
Think I still have malware/trojans -



Hello,

My OS is WIN7 (64 bit), and I keep the OS current & up-to-date.

I am running Symantec AV (kept current), as well as Microsoft Security Essentials (also kept up-to-date).  I ran Norton Power Eraser a few days ago (it didn't find anything); however, I was convinced that there were issues (I changed security settings on my PC prohibiting downloads, and was getting 'pop-ups' telling me that downloads were not authorized).  Symantec was also blocking external actions, indicating 'Ad-clicker' and another Trojan were attempting access.

 

I downloaded, installed and ran Malwarebytes Anti-Malware (Trial), which found 12 instances of malware/virus.  I have re-run scans, which have not found any additional issues; however, I was still getting 'pop-ups' (both by anti-malware & Symantec) telling me that outgoing packets routed to various ports were being 'blocked', an indication that malware was still running on the PC.

 

Also of note: 

- About 5 days ago, I turned off my wireless (it now connects manually, not automatically), rebooted my PC, and created an administrator-level account on my PC;

- At that time, I changed the permissions on the account that I use ('Rick' - which had previously been administrator-level) to a regular 'User' level account; 

 

This morning (after running another anti-malware scan), I was still having issues, so -

- I logged in with the 'Administrator-level account', and deleted the 'Rick' account (which had been my regularly used account on the PC).  I also deleted the C:\users\Rick folder and all its contents, and went into regedit (HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\ProfileList\) and removed the account information for 'Rick';

- I then created a new account called 'Rick', as a 'User';

 

The 'Also of note' steps were all done based on Malwarebytes Anti-Malware finding all the malware rooted within the user profile of 'Rick'.

 

No other actions have been done to this point. 

 

Please see the attached files, per your instructions -

 


  • 3 weeks later...

Hello, 
 
I'm sorry your topic was overlooked. This past month the forum has been incredibly busy, and some topics are regrettably missed.
The majority of helpers in this forum section are volunteers. I can appreciate your frustration, but sarcasm is hardly appropriate. 
 
As per the I'm infected - What do I do now? topic (which I see you've read) -

NOTE: Please be patient.  When the site is busy it can sometimes take up to 48 hours before someone will be able to assist you.
If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 
---------
 
If you still require assistance, please delete your copy of FRST. Redownload a fresh copy using the set of instructions in the topic linked above. Run a scan, and post the two logs (FRST.txt and Addition.txt) generated.


Hello 46HudsonPU, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • If you are unable to copy/paste your logs directly into your post, please attach the file. 
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability to ascertain the current situation and provide the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page. 
     

======================================================
 
Please provide an update on the issues you're currently experiencing. 
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKLM\...\Run: [] => [X]
    HKLM-x32\...\Run: [] => [X]
    Winlogon\Notify\ScCertProp: wlnotify.dll [X]
    AppInit_DLLs-x32: c:\progra~3\browse~1\261040~1.25\{c16c1~1\browse~1.dll => "c:\progra~3\browse~1\261040~1.25\{c16c1~1\browse~1.dll" File Not Found
    c:\progra~3\browse~1
    BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
    BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
    S3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0; \??\c:\gencotst\pcdsrvc_x64.pkms [X]
    U3 SPBBCDrv; No ImagePath
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    C:\Users\GO0B3R_!5\AppData\Local\Temp\_isF4FA.exe
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
    • Verify file digital signatures
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
     

STEP 4
RogueKiller

  • Please download RogueKiller (x64) and save the file to your Desktop.
  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click Scan. Upon completion, click Report.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • MBAM log
  • TDSSKiller log (attached!)
  • RKreport.txt
  • What issues are you currently experiencing?
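The FRST fixlist in the reply above removes orphaned autostart entries: Run values, a Winlogon notify package, an AppInit_DLLs entry, two Browser Helper Object CLSIDs, and services whose binaries are gone. As an added example (not from the thread and not part of FRST), the read-only PowerShell audit below enumerates those same locations and lists entries whose target file no longer exists, so a reviewer can see the kind of evidence such a fixlist is built from; the `Resolve-ImagePath` heuristics and the choice of locations are my own and cover only the autostart points this fixlist touches, not every one Windows has.

```powershell
# Added example (not from the thread, not part of FRST): a read-only audit of the
# autostart locations the fixlists in this thread touch: Run/RunOnce values,
# Winlogon\Notify packages, AppInit_DLLs, Browser Helper Objects, and the
# ImagePath of services and drivers. It lists entries whose target file is gone,
# the condition FRST marks "File Not Found", "No File" or [X]. Nothing is changed;
# every hit is something to review, not something to delete automatically.
# Run from an elevated 64-bit PowerShell so both registry views are visible.

function Resolve-ImagePath {
    param([string]$Raw)
    # Reduce a command line or ImagePath to the file it launches. Heuristic
    # (my approximation of the loader, not FRST's logic): expand %VAR%s, strip
    # the \??\ and \SystemRoot\ prefixes drivers use, drop arguments, and make
    # relative paths absolute the way the loader would (bare name -> System32,
    # "system32\drivers\x.sys" -> under %SystemRoot%).
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|dll|sys|pkms))(\s|$)') { $p = $Matches[1] }
    if ($p -notmatch '\\') { $p = Join-Path "$env:SystemRoot\System32" $p }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-Target([string]$Raw) {
    # $true only when the value resolves to a file that exists on disk.
    $path = Resolve-ImagePath $Raw
    return ($null -ne $path) -and (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue)
}

function New-Finding($Location, $Entry, $Value, $Problem) {
    [pscustomobject]@{ Location = $Location; Entry = $Entry; Value = $Value; Problem = $Problem }
}

function Get-OrphanedAutostarts {
    $found = @()
    $sw    = 'HKLM:\SOFTWARE'
    # Native (64-bit) view first, then the Wow6432Node view FRST labels "-x32".
    foreach ($view in @($sw, "$sw\Wow6432Node")) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$view\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                $data = $item.GetValue($name)
                if (-not (Test-Target $data)) { $found += New-Finding $key $name $data 'target file missing' }
            }
        }
        # AppInit_DLLs: every listed DLL is loaded into every process that loads user32.
        $winKey  = "$view\Microsoft\Windows NT\CurrentVersion\Windows"
        $appInit = (Get-ItemProperty $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            if (-not (Test-Target $dll)) { $found += New-Finding $winKey 'AppInit_DLLs' $dll 'DLL missing' }
        }
        # Browser Helper Objects: the CLSID must map to an InprocServer32 DLL that exists.
        $bhoKey    = "$view\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        $clsidRoot = if ($view -like '*Wow6432Node') { "$sw\Classes\Wow6432Node\CLSID" } else { "$sw\Classes\CLSID" }
        foreach ($bho in (Get-ChildItem $bhoKey -ErrorAction SilentlyContinue)) {
            $srv = "$clsidRoot\$($bho.PSChildName)\InprocServer32"
            $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
            if (-not (Test-Target $dll)) { $found += New-Finding $bhoKey $bho.PSChildName $dll 'BHO DLL missing (No File)' }
        }
    }
    # Winlogon\Notify packages (e.g. the ScCertProp entry in the fixlist): a legacy
    # mechanism Windows 7 no longer loads, but stale entries remain and DllName should exist.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($pkg in (Get-ChildItem $notify -ErrorAction SilentlyContinue)) {
        $dll = (Get-ItemProperty $pkg.PSPath).DllName
        if (-not (Test-Target $dll)) { $found += New-Finding $notify $pkg.PSChildName $dll 'notify DLL missing' }
    }
    # Services and drivers: an entry with a Start type but no ImagePath ("No ImagePath"),
    # or an ImagePath whose binary no longer exists ([X]).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in (Get-ChildItem $svcRoot)) {
        $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props.Start) { continue }          # not a service/driver entry
        if ([string]::IsNullOrWhiteSpace($props.ImagePath)) {
            $found += New-Finding $svcRoot $svc.PSChildName '' 'no ImagePath'
        } elseif (-not (Test-Target $props.ImagePath)) {
            $found += New-Finding $svcRoot $svc.PSChildName $props.ImagePath 'image file missing'
        }
    }
    return $found
}

Get-OrphanedAutostarts | Sort-Object Location, Entry | Format-Table -AutoSize -Wrap
```

Expect some legitimate noise (for example vendor drivers whose package was uninstalled without removing the service entry); the point is to produce a review list, which is why the script never writes to the registry.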

LiquidTension - I have completed Steps 1-4, following the instructions given for each step.  Please see the attached logs.

 

Currently:  Quite a bit of what I consider the obvious signs of infection (pop-ups, anti-virus notifications & anti-malware notifications) have gone away.  However, I still see occasional latency, and when Task Manager is opened I do see multiple processes actively loading (svchost.exe, etc.).  I know this is somewhat expected and determined by the activities on the computer at the time, however it does appear to be very excessive at times - with little or no activity by myself. 

 

Please note that there are two (2) TDSSKiller txt files.  That utility required a re-boot after making the changes required in your instructions (specifically the 'Loaded Modules' checkbox).  I am including both of those txt files, although I think the smaller of the logs is just a reference to the required reboot.

 

 

 

 

RKreport_SCN_11292014_092214_log.txt

TDSSKiller.3.0.0.41_29.11.2014_09.11.18_log.txt

TDSSKiller.3.0.0.41_29.11.2014_09.05.25_log.txt

Malwarebytes log - 20141129.txt

Fixlog.txt


Hello, 
 
Thank you for the logs.

Please do the following. 
 
STEP 1
Process Explorer

  • Please download Process Explorer and save the file to your Desktop.
  • Right-Click ProcessExplorer.zip and click Extract All. Click Extract.
  • Open the ProcessExplorer folder on your Desktop, right-click procexp.exe and click Run as administrator to run the programme.
  • Click View DLLs.
  • If any of the following processes are highlighted in blue, click the process. Click File, Save As, and save the file in the same folder. Do so for each highlighted process.
    • smss.exe
    • services.exe
    • lsm.exe
    • svchost.exe
    • winlogon.exe
    • dllhost.exe
    • spoolsv.exe
    • taskhost.exe
    • explorer.exe
    • Smc.exe
  • Attach the file(s) in your next reply. 
     

STEP 2
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • ProcessExplorer files
  • FRST.txt
  • Addition.txt

Hello, 

 

I see there are Trend Micro remnants left on your machine. When did you uninstall Trend Micro? What version was the programme? 

 

-------------

 

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKLM-x32\...\RunOnce: [{96EC210A-1472-4A1F-AB0E-26EFAFE40947}] => cmd.exe /C start /D "C:\Users\GO0B3R~1\AppData\Local\Temp" /B {96EC210A-1472-4A1F-AB0E-26EFAFE40947}.exe -accepteula -accepteulaksn -activeimages -postboot
    C:\Users\GO0B3R_!5\AppData\Local\Temp\{96EC210A-1472-4A1F-AB0E-26EFAFE40947}.exe
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\03372914.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\03372914.sys => ""="Driver"
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Clean Boot

  • Press the Windows Key + r on your keyboard at the same time. Type msconfig and click OK.
  • If prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  • In the General tab, click Selective Startup.
  • Remove the checkmark next to Load startup items.
  • Click the Services tab.
  • Place a checkmark next to Hide all Microsoft services.
  • Click Disable all, followed by OK.
  • When prompted, click Restart and boot normally into Windows.
     

STEP 3
RogueKiller

  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click Scan. Upon completion, click Report.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Trend Micro questions? 
  • Fixlog.txt
  • RKreport.txt

Trend Micro?  Honestly, I don't recall.  I've had Symantec on this PC for quite some time - since I bought it (Tried McAfee, but didn't like it).  It may well have come with a 'trial' version of the product (when new), however I installed Symantec on it almost immediately (I work for DOD, and get my choice of McAfee or Symantec at no cost to me).

 

Also - I did have 'Microsoft Security Essentials' on the PC as well.  However, I removed it shortly after installing the trial version of Malwarebytes.  MS Security Essentials (running for years and kept updated) NEVER caught or stopped anything - worthless in my opinion.

 

I will run thru Steps 1-3 (posted above), and will post results when finished.


Ok, have completed the steps (1-4) indicated in your latest correspondence.  My response to your Trend Micro question is above.

 

Please see the attached files -

 

Question:  Don't I need to 'reverse' the procedure (Step 2) above, to get back to a normal boot (everything loaded)? 

RKreport_SCN_11292014_174320_log.txt

Fixlog.txt


Hello, 
 
Sorry for the delay. 
 

Question:  Don't I need to 'reverse' the procedure (Step 2) above, to get back to a normal boot (everything loaded)? 

Yes. Instructions to do so are in Step 1. 
 
-------------
 
Please refer to the following Trend Micro article. Click Having problems removing Trend Micro?, and follow the instructions for Step 1.
 
Then proceed with the instructions below. 
 
STEP 1
Normal Boot

  • Press the Windows Key + r on your keyboard at the same time. Type msconfig and click OK.
  • If prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  • In the General tab, click Normal Startup, followed by OK.
  • When prompted, click Restart and boot normally into Windows.
     

STEP 2
ComboFix

  • Note: Please read through these instructions before running ComboFix. 
  • Please download ComboFix and save the file to your Desktop. << Important!
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click ComboFix.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
     
  • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
  • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
  • Re-enable your anti-virus software.
     

Important Notes:

  • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
  • Do NOT use your computer whilst ComboFix is running.
  • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
     
  • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
  • ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If you are unable to access the Internet after running ComboFix, please reboot your computer. 
     

STEP 3
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • ComboFix.txt
  • FRST.txt
  • Addition.txt

LiquidTension - No problem. People have to sleep, etc.

 

Did the following:

- Set the startup boot back to normal (Step #1);

 

- Ran the uninstall for Trend Micro.  Also ran the 'uninstall' drivers listed in the article as well.

 

- Ran Step #2, and Step #3;

 

- See attached logs, Step #4.

 

ComboFix.txt

Addition.txt

FRST.txt


Hello, 
 
I've concluded that your Anti-Virus is injecting into your processes as part of its protection, so your RogueKiller logs are OK. 
 
In regards to the issues described earlier:

However, I still see occasional latency, and when Task Manager is opened I do see multiple processes actively loading (svchost.exe, etc.).  I know this is somewhat expected and determined by the activities on the computer at the time, however it does appear to be very excessive at times - with little or no activity by myself. 

 
Based on what I've seen thus far, if this is still ongoing, I do not believe it can be attributed to malware. 
 
For now, please do the following. 
 
STEP 1
Browser Reset
 
Instructions on how to backup your Favourites/Bookmarks and other data can be found below.

Proceed with the reset once done.

STEP 2
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

 
STEP 3
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
  • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did your browsers reset OK?
  • AdwCleaner[s0].txt
  • ESET Online Scan log

Re-set browsers, Step #1 - no issues;

 

Ran AdwCleaner, Step #2 - It found some items (some minor items I did not recognize), and cleaned them (see logs - 2, below);

 

Ran ESET Online Scan, Step #3.  It found a couple of items, no actions taken (Log below);

 

Overall, the system is much more stable, and seems to function much more quickly, especially after re-setting the browsers.

 

Please let me know if I need to do anything further, based on the attached logs.

MyESETscan.txt

AdwCleanerR0.txt

AdwCleanerS0.txt


Hello, 
 
Thank you for the update. 
 
The files flagged by ESET are not malicious; rather, they're installers that bundle other software. There's no issue deleting the files if you wish, but it won't make a difference either way. 
 
--------------------------
 
Let's update your vulnerable software to reduce the risk of reinfection. 
Below is information on the dangers of Java, and why I suggest you do not keep the programme installed. 
 
Using Java is an unnecessary security risk; especially using older versions which have vulnerabilities that malicious sites can use to exploit and infect your system.

Java is one of those technologies that you find installed on the majority of computer systems despite the fact that average users do not come across many Java-powered websites or desktop applications [...] According to W3Techs, only four percent of websites use Java on the server side [...] it is used by 0.2 percent of all websites on the client side. And two tenths of a percent includes sites that do not use it for their core functionality [...] there are sites and applications that require Java, and if you use any of them, you obviously need Java. But that makes you a minority. The majority of Internet users do not need Java. They do not need the Java plugin, nor do they need the Java Runtime Environment installed on their operating system.

If you choose to keep Java installed, it is paramount you keep the software updated with the latest version.
You can verify/test your Java software installation & version here.

 
STEP 1
Update Outdated Software

Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

STEP 2
Remove Outdated Software

  • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall one at a time.
  • Note: The programmes below may not be present. If this is the case, please skip to the next step.
    • Adobe Shockwave Player 12.0
    • Java 7 Update 71 (remove only)
    • Java SE Development Kit 7 Update 45 (64-bit)
  • Follow the prompts, and reboot if necessary.
     

STEP 3
Security Check

  • Please download SecurityCheck and save the file to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your Desktop.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • checkup.txt
  • How is your computer performing? Are there any outstanding issues?

Hello Liquid Tension,

Please be a bit more patient with me on this last 'task list' - I will be working through it, and it may take me a couple of evenings (after I get home from work) to get it done.

 

I have already removed all Java.  I did have it on the PC for a reason (which went away a couple of years ago), so it is history.  No issues noted thus far with that.  I will work on the list, and get back to you.

 

Regards -


Hello LiquidTension,

 

Step #1 - I've updated Adobe Shockwave to the latest version;

 

Step #2 - I removed all Java from my PC (as indicated earlier), and updated Shockwave to latest version;

 

Step #3 - Ran 'SecurityCheck'.  I know I'm running on IE 10.x (all patches and updates applied), however some time ago when IE 11 was released, it was really, really 'funky', so reverted back to IE 10 (I may try IE 11 again, as sooner or later I will need to go to it anyway).  Also, I am running an SSD, so defragging doesn't apply (per the checkup.txt file).

 

Step #4 - Am attaching the checkup.txt file from 'SecurityCheck'.

 

PC seems to be running much better. 

 - An odd thing happened this AM - I opened MS Excel, and it did a 're-installation'.  Opened fine (with all history), after the re-install.  Have seen this happen before (very, very seldom), usually after some software updates/patching from Microsoft - however, I have not seen any significant updates of that type lately.  I will watch that closely for a while...

 

 

 

checkup.txt


Hello, 
 

PC seems to be running much better. 

Very good. 
 

 - An odd thing happened this AM - I opened MS Excel, and it did a 're-installation'.  Opened fine (with all history), after the re-install.  Have seen this happen before (very, very seldom), usually after some software updates/patching from Microsoft - however, I have not seen any significant updates of that type lately.  I will watch that closely for a while...

I'm not entirely sure what may have triggered this. If you experience further issues with Microsoft Excel, I would suggest contacting Microsoft.  

All Clean!
Congratulations, your computer appears clean!  :)
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
 
 
STEP 1
ComboFix Uninstall

  • Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
    ComboFix /Uninstall
  • Click OK.
  • Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
     

STEP 2
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware. 
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing. :)
Adam


This topic is now closed to further replies.