Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I need help with an Alureon Virus


  • Please log in to reply

#31
Himynameiskyle

Himynameiskyle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Yes, I did reboot. It does feel like it runs a lot better. However, their phone number is still displayed in the taskbar. So I think there is something still hiding. Its in the bottom right to the left of the clock and little menu down there.
  • 0

Advertisements


#32
RKinner

RKinner

    Malware Expert

  • Expert
  • 21,070 posts
  • MVP

Do you know what these are for? 

 

Pulse Secure Setup Client (HKU\S-1-5-21-3592585487-3101742847-3297218791-1001\...\Juniper_Setup_Client) (Version: 8.1.6.61491 - Pulse Secure, LLC)
Pulse Secure Setup Client 64-bit Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Pulse Secure, LLC)

 

Appear to be remote control software.  If they are not something she uses then uninstall.

 

Also I see these pdfs on the desktop.

 

 

2017-11-28 12:37 - 2017-11-28 12:37 - 000352151 _____ C:\Users\Owner\Desktop\Computer Bill.pdf

2017-11-27 02:00 - 2017-11-27 02:00 - 000189114 _____ C:\Users\Owner\Desktop\soft experts.pdf

 

Are they from the malware?

 

Also see

 

2017-11-28 12:45 - 2017-11-28 12:45 - 000085272 _____ C:\Users\Owner\Downloads\ConnectWiseControl.Client.exe

 

which is another remote control software.  Delete it

 

Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).  

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  

Wait a full minute then:

File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.
 


  • 0

#33
Himynameiskyle

Himynameiskyle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts

I don't know what those programs are for, however, I do know they had remote access. She had a command prompt open they told her to open when she called to pay them. That is how I saw the name of the virus. I will remove them and yes the pdfs on the desktop are from the malware. Removing the programs now and will download Process Explorer.


  • 0

#34
Himynameiskyle

Himynameiskyle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts

Here's the text:

 

