
Possible Virus: Help Appreciated



danib
2015-07-11, 18:19
Hi everyone,

Here I am again trying to help my dad with his problem PC.

Please find logs attached; any help would be appreciated.

Many thanks.

Daniel.

Juliet
2015-07-12, 14:27
Running from C:\Users\Alan\Downloads

It's best we move Farbar's to desktop.

Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.


Please open Notepad (*Do not use Wordpad* or any text editor other than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below.
To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CloseProcesses:
SearchScopes: HKLM -> {31090377-0740-419E-BEFC-A56E50500D5B} URL = http://speedial.com/results.php?f=4&q={searchTerms}&a=spd_dsites02_14_23_ie&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCyD0FtAyD0AtBtByDzztDtN0D0Tzu0SzzzzzytN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StD0E0C0F0A0D0AtCtG0BtCyEtBtGyDtDyEzytGyCtDyDyBtGtDzz0Azy0C0BzyyB0AtBtD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0DtB0EyE0F0C0EtGyC0BtDtAtGyDtD0FyDtGtByByD0AtGyD0D0AyDyE0ByBtAtC0Dzz0C2Q&cr=1833245417&ir=
C:\Users\Alan\AppData\Local\Temp\13-9-legacy_vista_win7_32_dd_ccc_whql.exe
C:\Users\Alan\AppData\Local\Temp\IrsoDLL.dll
C:\Users\Alan\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\Alan\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Alan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Alan\AppData\Local\Temp\jre-8u40-windows-au.exe
C:\Users\Alan\AppData\Local\Temp\nsg1BA8.tmp.exe
C:\Users\Alan\AppData\Local\Temp\optprosetup.exe
C:\Users\Alan\AppData\Local\Temp\Quarantine.exe
C:\Users\Alan\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Alan\AppData\Local\Temp\ReiSysUpdate.exe
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
EmptyTemp:
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~~~~

AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) and save the file to your Desktop.
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


Please post:
Fixlog.txt
C:\AdwCleaner.txt
JRT.txt

danib
2015-07-12, 18:02
Hello Juliet,

Thank you, for your help.

I had difficulty running Farbar at first; it just kept 'not responding'. I had noted that the computer was having difficulty running Windows file explorer; it takes a long time to find the files in a location, the green progress bar just sits at the top.

Farbar was moved to the desktop and the logs are attached.

Thanks again.

Daniel.

Juliet
2015-07-12, 18:44
Since running those tools, are you seeing any improvements?

At times, Norton Internet Security can bog down a machine, but I'm not sure in this case. How long have you had it on the machine, and has it had problems running in the past?
If I read the virus definition log correctly, it might also need updating.

~~~~~~~~~~~~~~
Please download Malwarebytes Anti-Malware (http://downloads.malwarebytes.org/file/mbam) and save it to your desktop.

Double-click on the setup file (mbam-setup.exe), then click on Run to install.
Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
Click on Update Now to download the current database definitions, then click the Scan Now >> button.
If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
You will be prompted to update Malwarebytes...click on the Update Now button.
The THREAT SCAN will automatically begin.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)

Open Malwarebytes Anti-Malware.
Click the History Tab at the top and select Application Logs.
Select (check) the box next to Scan Log. Choose the most current scan.
Click the View button.
Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)



When the scan is finished and the log pops up...select Copy to Clipboard

Please paste the log back into this thread for review

Exit Malwarebytes

Please post this log (copy and paste) in your next reply instead of attaching.

danib
2015-07-14, 19:05
Hi Juliet,

Thank you for your support. I have to walk to my parents' house to access the PC; that is why sometimes it takes a while before I get back to you.

Re your question: Since running those tools are you seeing any improvements?

Yes, I think so. Firefox was doing funny things, opening extra tabs and such like, but I tracked that down to some weird browser extension that's been added called 'extra tab' or something. 'Windows file explorer' is slow too; I can't figure out if that is the PC's spec though.

I noted that Malwarebytes found 8 threats on the system; the log is below.

I have updated Adobe Flash and Adobe Reader, but Firefox still has Adobe Reader listed as out of date for some reason.

Thanks for your help once again. I will await your instruction.

All the best,

Daniel.
_____________________________

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 14/07/2015
Scan Time: 16:29:24
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.14.04
Rootkit Database: v2015.07.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Alan

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 302439
Time Elapsed: 28 min, 3 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [139926bbc6c462d4cf92236fd3311ae6],
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-19\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [affd6180fd8d033362fff39f33d1c937],
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-20\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [2c80954cee9c5dd928397b17d33129d7],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.AdPeak.A, C:\temp, Quarantined, [3676519002885cdac4ad1c19010239c7],

Files: 4
PUP.Optional.CouponDownloader.A, C:\temp\t_ie.exe, Quarantined, [d3d938a9cac0b77fb1d888af4cb4fa06],
PUP.Optional.InstallCore, C:\Users\Alan\Downloads\AcrobatReaderSetup(1).exe, Quarantined, [733919c8d0baad898f1b08f35ca8748c],
PUP.Optional.SuperCool, C:\Users\Alan\Downloads\AcrobatReaderSetup.exe, Quarantined, [37757e63b5d5c076be3bcf5ae41d649c],
PUP.Optional.AdPeak.A, C:\temp\lsp2.log, Quarantined, [3676519002885cdac4ad1c19010239c7],

Physical Sectors: 0
(No malicious items detected)


(end)
________________________________
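As an added example (not part of the thread, and not Malwarebytes' own tooling), a small Python parser for the scan log format posted above: it separates the scan metadata from the per-section detections, keeps paths that contain commas intact, and flags any section whose declared count does not match the lines actually listed, which is how a helper spots a truncated or edited paste. The embedded sample is a constructed, abridged copy of the log above.

```python
"""Parse a Malwarebytes Anti-Malware 2.x scan log and cross-check its section counts."""
import re
from collections import Counter
# Constructed sample: an abridged copy of the scan log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware

Scan Date: 14/07/2015
Malware Database: v2015.07.14.04
Objects Scanned: 302439

Processes: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [139926bbc6c462d4cf92236fd3311ae6],
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-19\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [affd6180fd8d033362fff39f33d1c937],

Folders: 1
PUP.Optional.AdPeak.A, C:\temp, Quarantined, [3676519002885cdac4ad1c19010239c7],

Files: 3
PUP.Optional.CouponDownloader.A, C:\temp\t_ie.exe, Quarantined, [d3d938a9cac0b77fb1d888af4cb4fa06],
PUP.Optional.InstallCore, C:\Users\Alan\Downloads\AcrobatReaderSetup(1).exe, Quarantined, [733919c8d0baad898f1b08f35ca8748c],
PUP.Optional.AdPeak.A, C:\temp\lsp2.log, Quarantined, [3676519002885cdac4ad1c19010239c7],
(end)
"""

# Section names used by MBAM 2.x; any other "Key: value" line is scan metadata.
SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors"}
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z -]+): ?(?P<value>.*)$")
DETECTION_RE = re.compile(r"^(?P<head>.+), (?P<action>[A-Za-z-]+), \[(?P<sig>[0-9a-f]{32})\]$")

def parse_detection(line):
    """'Name, Path, Action, [sig],' -> dict. Action and signature are anchored
    at the right end of the line so a path containing commas survives intact."""
    m = DETECTION_RE.match(line.strip().rstrip(","))
    if not m:
        raise ValueError(f"not a detection line: {line!r}")
    name, _, path = m["head"].partition(", ")
    return {"name": name, "path": path, "action": m["action"], "sig": m["sig"]}

def parse_mbam_log(text):
    """Return {'header': {key: value}, 'sections': {name: {'declared', 'items'}}}."""
    header, sections, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m and m["name"] in SECTIONS:          # start of a detection section
            current = m["name"]
            sections[current] = {"declared": int(m["count"]), "items": []}
        elif current is None:                    # still in the metadata block
            h = HEADER_RE.match(line)
            if h:
                header[h["key"]] = h["value"]
        else:                                    # a detection inside a section
            sections[current]["items"].append(parse_detection(line))
    return {"header": header, "sections": sections}

def count_mismatches(parsed):
    """Sections whose declared count differs from the lines actually listed."""
    return {n: (s["declared"], len(s["items"]))
            for n, s in parsed["sections"].items() if s["declared"] != len(s["items"])}

def by_family(parsed):
    # Detection name -> number of hits across all sections.
    return Counter(d["name"] for s in parsed["sections"].values() for d in s["items"])
```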

Juliet
2015-07-14, 19:49
Let's see if Firefox's plugin update tool will cure that issue.

https://www.mozilla.org/en-US/plugincheck/

This site will check which version of Flash is on the machine, with directions on how to update. Note: uncheck McAfee Security Scan.

http://www.adobe.com/software/flash/about/

~~~~~~~~~~~~~~~~~~~~~~~~
What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner, the most reliable and thorough.
The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course on how full your computer is.


ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.


Please download ESET Online Scan (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe) and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/).
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Advanced settings. Place a checkmark next to:

Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology


Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png. If no threats were found, skip the next two bullet points.
Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xKN1w2nv.png.pagespeed.ic.JWqIaEgZi7.png and click http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/SzOC1p0.png.pagespeed.ce.OWDP45O6oG.png.
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.

danib
2015-07-15, 14:16
Hi Juliet,

Please find log contents below:

C:\AdwCleaner\Quarantine\C\Program Files\004\rqpbhevlkc32.exe.vir a variant of Win32/AdWare.Adpeak.F application
C:\FRST\Quarantine\C\Users\Alan\AppData\Local\Temp\IrsoDLL.dll.xBAD a variant of Win32/InstallCore.YX potentially unwanted application
C:\FRST\Quarantine\C\Users\Alan\AppData\Local\Temp\optprosetup.exe.xBAD multiple threats

Regarding Firefox and Adobe: I ran the plugin update tools again and got the same result on Adobe Reader. Research indicates that the issue of Adobe Reader being listed as not updated when it is could be because Vista is not supported anymore. There are newer versions out there, but Firefox doesn't know that they don't apply. If that makes sense?

Awaiting instructions.

Thanks again,

Daniel.

Juliet
2015-07-15, 14:39
Here's a good article concerning Adobe and Windows Vista:
https://helpx.adobe.com/acrobat/kb/run-acrobat-windows-vista.html

Scan came back in good shape, all items already in quarantine folders, no more malware found.

What other issues remain?

danib
2015-07-15, 16:29
Hi Juliet,

Good, I can answer this one from my house!

I have increased the Windows Vista virtual memory limit and activated Ready Boost using a USB to give him some extra memory. Hopefully, that will speed up his PC too. In addition, I have tried to update everything for him.

If you are happy, I am happy. Everything seems much better at this end - thank you. I'll tell my dad to watch what he's clicking more closely (again); he's an author and political activist, so he goes on dodgy sites that I just wouldn't contemplate visiting.

One last thing please, could you direct me to the clean up tool that removes all these programs we have put on his PC?

Thanks again, for your kind help.

danib
2015-07-15, 17:33
Hi,

One more question please: If we 'unchecked' remove all threats at the start of the ESET Scan, are they still there or did the threats get removed at uninstall or are they OK because they are quarantined?

Thanks.

Juliet
2015-07-15, 18:09
> Hi Juliet,
>
> Good, I can answer this one from my house!
>
> I have increased the Windows Vista virtual memory limit and activated Ready Boost using a USB to give him some extra memory. Hopefully, that will speed up his PC too. In addition, I have tried to update everything for him.
>
> If you are happy, I am happy. Everything seems much better at this end - thank you. I'll tell my dad to watch what he's clicking more closely (again); he's an author and political activist, so he goes on dodgy sites that I just wouldn't contemplate visiting.
>
> One last thing please, could you direct me to the clean up tool that removes all these programs we have put on his PC?
>
> Thanks again, for your kind help.
>
> One more question please: If we 'unchecked' remove all threats at the start of the ESET Scan, are they still there or did the threats get removed at uninstall or are they OK because they are quarantined?



This week Microsoft Update released updates for vulnerabilities, I think, found in a couple of items (software) he has on his machine.
Be sure to run updates to get that covered.

What I'm expecting with the ESET scan is to find items already held in quarantine. Also, ESET is good at showing us other items that might not have been found using the tools we already used.
Sometimes these are malicious and sometimes not. That's why I ask you to uncheck "remove all threats", so that I might be able to look at what's been found, and then if it needs to be removed we can do that.

Yes, I have a tool that will remove things with their quarantine folders when we're done.

danib
2015-07-15, 20:00
Hi Juliet,

I was conscious about taking up too much of your time.

The whole situation:

Where malware is concerned, there doesn't seem to be any strange behaviour anymore and the PC is definitely faster at completing tasks - thank you.

I ran a Microsoft 'fixit' patch (I wouldn't run a similar tool from any other company) to repair Windows update. The tool repaired a long list of update related issues, except two.

I can't remember what the two issues were and I am not close to that PC to check. Windows Update does seem to work when I click 'check for updates'; I'm not sure if it works on a schedule though. I appreciate Vista is old now and I don't think that he has the installation discs, so he may have to live with those two issues.

He has also had a monitor issue for the past two years or so; but after checking the drivers and swapping monitors, I finally tracked the issue down to an old unplugged PC that he had close by. I moved the old PC and removed a kink in the monitor cable and the monitor is fine now.

Re: vulnerabilities - tomorrow morning I will run Windows Update again until there are no more updates available.

Apart from the malware issues, which I am awaiting your advice on, that's everything; I think.

Thank you,

Daniel.

Juliet
2015-07-16, 01:23
> I was conscious about taking up too much of your time.
>
> The whole situation:
> Where malware is concerned, there doesn't seem to be any strange behaviour anymore and the PC is definitely faster at completing tasks - thank you.
I'm here to help so don't worry about my time, I'm here for you and others who don't know what to do. :)

What will be shown for Vista updates might not be much, sorry, but having the understanding that there's not much out there any more is a help to me.

Let's remove tools and quarantine folders and let you be on your way.

DelFix

Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.

Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:

Activate UAC
Remove disinfection tools


Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


~~~~~~~~~~~~~~~


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


The following programmes come highly recommended in the security community.

AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (eg. CryptoPrevent), preventing your files from being encrypted.
Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
Web of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

danib
2015-07-16, 19:22
Hi Juliet,

I ran DelFix; it cleaned up most of what we put on and I deleted the rest.

I'm just running the System Update Readiness Tool for Windows Vista; hopefully that will sort the update issue, because some updates still won't install. Everything else seems a lot better now.

Hey Juliet, you're the best. Thanks for all your help.

Daniel.

Juliet
2015-07-16, 20:18
Glad we could help :)

Juliet
2015-07-26, 03:47
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.