Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 37

Thread: Downloaded an exe: Firefox starts with non-home pages

  1. #11
    Member
    Join Date
    Jul 2009
    Posts
    95

    Default

    Correction: JRT did finish eventually, with Notepad opening. The log in my previous post is what it produced.

  2. #12
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Sometimes JRT can be a stinker to run.

    Please download the Malwarebytes Anti-Malware setup file to your Desktop.

    OR from this location Malwarebytes' Anti-Malware

    • Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
    • On the Dashboard click on Update Now
    • Go to the Setting Tab
    • Under Setting go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
    • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
    • Upon completion of the scan (or after the reboot), click the History tab.
    • Click Application Logs, followed by the first Scan Log.
    • Click Export,followed by Copy to Clipboard. Paste the log in your next reply.

    ~~~~~~~

    For this next tool it's probably going to need you to temporarily disable the same protection software.

    What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
    The settings I suggest will also show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course how full your computer is.

    Ensure your external and/or USB drives are inserted during the scan.

    Please disable your Antivirus as shown in the following topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


    • Close all opened programs, open your browser and go to the following link: ESET Online Scanner.
    • Click on the SCAN NOW button under ESET Online Scanner.
      • Depending on which browser you are using, you might be prompted to download an executable file.
      • Please save it to your desktop.
      • Right-click on esetonlinescanner_enu.exe and select Run as administrator.
      • If you agree to the Terms of use, select Accept to continue.

    • Please check the following option:

      • Enable detection of potentially unwanted applications
    • Select Advanced settings and ensure that the following options are checked:

      • Enable detection of potentially unsafe applications
      • Enable detection of suspicious applications
      • Scan archives
      • Enable Anti-Stealth technology
    • Make sure that the following option is NOT checked: => Very important!

      • Clean threats automatically
    • Click Scan and the process will now begin. Please do not use your computer while the scan is running.
    • Once the scan is completed, click Copy to clipboard.
    • Open the Start menu and type notepad.exe in the search programs and files box.
    • Press Enter. A blank Notepad page should open, paste the contents inside the window.
    • Save the file as ESETScan.txt.
    • Please copy/paste the contents of ESETScan.txt in your next reply.
    • You can now safely close the program.
      Do not forget to re-activate your Antivirus at this point.


    Please post these 2 logs when finished.

    How is your computer now?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #13
    Member
    Join Date
    Jul 2009
    Posts
    95

    Default

    Results of Malwarebytes' Anti-Malware:

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 2016-09-01
    Scan Time: 15:22
    Logfile:
    Administrator: Yes

    Version: 2.2.1.1043
    Malware Database: v2016.09.01.10
    Rootkit Database: v2016.08.15.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x86
    File System: NTFS
    User: Chris

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 266681
    Time Elapsed: 2 min, 41 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    -------

    Eset results will be in my next post.

  4. #14
    Member
    Join Date
    Jul 2009
    Posts
    95

    Default

    Here is ESETScan.txt:

    H:\DL\Cute PDF free printer driver\CuteWriter.zip a variant of

    Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of

    Win32/Bundled.Toolbar.Ask potentially unsafe application
    H:\DL\Cute PDF free printer driver\c\CuteWriter.exe a variant of

    Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of

    Win32/Bundled.Toolbar.Ask potentially unsafe application
    H:\DL\CutePDF Writer 3.0\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially

    unsafe application
    H:\DL\PDFforge Images2PDF 0_9_2\pdfforge_Images2PDF-0_9_2-setup.exe Win32/OpenCandy

    potentially unsafe application
    H:\DL\ResHacker\cnet_ResHack_zip.exe a variant of Win32/InstallCore.D potentially

    unwanted application
    H:\DL\ZoneAlarm Cleanup Utility\clean.exe Win32/Toolbar.Conduit potentially unwanted

    application
    H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetupWeb_110_780_000.exe

    Win32/Toolbar.Conduit potentially unwanted application
    H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetup_110_000_054.exe

    Win32/Toolbar.Conduit potentially unwanted application,Win32/Toolbar.Montiera.I potentially

    unwanted application,a variant of Win32/Toolbar.Escort.A potentially unwanted application,a

    variant of Win32/Toolbar.Montiera.A potentially unwanted

    application,Win32/Toolbar.Montiera.J potentially unwanted application,a variant of

    Win32/Toolbar.Montiera.F potentially unwanted application
    H:\DL\ZoneAlarm Firewall Free 110_000_057 Stub\zafwSetupWeb_110_000_057.exe

    Win32/Toolbar.Conduit potentially unwanted application
    H:\DL\ZoneAlarm Free 110_000_20\zafwSetup_110_000_020.exe Win32/Toolbar.Conduit

    potentially unwanted application,Win32/Toolbar.Montiera.I potentially unwanted application,a

    variant of Win32/Toolbar.Escort.A potentially unwanted application,a variant of

    Win32/Toolbar.Montiera.A potentially unwanted application,Win32/Toolbar.Montiera.J

    potentially unwanted application,a variant of Win32/Toolbar.Montiera.F potentially unwanted

    application

    ---------

    None of these problems were detected by SS&D 2.4 Pro running once a week, but perhaps the last weekly run was before I downloaded that .exe!

