Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Malware removal [Solved]

Started by lukianro , Nov 28 2016 12:07 PM

This topic is locked

#16
Jr0x

Posted 19 December 2016 - 08:18 AM

Malware removal team

Malware Removal
1,830 posts

Hi lukianro,

Let's try with ESET Online scanner and see how it goes.

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click Scan Now.

If using Internet Explorer:

Accept the Terms of Use and click Start.
Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

Download esetsmartinstaller_enu.exe that you'll be given link to.
Double click esetsmartinstaller_enu.exe.
Accept the Terms of Use and click Start.

To perform the scan:

Make sure that Enable detection of potentially unwanted applications is checked.
In the Advanced Settings dropdown menu:
- Enable detection of potentially unsafe applications are checked.
- Enable detection of suspicious applications are checked.
- Enable Anti-Stealth technology are checked.
- Scan archives is checked.
- Make sure that Clean threats automatically is unchecked.
- Use custom proxy settings is unchecked.
Click Scan
The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
When completed, the program will begin to scan. This may take several hours. Please, be patient.
Do not do anything on your machine as it may interrupt the scan.
When the scan is done, click Finish.
A logfile will be created at C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt. Open it using Notepad.

Please include this logfile in your next reply.
Don't forget to re-enable previously switched-off protection software!

#17
lukianro

Posted 19 December 2016 - 05:29 PM

Member

Topic Starter
Member
10 posts

20:41:13 # product=EOS

# version=8

# flags=0

# esetonlinescanner_enu.exe=2.0.13.0

# EOSSerial=

# end=init

# utc_time=2016-12-19 19:41:13

# local_time=2016-12-19 20:41:13 (+0100, W. Europe Standard Time)

# country="United Kingdom"

# osver=6.2.9200 NT

20:41:19 # product=EOS

# version=8

# flags=0

# esetonlinescanner_enu.exe=2.0.13.0

# EOSSerial=44833ceeed93444bb6b1e19ae47dfd2e

# end=init

# utc_time=2016-12-19 19:41:19

# local_time=2016-12-19 20:41:19 (+0100, W. Europe Standard Time)

# country="United Kingdom"

# osver=6.2.9200 NT

20:41:45 Updating

20:41:45 Update Init

20:41:49 Update Download

20:48:14 esets_scanner_reload returned 0

20:48:14 g_uiModuleBuild: 31788

20:48:14 Update Finalize

20:48:14 Call m_esets_charon_send

20:48:14 Call m_esets_charon_destroy

20:48:14 Updated modules version: 31788

20:48:48 Call m_esets_charon_setup_create

20:48:48 Call m_esets_charon_create

20:48:48 m_esets_charon_create OK

20:48:48 Call m_esets_charon_start_send_thread

20:48:48 Call m_esets_charon_setup_set

20:48:48 m_esets_charon_setup_set OK

20:48:48 Scanner engine: 31788

00:06:45 # product=EOS

# version=8

# flags=0

# esetonlinescanner_enu.exe=2.0.13.0

# EOSSerial=44833ceeed93444bb6b1e19ae47dfd2e

# engine=31788

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# sfx_checked=true

# utc_time=2016-12-19 23:06:44

# local_time=2016-12-20 00:06:44 (+0100, W. Europe Standard Time)

# country="United Kingdom"

# lang=1033

# osver=6.2.9200 NT

# compatibility_mode_1='Avast Antivirus'

# compatibility_mode=798 16777213 100 100 834052 4701196 0 0

# compatibility_mode_1=''

# compatibility_mode=5893 16776574 100 94 4425650 13519420 0 0

# scanned=2

# found=16

# cleaned=0

# scan_time=11909

sh=58FFD79F5C55EA5CC0DCB1A2356A14798D09F9C1 ft=0 fh=0000000000000000 vn="multiple threats,a variant of Win32/Packed.Themida suspicious application,a variant of Win32/OpenCandy.A potentially unsafe application" ac=I fn="C:\Downloads\DAEMON Tools PRO Advanced v6.1.0.0483 crack (menin)\DAEMON Tools PRO Advanced v6.1.0.0483 crack (menin).rar"

sh=ABF030A9AF88850E697B2FEF9D9BAA78266494E8 ft=1 fh=0000000000000000 vn="a variant of Win32/OpenCandy.A potentially unsafe application" ac=I fn="C:\Downloads\DAEMON Tools PRO Advanced v6.1.0.0483 crack (menin)\DTPro610-0483.exe"

sh=60F3B729AFFF0BD2E449D7BC67E6047E722480E2 ft=1 fh=0000000000000000 vn="a variant of Win32/Packed.Themida suspicious application" ac=I fn="C:\Downloads\DAEMON Tools PRO Advanced v6.1.0.0483 crack (menin)\Crack\Activator.exe"

