
Thread: can't remove 3 files hi jack hosts

  1. #11
    Junior Member | Join Date: Sep 2014 | Posts: 17

    I removed the Utorrent from my startup ...... For some reason Trendmicro was blocking and removing all of my log files and Farbar etc... I unblocked them all and restored them... I don't know what that is about.

    Here is the fixlog

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-09-2014
    Ran by Scottie at 2014-09-29 20:45:22 Run:1
    Running from C:\Users\Scottie\Desktop
    Loaded Profile: Scottie (Available profiles: Scottie)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    C:\Users\Scottie\AppData\Local\Temp\AcDeltree.exe
    AlternateDataStreams: C:\ProgramData\TEMP:A1EDB939
    AlternateDataStreams: C:\ProgramData\TEMP:FD9CE1F3
    EmptyTemp:
    Hosts:
    End
    *****************

    Processes closed successfully.
    C:\Users\Scottie\AppData\Local\Temp\AcDeltree.exe => Moved successfully.
    C:\ProgramData\TEMP => ":A1EDB939" ADS removed successfully.
    C:\ProgramData\TEMP => ":FD9CE1F3" ADS removed successfully.
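    The fixlog above shows FRST removing two alternate data streams (ADS) from C:\ProgramData\TEMP. As an added example, not part of this thread or of Farbar's tool, the PowerShell script below lists every named stream under a directory so the entries can be reviewed before anything is removed. It assumes PowerShell 5.0 or later (for Get-ChildItem -Depth) on an NTFS volume; the default path is the one reported in the fixlog, and -Root and -Depth are parameters introduced here.

```powershell
# Added example (not from the thread or from FRST): list alternate data streams
# under a directory for review. Read-only; nothing is deleted.
# Assumes PowerShell 5.0+ and an NTFS volume. Default root is the path from the fixlog.
param(
    [string]$Root = 'C:\ProgramData',
    [int]$Depth = 1
)

function Get-AlternateStreams {
    param([string]$Path, [int]$Depth)
    # -Force includes hidden/system entries; access-denied paths are skipped silently
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
    $items += Get-ChildItem -LiteralPath $Path -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        # Every file carries the unnamed ':$DATA' stream; anything else is a named ADS.
        # Directories (like C:\ProgramData\TEMP in the fixlog) can carry named streams too.
        Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

$found = Get-AlternateStreams -Path $Root -Depth $Depth
if (-not $found) {
    "No alternate data streams found under $Root"
    return
}
$found | Sort-Object Path, Stream | Format-Table -AutoSize
```

    Run it from an elevated PowerShell prompt as `.\Get-Ads.ps1 -Root 'C:\ProgramData' -Depth 2`. Expect plenty of `Zone.Identifier` streams on downloaded files; those are the browser's mark-of-the-web and are benign. Streams with random-looking names and a non-zero size on a folder, like the two in the fixlog, are the ones worth submitting to a scanner before deciding to remove them.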

  2. #12
    Junior Member | Join Date: Sep 2014 | Posts: 17

    Also it appears that I am not getting redirected like I was when clicking a link inside a web page..... so that may be fixed. The other problem I was having is that my audio service randomly wasn't running and I would have to click on the speaker to turn on the service, and then it would randomly stop again, but that also seems to be fixed, maybe once I uninstalled that codec pack that was on there??

  3. #13
    Security Expert-emeritus Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 4,084

    Trendmicro is doing its job by blocking. Many internet security programs find our tools invasive; that's why we tell people to temporarily disable them while running these scans.
    If I didn't mention to disable it then I blooped.

    It could be that uninstalling the codec pack was a good idea. Possibly you didn't need it, or where it was downloaded from came bundled with 3rd party malware.

    Not being redirected was our goal so good job!


    What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course how full your computer is.


    Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
    • Note:
      For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
    • Click the blue Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
    • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
    • Click on Advanced Settings
    • Make sure that the option Remove found threats is unticked.
    • Ensure these options are ticked
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Click Start
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
    • Close the ESET online scan.
    Last edited by Juliet; 2014-09-30 at 15:29. Reason: typo
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  4. #14
    Junior Member | Join Date: Sep 2014 | Posts: 17

    I am running the Eset scan now. I ran another malwarebytes scan last night after our last post and it found no threats so the 3 host threats it couldn't remove are now gone!!
    Which is fantastic. I will post the Eset when finished. Thanks Juliet!!!! For all your help and being so quick to respond.

  5. #15
    Junior Member | Join Date: Sep 2014 | Posts: 17

    Here is the log of the eset scan

    C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll a variant of Win64/Sathurbot.A trojan
    C:\Users\All Users\Microsoft\Crypto\RSA64\rsa64.dll a variant of Win64/Sathurbot.A trojan
    C:\Users\Scottie\AppData\Local\USLmedia\smpUtilsvc.dll a variant of Win32/Sefnit.DC trojan
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\282a1d22-5b53e7ca Java/Exploit.Agent.RTL trojan
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2da637be-15096222 Java/Exploit.Agent.RTL trojan
    Operating memory multiple threats

  6. #16
    Security Expert-emeritus Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 4,084

    I ran another malwarebytes scan last night after our last post and it found no threats so the 3 host threats it couldn't remove are now gone!!
    Which is fantastic. I will post the Eset when finished. Thanks Juliet!!!! For all your help and being so quick to respond.
    Glad to hear they're gone. We're glad to help.

    Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
    start
    CloseProcesses:
    C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll
    C:\Users\All Users\Microsoft\Crypto\RSA64\rsa64.dll
    C:\Users\Scottie\AppData\Local\USLmedia\smpUtilsvc.dll
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\282a1d22-5b53e7ca
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2da637be-15096222
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


    Please run this security check for my review.

    Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    Please post these 2 logs when done.

  7. #17
    Junior Member | Join Date: Sep 2014 | Posts: 17

    For some reason FRST.exe is no longer on my desktop to run??? That doesn't make sense. I will have to download it again and run it. I will do this when I get back from lunch.

  8. #18
    Security Expert-emeritus Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 4,084

    That's odd.


    Below is the link.


    Please download Farbar's Recovery Scan Tool to your desktop:

    FRST 32bit or FRST 64bit (If not sure which version: Start --> Computer (right click) --> properties)
    (To use correct version for your system.....Which system am I using?)

  9. #19
    Junior Member | Join Date: Sep 2014 | Posts: 17

    I am pretty sure that Trend Micro deleted the FRST program. The logs are below, but I encountered a new problem after running FRST Fix: after the reboot I got an error box: RegSVR32 C:\users\scottie\Appdata\local\usl\smputilsvc.dll failed to load. Make sure binary is stored at the specified path or debug it to check for problems with the binary or dependent .dll files. The specified module could not be found.


    LOGS

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-09-2014
    Ran by Scottie at 2014-09-30 14:14:51 Run:2
    Running from C:\Users\Scottie\Desktop
    Loaded Profile: Scottie (Available profiles: Scottie)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll
    C:\Users\All Users\Microsoft\Crypto\RSA64\rsa64.dll
    C:\Users\Scottie\AppData\Local\USLmedia\smpUtilsvc.dll
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\282a1d22-5b53e7ca
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2da637be-15096222
    End
    *****************

    Processes closed successfully.
    C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll => Moved successfully.
    "C:\Users\All Users\Microsoft\Crypto\RSA64\rsa64.dll" => File/Directory not found.
    C:\Users\Scottie\AppData\Local\USLmedia\smpUtilsvc.dll => Moved successfully.
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\282a1d22-5b53e7ca => Moved successfully.
    C:\Users\Scottie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2da637be-15096222 => Moved successfully.


    The system needed a reboot.

    ==== End of Fixlog ====

    Results of screen317's Security Check version 0.99.87
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Trend Micro Titanium Internet Security
    Antivirus up to date! (On Access scanning disabled!)
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Java 7 Update 67
    Java(TM) SE Runtime Environment 6 Update 1
    Adobe Reader XI
    Google Chrome 37.0.2062.120
    Google Chrome 37.0.2062.124
    Google Chrome Plugins...
    ````````Process Check: objlist.exe by Laurent````````
    Spybot Teatimer.exe is disabled!
    Trend Micro AMSP coreServiceShell.exe
    Trend Micro UniClient UiFrmWrk uiWatchDog.exe
    Trend Micro AMSP coreFrameworkHost.exe
    Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````

    Thanks Scottie

  10. #20
    Security Expert-emeritus Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 4,084

    error box RegSVR32 C:\users\scottie\Appdata\local\usl\smputilsvc.dll failed to load
    From the Eset scan.
    C:\Users\Scottie\AppData\Local\USLmedia\smpUtilsvc.dll a variant of Win32/Sefnit.DC trojan
    Urban Spotlight UK ---> urban media/video website

    The dll of this program was found to be malicious.

    What we can do here is to completely remove/uninstall this program which is the safest or redownload it, or I can have FRST dequarantine the file.
    But, it's flagged as malicious so I'll have to leave this up to you. Since we don't know where the infection comes in specifically this can be a hard decision.


    Other than that, how's the computer?
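    The regsvr32 "specified module could not be found" box appears when something still tries to load a DLL that has since been quarantined. As an added example, not from this thread or from Farbar's tool, the PowerShell script below walks the standard Run/RunOnce registry keys and reports entries whose target file no longer exists. It assumes (the thread does not say so) that the smpUtilsvc.dll error comes from such a Run-key entry; the key list, the Get-TargetPath and Get-OrphanedRunEntries function names, and the command-line parsing rules are all introduced here. It only reads the registry and the file system.

```powershell
# Added example (not from the thread or from FRST): report autostart entries whose
# target file is missing, the usual cause of a "module could not be found" regsvr32
# error after a DLL has been quarantined. Read-only: nothing is changed or deleted.
# Assumption: the error in the thread originates from a Run/RunOnce entry.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-TargetPath {
    param([string]$CommandLine)
    # regsvr32 lines: the file that matters is the DLL argument, not regsvr32.exe itself
    if ($CommandLine -match '(?i)regsvr32(?:\.exe)?\s+(?:/\w+\s+)*"?([^"]+?\.dll)"?') {
        return $Matches[1]
    }
    # Quoted executable path, e.g. "C:\Program Files\Vendor\tool.exe" /silent
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take everything up to the first known extension
    if ($CommandLine -match '(?i)^\s*(.+?\.(?:exe|dll|cmd|bat|vbs|js))(?:\s|$)') { return $Matches[1] }
    return $null
}

function Get-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
            $target = Get-TargetPath -CommandLine ([string]$p.Value)
            if (-not $target) { continue }
            # Run entries often use %SystemRoot%, %LOCALAPPDATA% and similar
            $expanded = [Environment]::ExpandEnvironmentVariables($target)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $expanded
                Exists  = Test-Path -LiteralPath $expanded
            }
        }
    }
}

# Only the entries whose target is gone are interesting for this symptom
Get-OrphanedRunEntries | Where-Object { -not $_.Exists } | Format-List
```

    Run it from an elevated prompt so the HKLM keys are readable. An orphaned entry confirms that the DLL was quarantined, not that the machine is clean; the entry itself is what still needs to be removed (FRST's fix will do that from the matching line in its log). Scheduled tasks, services and the Startup folder are other autostart locations this check does not cover.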