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    Verified Signer
System Idle Process    58.11    0 K    4 K    0            
SyncService.exe    24.68    22,236 K    8,828 K    1560         Supra    (No signature was present in the subject) Supra
rundll32.exe    8.83    4,616 K    8,464 K    2872    Windows host process (Rundll32)    Microsoft Corporation    (Verified) Microsoft Windows
procexp64.exe    2.14    23,396 K    49,052 K    432    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
TeamViewer_Desktop.exe    1.59    346,440 K    315,812 K    4772    TeamViewer 13    TeamViewer GmbH    (Verified) TeamViewer GmbH
MsMpEng.exe    0.79    136,916 K    109,500 K    2012    Antimalware Service Executable    Microsoft Corporation    (Verified) Microsoft Corporation
Interrupts    0.74    0 K    0 K    n/a    Hardware Interrupts and DPCs        
firefox.exe    0.73    141,964 K    166,636 K    972    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
System    0.65    120 K    1,272 K    4            
TeamViewer_Service.exe    0.47    17,340 K    22,692 K    1892    TeamViewer 13    TeamViewer GmbH    (Verified) TeamViewer GmbH
TeamViewer.exe    0.44    26,548 K    41,312 K    2892    TeamViewer 13    TeamViewer GmbH    (Verified) TeamViewer GmbH
firefox.exe    0.20    88,240 K    106,340 K    3200    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
dwm.exe    0.19    19,396 K    32,308 K    6968    Desktop Window Manager    Microsoft Corporation    (Verified) Microsoft Windows
firefox.exe    0.17    217,444 K    275,480 K    6336    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
svchost.exe    0.09    77,384 K    81,864 K    308    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
csrss.exe    0.08    2,392 K    6,724 K    1520    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
explorer.exe    0.01    88,596 K    137,760 K    5204    Windows Explorer    Microsoft Corporation    (Verified) Microsoft Windows
SearchIndexer.exe    0.01    31,504 K    24,836 K    1040    Microsoft Windows Search Indexer    Microsoft Corporation    (Verified) Microsoft Windows
ftnlsv.exe    0.01    1,216 K    1,028 K    1664    NetLink supervisor        (Verified) FabulaTech
AppleMobileDeviceService.exe    0.01    3,080 K    3,396 K    1512    MobileDeviceService    Apple Inc.    (Verified) Apple Inc.
svchost.exe    0.01    46,388 K    49,372 K    932    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe    0.01    5,108 K    9,672 K    712    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
iPodService.exe    0.01    1,952 K    3,268 K    3412    iPodService Module (64-bit)    Apple Inc.    (Verified) Apple Inc.
svchost.exe    0.01    15,428 K    17,164 K    1408    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
ftscanmgr.exe    < 0.01    5,188 K    3,016 K    1708    Scanner Redirection manager (Client)        (Verified) FabulaTech
vmwsprrdpwks.exe    < 0.01    2,216 K    1,964 K    1984    Serial Com Redirection Client service    VMware    (Verified) FabulaTech
svchost.exe    < 0.01    4,848 K    6,864 K    756    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
taskhostex.exe    < 0.01    5,192 K    12,160 K    6044    Host Process for Windows Tasks    Microsoft Corporation    (Verified) Microsoft Windows
conhost.exe    < 0.01    692 K    332 K    836    Console Window Host    Microsoft Corporation    (Verified) Microsoft Windows
stunnel-4.10.exe    < 0.01    1,496 K    984 K    1740            (No signature was present in the subject)
lsass.exe    < 0.01    6,200 K    9,336 K    628    Local Security Authority Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
tv_w32.exe    < 0.01    1,092 K    4,972 K    592    TeamViewer 13    TeamViewer GmbH    (Verified) TeamViewer GmbH
csrss.exe    < 0.01    1,868 K    1,952 K    444    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
vmware-view-usbd.exe    < 0.01    2,564 K    3,052 K    2360    VMware Horizon View client USB service (32-bit)    VMware, Inc.    (Verified) VMware
vmware-usbarbitrator64.exe    < 0.01    2,084 K    2,020 K    2096    VMware USB Arbitration Service    VMware, Inc.    (Verified) VMware
tv_x64.exe    < 0.01    1,116 K    4,776 K    5140    TeamViewer 13    TeamViewer GmbH    (Verified) TeamViewer GmbH
firefox.exe    < 0.01    210,636 K    234,180 K    2120    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
stacsv64.exe    < 0.01    5,144 K    3,304 K    256    IDT PC Audio    IDT, Inc.    (No signature was present in the subject) IDT, Inc.
iTunesHelper.exe    < 0.01    3,848 K    13,188 K    6072    iTunesHelper    Apple Inc.    (Verified) Apple Inc.
wsnm.exe        2,856 K    4,764 K    1980    VMware Horizon View Framework Node Manager    VMware, Inc.    (Verified) VMware
WmiPrvSE.exe        2,120 K    6,288 K    680    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
winlogon.exe        1,240 K    5,396 K    6472    Windows Logon Application    Microsoft Corporation    (Verified) Microsoft Windows
wininit.exe        1,016 K    2,336 K    532    Windows Start-Up Application    Microsoft Corporation    (Verified) Microsoft Windows
taskhost.exe        11,116 K    8,992 K    1252    Host Process for Windows Tasks    Microsoft Corporation    (Verified) Microsoft Windows
taskhost.exe        1,692 K    5,552 K    5524    Host Process for Windows Tasks    Microsoft Corporation    (Verified) Microsoft Windows
taskeng.exe        1,124 K    4,624 K    5092    Task Scheduler Engine    Microsoft Corporation    (Verified) Microsoft Windows
SyncInfoApp.exe        24,132 K    29,452 K    7072         Supra    (No signature was present in the subject) Supra
svchost.exe        21,796 K    25,624 K    1116    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        24,024 K    22,660 K    888    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        592 K    2,748 K    2500    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        11,172 K    18,012 K    964    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,740 K    9,396 K    1688    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,376 K    3,948 K    1772    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        5,920 K    10,056 K    1532    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
sttray64.exe        3,092 K    9,652 K    5896    IDT PC Audio    IDT, Inc.    (No signature was present in the subject) IDT, Inc.
spoolsv.exe        4,276 K    3,496 K    1372    Spooler SubSystem App    Microsoft Corporation    (Verified) Microsoft Windows
smss.exe        280 K    564 K    328    Windows Session Manager    Microsoft Corporation    (Verified) Microsoft Windows Publisher
SkyDrive.exe        8,768 K    15,204 K    5996    OneDrive Sync Engine    Microsoft Corporation    (Verified) Microsoft Windows
SettingSyncHost.exe        8,944 K    3,724 K    6528    Host Process for Setting Synchronization    Microsoft Corporation    (Verified) Microsoft Windows
services.exe        3,432 K    4,668 K    620    Services and Controller app    Microsoft Corporation    (Verified) Microsoft Windows Publisher
ProxyDaemon.exe        18,992 K    6,940 K    2020         Supra    (No signature was present in the subject) Supra
procexp.exe        2,272 K    7,340 K    1836    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
NisSrv.exe        10,800 K    5,932 K    2820    Microsoft Network Realtime Inspection Service    Microsoft Corporation    (Verified) Microsoft Corporation
MpCmdRun.exe        2,824 K    8,764 K    3524    Microsoft Malware Protection Command Line Utility    Microsoft Corporation    (Verified) Microsoft Corporation
GoogleCrashHandler64.exe        1,300 K    220 K    2412    Google Crash Handler    Google Inc.    (Verified) Google Inc
GoogleCrashHandler.exe        1,360 K    852 K    2196    Google Crash Handler    Google Inc.    (Verified) Google Inc
firefox.exe        21,864 K    47,228 K    4720    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
dllhost.exe        1,640 K    6,384 K    6384    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
dllhost.exe        1,288 K    5,412 K    1028    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
dasHost.exe        4,136 K    8,392 K    4172    Device Association Framework Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
Beats64.exe        1,420 K    5,992 K    3068    HP Beats    Hewlett-Packard     (Certificate expired) Hewlett-Packard
audiodg.exe        9,092 K    13,032 K    5356    Windows Audio Device Graph Isolation     Microsoft Corporation    (Verified) Microsoft Windows
atiesrxx.exe        776 K    1,244 K    852    AMD External Events Service Module    AMD    (Verified) Microsoft Windows Hardware Compatibility Publisher
atieclxx.exe        2,224 K    8,068 K    7024    AMD External Events Client Module    AMD    (Verified) Microsoft Windows Hardware Compatibility Publisher