    The only difference in my PC that I notice is that Firefax opens to a blank page, which I expect.

  5. #15
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    The only difference in my PC that I notice is that Firefox opens to a blank page, which I expect.
    OK

    but perhaps the last weekly run was before I downloaded that .exe!
    What was the name?

    ~~~~
    Let's go over what it found

    H:\DL\Cute PDF free printer driver\c\CuteWriter.exe <=a variant of Win32/Bundled.Toolbar.Ask.G
    Are the below related to this entry?. If so, I would advise you to uninstall/delete.
    CuteFTP (HKLM\...\CuteFTP) (Version: - )
    CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
    ~~~~~~~~~~~~~~~~~~~~~

    https://www.virustotal.com/en/file/6...664d/analysis/
    H:\DL\PDFforge Images2PDF 0_9_2\pdfforge_Images2PDF-0_9_2-setup.exe
    The above shows signs of infection. I'll leave this up to you to uninstall and delete.

    ResHacker
    No suspicious behavior reported so far.


    The files found by ESET appear to be parts of CheckPoint's ZoneAlarm. You may delete those if you no longer need them.
    H:\DL\ZoneAlarm Cleanup Utility\clean.exe
    H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetupWeb_110_780_000.exe
    H:\DL\ZoneAlarm Firewall Free 110_000_057 Stub\zafwSetupWeb_110_000_057.exe

    If you need help with deleting anything let me know.

    Are we ready to delete tools and quarantine folders?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  6. #16
    Member
    Join Date
    Jul 2009
    Posts
    95

    Default

    I have been reading through this thread, and have a few questions:

    • In FRST.txt i notice that there are application errors involving wpwin16.exe (Corel WordPrefect X6) and ntdll.dll. Do you have an idea why? I do know that, in recent months, if I leave an instance of WordPerfect open minimized for 1/2 an hour or so, restoring it to full screen doesn't work. I have to use Task Manager to switch to it, then it shows Not Responding.
    • In the System errors section, I see "The driver detected a controller error on \Device\Harddisk1\DR2". This PC is 3 years old. The only hard drive is an Intel SSD. Is the SSD failing?


    You ask "what is the name" of the offending .exe file. Sorry, I don't know.I shift-deleted the file. It got me because I wasn't being as cautious as I usually am; I was concentrating on finding a manual for a heat pump!

    On my PC, the subdirectories of the H:\DL directory contain stuff I have downloaded, as downloaded. I have removed all the files that are listed in ESETScan.txt.

    Yes, we are ready to delete tools and quarantine folders.

  7. #17
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Quote Originally Posted by Chris Haslam View Post
    I have been reading through this thread, and have a few questions:

    • In FRST.txt i notice that there are application errors involving wpwin16.exe (Corel WordPrefect X6) and ntdll.dll. Do you have an idea why? I do know that, in recent months, if I leave an instance of WordPerfect open minimized for 1/2 an hour or so, restoring it to full screen doesn't work. I have to use Task Manager to switch to it, then it shows Not Responding.
    • In the System errors section, I see "The driver detected a controller error on \Device\Harddisk1\DR2". This PC is 3 years old. The only hard drive is an Intel SSD. Is the SSD failing?


    Yes, we are ready to delete tools and quarantine folders.
    For these errors reported through FRST, don't be alarmed because we see them on most all of the reports that come through.

    I did try to do a little research to see what others posted and if any answers were available.
    I think the best course of action would be to update drivers.

    The chances that ntdll.dll is damaged isn't likely. As it is core Windows files, I'd expect many more problems if it were damaged.
    Additionally, Windows has many methods to protect and repair these files - so again, it's unlikely.

    Finally, you can "repair" them in several ways (replacing it directly, using sfc.exe, or doing a repair install) - but as this isn't causing you problems - leave it alone.
    if it's not causing you problems then I wouldn't worry about it now.
    Windows 7: SFC /SCANNOW Command - System File Checker
    http://www.sevenforums.com/tutorials...e-checker.html

    You'll need to go to the manufacturer web page for the make and model of your computer. Search for driver updates, if any, then download and install those.
    I'd create a restore point first in case it kinda borks your machine.
    ~~~~
    controller error on \Device\Harddisk1\DR2
    https://community.spiceworks.com/top...-harddisk2-dr2
    From this link they kinda point to USB drive, just read over the link, again, if nothing serious is wrong sometimes it's best to just leave things alone.

