
Infected with optional.nowuseeitplayer ISP tells me I'm making DDoS



Hi Malware Byte Helpers,

 

  • I've had trouble removing optional.nowuseeitplayer from my Windows 10 laptop
  • ISP tells me I'm making DDoS attacks
  • Latest update of MalwareBytes has found infection twice so it seems to be coming back

 

Attached:

  • FRST.txt
  • Addition.txt

 

Thank you greatly for any help you can offer.

 

Kind regards,

Jumpovitae


Hello and :welcome:
If you've not already done so please start here and post back the 2 log files FRST.txt and Addition.txt

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on .




Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

  • Removing malware can be unpredictable... It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)


 

Can you post the Malwarebytes' scan logs please? 

 

Also, are you using / connected to a Synology NAS storage device?


FIRST >>>>

Since the infection is coming back after MBAM removes it, you might want to test if Google Drive or the NAS is restoring the setting in the background.  Disconnect those two 'services', clean with MBAM and then see if the infection comes back.

Also, System Restore is disabled on your machine.  If this is something you did not do and want enabled, then go to Start Menu, type system restore in the search box (or blank area of the Start Menu) and click on Set a Restore Point.  This should open the System Properties window and load the System Protection tab where you can start the System Restore utility.  Let me know if there are any problems with this.

 
SECOND >>>>

Download the attached fixlist.txt file and save it to the Desktop.  Fixlist.txt

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.

[Image: Press the FIX button]

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.


LAST >>>>


AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

    [Image: AdwCleaner console]
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it may ask to reboot (depending on what it found to remove): please allow this

    [Image: AdwCleaner delete/restart prompt]
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
 

 


Hi <dbreeze>,

 

Didn't find a trace of ad/mal/etc-ware in any scans.  So hopefully it is gone.

FIRST >>>>

  • I reckon I've got rid of Google Drive; I think it got bundled with a Chrome installation (didn't want it so uninstalled it)
  • Turned off the NAS

 

 

SECOND >>>>

 

LAST >>>>

AdwCleaner FOUND NO THREATS - log file attached - AdwCleanerS1.txt

 

Jumpovitae comments:

Is it worth trying to scan the Synology NAS? I think it runs a type of Linux, I don't know

 

Cheers,

Jumpovitae


I would give it a few days to see if the problem comes back and then try scanning the NAS data files with Avast!.  Depending on the size of the data stored there it could take a long time.  Also check if there are any updates to the 'firmware / OS' in the NAS as last year there was an exploitable vulnerability in the Synology NAS.

 

Let me know how things go for you as I am going to leave this open a few days just in case.  Thanks.


  • 3 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.