Honorary Members
  1. Great, thank you very much for your help. I'll also follow the clean up procedure too. I'll be sure to point my friends this way if they have any problems as well! Many thanks Matt
  2. Hello. Here's the results from the scan with the latest, updated version of MWB. Looks like everything is okay.

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 09/05/2015
     Scan Time: 18:31:25
     Logfile: scan 9may2015.txt
     Administrator: Yes

     Version:
     Malware Database: v2015.05.09.04
     Rootkit Database: v2015.04.21.01
     License: Trial
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Matt Billington

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 424073
     Time Elapsed: 45 min, 26 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)
  3. Okay great. I have to go to work today, so it will be a few hours before I can respond, but I will follow your instructions and reply with the scan log this evening. Was the threat alert I got after running Zoek anything to be concerned about, or just part of Zoek that got caught by AVG identity theft protection? Thanks very much Matt
  4. Slightly better. Still having some slowness with Flash Player, but I suppose that's to be expected with an older machine like mine. Should I do any further scans or anything else to see if there is a problem? Also could you explain exactly what 589.tmp was/is? I'm beginning to think I might have panicked and overreacted slightly ... Thanks Matt
  5. Thought you'd probably want the results from the second scan with Malwarebytes, so here they are. Thanks Matt scan2 8may 2015.txt
  6. Here is the result of that scan. When the system rebooted, Malwarebytes automatically started doing a scan; I assumed that was normal so I let it continue. There was a threat message though that popped up when the scan had finished, and before the reboot. I had disabled the resident shield in AVG, however I forgot to disable the identity theft protection part of AVG. It warned me of a threat detected located in "C:\Windows\Sys\WOW64\cmd.exe". It was unable to tell me what type of threat it was, however it was a level 4 severity threat. It popped up exactly as the scan asked for authorisation however, so I assumed it was simply catching that, so I closed the warning and rebooted my laptop as normal. Just thought I should tell you in case it's important and not part of the Zoek scan. Anyway, here are the scan results.

     Zoek.exe v5.0.0.0 Updated 04-May-2015
     Tool run by Matt Billington on 08/05/2015 at 19:37:45.78.
     Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
     Running in: Normal Mode Internet Access Detected
     Launched: C:\Users\Matt Billington\Desktop\zoek.exe [scan all users] [script inserted]

     ==== System Restore Info ======================

     08/05/2015 19:50:30 Zoek.exe System Restore Point Created Successfully.

     ==== Empty Folders Check ======================

     C:\PROGRA~2\gravitysensation.com deleted successfully
     C:\PROGRA~2\MSXML 4.0 deleted successfully
     C:\PROGRA~2\Sony Ericsson deleted successfully
     C:\PROGRA~2\VstPlugins deleted successfully
     C:\PROGRA~2\Wizards of the Coast deleted successfully
     C:\PROGRA~3\Guitar Pro 6 deleted successfully
     C:\PROGRA~3\Oracle deleted successfully
     C:\PROGRA~3\ReaConverter deleted successfully
     C:\PROGRA~3\Sony Ericsson deleted successfully
     C:\Users\Matt Billington\AppData\Roaming\Malwarebytes deleted successfully
     C:\Users\Matt Billington\AppData\Roaming\TP deleted successfully
     C:\Users\Matt Billington\AppData\Roaming\uTorrent deleted successfully

     ==== Deleting CLSID Registry Keys ======================

     HKEY_USERS\S-1-5-21-2205246989-1021118915-2616197947-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully
     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully

     ==== Deleting CLSID Registry Values ======================


     ==== Deleting Services ======================


     ==== FireFox Fix ======================

     ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default

     user.js not found
     ---- Lines Search removed from prefs.js ----
     user_pref("browser.search.hiddenOneOffs", "Yahoo.co.uk,Bing,Amazon.co.uk,Chambers (UK),DuckDuckGo,eBay.co.uk,Search Term,Twitter,Wikipedia (en)");
     ---- FireFox user.js and prefs.js backups ----

     prefs_052015_2007_.backup

     ==== Batch Command(s) Run By Tool======================


     ==== Deleting Files \ Folders ======================

     C:\PROGRA~2\gravitysensation.com not found
     C:\PROGRA~2\Sony Ericsson not found
     C:\PROGRA~2\VstPlugins not found
     C:\PROGRA~2\Wizards of the Coast not found
     C:\PROGRA~2\Windows Live SkyDrive deleted
     C:\PROGRA~3\hash.dat deleted
     C:\PROGRA~3\Package Cache deleted
     C:\Windows\wininit.tmp deleted
     C:\Windows\wininit.ini deleted
     C:\end deleted
     C:\Windows\SysNative\config\systemprofile\Searches deleted

     ==== Firefox Start and Search pages ======================

     ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default

     user_pref("browser.startup.homepage", "http://www.google.com");

     ==== Firefox Extensions Registry ======================

     [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
     "FFPDFArchitectConverter@pdfarchitect.com"=hex(2):43,00,3a,00,5c,00,50,00,72,\
     []

     ==== Firefox Extensions ======================

     ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
     - HP Detect - C:\Users\Matt Billington\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
     - HP Detect - %ProfilePath%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
     - Adblock Plus Pop-up Addon - %ProfilePath%\extensions\adblockpopups@jessehakanen.net.xpi
     - Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

     AppDir: C:\Program Files (x86)\Mozilla Firefox
     - Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