    ~~~~~~~~~~~~~~~~~~

    DelFix

    • Please download DelFix or from Here and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Click the Run button.
    • -- This will remove the specialized tools we used to disinfect your system.
      Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete
      ).

    ************************************

    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable softwarethat is outdated, and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Unchecky automatically removes checkmarks for bunlded software in programme installers; helping you avoid adware and PUPs.
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

    ~~~

    Want to help others? Join the ClassRoom and learn how.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  8. #18
    Member
    Join Date
    Jul 2009
    Posts
    95

    Default

    Thank you for your advice re application errors and the controller error. I will let sleeping dogs lie!

    I have downloaded and run DelFix. I have deleted the leftover logs, files and tools.

    Do you recommend that I install all of the software you list? I already run AdBlock. I have just installed WOT.

    I did notice in Control Panel > Programs and Features that FileFinder is still on this PC, although its icon is gone from the Desktop. The Publisher shows as Webitar Production Inc. I tried to uninstall it but it is still there. When I tried again, Windows told me to wait until uninstall finished.

    I notice that the following files/directories on the C: drive have the name FileFinder:

    FileFinder 0 2016-08-30 12:12 d C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\
    FileFinder.lnk 1,027 2016-08-30 12:12 a C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\FileFinder\
    FileFinder 0 2016-08-30 12:12 d C:\ProgramData\yes\products\
    FileFinder 0 2016-08-30 12:12 d C:\Users\All Users\yes\products\

    C:\ProgramData\yes\products\ contains uninstall.arc, uninstall.cfg and uninstall.exe. The icon beside uninstall.exe is VPN in white on a green background.

    What should I do?

    BTW, by looking at the Firefox Download list, I am fairly sure that the file I downloaded is Waterfurnace_Envision_Installation_Manual_downloader.exe. For sure, I was looking for such a manual.

  9. #19
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Those tips and tricks in preventions, are posted for users to see whats available to help secure their machines.
    I think it would be overkill to download all of them and probably bog down the computer.

    Ones you might want to think about is
    Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    Secunia PSI will scan your computer for vulnerable softwarethat is outdated, and automatically find the latest update for you.

    **
    I did notice in Control Panel > Programs and Features that FileFinder is still on this PC, although its icon is gone from the Desktop. The Publisher shows as Webitar Production Inc. I tried to uninstall it but it is still there. When I tried again, Windows told me to wait until uninstall finished.
    Wonder if it would tell you that if you attempted to remove it in Safe mode?

    **
    I notice that the following files/directories on the C: drive have the name FileFinder:
    Thats odd because our first run with FRST shows it had been removed.

    Couple of things we can do here

    Please download and install Revo Uninstaller Free
    • Double click Revo Uninstaller to run it.
    • From the list of programs double click on FileFinder
    • When prompted if you want to uninstall click Yes.
    • Be sure the Moderate option is selected then click Next.
    • The program will run, If prompted again click Yes
    • when the built-in uninstaller is finished click on Next.
    • Once the program has searched for leftovers click Next.
    • Check/tick the bolded items only on the list then click Delete
    • when prompted click on Yes and then on next.
    • put a check on any folders that are found and select delete
    • when prompted select yes then on next
    • Once done click Finish.


    ~~~~

    Emsisoft Emergency Kit

    Please download Emsisoft Emergency Kit and save it to your desktop.
    Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop.
    • Leave all settings as they are and click the Extract button at the bottom.
    • A folder named EEK will be created in the root of the drive (usually c:\).
    • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
    • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates.
    • Please click Yes so that it downloads the latest database updates.
    • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
    • Click on Scan to be taken to the scan options.
    • If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
    • Click on the Malware Scan button to start the scan.
    • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
    • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
    • Please save the log in Notepad on your desktop, and copy it to your next reply.
    • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.


    ~~~

    Hate to ask you to download FRST again but we'll check to see if it came out.

    Farbar Recovery Scan Tool (FRST) Scan
    • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) andsave the file to your Desktop.
    • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
    • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  10. #20
    Member
    Join Date
    Jul 2009
    Posts
    95

    Default

    Log from EEK:

    Emsisoft Emergency Kit - Version 11.9
    Last update: 2016-09-05 10:15:27
    User account: Molly\Chris
    Computer name: MOLLY
    OS version: Windows 7x86 Service Pack 1

    Scan settings:

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start: 2016-09-05 10:19:02

    Scanned 71247
    Found 0

    Scan end: 2016-09-05 10:19:23
    Scan time: 0:00:21

    FRST logs to follow

    Instructions for RUF and EEK need updating for the current versions.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •