Need Help removing DOSEARCHES

Status
Not open for further replies.
SystemLook log

SystemLook 30.07.11 by jpshortstuff
Log created at 15:42 on 27/11/2013 by Dana
Administrator - Elevation successful

========== filefind ==========

Searching for "Update.exe"
C:\Program Files (x86)\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe --a---- 28672 bytes [03:17 19/07/2012] [21:16 11/12/2001] A2A2294F180FD188CDA9404D28A99B1A
C:\Program Files (x86)\Spybot - Search & Destroy\Update.exe --a---- 464728 bytes [03:34 26/10/2012] [21:31 26/01/2009] 00071AF6D95C1002E5F9B63EA00A37A3

-= EOF =-
 
It was actually the lower-case 'u' ( update.exe )
Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe

The desktop seems to be running great. I have not noticed anything else that is of concern.
Is there anything more that needs to be done?
 
Let's run a free online virus scanner to be sure you're all clean.


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Make sure that the option "Remove found threats" is Unchecked
  9. Push the Start button.
  10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  11. When the scan completes, push [esetListThreats.png]
  12. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. Push the [esetBack.png] button.
  14. Push [esetFinish.png]
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
 
ESET Scan

ran ESET
aborted run, when it got to files in C:\ProgramData\WildTangent\GameInstalls\
(it took over 1 hour for ESET to scan 2 files)
deleted 28 files (~5 GB)
While navigating to the folder I saw a suspicious file: C:\Program Files\Uninstaller\Uninstall.exe
(Description: DomaUninstaller ; Created: Saturday, ‎November ‎09, ‎2013, ‏‎7:28:55 PM ; Signature: tuguu sl )

ran ESET

ESETScan.txt

C:\ProgramData\Spybot - Search & Destroy\Recovery\myPCBackup.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\PCUtilitiesOptimizerPro1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\myPCBackup.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\PCUtilitiesOptimizerPro1.zip Win32/Bagle.gen.zip worm
 
Good Morning

Those files that ESET found are in Spybot's Recovery folder. Open Spybot Search and Destroy, go to the recovery folder and remove them all.


Let's check this file


You need to enable Windows to show all files and folders; instructions Here

Go to VirusTotal and submit this file for analysis: just use the browse feature and then Send File. If it says this file has been checked before, have them recheck it. When the scan is done, just copy and paste the link back to this forum for me to see.

C:\Program Files\Uninstaller\Uninstall.exe <----

If the site is busy you can try this one
http://virusscan.jotti.org/en
 
It's iffy

Download and run SystemLook, you need the 64 Bit version


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64 Bit Version

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    Uninstall.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook on Uninstall.exe

Ya, I think it's iffy (at best)
November 9th was when the desktop was obviously infected.
There does not appear to be a program on desktop for this program to uninstall.
The Digital Signature looks unprofessional (if not fake).

SystemLook.txt

SystemLook 30.07.11 by jpshortstuff
Log created at 05:13 on 28/11/2013 by Dana
Administrator - Elevation successful

========== filefind ==========

Searching for "Uninstall.exe"
C:\hp_CLJ_2600n_Full_Solution\Uninstall.exe --a---- 241664 bytes [16:29 24/08/2013] [11:26 17/02/2011] B3DCA154746EF77F627FE8B320478522
C:\Program Files\hp\HP Color LaserJet 2600n\Uninstall.exe --a---- 241664 bytes [16:31 24/08/2013] [11:26 17/02/2011] B3DCA154746EF77F627FE8B320478522
C:\Program Files\SUPERAntiSpyware\Uninstall.exe --a---- 537368 bytes [22:55 10/10/2013] [22:55 10/10/2013] FDCE433D3EF21FCD1C3706588EF26D09
C:\Program Files\Uninstaller\Uninstall.exe --a---- 47408 bytes [02:28 10/11/2013] [02:28 10/11/2013] 718EB2D20ECEEC974A975C641D0D36A7
C:\Program Files (x86)\Adobe\Adobe Digital Editions\uninstall.exe --a---- 59905 bytes [23:56 17/07/2012] [23:56 17/07/2012] F068D7A12B1188F2E218BAA0F3841DC8
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.5.24.4\uninstall.exe --a---- 200965 bytes [02:50 17/07/2012] [02:50 17/07/2012] 0A2564CEB1E99C698B162CC310365AA9
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.22.0\uninstall.exe --a---- 199534 bytes [16:10 15/08/2013] [16:19 09/11/2013] 563626B1F6545BF9644D7E11A6C562A9
C:\Program Files (x86)\Kobo\Uninstall.exe --a---- 55084 bytes [04:24 17/05/2012] [04:24 17/05/2012] 466AD28EE77EA9DC67F0C68F63674CAC
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe --a---- 106212 bytes [15:47 14/07/2012] [21:49 27/11/2013] A2C775636F142114378DC9403C28E190
C:\Program Files (x86)\PDF Complete\uninstall.exe --a---- 1734120 bytes [04:26 17/05/2012] [16:54 12/08/2011] 49328B10E1945AC0A7DA78CDC74AA0CD
C:\Program Files (x86)\Steganos Password Manager 2012\uninstall.exe --a---- 121552 bytes [03:48 17/07/2012] [03:48 17/07/2012] 7FD2AD9425A666CF29F6CF40C4137D31

-= EOF =-
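The helper's reasoning above rests on the timestamps in the SystemLook filefind log (the file dated November 9/10 is the one worth checking). As an added example that is not part of the thread or of SystemLook itself, this Python parser reads that log format and flags entries created or modified near a suspected infection date or sitting in a user-writable directory; it assumes the first bracketed timestamp is creation time and the second last-modified, which is inferred from the logs here, and the sample input is three lines copied from the log above.

```python
import re
from datetime import datetime, timedelta

# One ':filefind' result line: path, attribute flags, size, two timestamps, MD5.
# Assumption: first bracket = creation time, second = last-modified (HH:MM dd/mm/yyyy).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-\w]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
TS_FMT = "%H:%M %d/%m/%Y"
# Directories an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\")

# Sample input: three result lines copied from the SystemLook log posted above.
SAMPLE_LOG = r"""
Searching for "Uninstall.exe"
C:\Program Files\SUPERAntiSpyware\Uninstall.exe --a---- 537368 bytes [22:55 10/10/2013] [22:55 10/10/2013] FDCE433D3EF21FCD1C3706588EF26D09
C:\Program Files\Uninstaller\Uninstall.exe --a---- 47408 bytes [02:28 10/11/2013] [02:28 10/11/2013] 718EB2D20ECEEC974A975C641D0D36A7
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.22.0\uninstall.exe --a---- 199534 bytes [16:10 15/08/2013] [16:19 09/11/2013] 563626B1F6545BF9644D7E11A6C562A9
"""

def parse_filefind(log_text):
    """Return one dict per result line; header, blank and EOF lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"], "size": int(m["size"]), "md5": m["md5"].upper(),
                "created": datetime.strptime(m["created"], TS_FMT),
                "modified": datetime.strptime(m["modified"], TS_FMT),
            })
    return entries

def flag_entries(entries, infection_date, window_days=2):
    """Map path -> reasons for files created or modified within window_days of
    infection_date (dd/mm/yyyy) or sitting in a user-writable directory."""
    day = datetime.strptime(infection_date, "%d/%m/%Y")
    lo, hi = day - timedelta(days=window_days), day + timedelta(days=window_days + 1)
    flagged = {}
    for e in entries:
        reasons = []
        if lo <= e["created"] < hi:
            reasons.append("created in infection window")
        if lo <= e["modified"] < hi:
            reasons.append("modified in infection window")
        if any(d in e["path"].lower() for d in USER_WRITABLE):
            reasons.append("user-writable location")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged
```

The MD5 each entry carries is the value to paste into VirusTotal's hash search before uploading anything, so a flagged file can be checked without first sharing it.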
 
If you go to Control Panel > Programs and Features, do you see it in the list of programs you can uninstall?
C:\Program Files\Uninstaller

If it was not installed by you, then try uninstalling it.
 
Removed Uninstall.exe

It was in the list in 'Programs and Features';
I clicked 'Uninstall/Change' and it disappeared from the list.

While in 'Programs and Features', I saw another suspicious program: 'Zip Extractor Packages'
Installed on: Nov. 9, 2013; No Publisher info
Found the file at:
C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe

Tried to uninstall it (using 'Programs and Features'); a popup appeared, mostly a blank page, with only 3 options to click:
lower right: a highlighted blue link saying to remove program from list
lower right: a button 'CLOSE'
upper right corner: a small square button with 'x'

I clicked the 'x'
 
'C:\Program Files\Uninstaller\Uninstall.exe', the file and its folder, are gone,
and it is not in the list of programs to remove in 'Programs and Features'.

'Zip Extractor Packages' is still in list of programs to Remove in 'Programs and Features'.
 
SystemLook.txt
SystemLook 30.07.11 by jpshortstuff
Log created at 16:59 on 28/11/2013 by Dana
Administrator - Elevation successful

========== filefind ==========

Searching for "Zip Extractor Packages"
No files found.

-= EOF =-
 
Hi,

I am getting mixed results on this one. Just trying to determine who owns it.

Run this through SystemLook

:folderfind
Zip Extractor Packages
:regfind
Zip Extractor Packages


Also, this program is responsible for ads, so I would uninstall it:
c:\program files (x86)\iminent
 
SystemLook of 'Zip Extractor Packages'

Below is the log file for SystemLook for: Zip Extractor Packages

I could not find a file on the desktop called 'iminent'
Although, I know Iminent was one of the many unwanted items on desktop after the infection was noticed.
(I used SystemLook :filefind , after MS search came up with no results, and SystemLook did not find any file called 'iminent'.
I then ran SystemLook :regfind, and numerous results were found.)

SystemLook.txt

SystemLook 30.07.11 by jpshortstuff
Log created at 05:19 on 29/11/2013 by Dana
Administrator - Elevation successful

========== folderfind ==========

Searching for "Zip Extractor Packages"
C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages d------ [02:02 10/11/2013]

========== regfind ==========

Searching for "Zip Extractor Packages"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"DisplayIcon"="C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"UninstallString"="C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe /Uninstall /NM="Zip Extractor Packages" /AN="0D0S1L2Z1P1B" /MBN="Zip Extractor Packages""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"DisplayName"="Zip Extractor Packages"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"UninstallerPath"="C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages"
[HKEY_USERS\S-1-5-21-899990179-4107465522-2500062467-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
[HKEY_USERS\S-1-5-21-899990179-4107465522-2500062467-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"DisplayIcon"="C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe"
[HKEY_USERS\S-1-5-21-899990179-4107465522-2500062467-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"UninstallString"="C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe /Uninstall /NM="Zip Extractor Packages" /AN="0D0S1L2Z1P1B" /MBN="Zip Extractor Packages""
[HKEY_USERS\S-1-5-21-899990179-4107465522-2500062467-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"DisplayName"="Zip Extractor Packages"
[HKEY_USERS\S-1-5-21-899990179-4107465522-2500062467-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Extractor Packages]
"UninstallerPath"="C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages"

-= EOF =-
 
See if you can run this through VirusTotal


C:\Users\Dana\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages
 