 


  • 0

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 21,070 posts
  • MVP
SyncService.exe    24.68    22,236 K    8,828 K    1560         Supra    (No signature was present in the subject) Supra

 

 

This is  part of dKEYUSBCradle:

 

Appears to be some sort of phone which is plugged into a USB slot.

 

http://www.ekeyprofe...USB_install.htm

 

But it is eating up too much CPU time.  Perhaps a new download and install will help here if this is something she uses.

 

I don't see anything active that would put the number on the desktop.  Can you right click on the number?  Sometimes you can just delete it or if not it may allow you to look at the properties which might show where it is.


  • 0

#36
Himynameiskyle

Himynameiskyle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts

I know what the Displaykey software is for. I just uninstalled it as I don't need to use it on her computer anymore. I can't right click on it, however, I did check the taskbar properties and saw something interesting. Looks like I don't have permission to post an image, but in the settings there is something I don't recognize. The last option listed with the my network settings and volume control says "procexp.64.exe". Then it says "CPU usage: 66%SyncService.exe: 24%." No idea what that is and I realize it could be not that important, but the number bugs the crap out of me. I don't want to give her the impression it's not completely gone.

 

*Edit*

 

Just found out the number is a toolbar. I can simply uncheck it. I wonder if there is a way to delete it?


Edited by Himynameiskyle, 17 December 2017 - 11:38 AM.

  • 0

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 21,070 posts
  • MVP

Reboot and see if you still see SyncService.exe.


  • 0

#38
Himynameiskyle

Himynameiskyle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts

Okay will do. I also just found a blank folder with the phone number hidden in her one drive folders. Did they create a blank folder and then use it as a toolbar? I searched file explorer for the phone number. This is probably why nothing was showing up in the scans. Rebooting.

 

*Edit*

 

That was it. I rebooted and deleted the empty folder. I went to the bottom and looked how to create a new toolbar and it goes straight to file explorer to create a folder. So after I deleted it, it wasn't an option anymore. I can't thank you enough! Any recommendations on protection for her? I'm out of the loop on whether it's worth it to pay for virus protection these days or if the freeware is good enough.


Edited by Himynameiskyle, 17 December 2017 - 12:00 PM.

  • 0

#39
RKinner

RKinner

    Malware Expert

  • Expert
  • 21,070 posts
  • MVP

I use the free versions of Avast & MalwareBytesAntiMalware (MBAM).  Avast will expire after a year but you can reup without charge tho they will try and talk you in to the paid version.  Stick with the Basic version and avoid the trial.  MBAM is actually a trial but after it expires you still get some coverage.  If you want to pay for it then Kaspersky or BitDefender seem to be the best.

 

Some websites have been compromised and when you go to them you will get the warning that your PC is infected.  The warning is bogus since it's the website that has the problem.  Close the browser (If it won't close then right click on the clock and run Task Manager, select the browser then End Task.  When you restart the browser do not let it restore the previous pages.)

