PUP.Optional.FrostwireTB.A


mof


Good morning Naathim !!!

 

I followed the FRST instructions and here is a copy of the Fixlog (I will now do the other scan):

 

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:24-08-2014 03
Ran by Windows7 at 2014-08-26 11:04:08 Run:1
Running from C:\Users\Windows7\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKU\S-1-5-21-1019755614-1115449502-2846687370-1000\...\MountPoints2: {254a8ba5-6d27-11e1-88a1-806e6f6e6963} - E:\DistinguishOS.exe
FF Plugin: @oberon-media.com/ONCAdapter -> C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{5F387297-4BDB-48CD-8DB0-ACAD1415FABA}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.21.129\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{7F902AD4-FC6A-4B2F-8B8D-B6DD4E329B76}\InprocServer32 -> C:\Users\Windows7\AppData\Local\ASKTOO~1\DOWNLO~1\AVIRAW~1.DLL No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{A0359AE6-F410-4425-A975-684AAB785ABD}\InprocServer32 -> C:\Users\Windows7\AppData\Local\ASKTOO~1\DOWNLO~1\AVIRAB~1.DLL No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Windows7\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File
Hosts:
Task: C:\Windows\Tasks\AutoKMS.job => ?
AlternateDataStreams: C:\ProgramData\TEMP:5547042D
AlternateDataStreams: C:\ProgramData\TEMP:A1D3FEF0
AlternateDataStreams: C:\ProgramData\TEMP:ADE16379
AlternateDataStreams: C:\ProgramData\TEMP:B881EAB4
EmptyTemp:
end
*****************

"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{254a8ba5-6d27-11e1-88a1-806e6f6e6963}" => Key deleted successfully.
"HKCR\CLSID\{254a8ba5-6d27-11e1-88a1-806e6f6e6963}" => Key not found.
"HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{5F387297-4BDB-48CD-8DB0-ACAD1415FABA}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{7F902AD4-FC6A-4B2F-8B8D-B6DD4E329B76}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{A0359AE6-F410-4425-A975-684AAB785ABD}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}" => Key deleted successfully.
"HKU\S-1-5-21-1019755614-1115449502-2846687370-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
C:\Windows\Tasks\AutoKMS.job => Moved successfully.
C:\ProgramData\TEMP => ":5547042D" ADS removed successfully.
C:\ProgramData\TEMP => ":A1D3FEF0" ADS removed successfully.
C:\ProgramData\TEMP => ":ADE16379" ADS removed successfully.
C:\ProgramData\TEMP => ":B881EAB4" ADS removed successfully.
EmptyTemp: => Removed 1.1 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====

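An added example, not part of this thread and not FRST's own code: a read-only PowerShell audit of the artifact classes the fixlist above removed (per-user CustomCLSID entries whose DLL is missing, MountPoints2 AutoRun commands, alternate data streams on C:\ProgramData\TEMP, legacy .job files in C:\Windows\Tasks, and non-stock hosts entries), so you can confirm the fix held without a full FRST run. It assumes an elevated PowerShell 3.0 or later session, the current user's SID as the profile to inspect, and the default paths that appear in the log; the function name Get-FixlistStyleArtifacts is ours.

```powershell
# Added example (not from the thread or FRST): audit the persistence spots the fixlist touched.
# Needs PowerShell 3.0+ (Get-Item -Stream) and an elevated session.
function Get-FixlistStyleArtifacts {
    [CmdletBinding()]
    param(
        # SID of the profile to inspect; defaults to the current user, which is what the
        # HKU\S-1-5-21-... lines in an FRST log refer to when FRST runs from that account.
        [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
        [string]$AdsTarget   = 'C:\ProgramData\TEMP',      # assumed: directory named in the log
        [string]$LegacyTasks = "$env:SystemRoot\Tasks"      # assumed: Task Scheduler 1.0 job folder
    )

    # 1. Per-user CLSID registrations whose InprocServer32 DLL no longer exists.
    #    FRST prints these as "CustomCLSID: ... No File". A user-writable CLSID that
    #    shadows a machine-wide one is a known COM-hijack persistence spot, so list all orphans.
    $orphans = @()
    $clsidRoot = "Registry::HKEY_USERS\${Sid}_Classes\CLSID"
    if (Test-Path -LiteralPath $clsidRoot) {
        foreach ($key in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
            $inproc = "$($key.PSPath)\InprocServer32"
            if (-not (Test-Path -LiteralPath $inproc)) { continue }
            $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $dll) { continue }
            # Expand %VARS% and drop quotes; 8.3 names such as ASKTOO~1 resolve through Test-Path.
            $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            if (-not (Test-Path -LiteralPath $path)) {
                $orphans += [pscustomobject]@{ Clsid = $key.PSChildName; Dll = $path }
            }
        }
    }

    # 2. MountPoints2 volumes carrying an AutoRun command. FRST's
    #    "MountPoints2: {guid} - E:\file.exe" line comes from shell\AutoRun\command.
    $autoruns = @()
    $mp2 = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    if (Test-Path -LiteralPath $mp2) {
        foreach ($vol in Get-ChildItem -LiteralPath $mp2 -ErrorAction SilentlyContinue) {
            $cmdKey = "$($vol.PSPath)\shell\AutoRun\command"
            if (Test-Path -LiteralPath $cmdKey) {
                $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
                $autoruns += [pscustomobject]@{ Volume = $vol.PSChildName; Command = $cmd }
            }
        }
    }

    # 3. Alternate data streams on the directory FRST cleaned. ':$DATA' is a file's own
    #    content stream, so only other stream names are reported.
    $streams = @()
    if (Test-Path -LiteralPath $AdsTarget) {
        $streams = @(Get-Item -LiteralPath $AdsTarget -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object Stream, Length)
    }

    # 4. Legacy Task Scheduler 1.0 jobs, the class AutoKMS.job belonged to.
    $jobs = @(Get-ChildItem -LiteralPath $LegacyTasks -Filter '*.job' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime)

    # 5. Hosts entries that are neither comments nor the stock localhost lines.
    $hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $hostsExtra = @(Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' })

    [pscustomobject]@{
        OrphanedClsid  = $orphans
        MountPointRuns = $autoruns
        AdsStreams     = $streams
        LegacyJobs     = $jobs
        HostsExtra     = $hostsExtra
    }
}

$report = Get-FixlistStyleArtifacts
$report | Format-List
```

On the machine in this thread, after the Fixlog above, every list in the report should come back empty; anything that reappears later is a sign the source of the entries (a re-run installer, an updater, or something still active) has not been dealt with.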

Here is the log file from Security Check below.

Should I also double-click on the saved aswMBR log file and copy and paste it as well?

Thanks

 

 

 Results of screen317's Security Check version 0.99.87  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
COMODO Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner     
 Java 7 Update 55  
 Java version out of Date!
 Adobe Flash Player     14.0.0.145  
 Adobe Reader XI  
 Mozilla Firefox (31.0)
 Google Chrome 36.0.1985.125  
 Google Chrome 36.0.1985.143  
````````Process Check: objlist.exe by Laurent````````  
 Comodo Firewall cmdagent.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
 


Good morning from Poland! :)


Here are, once again for your convenience, the instructions for aswMBR and how to update Java. Keeping Java updated is crucial, as it is the most exploited software nowadays.



Scan with aswMBR

Please download aswMBR by Avast! & Gmer and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the aswMBR icon and select Run as Administrator to start the tool.
  • Allow virtualisation if offered.
  • If you are prompted to download the latest anti-virus definitions from avast!, click No.
  • Select Scan.
  • Upon completion, you will see Scan finished successfully. Click Save log.

Do NOT click Fix or FixMBR!
A file (MBR.dat) will be created on your desktop. Do NOT click or delete it!

Copy the contents of the logfile and paste it into your next reply.
Do not forget to re-enable your previously switched-off protection software.



Update outdated software

Staying always updated is crucial, not only for your operating system, but also for any third-party installed software.
Your logs clearly indicate that some of your software needs updating.

Updating Java manually

  • Click the Start button
  • Click Control Panel
  • Double click Java - Looks like a coffee cup. You may have to switch to Classical View to see it.
  • Click the Update tab
  • Click Update Now
  • Allow any updates to be downloaded and installed.
  • If prompted (during the installation) to also install ASK toolbar, leave this unchecked - Ask does not have a good reputation.
  • From Control Panel, please also remove any older versions of Java - do not leave them installed!

Please remember to keep software up-to-date.


The copy & paste of aswMBR.

Cheers.

 

 

 

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-08-26 11:25:13
-----------------------------
11:25:13.830    OS Version: Windows 6.1.7601 Service Pack 1
11:25:13.830    Number of processors: 4 586 0x3601
11:25:13.830    ComputerName: WINDOWS7-PC0451  UserName: Windows7
11:26:18.665    Initialize success
11:26:18.696    VM: initialized successfully
11:26:18.727    VM: Intel CPU virtualization not supported
11:26:18.837    write error "aswEngin.dll". The process cannot access the file because it is being used by another process.
11:28:05.443    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
11:28:05.458    Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
11:28:05.864    Disk 0 MBR read successfully
11:28:05.880    Disk 0 MBR scan
11:28:05.895    Disk 0 Windows 7 default MBR code
11:28:05.911    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
11:28:05.926    Disk 0 Boot: NTFS     code=2
11:28:05.942    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       102400 MB offset 206848
11:28:05.973    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       202743 MB offset 209922048
11:28:05.989    Disk 0 scanning sectors +625139712
11:28:06.129    Disk 0 scanning C:\Windows\system32\drivers
11:28:15.895    Service scanning
11:28:38.203    Modules scanning
11:28:47.563    Disk 0 trace - called modules:
11:28:47.703    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
11:28:47.734    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862c1030]
11:28:47.766    3 CLASSPNP.SYS[8878159e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84b37028]
11:28:47.797    Scan finished successfully
11:30:56.903    Disk 0 MBR has been saved successfully to "C:\Users\Windows7\Desktop\MBR.dat"
11:30:56.934    The log file has been saved successfully to "C:\Users\Windows7\Desktop\aswMBR.txt"

 

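An added example, not from aswMBR or this thread: a PowerShell parser for the "Disk 0 Partition N" lines of an aswMBR log that checks the MBR partition table is contiguous. Unallocated space between partitions, or a large tail after the last one, is where a bootkit can keep code that no file-system scan sees, so it is worth an explicit check rather than eyeballing the offsets. The function name Test-MbrLayout is ours; it assumes 512-byte sectors (so one of aswMBR's "MB" is 2048 sectors, which the offsets in this log bear out) and reads the disk size from the "Size: NNNMB" line. The sample input is copied from the log above.

```powershell
# Added example (not from aswMBR or the thread): check an MBR layout parsed from aswMBR output.
function Test-MbrLayout {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $sectorsPerMB = 2048   # assumption: 512-byte sectors, 1 MiB = 2048 sectors

    $diskMB = $null
    $parts  = @()
    foreach ($line in $LogLines) {
        if ($line -match 'Size:\s*(\d+)MB') { $diskMB = [long]$Matches[1] }
        # "Partition 1 80 (A) 07    HPFS/NTFS NTFS   100 MB offset 2048": index, boot flag,
        # optional "(A)" marker, type byte, size in MB, starting sector.
        if ($line -match 'Partition\s+(\d+)\s+([0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?([0-9A-Fa-f]{2})\s+.*?(\d+)\s+MB\s+offset\s+(\d+)') {
            $parts += [pscustomobject]@{
                Index  = [int]$Matches[1]
                Active = ($Matches[2] -eq '80')
                Type   = $Matches[3]
                SizeMB = [long]$Matches[4]
                Start  = [long]$Matches[5]
                End    = [long]$Matches[5] + [long]$Matches[4] * $sectorsPerMB   # first sector after it
            }
        }
    }

    $findings = @()
    $prevEnd  = $sectorsPerMB   # a 1 MiB-aligned first partition starts at sector 2048
    foreach ($p in ($parts | Sort-Object Start)) {
        $gap = $p.Start - $prevEnd
        if ($gap -ne 0) {
            $findings += "gap of $gap sectors before partition $($p.Index) (expected start $prevEnd, got $($p.Start))"
        }
        $prevEnd = $p.End
    }
    if ($diskMB) {
        $tail = $diskMB * $sectorsPerMB - $prevEnd
        # Up to 1 MiB of slack is rounding of the reported size; more than that deserves a look.
        if ($tail -gt $sectorsPerMB) { $findings += "$tail unallocated sectors after the last partition" }
    }
    $active = @($parts | Where-Object Active).Count
    if ($active -ne 1) { $findings += "$active active partitions (expected exactly 1)" }

    [pscustomobject]@{
        Partitions = $parts
        LastEnd    = $prevEnd
        Findings   = $findings
        Ok         = ($findings.Count -eq 0)
    }
}

# Input: the relevant lines of the aswMBR log above.
$sample = @'
11:28:05.458    Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
11:28:05.911    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
11:28:05.942    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       102400 MB offset 206848
11:28:05.973    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       202743 MB offset 209922048
'@ -split "`r?`n"

$result = Test-MbrLayout -LogLines $sample
$result.Partitions | Format-Table Index, Active, Type, SizeMB, Start, End
$result.Findings
$result.Ok
```

For this log the three partitions abut exactly (2048 + 100 MB lands on 206848, 206848 + 102400 MB on 209922048) and the last one ends at sector 625139712, the same sector aswMBR reports in its "scanning sectors +625139712" line, with only the 1 MiB rounding slack left before the end of the 305245 MB disk; Ok comes back True and Findings is empty.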

Looks good :)



Scan with Malwarebytes' Anti-Malware

Please re-run Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.



Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Accept the Terms of Use and click Start.

To perform the scan:

  • Make sure that Enable detection of potentially unwanted applications is checked.
  • In the Advanced Settings dropdown menu:
    • Make sure that Remove found threats is unchecked.
    • Scan archives is checked.
    • Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
    • Use custom proxy settings is unchecked.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.
Don't forget to re-enable previously switched-off protection software!


Hello again Naathim,

 

I did a Threat Scan with Malwarebytes and NO threats were shown. :) Unfortunately I'm too dumb to know how to reduce the size of the scan results page - to click the Export button - to give you a copy of the log (my screen is too small and I cannot drag the window to a smaller size). But zero detections, so all clean on there by the looks of it!!!

 

The ESET scan (below) has just finished, and to me it looks all clean as well. I can delete that one "threat" if needed, but I think that's not any adware. I already had a lot of extra stuff on this machine when I bought this laptop, and I deleted the program Web Cam Surveyor as my AV picked it up and I wasn't entirely sure that it couldn't possibly be used for spyware.

 

I'm surprised this adware got through my Comodo CIS and Toolwiz Time Freeze, as I thought, or rather assumed, I'd be near bulletproof with both. I think it might have got on my machine before I installed Toolwiz though, and possibly been installed when my girlfriend downloaded an online game, as I vaguely remember Oberon Media. Could have been me with Java though.

 

So the nasties have been removed?

 

Sorry to have bothered you.

 

 

 

ESET scan log:

 

 

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=6534992cc53cc64686a757c7cbf1ee58
# engine=19844
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-08-26 10:37:30
# local_time=2014-08-26 05:37:30 (+0700, SE Asia Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='COMODO Antivirus'
# compatibility_mode=3074 16777213 100 84 0 55520872 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 35508348 160680641 0 0
# scanned=120460
# found=1
# cleaned=0
# scan_time=8506
sh=13EE8C9FCE6F74512DCD188CCA0655C5EDE37612 ft=1 fh=756c61b76c471ca8 vn="MSIL/HackKMS.A potentially unsafe application" ac=I fn="C:\Windows\AutoKMS\AutoKMS.exe"
 

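An added example, not from ESET or this thread: PowerShell that parses an ESET Online Scanner log into objects (the "# key=value" header and the "sh=... fn=..." detection lines) and, for each detection still on disk, compares the SHA-1 the scanner recorded in sh= with a locally computed one. The scan above ran with remove_checked=false, so the flagged file stayed in place; a matching hash confirms you are acting on exactly the file ESET saw before you remove or submit it. The function names are ours; it assumes sh= is the file's SHA-1 (40 hex digits, as in the log), leaves ft, fh and ac uninterpreted, and needs PowerShell 4.0 or later for Get-FileHash. The sample input is taken from the log above.

```powershell
# Added example (not from ESET or the thread): parse an ESET Online Scanner log and verify hashes.
function ConvertFrom-EsetLog {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $header = [ordered]@{}
    $hits   = @()
    foreach ($line in $LogLines) {
        if ($line -match '^#\s*(\w+)=(.*)$') {
            # Repeated keys (compatibility_mode*) are kept as arrays rather than overwritten.
            $k, $v = $Matches[1], $Matches[2].Trim()
            if ($header.Contains($k)) { $header[$k] = @($header[$k]) + $v } else { $header[$k] = $v }
            continue
        }
        if ($line -match '^sh=') {
            $rec = [ordered]@{}
            # key=value pairs; a value is either a "quoted string" or a bare token.
            foreach ($m in [regex]::Matches($line, '(\w+)=("[^"]*"|\S+)')) {
                $rec[$m.Groups[1].Value] = $m.Groups[2].Value.Trim('"')
            }
            $hits += [pscustomobject]$rec
        }
    }
    [pscustomobject]@{ Header = [pscustomobject]$header; Detections = $hits }
}

function Test-EsetDetectionHash {
    param([Parameter(Mandatory)]$Detection)
    $path = $Detection.fn
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Present = $false; HashMatches = $null; Local = $null }
    }
    $local = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
    [pscustomobject]@{
        Path        = $path
        Present     = $true
        HashMatches = ($local -ieq $Detection.sh)   # sh= assumed to be SHA-1, as the 40 hex digits suggest
        Local       = $local
    }
}

# Input: the relevant lines of the ESET log above.
$log = @'
# remove_checked=false
# unwanted_checked=true
# scanned=120460
# found=1
# cleaned=0
sh=13EE8C9FCE6F74512DCD188CCA0655C5EDE37612 ft=1 fh=756c61b76c471ca8 vn="MSIL/HackKMS.A potentially unsafe application" ac=I fn="C:\Windows\AutoKMS\AutoKMS.exe"
'@ -split "`r?`n"

$parsed = ConvertFrom-EsetLog -LogLines $log
# Sanity check: the header's found= count should equal the number of sh= lines.
if ([int]$parsed.Header.found -ne $parsed.Detections.Count) {
    Write-Warning 'found= does not match the number of detection lines'
}
foreach ($d in $parsed.Detections) {
    "$($d.vn) -> $($d.fn)"
    Test-EsetDetectionHash -Detection $d
}
```

On the machine in this thread, run before the second FRST fix below, this would report C:\Windows\AutoKMS\AutoKMS.exe as present and HashMatches True; run after it, Present False, because FRST moved the file out of the way.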

This file belongs to a Microsoft Office crack, but since it is inactive (and wasn't active, according to your FRST logfiles), I will remove it.



Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:
    start
    C:\Windows\AutoKMS\AutoKMS.exe
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users: click Run after receipt of the Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.


Log result.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:24-08-2014 03
Ran by Windows7 at 2014-08-26 19:23:33 Run:2
Running from C:\Users\Windows7\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
C:\Windows\AutoKMS\AutoKMS.exe
end
*****************

C:\Windows\AutoKMS\AutoKMS.exe => Moved successfully.

==== End of Fixlog ====


:)


Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

  • Right-click on the DelFix icon and select Run as Administrator to start the tool.
  • Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
  • Push Run.
  • When finished, it will display a notepad report.

Include it for my review.
Please also manually reboot your machine after posting your logfile.


Nice tool.

 

Log report:

 

 

 

# DelFix v10.8 - Logfile created 26/08/2014 at 19:44:27
# Updated 29/07/2014 by Xplode
# Username : Windows7 - WINDOWS7-PC0451
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Windows7\Desktop\aswMBR.txt
Deleted : C:\Users\Windows7\Desktop\Fixlog.txt
Deleted : C:\Users\Windows7\Desktop\FRST.exe
Deleted : C:\Users\Windows7\Desktop\JRT.txt
Deleted : C:\Users\Windows7\Desktop\MBR.dat
Deleted : C:\Users\Windows7\Downloads\Addition.txt
Deleted : C:\Users\Windows7\Downloads\AdwCleaner.exe
Deleted : C:\Users\Windows7\Downloads\aswMBR.exe
Deleted : C:\Users\Windows7\Downloads\esetsmartinstaller_enu(1).exe
Deleted : C:\Users\Windows7\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\Windows7\Downloads\FRST.txt
Deleted : C:\Users\Windows7\Downloads\JRT.exe
Deleted : C:\Users\Windows7\Downloads\JavaRa-2.0.zip
Deleted : C:\Users\Windows7\Downloads\SecurityCheck.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR
Deleted : HKLM\SYSTEM\CurrentControlSet\Services\aswMBR

~ Cleaning system restore ...


New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


Delicious :) and so, that's it. The journey ends here :)



Below you will find my thoughts about securing your machine. Go through it; you will benefit from some useful advice about safe computing.

 

Recommended reading:


MUST READ - security tips: Computer Security - a short guide to staying safer online.
MUST READ - general maintenance: What to do if your Computer is running slowly?




Recommended additional software:


TFC - to clean unneeded temporary files.
Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
Malwarebytes' Anti-Exploit - to protect against many commonly exploited vulnerabilities.
McShield - to prevent infections spread by removable media.
CryptoPrevent - to secure yourself against the very severe CryptoLocker infection.
Unchecky - to prevent installing additional foistware bundled with legitimate installers.


Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed.






Stay safe,
Naat :)


Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