sh=9C097D212703028C13F9DF53873E550B93FA7965 ft=1 fh=0000000000000000 vn="a variant of Win32/Systweak.U potentially unwanted application" ac=I fn="C:\Downloads\DLL-FiLes Fixer v2.9.72.2521 Incl Crack-FiLELiST\dffsetup.exe"

sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/HackTool.Crack.CS potentially unsafe application,a variant of Win64/HackTool.Crack.F potentially unsafe application" ac=I fn="C:\Downloads\Sniper.Elite.3-RELOADED\rld-snel3.iso"

sh=FC283C19C808EFEF5D26E262535900DD9C10D843 ft=1 fh=0000000000000000 vn="a variant of Win64/TrojanDownloader.Agent.AA trojan" ac=I fn="C:\Downloads_\local64spl.dll"

sh=FC283C19C808EFEF5D26E262535900DD9C10D843 ft=1 fh=0000000000000000 vn="a variant of Win64/TrojanDownloader.Agent.AA trojan" ac=I fn="C:\inetpub\local64spl.dll"

sh=FC283C19C808EFEF5D26E262535900DD9C10D843 ft=1 fh=0000000000000000 vn="a variant of Win64/TrojanDownloader.Agent.AA trojan" ac=I fn="C:\inetpub_\local64spl.dll"

sh=FC283C19C808EFEF5D26E262535900DD9C10D843 ft=1 fh=0000000000000000 vn="a variant of Win64/TrojanDownloader.Agent.AA trojan" ac=I fn="C:\Intel\local64spl.dll"

sh=FC283C19C808EFEF5D26E262535900DD9C10D843 ft=1 fh=0000000000000000 vn="a variant of Win64/TrojanDownloader.Agent.AA trojan" ac=I fn="C:\Intel_\local64spl.dll"

sh=DA3A3B806C9F1ECE20E576160B9DF730808256D9 ft=1 fh=0000000000000000 vn="a variant of Win32/Obfuscated.NKY trojan" ac=I fn="C:\ProgramData\Microsoft\Blend\14.0\1033\ResourceCacher.dll"

sh=FC283C19C808EFEF5D26E262535900DD9C10D843 ft=1 fh=0000000000000000 vn="a variant of Win64/TrojanDownloader.Agent.AA trojan" ac=I fn="C:\swsetup\local64spl.dll"

sh=FC283C19C808EFEF5D26E262535900DD9C10D843 ft=1 fh=0000000000000000 vn="a variant of Win64/TrojanDownloader.Agent.AA trojan" ac=I fn="C:\swsetup_\local64spl.dll"

sh=DA3A3B806C9F1ECE20E576160B9DF730808256D9 ft=1 fh=0000000000000000 vn="a variant of Win32/Obfuscated.NKY trojan" ac=I fn="C:\Users\All Users\Microsoft\Blend\14.0\1033\ResourceCacher.dll"

sh=A720AD0C3BEABE1174B38D23F5CB9830D452BEE8 ft=1 fh=0000000000000000 vn="a variant of Win32/FusionCore.K potentially unwanted application" ac=I fn="C:\Users\anca_\Downloads\BitComet_1.43_setup.exe"

sh=A63F1C3A45F42B1D2C762454B4F3DBCBB64DE157 ft=0 fh=0000000000000000 vn="a variant of Win32/Adware.ELEX.AX application" ac=I fn="C:\Windows\Installer\51f8632.msi"

00:21:04 Call m_esets_charon_send

00:21:04 Call m_esets_charon_destroy

00:21:05 RecursiveRemoveDirectoryAndAllFiles: C:\Users\anca_\AppData\Local\ESET\ESETOnlineScanner\Quarantine\

#18
Jr0x

Posted 20 December 2016 - 10:29 AM

Malware removal team

Malware Removal
1,830 posts

Hi lukianro,

Fix with FRST

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. To do this highlight the contents of the box, right click on it and select copy.
Right-click in the open notepad and select Paste.
Save it on the desktop as fixlist.txt

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Start
CreateRestorePoint:
CloseProcesses:

C:\Downloads_\local64spl.dll
C:\inetpub\local64spl.dll
C:\inetpub_\local64spl.dll
C:\Intel\local64spl.dll
C:\Intel_\local64spl.dll
C:\ProgramData\Microsoft\Blend\14.0\1033\ResourceCacher.dll
C:\swsetup\local64spl.dll
C:\swsetup_\local64spl.dll
C:\Users\All Users\Microsoft\Blend\14.0\1033\ResourceCacher.dll
C:\Users\anca_\Downloads\BitComet_1.43_setup.exe
C:\Windows\Installer\51f8632.msi

C:\Downloads\DAEMON Tools PRO Advanced v6.1.0.0483 crack (menin)
C:\Downloads\DLL-FiLes Fixer v2.9.72.2521 Incl Crack-FiLELiST
C:\Downloads\Sniper.Elite.3-RELOADED

Emptytemp:
Hosts:
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.

