
Infected SteamWebHelper.exe



A few days ago I experienced some sort of adware while browsing using Chrome. I ran Malwarebytes Anti-Malware and it found some files, which I then removed. The problem seemed to be solved.
Today while using Steam, Malwarebytes started to block some sites, while some new Steam windows opened with ads (with the "powered by dnsunlocker" line) as well as a suspicious "JavaScript Confirm" window. The Task Manager revealed that three instances of "SteamWebHelper.exe" were running. As I tried to terminate those processes, the "JavaScript Confirm" window disappeared only to reappear along with the processes.
I once again ran both Malwarebytes Anti-Malware and Avast Free Antivirus Scan but nothing was found, although I am sure I am still infected in some way.
Any help would be appreciated.
As a side question, if I were to update to Windows 10, is it possible that viruses are carried over, or does it have the same effect as completely reinstalling the OS?

Java Script Confirmation.PNG

Addition.txt

FRST.txt


Hello and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Continue please:

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from, each with a different name; select the first one and save it to your desktop.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.

 

Next,

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.

 

To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply
      XML file (*.xml) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.

If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach those logs to your reply.

Let me see those logs in your reply....

Thank you,

Kevin.

Thanks for your fast reply.
Today while I was using Steam nothing of the previously described problem appeared. Is it possible that the virus tries to hide itself or only starts at random times?

Anyway, here are the log files as well as the Malwarebytes log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlaufdatum: 15.04.2016
Suchlaufzeit: 21:21
Protokolldatei: 
Administrator: Ja

Version: 2.2.1.1043
Malware-Datenbank: v2016.04.15.05
Rootkit-Datenbank: v2016.04.09.01
Lizenz: Testversion
Malware-Schutz: Aktiviert
Schutz vor bösartigen Websites: Aktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 8.1
CPU: x64
Dateisystem: NTFS
Benutzer: Admin1

Suchlauftyp: Bedrohungssuchlauf
Ergebnis: Abgeschlossen

Durchsuchte Objekte: 416990
Abgelaufene Zeit: 11 Min., 59 Sek.

Speicher: Aktiviert
Start: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(keine bösartigen Elemente erkannt)

Module: 0
(keine bösartigen Elemente erkannt)

Registrierungsschlüssel: 0
(keine bösartigen Elemente erkannt)

Registrierungswerte: 0
(keine bösartigen Elemente erkannt)

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Ordner: 0
(keine bösartigen Elemente erkannt)

Dateien: 0
(keine bösartigen Elemente erkannt)

Physische Sektoren: 0
(keine bösartigen Elemente erkannt)


(end)

Addition.txt

FRST.txt

Rkill.txt


Thanks for the logs, continue as follows:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next,

Can you post a recent Protection log from Malwarebytes that will show blocked site details...

Open Malwarebytes.

  • Click on the History tab > Application Logs.
  • Double click on the Protection Log which shows the most recent Date and time.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply
      XML file (*.xml) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.

Next,

Download Sophos Free Virus Removal Tool from here: http://downloads.sophos.com/tools/withides/Sophos Virus Removal Tool.exe and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

Post those logs also let me know if there are any remaining issues or concerns..

Thank you,

Kevin

Fixlist.txt

So far I haven't had any more problems.

Here is the Sophos Log:

2016-04-16 08:33:57.591    Sophos Virus Removal Tool version 2.5.5
2016-04-16 08:33:57.591    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-04-16 08:33:57.591    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-04-16 08:33:57.591    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2016-04-16 08:33:57.591    Checking for updates...
2016-04-16 08:33:57.598    Update progress: proxy server not available
2016-04-16 08:34:03.696    Option all = no
2016-04-16 08:34:03.696    Option recurse = yes
2016-04-16 08:34:03.696    Option archive = no
2016-04-16 08:34:03.696    Option service = yes
2016-04-16 08:34:03.696    Option confirm = yes
2016-04-16 08:34:03.696    Option sxl = yes
2016-04-16 08:34:03.697    Option max-data-age = 35
2016-04-16 08:34:03.697    Option EnableSafeClean = yes
2016-04-16 08:34:04.918    Option vdl-logging = yes
2016-04-16 08:34:04.920    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-04-16 08:34:04.920    Machine ID:    ad35307857c64296b86684abcedb7767
2016-04-16 08:34:04.920    Component SVRTcli.exe version 2.5.5
2016-04-16 08:34:04.920    Component control.dll version 2.5.5
2016-04-16 08:34:04.920    Component SVRTservice.exe version 2.5.5
2016-04-16 08:34:04.920    Component engine\osdp.dll version 1.44.1.2240
2016-04-16 08:34:04.920    Component engine\veex.dll version 3.64.0.2240
2016-04-16 08:34:04.921    Component engine\savi.dll version 9.0.0.2240
2016-04-16 08:34:04.921    Component rkdisk.dll version 1.5.30.0
2016-04-16 08:34:04.921    Version info:    Product version    2.5.5
2016-04-16 08:34:04.921    Version info:    Detection engine    3.64.0
2016-04-16 08:34:04.921    Version info:    Detection data    5.25
2016-04-16 08:34:04.921    Version info:    Build date    08.03.2016
2016-04-16 08:34:04.921    Version info:    Data files added    350
2016-04-16 08:34:04.921    Version info:    Last successful update    (not yet updated)
2016-04-16 08:34:14.617    Downloading updates...
2016-04-16 08:34:14.618    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0 
2016-04-16 08:34:14.618    Update progress: [I49502] Found supplement SAVIW32 LATEST 
2016-04-16 08:34:14.618    Update progress: [I49502] Found supplement IDE526 LATEST 
2016-04-16 08:34:14.618    Update progress: [I49502] Found supplement IDE527 LATEST 
2016-04-16 08:34:14.618    Update progress: [I49502] Found supplement IDE528 LATEST 
2016-04-16 08:34:14.618    Update progress: [I49502] Found supplement IDE529 LATEST 
2016-04-16 08:34:14.618    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-04-16 08:34:14.618    Update progress: [I19463] Syncing product SAVIW32 68
2016-04-16 08:34:15.185    Update progress: [I19463] Syncing product IDE526 167
2016-04-16 08:34:15.499    Installing updates...
2016-04-16 08:34:16.103    Error level 1
2016-04-16 08:34:16.149    Update progress: [I19463] Syncing product IDE527 142
2016-04-16 08:34:16.149    Update progress: [I19463] Syncing product IDE528 44
2016-04-16 08:34:16.149    Update progress: [I19463] Syncing product IDE529 1
2016-04-16 08:34:18.992    Update successful
2016-04-16 08:34:23.930    Option all = no
2016-04-16 08:34:23.930    Option recurse = yes
2016-04-16 08:34:23.930    Option archive = no
2016-04-16 08:34:23.930    Option service = yes
2016-04-16 08:34:23.930    Option confirm = yes
2016-04-16 08:34:23.930    Option sxl = yes
2016-04-16 08:34:23.931    Option max-data-age = 35
2016-04-16 08:34:23.931    Option EnableSafeClean = yes
2016-04-16 08:34:24.027    Option vdl-logging = yes
2016-04-16 08:34:24.029    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-04-16 08:34:24.029    Machine ID:    ad35307857c64296b86684abcedb7767
2016-04-16 08:34:24.029    Component SVRTcli.exe version 2.5.5
2016-04-16 08:34:24.030    Component control.dll version 2.5.5
2016-04-16 08:34:24.030    Component SVRTservice.exe version 2.5.5
2016-04-16 08:34:24.030    Component engine\osdp.dll version 1.44.1.2240
2016-04-16 08:34:24.030    Component engine\veex.dll version 3.64.0.2240
2016-04-16 08:34:24.030    Component engine\savi.dll version 9.0.0.2240
2016-04-16 08:34:24.030    Component rkdisk.dll version 1.5.30.0
2016-04-16 08:34:24.030    Version info:    Product version    2.5.5
2016-04-16 08:34:24.030    Version info:    Detection engine    3.64.0
2016-04-16 08:34:24.030    Version info:    Detection data    5.25
2016-04-16 08:34:24.030    Version info:    Build date    08.03.2016
2016-04-16 08:34:24.030    Version info:    Data files added    350
2016-04-16 08:34:24.030    Version info:    Last successful update    16.04.2016 10:34:18

2016-04-16 09:54:16.782    Could not open C:\hiberfil.sys
2016-04-16 09:54:28.325    Could not open C:\pagefile.sys
2016-04-16 10:01:53.026    Could not open C:\swapfile.sys
2016-04-16 10:01:53.053    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-04-16 10:01:53.053    Could not open C:\System Volume Information\{5cf124ab-03ad-11e6-8430-6805ca2ae175}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-04-16 10:01:53.053    Could not open C:\System Volume Information\{99bc1b67-03ab-11e6-842e-6805ca2ae175}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-04-16 10:01:53.053    Could not open C:\System Volume Information\{d0880954-0133-11e6-842b-6805ca2ae175}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-04-16 10:01:53.053    Could not open C:\System Volume Information\{fa98281b-03ac-11e6-842f-6805ca2ae175}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-04-16 10:01:57.270    Could not open C:\Users\Admin1\AppData\Local\Google\Chrome\User Data\Default\Current Session
2016-04-16 10:01:57.273    Could not check C:\Users\Admin1\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOCK (virus scan failed)
2016-04-16 10:01:57.279    Could not check C:\Users\Admin1\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK (virus scan failed)
2016-04-16 10:01:57.955    Could not check C:\Users\Admin1\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\LOCK (virus scan failed)
2016-04-16 10:01:57.959    Could not check C:\Users\Admin1\AppData\Local\Google\Chrome\User Data\Default\GCM Store\LOCK (virus scan failed)
2016-04-16 10:01:58.239    Could not check C:\Users\Admin1\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOCK (virus scan failed)
2016-04-16 10:01:58.250    Could not check C:\Users\Admin1\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK (virus scan failed)
2016-04-16 10:06:42.356    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-04-16 10:06:42.357    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-04-16 10:06:43.235    Could not open C:\Windows\System32\config\BBI
2016-04-16 10:06:43.241    Could not open C:\Windows\System32\config\DRIVERS
2016-04-16 10:06:43.246    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-04-16 10:06:43.246    Could not open C:\Windows\System32\config\RegBack\SAM
2016-04-16 10:06:43.247    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-04-16 10:06:43.247    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-04-16 10:06:43.248    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-04-16 10:42:00.827    >>> Virus 'Mal/Generic-S' found in file D:\Users\Thomas\Documents\FreePDF - CHIP-Installer.exe\FILE:0000
2016-04-16 10:42:00.827    Disinfection not offered
2016-04-16 10:43:34.392    Could not open LOGICAL:0005:00000000
2016-04-16 10:43:34.396    Could not open F:\
2016-04-16 10:43:34.435    Could not open PHYSICAL:0082:0000:0000:0001
2016-04-16 10:43:34.437    The following items will be cleaned up:
2016-04-16 10:43:34.437    Mal/Generic-S

And here is the Malwarebytes Protection Log:

Malwarebytes Anti-Malware
www.malwarebytes.org


Update, 16.04.2016 09:52, SYSTEM, THOMAS-PC, Scheduler, Failed, Unable to access update server, 
Update, 16.04.2016 09:56, SYSTEM, THOMAS-PC, Scheduler, Malware Database, 2016.4.15.6, 2016.4.16.1, 
Protection, 16.04.2016 09:56, SYSTEM, THOMAS-PC, Protection, Refresh, Starting, 
Protection, 16.04.2016 09:56, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 16.04.2016 09:56, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 16.04.2016 09:56, SYSTEM, THOMAS-PC, Protection, Refresh, Success, 
Protection, 16.04.2016 09:56, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.04.2016 09:56, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Started, 
Scan, 16.04.2016 10:01, SYSTEM, THOMAS-PC, Context, Start: 16.04.2016 09:52, Dauer: 8 Min. 11 Sek., Bedrohungssuchlauf, Abgeschlossen, 0 Malware-Erkennung, 0 Nicht-Malware-Erkennungen, 
Protection, 16.04.2016 10:17, SYSTEM, THOMAS-PC, Protection, Malware Protection, Starting, 
Protection, 16.04.2016 10:17, SYSTEM, THOMAS-PC, Protection, Malware Protection, Started, 
Protection, 16.04.2016 10:17, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.04.2016 10:17, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Started, 
Protection, 16.04.2016 10:27, SYSTEM, THOMAS-PC, Protection, Malware Protection, Starting, 
Protection, 16.04.2016 10:27, SYSTEM, THOMAS-PC, Protection, Malware Protection, Started, 
Protection, 16.04.2016 10:27, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.04.2016 10:27, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Started, 
Protection, 16.04.2016 10:29, SYSTEM, THOMAS-PC, Protection, Malware Protection, Starting, 
Protection, 16.04.2016 10:29, SYSTEM, THOMAS-PC, Protection, Malware Protection, Started, 
Protection, 16.04.2016 10:29, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.04.2016 10:29, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Started, 
Update, 16.04.2016 12:07, SYSTEM, THOMAS-PC, Scheduler, Malware Database, 2016.4.16.1, 2016.4.16.2, 
Protection, 16.04.2016 12:07, SYSTEM, THOMAS-PC, Protection, Refresh, Starting, 
Protection, 16.04.2016 12:07, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 16.04.2016 12:07, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 16.04.2016 12:07, SYSTEM, THOMAS-PC, Protection, Refresh, Success, 
Protection, 16.04.2016 12:07, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Starting, 
Protection, 16.04.2016 12:07, SYSTEM, THOMAS-PC, Protection, Malicious Website Protection, Started, 

(end)

Fixlog.txt


EDIT: After running Sophos Virus Removal Tool again I realized that it had the same result as the first time. When I click the solve button, a message about being unsuccessful appears.

Phobos Removal Tool.PNG

Thanks for that log, we need to check the suspect entry....

Upload a File to Virustotal

Go to http://www.virustotal.com/
  • Click the Choose file button
  • Navigate to the file D:\Users\Thomas\Documents\FreePDF - CHIP-Installer.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Thank you,

Kevin...

VirusTotal result:

Antivirus Ergebnis Aktualisierung
AVG Downloader.Generic14.LBF 20160417
AegisLab Troj.W32.Gen.llLl 20160417
Avira (no cloud) PUA/DownloadSponsor.Gen 20160416
Bkav W32.HfsAdware.BB89 20160415
CAT-QuickHeal PUA.Chipdigita.Gen 20160416
Comodo Application.Win32.DownloadSponsor.DAE 20160416
DrWeb Adware.Downware.10859 20160417
ESET-NOD32 a variant of Win32/DownloadSponsor.A potentially unwanted 20160416
GData Win32.Application.DownloadSponsor.G 20160417
Ikarus PUA.DownloadSponsor 20160416
Jiangmin Trojan/Staser.ajz 20160417
K7AntiVirus Unwanted-Program ( 004a9c9e1 ) 20160417
K7GW Unwanted-Program ( 004a9c9e1 ) 20160417
Kaspersky Trojan.Win32.Staser.bpjy 20160417
McAfee Generic.dx!5E1C31B168DB 20160417
McAfee-GW-Edition BehavesLike.Win32.Downloader.dh 20160416
NANO-Antivirus Trojan.Win32.VbCrypt.eabmpe 20160417
Panda Trj/Genetic.gen 20160416
Qihoo-360 HEUR/QVM41.1.0000.Malware.Gen 20160417
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 [F] 20160417
Sophos Mal/Generic-S 20160417
Tencent Trojan.Win32.Staser.axlaa 20160417
Yandex Riskware.Agent! 20160416
nProtect Trojan/W32.Staser.961360 20160415
ALYac   20160417
AVware   20160417
Ad-Aware   20160417
AhnLab-V3   20160416
Alibaba   20160415
Antiy-AVL   20160416
Arcabit   20160417
Avast   20160417
Baidu   20160416
Baidu-International   20160416
BitDefender   20160417
CMC   20160415
ClamAV   20160417
Cyren   20160417
Emsisoft   20160417
F-Prot   20160417
F-Secure   20160417
Fortinet   20160417
Kingsoft   20160417
Malwarebytes   20160417
eScan   20160417
Microsoft   20160417
SUPERAntiSpyware   20160417
Symantec   20160417
TheHacker   20160416
TrendMicro   20160417
TrendMicro-HouseCall   20160417
VBA32   20160415
VIPRE   20160417
ViRobot   20160417
Zillya   20160416
Zoner   20160417

Those with nothing in the second column had a green check mark.

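As an added example (not part of the original thread), the following Python script parses rows in the format pasted above and summarises how many engines flagged the file and whether the detection names point to a PUP/adware consensus or to outright malware. The sample rows are constructed from the results posted above; PUP_MARKERS is an assumed keyword list, not a VirusTotal category.

```python
import re
from collections import Counter

# Constructed sample taken from the VirusTotal rows pasted above:
# "<engine> <result or nothing> <signature date>"; an empty result is an
# engine that showed a green check mark, i.e. it did not flag the file.
SAMPLE_ROWS = """\
AVG Downloader.Generic14.LBF 20160417
Avira (no cloud) PUA/DownloadSponsor.Gen 20160416
ESET-NOD32 a variant of Win32/DownloadSponsor.A potentially unwanted 20160416
K7AntiVirus Unwanted-Program ( 004a9c9e1 ) 20160417
Kaspersky Trojan.Win32.Staser.bpjy 20160417
Yandex Riskware.Agent! 20160416
ALYac   20160417
Microsoft   20160417
"""

# Engine name ("Avira (no cloud)" is the one multi-word name here), optional
# result text, then the 8-digit YYYYMMDD signature date.
ROW_RE = re.compile(r"^(\S+(?: \(no cloud\))?)\s*(.*?)\s+(\d{8})\s*$")

# Assumed substrings of a detection name that indicate a PUP/adware verdict
# rather than an outright trojan/malware classification.
PUP_MARKERS = ("pua", "unwanted", "adware", "riskware", "downloadsponsor", "downware")

def parse_rows(text):
    """Return (engine, result) pairs; result is '' for an engine that did not flag."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).strip()))
    return rows

def triage(text):
    """Summarise pasted VirusTotal rows: hit count and PUP-versus-malware consensus."""
    rows = parse_rows(text)
    detections = [result.lower() for _, result in rows if result]
    markers = Counter(k for r in detections for k in PUP_MARKERS if k in r)
    pup_like = sum(1 for r in detections if any(k in r for k in PUP_MARKERS))
    if not detections:
        verdict = "clean"
    elif pup_like * 2 >= len(detections):
        verdict = "pup_adware"  # most flagging engines call it unwanted/adware
    else:
        verdict = "malware"
    return {"engines": len(rows), "detected": len(detections), "pup_like": pup_like,
            "markers": dict(markers), "verdict": verdict}
```

Paste the full table from the post into SAMPLE_ROWS to triage all engines at once; the verdict only reflects naming consensus, so a low hit count from reputable engines still warrants a closer look.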

Open Notepad, select "Format" from the menu bar, make sure "Word Wrap" is not checked. Copy the text from the code box below to Notepad.

@echo off
rem Force-delete the suspect installer (/s also searches subfolders for the name)
del /f /s /q "D:\Users\Thomas\Documents\FreePDF - CHIP-Installer.exe"
rem Delete this batch file itself once done
del %0

Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
It should look like this: [screenshot: XP] [screenshot: Vista or Windows 7/8]
Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.
Let me know if that completes ok.....
 
What is the current status of your system, do you have any remaining issues or concerns?
 
Thank you,
 
Kevin

Excellent, if no remaining issues or concerns run the following to clean up..

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts on Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose "Run as administrator".

Make sure the following items are checked:

 
  • Remove disinfection tools
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC security and best practices; you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.