     ==== Firefox Plugins ======================

     Profilepath: C:\Users\Matt Billington\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
     66640A55AEFF3819C94E0A8D40D7E0AD - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll - Shockwave for Director / Shockwave for Director
     9AE02005247DA91AB1743F5208DBEF76 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll - Shockwave Flash
     65C1D9F74004E775F9A8598476ABE5EE - C:\Users\Matt Billington\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player

     ==== Fake Chromium Profiles Check ======================

     Fake profile C:\Users\Matt Billington\AppData\Local\Google\Chrome deleted

     ==== Chromium Look ======================

     HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
     jmfkcklnlgedgbglfkkgedjfmejoahla - C:\Program Files (x86)\AVG\AVG2012\Chrome\safesearch.crx[26/07/2012 03:23]
     ndibdjnfmopecpmkdieinmbadjfpblof - C:\Program Files (x86)\AVG\AVG2012\Chrome\donottrack.crx[20/04/2012 06:18]

     ==== Set IE to Default ======================

     Old Values:
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
     "Start Page"="http://www.google.com"

     New Values:
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
     "Start Page"="http://www.google.com"

     ==== All HKCU SearchScopes ======================

     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
     "DefaultScope"="{86EE716B-A1E7-49D2-B19A-C9D62A1D0D3C}"
     {012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
     {86EE716B-A1E7-49D2-B19A-C9D62A1D0D3C} Bing Url="http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox"
     {BB9C072E-41F1-4A88-822E-521B8166F24E} Wikipedia Url="http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}"

     ==== Deleting CLSID Registry Keys ======================


     ==== Deleting CLSID Registry Values ======================

     HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\FFPDFArchitectConverter@pdfarchitect.com deleted successfully

     ==== Empty IE Cache ======================

     C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
     C:\Users\Matt Billington\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
     C:\Users\Matt Billington\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
     C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
     C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
     C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
     C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
     C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
     C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

     ==== Empty FireFox Cache ======================

     C:\Users\Matt Billington\AppData\Local\Mozilla\Firefox\Profiles\265b3mcj.default\Cache emptied successfully
     C:\Users\Matt Billington\AppData\Local\Mozilla\Firefox\Profiles\4w50g8uy.default\cache2 emptied successfully

     ==== Empty Chrome Cache ======================

     No Chrome Cache found

     ==== Empty All Flash Cache ======================

     Flash Cache Emptied Successfully

     ==== Empty All Java Cache ======================

     Java Cache cleared successfully

     ==== C:\zoek_backup content ======================

     C:\zoek_backup (files=13 folders=5 3133970 bytes)

     ==== Empty Temp Folders ======================

     C:\Users\Default\AppData\Local\temp emptied successfully
     C:\Users\Default User\AppData\Local\temp emptied successfully
     C:\Users\hedev\AppData\Local\temp emptied successfully
     C:\Users\Matt Billington\AppData\Local\Temp will be emptied at reboot
     C:\Users\Public\AppData\Local\temp emptied successfully
     C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
     C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
     C:\Windows\Temp will be emptied at reboot

     ==== After Reboot ======================

     ==== Empty Temp Folders ======================

     C:\Windows\Temp successfully emptied
     C:\Users\MATTBI~1\AppData\Local\Temp successfully emptied

     ==== Empty Recycle Bin ======================

     C:\$RECYCLE.BIN successfully emptied

     ==== EOF on 08/05/2015 at 20:20:40.59 ======================
  7. And here are the two logs from Farbar. Thanks for the help so far Matt Addition.txt FRST.txt
  8. Here is the scan from Malwarebytes. It came up clean. Also I don't know if this is relevant, but I have been having lots of problems with Flash Player lately. Crashing, errors, videos not loading, exiting from full screen. Mostly on YouTube. Constantly getting messages about unresponsive plug-ins when watching video online. Tried updating Flash Player (using Firefox by the way) and that hasn't seemed to fix the problem. Just some extra info that may help diagnose the problem. scan 8may2015.txt
  9. Thank you for the offer of help Twin Headed Eagle. The Malwarebytes scan will only be a couple more minutes, after which I'll do the scan with Farbar and post both sets of results in this thread. I'll do it as two separate posts to avoid confusion. Matt
  10. Hi guys, Just found a process running on my Windows 7 Home Premium 64 laptop. It was listed as 589.tmp. I Googled it, and found not a lot of useful information (and none from a source that I was familiar with or trusted). Currently waiting for Malwarebytes to finish scanning my laptop, but I just wanted to make a post and ask if this is malware that anyone here is familiar with? I'm fairly certain that it is malicious software as I have noticed a drop in my laptop's performance lately, however will post up the scan log afterwards. Also, should I post that as an attachment, or copy paste the text into the post itself? Thanks in advance for any help and advice. Matt
  11. Hi MrC Sorry about the slow reply. The full scan came back clean, so I think the issue is resolved. I will try and keep things up to date. Thanks again for all your help, it's been very useful. I know where to go if I have any future problems! All the best, Matt
  12. Just an update - quick scan came up clean, here's the log.

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Database version: v2014.01.14.08

     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 11.0.9600.16476
     Matt Billington :: MATTSMACHINE2 [administrator]

     15/01/2014 18:32:11
     mbam-log-2014-01-15 (18-32-11).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 222156
     Time elapsed: 5 minute(s), 2 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     Is it worth doing another full scan? Cheers Matt
  13. Hi MrC, The full scan finished up and I had one of those PUP.OptionalMintCastNetworks things again, but only the one. I removed that and will probably run a quick scan. Do you have any recommendations? Cheers Matt
  14. Hold fire! Got a problem detected during the scan doh! Will let you know what it is when it has finished ... Cheers Matt