Note: Your machine will reboot after the fix.

In your next reply, please include the following:

FRST fixlog
Any other issue you're facing?

#19
lukianro

Posted 20 December 2016 - 02:22 PM

Member

Topic Starter
Member
10 posts

Hi Jr0x.

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016

Ran by anca_ (20-12-2016 21:14:24) Run:5

Running from C:\Users\anca_\Desktop

Loaded Profiles: anca_ (Available Profiles: anca_)

Boot Mode: Normal

==============================================

fixlist content:

*****************

Start

CreateRestorePoint:

CloseProcesses:

C:\Downloads_\local64spl.dll

C:\inetpub\local64spl.dll

C:\inetpub_\local64spl.dll

C:\Intel\local64spl.dll

C:\Intel_\local64spl.dll

C:\ProgramData\Microsoft\Blend\14.0\1033\ResourceCacher.dll

C:\swsetup\local64spl.dll

C:\swsetup_\local64spl.dll

C:\Users\All Users\Microsoft\Blend\14.0\1033\ResourceCacher.dll

C:\Users\anca_\Downloads\BitComet_1.43_setup.exe

C:\Windows\Installer\51f8632.msi

C:\Downloads\DAEMON Tools PRO Advanced v6.1.0.0483 crack (menin)

C:\Downloads\DLL-FiLes Fixer v2.9.72.2521 Incl Crack-FiLELiST

C:\Downloads\Sniper.Elite.3-RELOADED

Emptytemp:

Hosts:

End

*****************

Restore point was successfully created.

Processes closed successfully.

C:\Downloads_\local64spl.dll => moved successfully

C:\inetpub\local64spl.dll => moved successfully

C:\inetpub_\local64spl.dll => moved successfully

C:\Intel\local64spl.dll => moved successfully

C:\Intel_\local64spl.dll => moved successfully

C:\ProgramData\Microsoft\Blend\14.0\1033\ResourceCacher.dll => moved successfully

C:\swsetup\local64spl.dll => moved successfully

C:\swsetup_\local64spl.dll => moved successfully

"C:\Users\All Users\Microsoft\Blend\14.0\1033\ResourceCacher.dll" => not found.

C:\Users\anca_\Downloads\BitComet_1.43_setup.exe => moved successfully

C:\Windows\Installer\51f8632.msi => moved successfully

C:\Downloads\DAEMON Tools PRO Advanced v6.1.0.0483 crack (menin) => moved successfully

C:\Downloads\DLL-FiLes Fixer v2.9.72.2521 Incl Crack-FiLELiST => moved successfully

C:\Downloads\Sniper.Elite.3-RELOADED => moved successfully

C:\Windows\System32\Drivers\etc\hosts => moved successfully

Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 4439808 B

DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13761306 B

Java, Flash, Steam htmlcache => 0 B

Windows/system/drivers => 1125442 B

Edge => 8192 B

Chrome => 368964166 B

Firefox => 0 B

Opera => 0 B

Temp, IE cache, history, cookies, recent:

Default => 0 B

Users => 0 B

ProgramData => 0 B

Public => 0 B

systemprofile => 0 B

systemprofile32 => 0 B

LocalService => 12302 B

NetworkService => 0 B

anca_ => 20920531 B

RecycleBin => 0 B

EmptyTemp: => 390.3 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 21:17:38 ====

For the moment everything looks good. thank you!

#20
Jr0x

Posted 21 December 2016 - 08:08 AM

Malware removal team

Malware Removal
1,830 posts

OK! Well done. :thumbsup:

Here is the best part of the process! The mullygrubs are gone! That's a technical term for your log(s) appear to be clean! If you have no further issues with your computer, please complete the housekeeping procedures outlined below.
The first thing we need to do is to remove all the tools that we have used. This is so that should you ever be re-infected, you will download updated versions.

If you didn't uninstall ESET after running the program we will do it now.

Uninstall ESET

Press Windows Key + S
Enter control panel in the search box, then tap or click Control Panel.
Under View by:, select Large Icons, then tap or click Programs and features.
In the list of programs installed, locate the following program(s):

ESET
Click on each program to highlight it and right click the program and click Uninstall.
After the programs have been uninstalled, close the Installed Programs window and the Control Panel
Reboot the computer.

Delete the folders associated with the uninstalled programs.(Only do this if you uninstalled the program)

1. Using Windows Explorer (to get there right-click your Start button and click "File Explorer"), please delete the following folders(s) (if present):

C:\Program Files\ESET
C:\Program Files (86)\ESET

2. Close Windows Explorer.

Tools CleanUp with DelFix

Download Delfix and save it to the Desktop.

