Request for Help with Virus

September 10, 2015 at 14:19:00
Specs: Windows Vista
Hello
I have a virus which I cannot get the better of - have spent ages trying and would be really grateful for some help.




#1
September 10, 2015 at 14:50:07
These three widely used and safe little freebies often unearth a lot:
(run them in the order given)

AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button.

Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
https://www.malwarebytes.org/downlo...
Download the free version.
Install and Run the program but before doing its Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Please copy/paste the logs on here. Even if the symptoms go away further checks will be necessary to ensure your computer is properly clean.

Always pop back and let us know the outcome - thanks



#2
September 10, 2015 at 15:47:26
Ok, I shall run those and post logs, thanks.


#3
September 10, 2015 at 16:03:10
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/09/2015
Scan Time: 23:50:49
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.09.10.07
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 1
CPU: x86
File System: NTFS
User: kelly

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 295674
Time Elapsed: 11 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)




#4
September 10, 2015 at 16:05:16
Thanks. Let's see what the others find.

Always pop back and let us know the outcome - thanks



#5
September 10, 2015 at 16:11:50
# AdwCleaner v5.007 - Logfile created 11/09/2015 at 00:08:45
# Updated 08/09/2015 by Xplode
# Database : 2015-09-08.2 [Local]
# Operating system : Windows Vista (TM) Home Premium Service Pack 1 (x86)
# Username : kelly - KELLY-PC
# Running from : C:\Users\kelly\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}

***** [ Files ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}

***** [ Web browsers ] *****


*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [793 bytes] ##########



#6
September 10, 2015 at 16:15:34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.1 (09.08.2015:1)
OS: Windows Vista (TM) Home Premium x86
Ran by kelly on 11/09/2015 at 0:12:02.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Tasks

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-79309877-1372909346-2182394676-1000\Software\Microsoft\Internet Explorer\Main\\Start Page

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/09/2015 at 0:14:47.13
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#7
September 10, 2015 at 16:17:05
Thanks for helping Derek


#8
September 10, 2015 at 16:20:49
Next step.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif




#10
September 10, 2015 at 16:33:38
Thanks kelaren, whilst I'm going through those logs, run this please.

Run Hitman Pro, then copy and paste the contents of the log into your reply please.
http://www.softpedia.com/get/Intern...
http://www.surfright.nl/en/HitmanPro
http://www.surfright.nl/en/hitmanpro/
How to scan and obtain a log
http://forums.majorgeeks.com/showth...
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (32-bit)
http://dl.surfright.nl/HitmanPro35.exe



#11
September 10, 2015 at 16:42:53
[code]
HitmanPro 3.7.9.245
www.hitmanpro.com

Computer name . . . . : KELLY-PC
Windows . . . . . . . : 6.0.1.6001.X86/2
User name . . . . . . : kelly-PC\kelly
UAC . . . . . . . . . : Disabled
License . . . . . . . : Free

Scan date . . . . . . : 2015-09-11 00:39:20
Scan mode . . . . . . : Normal
Scan duration . . . . : 2m 33s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 2

Objects scanned . . . : 1,048,760
Files scanned . . . . : 8,109
Remnants scanned . . : 155,422 files / 885,229 keys

Suspicious files ____________________________________________________________

C:\Users\kelly\Downloads\FRST.exe
Size . . . . . . . : 1,692,672 bytes
Age . . . . . . . : 0.0 days (2015-09-11 00:25:41)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 9992A5565C04B8325D8CE63A4B459ACA4CC3419833D296FE90C4B79F85FCA36B
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
References
HKU\S-1-5-21-79309877-1372909346-2182394676-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\kelly\Downloads\FRST.exe

[/code]



#12
September 10, 2015 at 16:44:00
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
SearchScopes: HKLM -> DefaultScope {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
SearchScopes: HKLM -> {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-79309877-1372909346-2182394676-1000 -> DefaultScope {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
SearchScopes: HKU\S-1-5-21-79309877-1372909346-2182394676-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
SearchScopes: HKU\S-1-5-21-79309877-1372909346-2182394676-1000 -> {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.



#13
September 10, 2015 at 16:55:17
Fix result of Farbar Recovery Scan Tool (x86) Version:10-09-2015 01
Ran by kelly (2015-09-11 00:49:02) Run:1
Running from C:\Users\kelly\Downloads
Loaded Profiles: kelly (Available Profiles: kelly)
Boot Mode: Normal

==============================================

fixlist content:
*****************
closeprocesses:
emptytemp:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
SearchScopes: HKLM -> DefaultScope {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
SearchScopes: HKLM -> {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-79309877-1372909346-2182394676-1000 -> DefaultScope {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
SearchScopes: HKU\S-1-5-21-79309877-1372909346-2182394676-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
SearchScopes: HKU\S-1-5-21-79309877-1372909346-2182394676-1000 -> {F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
*****************

Processes closed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F}" => key removed successfully.
HKCR\CLSID\{F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} => key not found.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKU\S-1-5-21-79309877-1372909346-2182394676-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-79309877-1372909346-2182394676-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKU\S-1-5-21-79309877-1372909346-2182394676-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F}" => key removed successfully.
HKCR\CLSID\{F2AAE1D6-1CD2-48DB-BFA5-868093D5AD8F} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.
"HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}" => key removed successfully.
"HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" => key removed successfully.
"HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" => key removed successfully.
blbdrive => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
EmptyTemp: => 56.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 00:49:11 ====
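The JRT log and the FRST fixlist above both act on the same three Internet Explorer hijack points: the `Start Page` and `Default_Page_URL` values under `Main`, and the per-GUID `URL` values under `SearchScopes` (with `DefaultScope` naming the active one). The PowerShell below is an added example written for this thread, not code from the original posts or from the JRT/FRST authors; it re-reads those locations in HKLM, HKCU and every loaded hive under HKEY_USERS and lists any value whose host is not on an allow-list. The allow-list is constructed for illustration and should be changed to whatever the owner actually uses; it assumes an elevated PowerShell 2.0 or later.

```powershell
# Added example, not from the thread: audit the Internet Explorer hijack points that JRT
# repaired and the FRST fixlist restored (Start Page, Default_Page_URL, SearchScopes).
# Assumptions: run in an elevated PowerShell 2.0 or later; the allow-list below is
# constructed for illustration and should be changed to whatever the owner really uses.

$AllowedHosts = @('www.google.com', 'www.bing.com', 'go.microsoft.com')

function Get-UrlHost {
    param([string]$Url)
    if ([string]::IsNullOrEmpty($Url)) { return $null }
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $Url.ToLowerInvariant() }
}

function Test-AllowedUrl {
    param([string]$Url)
    $h = Get-UrlHost $Url
    if (-not $h) { return $false }   # an empty URL (like the HKU\.DEFAULT scope above) is suspect
    return [bool]($AllowedHosts -contains $h)
}

function Get-IeHijackFindings {
    # HKLM, HKCU and every loaded user hive under HKEY_USERS, matching what FRST walks
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $Roots = @('HKLM:\Software\Microsoft\Internet Explorer',
               'HKCU:\Software\Microsoft\Internet Explorer')
    foreach ($Hive in Get-ChildItem 'HKU:\') {
        $Roots += "HKU:\$($Hive.PSChildName)\Software\Microsoft\Internet Explorer"
    }

    $Findings = @()
    foreach ($Root in $Roots) {
        # 1. Home page values
        $Main = Get-ItemProperty -Path "$Root\Main" -ErrorAction SilentlyContinue
        if ($Main) {
            foreach ($Name in 'Start Page', 'Default_Page_URL') {
                $Value = $Main.$Name
                if ($Value -and -not (Test-AllowedUrl $Value)) {
                    $Findings += New-Object PSObject -Property @{
                        Location = "$Root\Main"; Name = $Name; Value = $Value }
                }
            }
        }
        # 2. Search scopes: each GUID subkey carries a URL; DefaultScope names the active one
        $ScopesPath = "$Root\SearchScopes"
        if (Test-Path $ScopesPath) {
            $Default = (Get-ItemProperty -Path $ScopesPath -ErrorAction SilentlyContinue).DefaultScope
            foreach ($Scope in Get-ChildItem $ScopesPath -ErrorAction SilentlyContinue) {
                $Url = (Get-ItemProperty -Path $Scope.PSPath).URL
                if (-not (Test-AllowedUrl $Url)) {
                    $Label = if ($Scope.PSChildName -eq $Default) { 'URL (DefaultScope)' } else { 'URL' }
                    $Findings += New-Object PSObject -Property @{
                        Location = $Scope.Name; Name = $Label; Value = $Url }
                }
            }
        }
    }
    return $Findings
}

$Results = @(Get-IeHijackFindings)
if ($Results.Count -eq 0) { 'No unexpected IE start page or search scope entries found.' }
else { $Results | Format-Table Location, Name, Value -AutoSize -Wrap }
```

Run it once before a fix to see what the tools are about to change, and again afterwards to confirm nothing re-created the entries on the next reboot; a hijacker that survives a fix usually has a startup item or service still writing these values, which is exactly what the FRST logs requested above are for.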



#14
September 10, 2015 at 16:56:11
Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to keep and use outdated versions on the computer.
Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
Make sure that these are checked:
Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
The tool will create a report for you (C:\DelFix.txt).


#15
September 10, 2015 at 16:58:55
# DelFix v1.011 - Logfile created 11/09/2015 at 00:57:54
# Updated 18/08/2015 by Xplode
# Username : kelly - KELLY-PC
# Operating System : Windows Vista (TM) Home Premium Service Pack 1 (32 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\kelly\Desktop\mbar
Deleted : C:\TDSSKiller.3.0.0.44_07.09.2015_05.31.31_log.txt
Deleted : C:\Users\kelly\Downloads\Addition.txt
Deleted : C:\Users\kelly\Downloads\AdwCleaner.exe
Deleted : C:\Users\kelly\Downloads\Fixlog.txt
Deleted : C:\Users\kelly\Downloads\FRST.exe
Deleted : C:\Users\kelly\Downloads\FRST.txt
Deleted : C:\Users\kelly\Downloads\JRT.exe
Deleted : C:\Users\kelly\Downloads\RogueKiller.exe
Deleted : C:\Users\kelly\Downloads\RogueKiller.exe.opdownload
Deleted : C:\Users\kelly\Downloads\tdsskiller.exe
Deleted : C:\Users\kelly\Downloads\tdsskiller.zip
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #102 [Windows Vista Service Pack 1 | 09/10/2015 18:12:53]
Deleted : RP #103 [Windows Vista Service Pack 1 | 09/10/2015 19:30:49]
Deleted : RP #105 [RegRun Virus Scan | 09/10/2015 20:24:57]
Deleted : RP #106 [JRT Pre-Junkware Removal | 09/10/2015 23:12:03]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########



#16
September 10, 2015 at 17:00:17
Do you have any issues now?

Here is how USERS normally get these problems; no AV would have prevented USER error. Go to any Malware forum & no matter what AV they have installed, they got infected.

As you can see from your logs, you had a lot of stuff installed without knowing how it got installed.
A lot of programs now give you the choice to install toolbars & other things during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...

I use Softpedia & FreewareFiles.com, they make you aware what Ad-supported programs the author of the program has included.
http://win.softpedia.com/index.free...
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
http://i.imgur.com/rqSpp1e.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.



#17
September 10, 2015 at 17:00:41
kelaren

I'll leave you in Johnw's capable hands now. I just thought I'd get the ball rolling until he noticed this thread.

Always pop back and let us know the outcome - thanks



#18
September 10, 2015 at 17:05:12
Thanks Derek and Johnw! I've been trying to remove this for ages to no avail. I will check and get back to you. Sometimes it seemed clean but then I would notice hidden things etc.


#19
September 10, 2015 at 17:09:14
Thanks Derek.

Nice work kelaren.
I would now run CCleaner Registry clean.
http://i.imgur.com/UUecMp3.gif



#20
September 10, 2015 at 17:21:49
" Sometimes it seemed clean but then I would notice hidden things etc."
For a second opinion, run this.

Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
Make sure these options are checked/ticked in Advanced settings.
Remove found threats, Scan archives, Scan for potentially unsafe applications, Enable Anti-Stealth technology.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
If your comp is unbootable, or won't let you download, you will have to download ESET from a good computer, put it on a flash/thumb/pen/usb drive & run it from there.
Create an ESET SysRescue CD or USB drive
http://support.eset.com/kb2103/
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://support.eset.com/kb2612/
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
3: Which web browsers are compatible with ESET Online Scanner?
http://support.eset.com/kb405/?loca...
Online Scanner not working
http://support.eset.com/kb403/?loca...
My ESET product detected a threat—what should I do?
http://support.eset.com/kb117/
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
http://support.eset.com/kb405/?view...
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://support.eset.com/kb405/?view...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\ESET\EsetOnlineScanner\log.txt" (on 64-bit systems this directory will be "C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt"). You can view this file by navigating to the directory and double-clicking it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#21
September 10, 2015 at 19:11:54
Hey JohnW
Since my last post I notice on event viewer that there are other logons with privileges being created - it is like my computer is hacked on remote access?? I'll try ESET thanks


#22
September 10, 2015 at 20:02:44
"Since my last post I notice on event viewer that there are other logons with privileges being created"
Doesn't sound good kelaren, after posting the ESET results, run this please.

I'm here.
http://www.timeanddate.com/worldclo...

Really make sure you put Combofix on the Desktop, most of these special programs are designed to run from there.

Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual."
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

message edited by Johnw



#23
September 10, 2015 at 20:27:47
ESET =
C:\MGTools\Process.exe Win32/PrcView potentially unsafe application cleaned by deleting - quarantined


#24
September 10, 2015 at 20:30:14
I'm here - http://www.timeanddate.com/worldclo...
This virus is making me nocturnal :)
I'll run Combofix


#25
September 10, 2015 at 20:36:12
A lot of special programs like MGTools\Process.exe Win32/PrcView get seen by other programs as a threat, when they are not.


#26
September 10, 2015 at 20:40:57
"This virus is making me nocturnal :)"
Derek is a UK neighbor, I suspect he is now asleep, he recently took the pledge to try & keep normal hours.


#27
September 10, 2015 at 20:53:09
http://www4.zippyshare.com/v/1EYuQ7...
I think youse are wee angels


#28
September 10, 2015 at 21:06:25
Download Security Check by screen317 from one of the following links and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
Please restart the computer before running this security check.
* Double click SecurityCheck.exe. If you run Windows Vista or 7/8, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; Please Copy and Paste the contents into your reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


#29
September 10, 2015 at 21:14:57
Ok Johnw, I am on it.


#30
September 10, 2015 at 21:16:02
Results of screen317's Security Check version 1.008
Windows Vista Service Pack 1 x86 (UAC is enabled)
[url=http://support.microsoft.com/kb/935791][color=red][b]Out of date service pack!![/color][/url][/b]
Internet Explorer 7 [color=red][b]Out of date![/b][/color]
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
CCleaner
Java(TM) SE Runtime Environment 6
[color=red][b]Java version 32-bit out of Date![/b][/color]
Adobe Reader 8 [color=red][b]Adobe Reader out of Date![/b][/color]
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 7 % [color=red][b]Defragment your hard drive soon! (Do NOT defrag if SSD!)[/b][/color]
[b][u]````````````````````End of Log``````````````````````[/b][/u]


#31
September 10, 2015 at 21:23:27
What I would do is run this uninstaller, to get the remnants of Norton out of your system.
How can I fully remove Norton Antivirus from my system?
https://support.norton.com/sp/en/us...
http://www.askdavetaylor.com/how_to...
http://www.askdavetaylor.com/how_ca...
http://www.pchell.com/virus/uninsta...
http://www.softpedia.com/get/Tweak/...

Quite a bit to do from the security check, I use the MS AV myself.
After cleaning the remnants of Norton, you will be a lot better off, security wise, with SP2.
http://windows.microsoft.com/en-us/...

Extract from your Addition log.
"Error: (09/10/2015 09:24:56 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process."

If this is a deliberate action, ignore.

If it is an unresolved problem, here is what to do.
https://www.terabyteunlimited.com/k...

Windows Forensics: Have I been Hacked?
http://www.bleepingcomputer.com/tut...
Tracing a hacker
http://www.bleepingcomputer.com/tut...


#32
September 11, 2015 at 04:09:53
Sorry Johnw I fell asleep!

#33
September 11, 2015 at 04:36:33
"Sorry Johnw I fell asleep!"
No problem kelaren, I figured it was either sleep or the work load I gave you.

#34
September 11, 2015 at 07:28:38
I think I've given you a heavy workload.
I'm pure grateful for the help.
Hey JohnW, I am not sure if I have even used the right terminology, I'm not sure this is even called a virus.
Here is a little description..
I've had this "issue" in my laptop for a few months now. I've tried system restores, every scan under the sun, nothing has helped.
It is a hidden process, which seems to be related to my remote access (even though I have switched it off).
It tends to go through svchost on process manager.
It keeps on writing logons and giving itself admin privileges.
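As an added triage example (not from any poster in this thread), the following PowerShell checks the two things kelaren describes: which services each svchost.exe instance hosts and whether its binary is the genuine %SystemRoot%\System32\svchost.exe, and which accounts logged on in the last 24 hours with administrative privileges. It assumes an elevated PowerShell 2.0 prompt on Vista with default logon auditing in the Security log; it only reports and changes nothing.

```powershell
# Added triage example (not from the thread). Run elevated; uses only Get-WmiObject and
# Get-WinEvent, both available with PowerShell 2.0 on Vista.
$sys32 = Join-Path $env:SystemRoot 'System32\svchost.exe'

# 1. Map every svchost.exe to the services it hosts and flag any copy that is not the
#    genuine System32 binary. Unknown or oddly named service entries deserve a closer look.
Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $hosted = Get-WmiObject Win32_Service -Filter "ProcessId = $($_.ProcessId)" |
              Select-Object -ExpandProperty Name
    New-Object PSObject -Property @{
        PID      = $_.ProcessId
        Path     = $_.ExecutablePath
        Genuine  = ($_.ExecutablePath -ne $null) -and ($_.ExecutablePath -ieq $sys32)
        Services = ($hosted -join ', ')
    }
} | Format-Table PID, Genuine, Services, Path -AutoSize

# 2. Logons in the last 24 hours: 4624 = an account logged on, 4672 = special (administrative)
#    privileges assigned to that new logon. Logon type 10 is Remote Desktop and type 3 is a
#    network logon; either needs explaining when remote access is supposedly switched off.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $since } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        # 4624 names the account in Target*, 4672 names it in Subject*
        if ($d['TargetUserName']) {
            $user = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        } else {
            $user = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $user
            LogonType = $d['LogonType']    # empty for 4672
            Source    = $d['IpAddress']    # empty for 4672 and for local logons
        }
    } |
    # drop the built-in service accounts and the machine account (name ending in $)
    Where-Object { $_.User -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON|[^\\]+\$)$' } |
    Sort-Object Time |
    Format-Table Time, EventId, User, LogonType, Source -AutoSize
```

A 4672 event for an account that has no matching interactive 4624 from the console, or a 4624 with logon type 10 or 3 from an unexpected Source address, is the kind of entry worth posting back to the thread.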

#35
September 11, 2015 at 13:40:11
Could you explain exactly what happens on your computer which leads you to believe you have this hidden process? Give us all the info.

Always pop back and let us know the outcome - thanks


#36
September 11, 2015 at 15:02:26
Cutting in on John's excellent tutorials and advice - he is one of our principal gurus when it comes to pest removals...

Have you tried a scan of the system - from outside of Windows itself?

This is done with a Linux based disk which has a built-in virus/pest scanner util. There are several around; Kaspersky, Sophos, Avast to mention but three (oh and I think Bitdefender have one as well).

I tend to Kaspersky. One boots the system with the disk. It will load itself into RAM only and then will go online to update itself. After that it will scan the system "fully" and deal with anything it finds...

It's a freebie... and these are the links to download the ISO - which you then burn to a DVD and/or a usb/flash drive. One of the links describes how to do the latter. Use a DVD as it's too large a package for CD. Boot with that DVD...

http://support.kaspersky.co.uk/viru...

http://support.kaspersky.co.uk/4162

http://support.kaspersky.co.uk/8092

http://www.majorgeeks.com/files/det...

This link describes in some detail the whole "how to use" (as does at least one of the Kaspersky links). I think the link below is perhaps a little clearer for some pholks?

http://tinyurl.com/373ojxb

The reason I suggest a scan from outside Windows - i.e. when Windows is not booted up - is because there are more than a few pests that hide within Windows system files and avoid detection from many pest/virus removal utils... Scanning from outside the booted OS means they can't so easily hide; and thus are often found/dealt with.

Another freebie - an online scan - which occasionally finds things "others miss from within Windows" is the free Trend Housecall routine. You simply go to the site (link below), click on the Housecall free scan; let it install a wee package (it's quite safe); then let it scan the system "fully". It may take a while (tyme for tea 'n cookies, or hot choccy and cake). It will deal with anything it finds. It may delete them entirely; or at least quarantine them; and you can delete items quarantined.

http://housecall.trendmicro.com

I use it on occasion just to double check; and I'm running windows and Mac systems... They now provide it for Mac systems as some pests are about aimed at Mac OS too...


#37
September 11, 2015 at 15:47:33
kelaren
Re your post #21
Understood.
Re your post #34.
Understood.
Re my post #31.
I am now waiting for you to respond to every point.

Once we have everything in shape, we will be in a position to deal with other problems.


#38
September 11, 2015 at 19:53:36
Ok back to work...

#39
September 12, 2015 at 06:39:48
I carried out the task on terabyteunlimited
I have updated my windows to sp2
I tried to install antivirus, Avira, which clogged my system to death, so after scanning I uninstalled.
There was an extra application with Avira called Steganos which scanned my connection to the internet I think. It left a large log which I am going to upload on zippy - for your perusal.
http://www98.zippyshare.com/v/Ik8Yi...
Just about to install the MS AV.

Hope all is good with you Johnw


#40
September 12, 2015 at 09:23:56
It looks like Steganos (German program) is something you pay for, so presumably it is a trial. Never heard of it but it doesn't appear to be a scam. Whether or not it is of value depends how limited it is without payment.

It will be interesting to see what Johnw makes of it, and the log which appeared to be mainly information.

Always pop back and let us know the outcome - thanks

message edited by Derek


#41
September 12, 2015 at 17:01:35
"Steganos log which appeared to be mainly information"
Derek is right, may come in handy.

Run screen317's Security Check again please & post the new log.

All good here kelaren, you are probably in bed now.


#42
September 12, 2015 at 19:28:50
No I am here!! Ready to combat the evildoers in Aussie time :)

Results of screen317's Security Check version 1.008
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 7 [color=red][b]Out of date![/b][/color]
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Java(TM) SE Runtime Environment 6
[color=red][b]Java version 32-bit out of Date![/b][/color]
Adobe Reader 8 [color=red][b]Adobe Reader out of Date![/b][/color]
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 10 % [color=red][b]Defragment your hard drive soon! (Do NOT defrag if SSD!)[/b][/color]
[b][u]````````````````````End of Log``````````````````````[/b][/u]


#43
September 12, 2015 at 19:53:53
Hard to know where to start, let's tackle this first, small steps.

"Just about to install the MS AV"
You can only have one AV installed, otherwise they fight each other.
AVs have to be uninstalled using their own special uninstaller.

Let's make sure Avira is completely uninstalled.
Download Avira AntiVir Removal Tool
http://www.avira.com/en/support-dow...
http://www.avira.com/en/support-for...

MS AV doesn't appear to be installed.
Microsoft Security Essentials ( MSE )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://windows.microsoft.com/en-us/...
http://www.techsupportalert.com/9be...
http://windows.microsoft.com/en-us/...
System requirements
http://www.microsoft.com/en-us/secu...
Check list for installing Microsoft Security Essentials
http://experts.windows.com/w/expert...
Can Microsoft Security Essentials ( MSE ) protect me from online banking and shopping?
http://answers.microsoft.com/en-us/...
If you choose to use Security Essentials, please follow the steps in this thread first, especially the part about removing all existing realtime antimalware:
http://kb.eset.com/esetkb/index?pag...

message edited by Johnw
