24:23 m_esets_charon_setup_set OK
16:24:28 Updating
16:24:28 Update Init
16:24:39 Call m_esets_charon_setup_create
16:24:39 Call m_esets_charon_create
16:24:39 m_esets_charon_setup_set ERROR
16:24:39 Update Download
16:25:05 esets_scanner_reload returned 0
16:25:05 g_uiModuleBuild: 30111
16:25:05 Update Finalize
16:25:05 Call m_esets_charon_send
16:25:05 Call m_esets_charon_destroy
16:25:05 Updated modules version: 30111
16:25:15 Call m_esets_charon_setup_create
16:25:15 Call m_esets_charon_create
16:25:15 m_esets_charon_setup_set ERROR
16:25:15 Scanner engine: 30111
17:54:59 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.8.0
# EOSSerial=
# engine=30111
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-07-14 21:54:58
# local_time=2016-07-14 17:54:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1='Kaspersky Total Security'
# compatibility_mode=1308 16777213 100 100 0 31812350 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 0 21422241 0 0
# scanned=0
# found=4
# cleaned=0
# scan_time=5391
sh=36F20DFF4EBAF611639ACB1E5D75795A3AA7354B ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\d3dcompiler_46.dll"
sh=8BD4563655379CB271263D405C0C9F8970114FE8 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\ffmpegsumo.dll"
sh=A5EAB09059BC195196DFCDFBB269CD9DDC1CDAF3 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\libEGL.dll"
sh=11C3C55F6422523564C16AE7A0561FF172DF6EC3 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\NPSWF32_15_0_0_189.dll"
18:51:15 Call m_esets_charon_setup_create
18:51:15 Call m_esets_charon_create
18:51:15 m_esets_charon_create OK
18:51:15 Call m_esets_charon_start_send_thread
18:51:15 Call m_esets_charon_setup_set
18:51:15 m_esets_charon_setup_set OK
18:51:17 Updating
18:51:17 Update Init
18:51:27 Call m_esets_charon_setup_create
18:51:27 Call m_esets_charon_create
18:51:27 m_esets_charon_setup_set ERROR
18:51:27 Update Download
18:51:52 esets_scanner_reload returned 0
18:51:53 g_uiModuleBuild: 30113
18:51:53 Update Finalize
18:51:53 Call m_esets_charon_send
18:51:53 Call m_esets_charon_destroy
18:51:53 Updated modules version: 30113
18:52:03 Call m_esets_charon_setup_create
18:52:03 Call m_esets_charon_create
18:52:03 m_esets_charon_setup_set ERROR
18:52:03 Scanner engine: 30113

  • 0

#30
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

I found it. It lists the 4 infections found twice. How should I remove them?

And, since it never completed, should we try something else?


Hello :)

I'm sure we'll be ok not running it again, since you said it was gone when you came back. It didn't show any more threats than the ones it's located. Let's remove the threats it found. Also, I have some information regarding Java. We'll run JavaRa to clear any outdated versions as well.


Step 1: Fix with FRST
  • Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy.)
  • Right-click in the open notepad and select Paste.
  • Save it on the desktop as fixlist.txt

    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Start
CreateRestorePoint:
C:\Users\Default\AppData\Roaming\Compatibility Verifier\d3dcompiler_46.dll
C:\Users\Default\AppData\Roaming\Compatibility Verifier\ffmpegsumo.dll
C:\Users\Default\AppData\Roaming\Compatibility Verifier\libEGL.dll
C:\Users\Default\AppData\Roaming\Compatibility Verifier\NPSWF32_15_0_0_189.dll
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.


Step 2: Information and JavaRa

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.

Please read this article about Java.

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done then run it again and select Update Java runtime > Download and install Latest version.



Things I need to see in your next post:

Fixlog.txt Log

  • 0
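
Post #28 notes that ESET appends every run to the same log.txt, which is why post #29 sees the four detections twice. As an added example (not code from the thread, ESET or FRST), this sketch collapses repeated detections across runs and cross-checks a fixlist against them; reading `sh` as a SHA-1, `vn` as the detection name and `fn` as the path, and the fixlist layout, are assumptions taken from the posts above, and both samples are constructed.

```python
import re

# Constructed sample: two appended runs in the posted log.txt layout, abridged to two detections each.
SAMPLE_LOG = r'''12:10:56 # product=EOS
# end=stopped
sh=36F20DFF4EBAF611639ACB1E5D75795A3AA7354B ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\d3dcompiler_46.dll"
sh=A5EAB09059BC195196DFCDFBB269CD9DDC1CDAF3 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\libEGL.dll"
16:25:15 Scanner engine: 30111
17:54:59 # product=EOS
# end=stopped
sh=36F20DFF4EBAF611639ACB1E5D75795A3AA7354B ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\d3dcompiler_46.dll"
sh=A5EAB09059BC195196DFCDFBB269CD9DDC1CDAF3 ft=1 fh=0000000000000000 vn="a variant of Win32/AdSuproot trojan" ac=I fn="C:\Users\Default\AppData\Roaming\Compatibility Verifier\libEGL.dll"
'''

# Constructed fixlist in the layout used in the thread; the second path is deliberately truncated.
SAMPLE_FIXLIST = r'''Start
CreateRestorePoint:
C:\Users\Default\AppData\Roaming\Compatibility Verifier\d3dcompiler_46.dll
C:\Users\Default\AppData\Roaming\Compatibility Verifier\libEGL.dl
End
'''

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')        # key=value or key="quoted value"
SUMMARY = re.compile(r'(?:\d\d:\d\d:\d\d )?# (\w+)=(.*)')  # '# key=value' run summary line

def parse_runs(text):
    """Split an appended log into runs: '# key=value' summary plus 'sh=' detections."""
    runs = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m and m.group(1) == 'product':      # '# product=' opens a new run
            runs.append({'meta': {}, 'detections': []})
        if m and runs:
            runs[-1]['meta'][m.group(1)] = m.group(2).strip()
        elif line.startswith('sh=') and runs:
            f = {k: q or b for k, q, b in PAIR.findall(line)}
            runs[-1]['detections'].append({'sha1': f['sh'], 'name': f['vn'], 'path': f['fn']})
    return runs

def unique_detections(runs):
    """Collapse repeats across runs by (SHA-1, lower-cased path); count reporting runs."""
    seen = {}
    for d in (d for run in runs for d in run['detections']):
        seen.setdefault((d['sha1'], d['path'].lower()), dict(d, runs=0))['runs'] += 1
    return list(seen.values())

def check_fixlist(fixlist, detections):
    """Return (fixlist paths matching no detection, detected paths the fixlist misses)."""
    listed = [l.strip() for l in fixlist.splitlines() if re.match(r'\s*[A-Za-z]:\\', l)]
    detected = {d['path'].lower(): d['path'] for d in detections}
    unmatched = [p for p in listed if p.lower() not in detected]
    missing = [p for k, p in detected.items() if k not in {q.lower() for q in listed}]
    return unmatched, missing

if __name__ == '__main__':
    found = unique_detections(parse_runs(SAMPLE_LOG))
    for d in found:
        print(d['runs'], d['sha1'], d['path'])
    print(check_fixlist(SAMPLE_FIXLIST, found))
```

A path in the first list is one the fix would silently skip, leaving the file named in the second list on disk.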





