Can A Malware that Keeps coming back be removed for good?

Status
Not open for further replies.
I completed the Threat Scan and there is no option to "Remove Selected". My options are: Quarantine, Add Exclusion and Ignore Once.
Which do I choose please?
 
Sorry to be difficult, just trying to follow the steps.....after I Quarantined the results, I had to reboot. I did and then what do I do? I re-opened Malwarebytes and tried to find the Show Results, but there isn't any. I went to History, to try and get the log and save it somewhere convenient but didn't find a "save log" feature. But I did see where I can check mark the 4 items that showed up and can be selected and deleted. Should I do that? But then how do I get the log to post here and show you?
 
Hi gigglepot,

  • Open Malwarebytes and click the History tab
  • Select Application Logs from the menu to the left
  • Locate the most recent scan log and double click to open
  • At the bottom of the GUI locate the Export drop-down menu
  • Export the file as a .txt file, name the file and save it to your desktop.
  • Include the MBAM log in your next reply.
 
Here is the MBAM.txt file:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/06/2014
Scan Time: 12:19:16 PM
Logfile: MBAM.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.12.09
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312993
Time Elapsed: 36 min, 29 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.TopArcadeHits.A, HKU\S-1-5-21-179166284-1700762968-3849658672-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{CF190686-9E72-403C-B99D-682ABDB63C5B}, Quarantined, [7029492e0e6d280e0444a0d4f9095ea2],
PUP.Optional.TopArcadeHits.A, HKU\S-1-5-21-179166284-1700762968-3849658672-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{CF190686-9E72-403C-B99D-682ABDB63C5B}, Quarantined, [7029492e0e6d280e0444a0d4f9095ea2],
PUP.Optional.CouponCompanion.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\pbkdpahkifcigckmhiafindmaflfifgm, Quarantined, [c1d83c3b6d0e9d9909bfa00afd05c13f],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.MultiPlug.A, C:\Windows\SysWOW64\setup.exe, Quarantined, [8712a1d6cab1a096c8b42f16a25e0ff1],

Physical Sectors: 0
(No malicious items detected)


(end)
 
I ran the ESETScan and am just wondering, how could there be so many threats still? I thought the other scans took care of so many things. And I see YouTubeAdBlocker is on this list......but I thought I got rid of it in a previous scan? So confusing to me, hope I'm doing it all correctly.

Here is the ESETScan.txt file:

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\CT3298581\plugins\TBVerifier.dll.vir Win32/Toolbar.Conduit.AC potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ConduitEngine\ConduitEngine.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SW-Booster\Assistant_x64.dll.vir a variant of Win64/SProtector.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\uTorrentBar\tbuTor.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\ProgramData\ExsttraSSaevinags\1qC.dll.vir a variant of Win32/AdWare.MultiPlug.N application
C:\AdwCleaner\Quarantine\C\ProgramData\saave net\wnLAlG5.exe.vir a variant of Win32/AdWare.MultiPlug.Y application
C:\AdwCleaner\Quarantine\C\ProgramData\saavee onett\77CMT.exe.vir a variant of Win32/AdWare.MultiPlug.Y application
C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\AdwCleaner\Quarantine\C\ProgramData\YoutubeAdblocker\lHBgJ.exe.vir a variant of Win32/AdWare.MultiPlug.Y application
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\iehjklkgijkjfcfmmjmjlmcccholamaf\10.26.0.540_0\APISupport\APISupport.dll.vir a variant of Win32/Conduit.SearchProtect.N potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\iehjklkgijkjfcfmmjmjlmcccholamaf\10.26.0.540_0\nativeMessaging\TBMessagingHost.exe.vir Win32/Toolbar.Conduit.AH potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Local\NativeMessaging\CT3298581\1_0_0_4\TBMessagingHost.exe.vir Win32/Toolbar.Conduit.AH potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Local\SwvUpdater\Updater.exe.vir a variant of Win32/Amonetize.AM potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Local\TBHostSupport\TBHostSupport.dll.vir a variant of Win32/Toolbar.Conduit.AA potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\LocalLow\Vuze_Remote\tbVuze.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\Program Files (x86)\WinMX Music\Shared\winmx_music_free.exe Win32/Adware.Webhancer.A application
C:\ProgramData\InstallMate\{2FCEB00C-C231-49DE-AB35-8A13F42D92FA}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\InstallMate\{476D7EBB-9585-421F-A0F4-DDA79C8E5C4D}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\InstallMate\{6C53E029-E377-4E34-ACDF-AB55B7B0C2DF}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\InstallMate\{A287A284-7356-4DAA-AF41-3B7479648072}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\InstallMate\{C32FAE51-580F-46C7-A42C-102D18CC8CA7}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\Spybot - Search & Destroy\Recovery\myPCBackup.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\Wajam33.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\Wajam65.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO16.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO7.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\InstallMate\{2FCEB00C-C231-49DE-AB35-8A13F42D92FA}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{476D7EBB-9585-421F-A0F4-DDA79C8E5C4D}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{6C53E029-E377-4E34-ACDF-AB55B7B0C2DF}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{A287A284-7356-4DAA-AF41-3B7479648072}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{C32FAE51-580F-46C7-A42C-102D18CC8CA7}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\Spybot - Search & Destroy\Recovery\myPCBackup.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\Wajam33.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\Wajam65.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO16.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO7.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm
C:\Users\Owner\Documents\Vuze Downloads\Sinister {2012} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar_Internet Explorer.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
 
Oh, and forgot to answer your question, computer is running perfectly fine, no issues, no weird pop-ups, no unintentional software installed in Programs and Features. That's why I was confused about having so many threats on the ESETScan.
 
Hi gigglepot,

Don't be alarmed you are doing just fine. Many of the items listed in the ESET scan are in a quarantine folder and pose no threat to your system. We will clean those out at the end when we get ready to wrap things up.

=========================

Run OTL.exe

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :Files
    C:\Program Files (x86)\WinMX Music
    C:\Users\Owner\Documents\Vuze Downloads\Sinister {2012} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar_Internet Explorer.exe
    
    :Commands
    [purity]
    [createrestorepoint]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
=========================

In your next post please provide the following:
  • OTL fix log
  • Any remaining issues not addressed?
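The point made above, that many ESET hits sit inside another tool's quarantine folder and are already neutralised, can be checked mechanically against the report. The script below is an added example and is not code from the thread, from ESET, Malwarebytes or AdwCleaner. It assumes the ESET line layout as it appears in the post (`<path> [a variant of] <detection> <verdict>`), treats AdwCleaner's `Quarantine` and Spybot's `Recovery` folders as parked items (an assumption drawn from the paths in the log), and folds `C:\Users\All Users` onto `C:\ProgramData`, since on Vista and later the former is a junction to the latter and the same file is reported twice. The sample lines are constructed from the report in this thread.

```python
"""Triage an ESET scan log: live hits versus hits already parked in a quarantine.

Added example, not part of the forum thread or any vendor tool.
"""

# Folders that other cleanup tools use to park what they removed.
# Assumption: AdwCleaner's Quarantine and Spybot's Recovery folders, as seen in the log.
QUARANTINE_MARKERS = (
    "\\adwcleaner\\quarantine\\",
    "\\spybot - search & destroy\\recovery\\",
)

# C:\Users\All Users is a junction to C:\ProgramData on Vista+, so the same
# file appears twice in the report; map it to one canonical prefix.
ALIASES = {"c:\\users\\all users\\": "c:\\programdata\\"}

# ESET ends each line with one of these fixed verdict phrases.
VERDICTS = ("potentially unwanted application", "application", "worm")

# Constructed sample, taken from the shapes of lines in the thread's ESET report.
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\CT3298581\plugins\TBVerifier.dll.vir Win32/Toolbar.Conduit.AC potentially unwanted application
C:\AdwCleaner\Quarantine\C\ProgramData\YoutubeAdblocker\lHBgJ.exe.vir a variant of Win32/AdWare.MultiPlug.Y application
C:\Program Files (x86)\WinMX Music\Shared\winmx_music_free.exe Win32/Adware.Webhancer.A application
C:\ProgramData\InstallMate\{2FCEB00C-C231-49DE-AB35-8A13F42D92FA}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\Spybot - Search & Destroy\Recovery\Wajam33.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\InstallMate\{2FCEB00C-C231-49DE-AB35-8A13F42D92FA}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\Spybot - Search & Destroy\Recovery\Wajam33.zip Win32/Bagle.gen.zip worm
C:\Users\Owner\Documents\Vuze Downloads\Sinister {2012} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar_Internet Explorer.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
"""


def parse_line(line):
    """Split one ESET report line into path, detection name, verdict and variant flag."""
    line = line.strip()
    # Match the longest verdict first so "potentially unwanted application"
    # is not mistaken for a plain "application".
    for verdict in sorted(VERDICTS, key=len, reverse=True):
        if line.endswith(" " + verdict):
            rest = line[: -len(verdict) - 1]
            break
    else:
        raise ValueError("unrecognised verdict: %r" % line)
    # The detection name carries no spaces; everything before it is the path,
    # possibly followed by ESET's "a variant of" qualifier.
    path, detection = rest.rsplit(" ", 1)
    variant = path.endswith(" a variant of")
    if variant:
        path = path[: -len(" a variant of")]
    return {"path": path, "detection": detection, "verdict": verdict, "variant": variant}


def normalise(path):
    """Lower-case the path and collapse the All Users junction onto ProgramData."""
    p = path.lower()
    for alias, canonical in ALIASES.items():
        if p.startswith(alias):
            p = canonical + p[len(alias):]
    return p


def is_quarantined(path):
    """True when the hit lives inside another tool's quarantine/backup folder."""
    return any(marker in normalise(path) for marker in QUARANTINE_MARKERS)


def triage(log_text):
    """Return (live_hits, parked_hits), with junction duplicates removed."""
    live, parked, seen = [], [], set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        hit = parse_line(raw)
        key = normalise(hit["path"])
        if key in seen:
            continue  # same file reported via the All Users junction
        seen.add(key)
        (parked if is_quarantined(hit["path"]) else live).append(hit)
    return live, parked


if __name__ == "__main__":
    live_hits, parked_hits = triage(SAMPLE_LOG)
    print("already parked in a quarantine folder: %d" % len(parked_hits))
    print("live locations worth attention:")
    for h in live_hits:
        print("  %s  (%s, %s)" % (h["path"], h["detection"], h["verdict"]))
```

On the sample the eight lines collapse to six unique files, three of which are parked and three of which are live (the WinMX installer, the InstallMate DLL and the toolbar installer in the Vuze download), which is the same short list the OTL fix above targets.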
 
Here is the OTL fix log file:


All processes killed
========== FILES ==========
C:\Program Files (x86)\WinMX Music\Shared folder moved successfully.
C:\Program Files (x86)\WinMX Music folder moved successfully.
C:\Users\Owner\Documents\Vuze Downloads\Sinister {2012} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar_Internet Explorer.exe moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest

User: HomeGroupUser$

User: Owner
->Temp folder emptied: 1025507 bytes
->Temporary Internet Files folder emptied: 24981843 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 190359898 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1134 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 116718759 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33255 bytes
RecycleBin emptied: 13584579 bytes

Total Files Cleaned = 331.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06162014_102209

Files\Folders moved on Reboot...
C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\Owner\AppData\Local\Temp\~DF08BA292E8FDDF90A.TMP not found!
File move failed. C:\Windows\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


So far so good, no issues with the computer.
 
Hi gigglepot,

Congratulations, your log appears to be clean. :bigthumb:
We have a few items to take care of before we get to the All Clean Speech.

=========================

Clean up with OTL:
  • Right-click OTL.exe select "Run as Administrator" to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
=========================

Removing/Uninstalling AdwCleaner:
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.
=========================

You can now delete any tools and/or logs remaining on your desktop.

=========================

Uninstall via Programs and Features

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:
  • Adobe Reader 10.1.10
  • Java 10 Update 55
=========================

Adobe Reader:

Go to http://get.adobe.com/reader/otherversions/
  • Use the drop-down menus to select your operating system
  • Select your language > Select The current version of Adobe Reader for your language
  • Remove the check mark from the box "Free! McAfee Security Scan Plus"
  • Click the Download button, and follow the onscreen directions to complete the installation.
Please note, depending on your settings, you may have to temporarily disable your antivirus software for the Adobe Reader update.

=========================

Update Java
  • Get the current version of Java (Version 7 Update 60) by going to http://java.com/en/download/installed.jsp
  • Select the Verify Java Version button and follow the onscreen instructions to update if necessary.
=========================

Delete All But the Most Recent Restore Point
  1. Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
  2. If prompted, select the drive that you want to clean up, and then click OK.
  3. In the Disk Cleanup for (drive letter) dialog box, click Clean up system files.
    Administrator permission required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. If prompted, select the drive that you want to clean up, and then click OK.
  5. Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
  6. In the Disk Cleanup dialog box, click Delete.
  7. Click Delete Files, and then click OK.
=========================

With the above items taken care of let's move on to the All Clean part of the process.

The following procedures are recommendations for helping to keep your system running smoothly. If you are currently satisfied with how your system is running some or all of these may not pertain to you. Implement what you need.

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Make your Mozilla Firefox more secure - This can be done by adding these add-ons:
Use and update anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

Free Anti-Virus
Free Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here.
Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002.
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
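The custom hosts file advice above works by pointing unwanted hostnames at a sinkhole address, and the same file is also a place hijackers tamper with. The script below is an added example, not code from the thread or from the MVPS HOSTS project; it parses a hosts file and sorts each mapping into blocklist entries (sinkholed to 0.0.0.0, 127.0.0.1 or ::1), the normal localhost entries, and redirects to any other address, which are the ones a defender wants to review because a hosts entry can silently send a site name to a machine the user did not choose. The sample file and its addresses are constructed; the sinkhole address set is an assumption about how blocklists are written.

```python
"""Sort the entries of a Windows/Unix hosts file into blocklist, local and redirect.

Added example, not part of the forum thread or of the MVPS HOSTS file.
"""
import ipaddress

# Assumption: addresses a blocklist uses to sinkhole a name.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "broadcasthost"}

# Constructed sample hosts file (not the real MVPS HOSTS file).
SAMPLE_HOSTS = """\
# Constructed sample for illustration
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.test
0.0.0.0 banners.example.test counters.example.test   # two names on one line
127.0.0.1 tracker.example.test
203.0.113.10 www.example-bank.test
this line is not a valid entry
"""


def parse_hosts(text):
    """Yield (address, hostname, line_number) for every mapping; invalid lines get address None."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        tokens = line.split()
        try:
            address = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            yield None, line, number  # keep the malformed line for the report
            continue
        # A hosts line may carry several names after one address.
        for name in tokens[1:]:
            yield address, name.lower(), number


def classify(text):
    """Return a dict of lists: blocked, local, redirect, invalid."""
    report = {"blocked": [], "local": [], "redirect": [], "invalid": []}
    for address, name, number in parse_hosts(text):
        if address is None:
            report["invalid"].append((number, name))
        elif name in LOCAL_NAMES:
            report["local"].append((address, name))
        elif address in SINKHOLES:
            report["blocked"].append((address, name))
        else:
            # A real address for a non-local name: review it, whether it is an
            # intentional override or a tampered entry.
            report["redirect"].append((address, name))
    return report


if __name__ == "__main__":
    result = classify(SAMPLE_HOSTS)
    print("blocked names: %d" % len(result["blocked"]))
    print("local names:   %d" % len(result["local"]))
    for address, name in result["redirect"]:
        print("REVIEW: %s -> %s" % (name, address))
    for number, text in result["invalid"]:
        print("invalid line %d: %s" % (number, text))
```

Run against the constructed sample it reports four blocked names, two local names, one redirect to review and one malformed line. On a real machine the input would be `%SystemRoot%\System32\drivers\etc\hosts`; the blocked count is also a useful number to know before installing a large list, which is why the instructions above mention the DNS Client service.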
 
Oh, and do I just delete the icons on the desk top for the other tools or should I uninstall them in Programs and Features?
 
Hi gigglepot,

We generally remove all tools as a rule of thumb, but you can skip the AdwCleaner step if you would like to keep it.

As far as the remainder of the tools are concerned, they generally won't show in the Program & Features menu but if they do remove them that way. Otherwise, just delete them from the desktop.
 
I went to go see if things can be deleted on the Programs and Features and the only one there was MalwareBytes, BUT......a whole bunch of other things were re-installed with yesterday's date.......Picasa, Photoscape, VLC, so many, nothing new, just programs I've already had, but somehow installed with yesterday's date. Was that something I did with OTL?
 
I don't have Java 10 Update 55........I have Java 7 Update 55. Get rid of it?

Also, I uninstalled Adobe but not everything "Adobe" disappeared.......I still have:
Adobe AIR
Adobe Flash Player 13 Active X
Adobe Flash Player 13 Plugin.

Do I get rid of them too?
 
Wow, I guess I already have Windows Firewall running. Goes to show how much I know about my computer. Lol, disregard my last post.
 
Hi gigglepot,

I went to go see if things can be deleted on the Programs and Features and the only one there was MalwareBytes, BUT......a whole bunch of other things were re-installed with yesterday's date.......Picasa, Photoscape, VLC, so many, nothing new, just programs I've already had, but somehow installed with yesterday's date. Was that something I did with OTL?
I honestly don't know why the dates have changed, maybe the programs we recently updated.

I don't have Java 10 Update 55........I have Java 7 Update 55. Get rid of it?

Also, I uninstalled Adobe but not everything "Adobe" disappeared.......I still have:
Adobe AIR
Adobe Flash Player 13 Active X
Adobe Flash Player 13 Plugin.

Do I get rid of them too?
That was my mistake. Java 7 Update 55 is to be removed and will be replaced with Java 7 Update 60.
Do not remove the other Adobe products, they are separate programs and are probably in use by other software you are currently using


If I install a Firewall, will I not be able to use Vuze and uTorrent?
No, a firewall won't stop you from using those programs.
 
I just read that Windows Firewall isn't good enough.....so back to my original question, will I still be able to use Vuze and uTorrent if I install Online Armor?
 