 

Since the problem seems to be solved it's time to cleanup:

 

Time to clean up:
IF we used a fixlist in FRST to clean your PC:
To delete the Quarantine Folder used by FRST create a fixlist.txt file with just the following line:

DeleteQuarantine:

Save the fixlist.txt to the same folder as FRST then run FRST and hit Fix.  You can easily delete any other folders and logs.
Otherewaise just delete any files and logs from FRST.
If we installed Speccy it needs to be uninstalled.  Process Explorer, VEW, AdwCleaner, JRT  and their logs and Speccy's log can just be deleted.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  Flash is now the most malware targeted program so it must be kept up to date.  Be careful with Adobe.  They are fond of offering optional downloads like yahoo or Ask toolbars or that worthless McAfee Security Scan.  Go slow and uncheck the optional stuff.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions.


If you use Chrome/Firefox/Edge then get the Ublock Origin extension.  For IE go to adblockplus.org  and get the program.
If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. Close Chrome/Firefox/Skpe. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow starting..

If you use Facebook you need FB Purity: http://www.fbpurity.com/
To prevent a relatively new phishing attack:  In Firefox, type:

about:config

in the URL box and hit Enter.  You should get a new page of options (if you get a notice about voiding the warranty just cancel the warning).  In the Search box put in

puny

You should only get 2 options:
"network.IDN_show_punycode"
We want it to say True but by default it is False so double click on it to toggle from False to True.
 "network.standard-url.punycode-host" Leave this one at default of Flase.
Close and restart firefox.

To test it you can go to:

https://www.xn--80ak6aa92e.com/

If the value is false you will see https://www.apple.cominstead of the correct value


If you are a Facebook user get the FB Purity extension for your browser:
http://www.fbpurity.com/
This will stop all of the suggested pages and ads so that Facebook loads much quicker.


Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will probably be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.combeforeyou open them.

Due to a recent rise in the number of Crytolocker infections I am now recommending you install:

CryptoPrevent

http://www.foolishIT.../cryptoprevent/

The free version does not update on its own so you should check for updated versions once in a while. When you install it the default is NONE which is kind of worthless so change it to Standard or default. If you have problems after installing CryptoPrevent you can just uninstall it.

If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...0637284.htmlandhttp://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.

Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.

Recommended software:  
Compression:  7-zip.  Avoid WinRar and WinZip as the free versions have adware.
Video Player:  VLC  Unlike Windows Medi Player it never seems to need extra files to work.
Photo organizer and editor:  Google's Picasa.  While it has been discontinued by Google you can still get it at:
http://techfilehippo...-free-download/
Office like free program:  Open Office: https://www.openoffice.org/download/
or
LibreOffice: https://www.libreoffice.org/
Free Anti-Virus:  Avast
Free Malware prevention:  MBAM: Free version at https://www.malwareb...m/mwb-download/
Can run with your anti-virus.
Paid Anti-Virus:  Kaspersky or BitDefender
Utilities:
Root Kit Detector:  MBAR: https://www.malwareb...om/antirootkit/
Process Explorer:  Show you what is running on the PC.  Like Task manager but better:  http://live.sysinter...com/procexp.exe
WhoCrashed: Why did your system crash?
http://www.resplendence.com/downloads
Then click on Download free home edition
where it says:
WhoCrashed 5.51
Comprehensible crash dump analysis tool
for Windows 10/8.1/8/7/Vista/XP/2012/2008/2003 (x86 and x64)
System Health:
Speccy:  
http://www.filehippo.com/download_speccy (Look in the upper right for the Download
Latest Version button  - Do NOT press the large Start Download button on the upper left!)  Decline CCleaner if offered.  Pay attention to SMART info on your hard drives and to temps.  If in doubt about temps try:
SpeedFan:  Try speedfan
http://www.filehippo...nload_speedfan/
Download, save and Install it (Win 7 or Vista right click and Run As Admin.) then run it.
Download Flash and Video.  To save flash video.  Works with Firefox.  https://addons.mozil...lash-and-video/

Avoid:  
Advanced System Care
SuperAntiSpyware
HitmanPro
Spybot S&D
Any P2P software especially if it comes from Conduit.
Registry Cleaners
Driver updating software.
PC fixing or Speed up software.
Running more than one anti-virus.
Seagate hard drives.  If you have one it's going to fail on you so backup your data now!


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP