Jump to content

Suspecting some sort of malware

Recommended Posts

Hello all!


I have a problem, I suspect that my computer has been infected, but nothing I cannot seem to find it. Although, I am not sure if it's actually infected, or if something's just glitched.

The effect is that from time to time, random tabs in my browser (Chrome) opens. The interesting thing is that the tabs are websites are never loaded and there's always something related to what I'm currently doing in the URL.


I did a search with both malwarebytes and HitmanPro, and found a few things that might have caused the problem and I thought that the problem would be solved, however, it occured again now.


I have attached the Hijackthis logfile.


Neither Hitman Pro or Malwarebytes have found anything on the last scans.


Link to post
Share on other sites

  • Root Admin

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
Link to post
Share on other sites

  • Root Admin

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Link to post
Share on other sites

  • Root Admin

That log was good and the file it listed is not an issue.

Let me have you run this online scan to help look for any potential threats.


Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan or download an installer if using another browser
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
Link to post
Share on other sites

Currently scanning...

It found a few "variants of toolbar", which is nothing I recognise (babylon, AZ and some other things). So I'm just gonna go ahead and remove them (If I'll be able to).
This is the punishment for not being awake while installing a program without double checking that there'll be no toolbars and other stuff as well.


I'll link the log when it's done as well, but since it clearly states toolbars (which is nothing I use to start with), I'm just gonna remove these.

Link to post
Share on other sites

Here's the log form the scan, and there are a few nasty things. I'll run the scan again and delete the threats since they're all something I don't want.


C:\Users\Christoffer\AppData\Local\Temp\ICReinstall_ZipOpenerSetup (1).exe Win32/InstallCore.BN.Gen application
C:\Users\Christoffer\AppData\Local\Temp\ICReinstall_ZipOpenerSetup (2).exe Win32/InstallCore.BN.Gen application
C:\Users\Christoffer\AppData\Local\Temp\Setup__2338_il359057 (1).exe a variant of Win32/Amonetize.D application
C:\Users\Christoffer\AppData\Local\Temp\Setup__2338_il359057.exe a variant of Win32/Amonetize.D application
C:\Users\Christoffer\AppData\Local\Temp\10022171.Uninstall\uninstaller.exe a variant of Win32/InstallCore.AZ application
C:\Users\Christoffer\AppData\Local\Temp\1AD85436-BAB0-7891-A98C-BEF0ED583AE4\Latest\BExternal.dll a variant of Win32/Toolbar.Babylon.C application
C:\Users\Christoffer\AppData\Local\Temp\1AD85436-BAB0-7891-A98C-BEF0ED583AE4\Latest\IEHelper.dll Win32/Toolbar.Babylon.E application
C:\Users\Christoffer\AppData\Local\Temp\1AD85436-BAB0-7891-A98C-BEF0ED583AE4\Latest\Setup.exe a variant of Win32/Toolbar.Babylon.E application
C:\Users\Christoffer\AppData\Local\Temp\8207093.Uninstall\uninstaller.exe a variant of Win32/InstallCore.AZ application
C:\Users\Christoffer\AppData\Local\Temp\is357113909\DeltaTB.exe a variant of Win32/Toolbar.Babylon.E application
C:\Users\Christoffer\AppData\Local\Temp\is357113909\uninstaller.exe a variant of Win32/InstallCore.AZ application
C:\Users\Christoffer\Downloads\cbsidlm-tr1_13-SpeedFan-ORG-10067444.exe Win32/DownloadAdmin.G application
C:\Users\Christoffer\Downloads\Setup__2338_il359057 (1).exe a variant of Win32/Amonetize.D application
C:\Users\Christoffer\Downloads\Setup__2338_il359057.exe a variant of Win32/Amonetize.D application
C:\Users\Christoffer\Downloads\ZipOpenerSetup (1).exe Win32/InstallCore.BN.Gen application
C:\Users\Christoffer\Downloads\ZipOpenerSetup (2).exe Win32/InstallCore.BN.Gen application
C:\Users\Christoffer\Downloads\ZipOpenerSetup.exe Win32/InstallCore.BN.Gen application
Link to post
Share on other sites

  • Root Admin


Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

    [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.


Next, download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Link to post
Share on other sites

Sorry for the delay, I was on holiday  during the week. But thank you for all your help and I hope that you are willing to continue helping me, even though I had this break.


I ran these scans now, and the result is as following:


JRT Scan:


~~~ Files

~~~ Folders
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Users\Christoffer\appdata\local\swvupdater"
~~~ Event Viewer Logs were cleared
Scan was completed on 29/06/2013 at 21:07:24.63
End of JRT log


AdwCleaner log:


# AdwCleaner v2.303 - Logfile created 06/29/2013 at 21:12:27

# Updated 08/06/2013 by Xplode
# Operating system : Windows 8  (64 bits)
# User : Christoffer - CHRIS
# Boot Mode : Normal
# Running from : C:\Users\Christoffer\Downloads\AdwCleaner.exe
# Option [Delete]
***** [services] *****
***** [Files / Folders] *****
File Deleted : C:\windows\Tasks\DSite.job
Folder Deleted : C:\Users\Christoffer\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Folder Deleted : C:\Users\Christoffer\AppData\Roaming\DSite
***** [Registry] *****
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\5d6ddd8e734e913
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Tarma Installer
***** [internet Browsers] *****
-\\ Internet Explorer v10.0.9200.16537
[OK] Registry is clean.
-\\ Google Chrome v27.0.1453.116
File : C:\Users\Christoffer\AppData\Local\Google\Chrome\User Data\Default\Preferences
AdwCleaner[s1].txt - [1590 octets] - [29/06/2013 21:12:27]
########## EOF - C:\AdwCleaner[s1].txt - [1650 octets] ##########

Security Check logfile:


Results of screen317's Security Check version 0.99.68  

   x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender           
Norton Internet Security   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version  
 Java 7 Update 21  
 Java version out of Date! 
 Google Chrome 27.0.1453.110  
 Google Chrome 27.0.1453.116  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 


Thank you a lot!

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.