Right click the and click Run as Administrator.
Ensure ALL boxes are checked.
Click the Run button.
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

Delete the following Files and Folders (If Present):

Delete any other .bat, .log, .reg, .txt, and any other files created or downloaded during this process, and left on the desktop and empty the Recycle Bin.

Keeping your software updated

Windows Updates

Please go to Start Menu -> Control Panel
Under View by: select Large Icons, then tap or click Windows Update.
Click on Change Settings

[/b]
Select "Install updates automatically (recommended)" from the Important updates drop-down.
Choose a day and a time when you know the computer will be on and connected to the internet. The default is 3:00AM every day.
Ensure that all of the other check boxes are checked.
Click OK.

Malwarebytes Anti-Malware

I recommend keeping Malwarebytes Anti-Malware installed. Make sure to update it and run it at least once a week. If it finds things such as PUP's (Potentially Unwanted Programs) you can delete those with no worries. However, if it finds something like a trojan, come see us.

Keep Java Updated

Java has become the #1 program exploited by thieves and hackers as of today. It's gotten so bad, the Department of Homeland Security recently recommended that users disable Java on their machines.

For more information regarding this, see the two articles below:

Forbes: US Department of Homeland Security Calls on user do disable Java

US warns on Java software

Unless you have software on your machine that absolutely requires Java, I highly recommend you completely remove it from your system.
If you do have software that requires it, then disable it until such time as it's needed by those programs.
Please click the link below for instructions to disable and uninstall Java.

How to Disable Java in your Web Browser

How to Completely Remove and Uninstall Java From Windows PC

Filehippo Updatechecker

Another weapon against malicious programs and viruses is to keeping other programs updated. There are several programs out there that can check for out of date programs on your computer. One is Filehippo. You can run this on a weekly or monthly basis to check your programs for updates and then it will provide a link for you to download them.

Download Filehippo Updatechecker

Tips, Information, and Optional Installation

Watch what you open in your emails. If you get an email from an unknown source with any attached files, do not open it.

Be careful of the websites you visit.

When installing new programs, don't be "click happy" and click through the screens. Many programs come with adware in them and are set to install them by default. Several programs require that you uncheck or select no to prevent the installation. Take you time and read each screen as you go.

To help protect yourself while on the web, I recommend you read Answers to common security questions - Best Practices

Installation of Unchecky (Optional)

This is a very good little program that will automatically uncheck any boxes during a software installation. This helps prevent the software from installing any malware that is by default checked while the program is being installed.

Click here to be taken to Unchecky.com

Click the very large Download button.

Click Save

Once downloaded, double click the program (Vista, Win 7, and 8, right click and Run as Administrator)

Once open, click the Install button.

Then click Finish

Unchecky is now installed and will help you keep unwanted check boxes unchecked.

Installation of CryptoPrevent (Optional)

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You may read more about this here.

To download and install:

Click CryptoPrevent
Under the Free Edition column, enter your name and email and click on Request Download Link button to request for a download link
Once received a link in your email (may need to check your Junk mail), download the tool to your Desktop
Open the program by clicking Run when prompted from your browser or by going to the Desktop where the file was saved and right-click and select Run as Administrator
Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
You will be prompted to click OK to continue and select your protection level. Go ahead and click OK.
Click the Apply button to set Default protection.
You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
That's it. The protection is in place.

Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now) and select the Updates! menu....and select Check for Updates to see if there are any as this infection has serious consequences.

If you have any other questions, please feel free to ask me.

#21
lukianro

Posted 21 December 2016 - 08:50 AM

Member

Topic Starter
Member
10 posts

Thank you so much! For the moment evrything looks great. I have installed also CryptoPrevent.

# DelFix v1.013 - Logfile created 21/12/2016 at 15:29:21

# Updated 17/04/2016 by Xplode

# Username : anca_ - DESKTOP-PIATST9

# Operating System : Windows 10 Home (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST

Deleted : C:\AdwCleaner

Deleted : C:\Users\anca_\Desktop\FRST-OlderVersion

Deleted : C:\Users\anca_\Desktop\Fixlog.txt

Deleted : C:\Users\anca_\Desktop\FRST64.exe

Deleted : C:\Users\anca_\Desktop\JRT.exe

Deleted : C:\Users\anca_\Desktop\JRT.txt

Deleted : C:\Users\anca_\Downloads\adwcleaner_6.041.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #29 [Installed Microsoft Visual C++ 2005 Redistributable | 12/17/2016 09:46:14]

Deleted : RP #30 [JRT Pre-Junkware Removal | 12/17/2016 10:55:54]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

Again, thank you!

#22
Jr0x

Posted 21 December 2016 - 09:48 AM

Malware removal team

Malware Removal
1,830 posts

Glad that I could assist you.

Stay safe online.

#23
azarl

Posted 22 December 2016 - 07:01 AM

GeekU Admin

Community Leader
25,310 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.