
Thread: New advertising malware?

  1. #101
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    gotcha!

    We'll be here if needed.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #102
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    Quote Originally Posted by Juliet View Post
    gotcha!

    We'll be here if needed.

    So far today, everything looked good. I'm going to leave Firefox active for a bit tonight, to see if any rogue processes come up. I'm fairly confident that I won't see any, but, once bit, twice cautious.

    Just out of curiosity, if that was the problem, will the offending DLLs be added to the definition files at some point? I still have them in the recycle bin, and am going to try to get them onto a memory stick or something.

  3. #103
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    I have the 2 DLL files isolated in secure storage. Here are the VirusTotal links:


    colers.dll

    https://www.virustotal.com/en/file/c...is/1426108563/


    tivesen.dll

    https://www.virustotal.com/en/file/6...is/1426108659/

  4. #104
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Quote Originally Posted by jhrowehl View Post
    So far today, everything looked good. I'm going to leave Firefox active for a bit tonight, to see if any rogue processes come up. I'm fairly confident that I won't see any, but, once bit, twice cautious.
    wooohooo!
    I'm checking into the other to see if the R&D team needs those.

    It's possible you may want to contact your antivirus vendor with these.

  5. #105
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    Quote Originally Posted by Juliet View Post
    wooohooo!
    I'm checking into the other to see if the R&D team needs those.

    It's possible you may want to contact your antivirus vendor with these.

    The status report for today is... still no rogue processes.

    It looks like we have the problem under control. Quick question... what program was calling the DLLs? Do I need to remove that program and associated registry entries?

  6. #106
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Quote Originally Posted by jhrowehl View Post
    The status report for today is... still no rogue processes.

    It looks like we have the problem under control. Quick question... what program was calling the DLLs? Do I need to remove that program and associated registry entries?
    To give you an exact program name... I don't know if I can, but from what we did find and remove:

    C:\ProgramData\Optimizer ---> 3 / 68 (PUP)
    Publisher: MicroTools
    Both of those are capable of adding entries into the C:\Users\Henry\AppData\Roaming folder where malware so often does.
    I honestly think if there was anything residual left behind it would have reared its ugly head by now.

    We need to remove tools and quarantine folders.

    DelFix
    • Please download DelFix
      or from here http://www.bleepingcomputer.com/download/delfix/ and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
      • Purge system restore

    • Click the Run button.

    -- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


    ~~~~~~~~~~~~~~~~~~~


    The following programmes come highly recommended in the security community.
    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoPrevent), preventing your files from being encrypted.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.


    Want to help others? Join the ClassRoom and learn how.

  7. #107
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    OK, I think I'm ready to say that the problem is gone.

    I'm still curious as to which program was running that called the DLLs that were deleted. I know that's not an easy thing to do. Is it possible to find out with some type of registry scan?

  8. #108
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    I did a quick search of the registry, and came up with the colers.dll file in 4 locations. I didn't find the other one that was in the deleted directory, tivesen.dll.
    I've attached a file with the registry keys listed. Don't know if it will help or not, but, I figured it couldn't hurt.
    Attached Files

  9. #109
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Quote Originally Posted by jhrowehl View Post
    OK, I think I'm ready to say that the problem is gone.
    It was a battle!

    CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090} which I think can mean task bar, tool bar or BHO
    56FDF344-FD6D-11d0-958A-006097C9A090 is a windows system Taskbar Communication component.
    AdwCleaner in different logs took it out

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"
    When searching, it was also located when asking someone to do a search for "ask".
    Now, if this applies to you, heaven only knows.

    Have you done a search to see if this folder is still on the computer?
    C:\Users\Henry\AppData\Roaming\xaeojhej


    We can take out those reg entries

    Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the text present in the quotebox below into it:


    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]

    [-HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]

    [-HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]

    [-HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]

    [-HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000\Software\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]

    [-HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000\Software\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]

    [-HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000_Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]

    [-HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000_Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]

    Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this:
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.
    Last edited by Juliet; 2015-03-14 at 02:40.
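    The question in #107 and #108 (which program loads colers.dll, and where it is registered) and the CLSID keys in the fix.reg in #109 come down to the same registry structure: a COM class is a CLSID key whose InProcServer32 default value names the DLL a host process loads in-process, and a registration under the user's own hive (HKCU\Software\Classes, which is the HKU\<SID>_Classes key in the fix.reg; the Wow6432Node branch is what a 32-bit host such as a 32-bit browser consults) is what a non-elevated process sees first. The PowerShell script below is an added example, not something posted in this thread and not part of AdwCleaner, DelFix or any other tool named here. It walks those keys and lists the registrations that point into a user profile, the ones naming the two DLLs from this thread, and the orphans whose DLL is already gone from disk. The two DLL names are the only thing taken from the thread; everything else is an assumption for illustration. Run it in an elevated PowerShell on the affected machine before merging a fix.reg, so you know what each CLSID actually points at.

```powershell
# Added example, not from the thread or from any tool named in it.
# Enumerates COM in-process server registrations (the CLSID\...\InProcServer32
# default value is the DLL a host loads) across the machine and per-user hives,
# then reports the ones a cleanup would want to look at.
# Assumptions: run elevated on the affected machine; the two DLL names are the
# ones from this thread, everything else is illustrative.

$SuspectDll = @('colers.dll', 'tivesen.dll')

# HKCU is the interactive user's view of HKU\<SID> and HKU\<SID>_Classes, so
# these four roots cover the hives a per-user fix.reg targets. Other users'
# hives under HKU are only visible while those profiles are loaded.
$roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-InprocServer {
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $inproc = Join-Path -Path $clsid.PSPath -ChildPath 'InProcServer32'
            if (-not (Test-Path -Path $inproc)) { continue }
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($dll)) { continue }

            # Expand %SystemRoot% and friends and drop surrounding quotes so the
            # path can be tested on disk. A bare file name (e.g. "shell32.dll")
            # is resolved by the loader search order, so its presence is unknown.
            $path = [Environment]::ExpandEnvironmentVariables(([string]$dll).Trim().Trim('"'))
            $exists = if ([IO.Path]::IsPathRooted($path)) {
                Test-Path -LiteralPath $path -PathType Leaf
            } else { $null }

            [pscustomobject]@{
                Root        = $root
                CLSID       = $clsid.PSChildName
                Description = (Get-ItemProperty -Path $clsid.PSPath -ErrorAction SilentlyContinue).'(default)'
                Dll         = $path
                Exists      = $exists
            }
        }
    }
}

$servers = Get-InprocServer

# 1. Servers living under a user profile. Some legitimate software installs
#    there, but it is also where the xaeojhej folder in this thread sat.
$inProfile = $servers | Where-Object { $_.Dll -match '\\Users\\[^\\]+\\AppData\\' }

# 2. Any registration naming the suspect DLLs, wherever the file is or was.
$named = $servers | Where-Object {
    $SuspectDll -contains (Split-Path -Path $_.Dll -Leaf -ErrorAction SilentlyContinue)
}

# 3. Orphans: the file is gone (the folder was deleted) but the CLSID still
#    points at it. A host that creates the object just fails, so these are dead
#    weight, but an orphan pointing into a user-writable folder is also a slot
#    a later dropper can refill, which is why removing them is worth doing.
$orphans = $servers | Where-Object { $_.Exists -eq $false }

'== InProcServer32 entries under a user profile =='
$inProfile | Format-Table -AutoSize
'== Entries naming the suspect DLLs =='
$named | Format-Table -AutoSize
'== Orphaned registrations (DLL missing on disk) =='
$orphans | Format-Table -AutoSize
```

    Read the output against the HKLM entry for the same CLSID: for a stock Windows class such as the Task Bar Communication one quoted in #109, the machine-wide server should be a DLL under the Windows directory, and a second registration for that CLSID under the user's hive whose server sits elsewhere is the entry to take out. Also keep in mind that HKEY_CLASSES_ROOT is a merged view of the HKLM and HKCU Classes keys, so check which hive a key really lives in before deleting it through an HKEY_CLASSES_ROOT line in a .reg file.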

  10. #110
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    Yes, it was a battle! But, we managed to track it down, and win the fight.

    Quote Originally Posted by Juliet View Post
    Have you done a search to see if this folder is still on the computer?
    C:\Users\Henry\AppData\Roaming\xaeojhej
    Yes I did, no it's not. I had removed it per your instructions in a prior message. That's when the problem went away. I managed to recover it, and the contents, from the recycle bin, and have the folder and the files isolated in a secure storage area.

    The second DLL file, that was in the folder with the colers.dll file, wasn't in the registry. Makes me curious...
