
"Internet Security" Virus



OK..........

 

Lots of adware found....let's clear it out.....

  • Please re-run AdwCleaner
  • Click on Delete button.
  • Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then......

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Last.........

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


AdwCleaner[s1]:

---------------------------------

# AdwCleaner v2.306 - Logfile created 08/14/2013 at 20:34:02
# Updated 19/07/2013 by Xplode
# Operating system : Windows Vista Home Premium Service Pack 2 (64 bits)
# User : Owner - GATEWAY-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Owner\Desktop\adwcleaner v2.306.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dhdepfaagokllfmhfbcfmocaeigmoebo
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16496

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [3458 octets] - [14/08/2013 20:21:10]
AdwCleaner[s1].txt - [3116 octets] - [14/08/2013 20:34:02]

########## EOF - C:\AdwCleaner[s1].txt - [3176 octets] ##########

 

 

 

jrt.txt

---------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.4.5 (08.13.2013:1)
OS: Windows Vista Home Premium x64
Ran by Owner on Wed 08/14/2013 at 20:42:32.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011501160}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{2D3FF308-244A-4F51-A2BF-564622F9C1EC}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{2D75E8E9-7F30-4477-9302-50724928B300}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{3CE9B52D-98FF-40A6-B788-D9B994DD7DD6}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{4AD34232-4315-4AA8-A56A-0166B3FA5DE9}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{4E228082-D949-4710-8A61-6EC571B28F71}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{51A4C48F-E5EC-407D-B8DE-D7B9124D1C6C}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{6EA168E2-D310-4EE8-8CEA-2B03A36A879F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{6FBCB31C-8984-41A2-9D9A-98FDA8E9C923}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{8FD3B8A3-0A2E-487E-9869-D5EE210454C0}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{9DBCAD16-E5B7-4ECA-A5B3-F3A330D33ECD}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{A96A5507-D608-4513-B3E7-F69C4BE03BF8}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{B57ABAB6-A9B8-4A37-94C0-10324D58D78C}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{CADD9825-93DA-42D9-9EA9-1F133F362C2E}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{E2D46164-7ACD-4196-9F96-B3A321BF7B6D}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{FF17C52C-7741-4768-AA14-3E9798236FA9}

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/14/2013 at 20:48:20.35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

mbam-log-2013-08-14 (20-51-20)

---------------------------------

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.14.03

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: GATEWAY-LAPTOP [administrator]

8/14/2013 8:51:20 PM
mbam-log-2013-08-14 (20-51-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 263573
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

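The AdwCleaner and JRT logs above show where adware had registered itself: Internet Explorer Browser Helper Objects and SearchScopes, registry-installed Chrome and Firefox extensions, in both the 64-bit and the Wow6432Node views. The script below is an added example, not code from the thread, from MrC or from either tool. It reads those same locations, resolves each BHO CLSID to the DLL it loads and reports that DLL's Authenticode signer, so a helper can see what is loaded into the browser before deciding what to remove. It deletes nothing. Function names (Resolve-Clsid, Get-SignerInfo, Get-BrowserAddonInventory) are mine; it assumes PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example (not from the thread): read-only inventory of the browser
# add-on registry locations that the AdwCleaner/JRT logs show being cleaned.
# Nothing is deleted; run from an elevated PowerShell (3.0+) prompt.

function Resolve-Clsid {
    # Look a CLSID up in the 64-bit and the 32-bit (Wow6432Node) class store
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        return [pscustomobject]@{ Name = $name; Dll = $dll }
    }
    [pscustomobject]@{ Name = '<no CLSID registration>'; Dll = $null }
}

function Get-SignerInfo {
    # Signature status of the module a BHO points at; a missing file is a finding too
    param([string]$Path)
    if (-not $Path) { return 'n/a' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -eq 'Valid') { "Valid: $($sig.SignerCertificate.Subject)" } else { [string]$sig.Status }
}

function Get-BrowserAddonInventory {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $searchRoots = @(
        'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
    )
    $chromeRoots = @(
        'HKLM:\SOFTWARE\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'
    )
    $firefoxRoots = @(
        'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
        'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            $info = Resolve-Clsid $sub.PSChildName
            [pscustomobject]@{ Type = 'IE BHO'; Id = $sub.PSChildName; Name = $info.Name
                               Target = $info.Dll; Signer = (Get-SignerInfo $info.Dll) }
        }
    }
    foreach ($root in $searchRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{ Type = 'IE SearchScope'; Id = $sub.PSChildName; Name = $p.DisplayName
                               Target = $p.URL; Signer = 'n/a' }
        }
    }
    foreach ($root in $chromeRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $sub.PSPath
            # Registry-installed Chrome extensions carry an update_url or a local CRX path
            $target = if ($p.update_url) { $p.update_url } else { $p.path }
            [pscustomobject]@{ Type = 'Chrome ext (registry)'; Id = $sub.PSChildName; Name = ''
                               Target = $target; Signer = 'n/a' }
        }
    }
    foreach ($root in $firefoxRoots) {
        if (-not (Test-Path $root)) { continue }
        # Firefox extensions are values (ID = install path) directly under the key
        $p = Get-ItemProperty -Path $root
        foreach ($v in ($p.PSObject.Properties | Where-Object { $_.Name -notin $providerProps })) {
            [pscustomobject]@{ Type = 'Firefox ext (registry)'; Id = $v.Name; Name = ''
                               Target = $v.Value; Signer = 'n/a' }
        }
    }
}

Get-BrowserAddonInventory | Format-Table -AutoSize -Wrap
```

Entries worth a second look are a BHO whose DLL is unsigned or missing, a SearchScope whose URL is not the search engine the user chose, and any extension installed through the registry that the user does not recognise. A clean run on this machine after the fixes above should list only add-ons from the installed security products.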

It seems to be working great.  If you think this task is done, I'd like to run a full scan Malwarebytes, full scan AVG2011 (they're great for removing tracking cookies), and a full scan Super-Anti-Spyware, but the earlier instructions say don't run extra scans until we're done.  Those are my feel-good utilities.  Is it time for these now?

 

Another side item, may want to open a new topic for it, my other 'working' computer seemed to crap out just this morning.  Don't think it's a virus though.  The screen started to flicker, I got a box that says the video driver stalled and recovered, that repeated a few times, and then I got blue screen.  After reboot, same thing happened a few times, and now I can't seem to bring the system up even in safe mode.  Did my video card up and die today?  Time to open a 2nd topic?

 

Thanks for everything, and let me know if you think we've completed.

Mike


Yes, run your scans and start a new topic for the other computer.

When done........

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC

Full scan with Malwarebytes showed 12 items, ugh.  It was 90min in and still running, so I let it continue overnight.  But this morning it looked like Windows Update automatically downloaded some updates at 3:19AM and did a reboot and interrupted the scan, so I don't see a Malwarebytes report generated since that last quick scan I ran and posted yesterday that seemed to be clean.

 

When I logged in something new asked me permission to run and I denied it.  It had a name I didn't recognize.  So I started another full scan again at 7AM today (Thur 8/15) and will post the log tonight.  We can discuss that before doing our final security checks.

 

Regarding the other computer, some blogs from several month ago talk about video card voltage changes, and some claim a virus that attacks the video card, but I will open a new topic for that later per direction.


OK, maybe not a problem but I'll let you decide.  I saw the 12 items again, halted the scan and saved the results, and they're the 12 items stored in C:\Qoobox\Quarantine\C\Users\Owner.  That Qoobox directory is new, and has some Combofix documents in it, so I'm guessing that's ok since Combofix created it.  Here's the log from the full scan which I interrupted after I saw the 12 items detected.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.15.03

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: GATEWAY-LAPTOP [administrator]

8/15/2013 6:56:29 AM
MBAM-log-2013-08-15 (07-29-05).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 119483
Time elapsed: 28 minute(s), 47 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 12
C:\Qoobox\Quarantine\C\Users\Owner\acrobat.exe.vir (Trojan.FakeMS.WL) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\acrobatreader50761.exe.vir (Trojan.FakeMS.WL) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\flashplayer553906.exe.vir (Trojan.FakeMS.WL) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\flashplayer821120.exe.vir (Trojan.FakeMS.WL) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\icq.exe.vir (Rootkit.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\notepad.exe.vir (Rootkit.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\opera.exe.vir (Rootkit.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\rundll32266486.exe.vir (Trojan.FakeMS.WL) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\skype.exe.vir (Rootkit.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\vlcplayer314397.exe.vir (Trojan.FakeMS.WL) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\cba6fad2-434e-422f-8b70-23e287c83523ad\cbafadefbecad.exe.vir (Trojan.FakeMS.WL) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Owner\AppData\Roaming\74F0.tmp.vir (Trojan.Krypt) -> No action taken.

(end)


SecurityCheck ran OK.  Here's the result. 

 

Talk more tonight.

Mike

 

 

Checkup.txt

-----------------------

 Results of screen317's Security Check version 0.99.72 
 Windows Vista Service Pack 2 x64 (UAC is enabled) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton 360                        
AVG Anti-Virus Free Edition 2011  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware Free Edition  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 6 Update 30 
 Java 6 Update 5 
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 AVG avgwdsvc.exe
 AVG avgtray.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please uninstall all Java from your add/remove programs:
Java™ 6 Update 30
Java™ 6 Update 5


Java version out of Date! <-------Download and install the latest version (Version 25) from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

-----------------------------------------------

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc. AdwCleaner > just run the program and click Uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (may be down right now)

Good Luck and Thanks for using the forum, MrC

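The Security Check log listed two Java 6 builds and an old Adobe Reader, and the advice above is to uninstall or update them. The script below is an added example, not from the thread or from screen317's tool: it walks the three Uninstall registry views Windows keeps (64-bit, 32-bit Wow6432Node, per-user) and prints every entry whose name matches Java or Adobe Reader with its version and publisher, which is the quickest way to spot leftover old versions after a new one has been installed. It is read-only. The function name Get-InstalledProgram and the default name patterns are mine; it assumes PowerShell 3 or later.

```powershell
# Added example (not from the thread): list installed programs from the Uninstall
# registry keys in all three views, filtered to the products the Security Check
# log flagged as out of date. Read-only; nothing is uninstalled here.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',              # 64-bit installs
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit installs
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
)

function Get-InstalledProgram {
    # $NamePattern: substrings matched against DisplayName (case-insensitive)
    param([string[]]$NamePattern = @('Java', 'Adobe Reader'))
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        $view = if ($key -like '*Wow6432Node*') { '32-bit' }
                elseif ($key -like 'HKCU:*')    { 'per-user' }
                else                            { '64-bit' }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if (-not $p.DisplayName) { continue }   # components without a visible entry
            foreach ($pat in $NamePattern) {
                if ($p.DisplayName -like "*$pat*") {
                    [pscustomobject]@{
                        DisplayName     = $p.DisplayName
                        DisplayVersion  = $p.DisplayVersion
                        Publisher       = $p.Publisher
                        InstallDate     = $p.InstallDate      # yyyymmdd when the installer recorded it
                        View            = $view
                        UninstallString = $p.UninstallString  # what Programs and Features runs on Uninstall
                    }
                    break
                }
            }
        }
    }
}

# Several Java rows with different DisplayVersion values are the stale installs
# that keep the old runtime (and its update prompts) on the machine.
Get-InstalledProgram | Sort-Object Publisher, DisplayName, DisplayVersion | Format-Table -AutoSize
```

Remove the old entries through Programs and Features (or the UninstallString shown), then re-run the script to confirm only the current version remains.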

I updated Java and Adobe, also downloaded Foxit.  After running OTC the computer rebooted, but then Java updater popped up like it always does and says yet another update was available.  I had always ignored this thinking it wasn't real, but now that I'm updated I thought this wouldn't appear, and it did.  Should the java updater still be bugging me like this?

 

Aside of that Java quirk still going on, I think we might be done.  Do you agree?  I'm frustrated at how long we had to work on this, but I'm pleased that it appears to be successful.  Thanks for the Preventative Maintenance recommendations, I will try to adopt them for myself.

 

Thanks,

Mike


Oh, one other thing.  My Malwarebytes free version, what all is it supposed to do?  Does it fix things but not prevent things from getting in?  Is that one possible reason we had to fix this recent intrusion?  Is the paid version required for real-time protection in addition to a problem-fixing capability?


Should the java updater still be bugging me like this?

No, if you have the latest version installed, it shouldn't be popping up.
Are you sure there's no old versions in the add/remove programs?

Open up your control panel > Java > General Tab > click on About > should show Java 7 Update 25
On the Update Tab > un-check > Check for updates automatically

---------------------------------------------

Oh, one other thing. My Malwarebytes free version, what all is it supposed to do?
It's just a scanner, no realtime protection


Does it fix things but not prevent things from getting in?
Correct

Is that one possible reason we had to fix this recent intrusion?
Yes

Is the paid version required for real-time protection in addition to a problem-fixing capability?
Yes

 

MrC


Java 7 Update 25, so the version and updates are right, but I don't have an Update tab in the Java Control Panel.  There's General, Java, Security, and Advanced.  I didn't see update control under any of the tabs.


"Java Auto Update is currently not available for 64-bit versions of Java. 64-bit versions of Java do not include the Update tab in the Java Control Panel."

 

 

 

If this is in your add/remove programs, you can uninstall it if you're still having problems:

 

Java Auto Updater

 

MrC


I think you're right about multiple versions. 

 

If I right click the "Java Update Available" icon in the lower right part of the tray, and click Properties, I get a window which has the Update Tab.  If I then click on the Java Tab and then click the View button, I see products 1.6.0_05 and 1.6.0_30.

 

If I open Programs and Features, I see "Java 7 Update 25 (64 bit)", "Java 6 Update 5", and "Java Update 30".  Since we just installed Java 7 Update 25, I assume the other two are the older version, and the same ones related to the Java icon in the tray.  If I uninstall the latter 2 in Programs and Features, I assume that will eliminate the older versions.  Do you agree?

 

Also, while running Super Anti Spyware, a full scan that's still running into its 10th hour, it saw 190 adware tracking cookies, and 1 Trojan.Dropper/SVCHost-Fake.  I assume the tool will eliminate that as it completes, but shouldn't we have found everything by now?


If I uninstall the latter 2 in Programs and Features, I assume that will eliminate the older versions. Do you agree?

Yes, that should do it

Also, while running Super Anti Spyware, a full scan that's still running into its 10th hour, it saw 190 adware tracking cookies, and 1 Trojan.Dropper/SVCHost-Fake. I assume the tool will eliminate that as it completes, but shouldn't we have found everything by now?

None of the tools we ran targets cookies, basically they're harmless.
Trojan.Dropper/SVCHost-Fake <---not sure what this is, you have the log or file it targeted?

MrC


Super Anti Spyware usually runs real long for a full scan, like a day or more, not sure why.  But I stopped it to get your answer. 

 

It flagged:

C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\SVCHOST.exe

 

I'm thinking we'll select Trust/Allow that item.  Would that be correct?  Odd that it flagged it as a Trojan.

 

Mike

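The thread ends with a scanner flagging a file named SVCHOST.exe inside the Malwarebytes program directory, which is exactly the situation where a practitioner checks the file itself before choosing Trust/Allow or Delete. The script below is an added example, not from the thread, from MrC or from any of the scanners: it reports the file's size, SHA-256, Authenticode signature status and signer, embedded version information, and whether it is the real Windows service host in System32 (a file with that name anywhere else is a different program and stands or falls on the checks above). It changes nothing. The function name Get-FileTriage is mine; it assumes PowerShell 4 or later (for Get-FileHash), and the path is the one Mike posted, to be replaced with the path from your own scanner log.

```powershell
# Added example (not from the thread): triage a file a scanner flagged by name
# before trusting or deleting it. Read-only; requires PowerShell 4.0+.

function Get-FileTriage {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $ver  = $item.VersionInfo
    [pscustomobject]@{
        Path             = $Path
        Exists           = $true
        SizeBytes        = $item.Length
        SHA256           = $hash.Hash
        SignatureStatus  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject   # who signed it, if anyone
        CompanyName      = $ver.CompanyName                 # embedded version resource, easy to fake
        ProductName      = $ver.ProductName                 # so treat as a hint, not proof
        FileVersion      = $ver.FileVersion
        # The genuine Windows service host lives only here; same-named files
        # elsewhere are other programs and are judged on the fields above.
        IsWindowsSvchost = ($Path -ieq (Join-Path $env:SystemRoot 'System32\svchost.exe'))
    }
}

# Path reported in the thread; substitute the path from your own scanner log.
$flaggedFile = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\SVCHOST.exe"
Get-FileTriage -Path $flaggedFile | Format-List
```

A SignatureStatus of Valid with the product vendor as signer, in that vendor's own install directory, is the evidence that supports a Trust/Allow decision; NotSigned, HashMismatch or an unexpected signer means leave the file quarantined and post the output for the helper to look at.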
