Blocks incoming attack on c:\windows\system32\svchost.exe

[CLZ]

I recently removed all sorts of malware and at the end of the process and what seems to be a clean computer, I still keep getting a succession of block notices:  Inbound attempted attacks on c:\windows\system32\svchost.exe

The attempts are made through various IP addresses and ports.   Help, please!

[dbreeze]

Hello and
If you've not already done so please start here and post back the 2 log files FRST.txt and Addition.txt

P2P/Piracy Warning:
 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
  
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
    
  
  
• Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
• Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
• The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
• When we are done, I'll give you instructions on how to cleanup all the tools and logs
• Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
• Your topic will be closed if you haven't replied within 3 days
• (If I have not responded within 24 hours, please send me a Private Message as a reminder)
  

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
  

 

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

[AdvancedSetup]

Topic reopened per request

[CLZ]

Addition.txt

FRST.txt

[dbreeze]

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

PROGRAM NAMES GO HERE
Coupon Printer for Windows
QuickTime 7

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.  

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter.  Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [QuickTime Task] => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-21-1688672369-560665978-2355779204-1000\...\Run: [BingSvc] => C:\Users\Carol\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
C:\Users\Carol\AppData\Local\Microsoft\BingSvc
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
SearchScopes: HKU\S-1-5-21-1688672369-560665978-2355779204-1000 -> {E7EBE7C7-F075-4C6F-826B-54AB89BF9CA9} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_oracle&type=orcl_default
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll => No File
FF DefaultSearchEngine.US: Yahoo Web
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2013-08-02] (Coupons, Inc.)
C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll
FF SearchPlugin: C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\i5edkgu9.default-1445014727016\searchplugins\yahoo-ysp.xml [2015-11-23]
C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\i5edkgu9.default-1445014727016\searchplugins\yahoo-ysp.xml
FF HKLM-x32\...\Firefox\Extensions: [virtualKeyboard@kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\virtualKeyboard@kaspersky.ru => not found
FF HKU\S-1-5-21-1688672369-560665978-2355779204-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi => not found
2016-06-10 14:35 - 2016-06-10 14:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2016-06-10 14:35 - 2016-06-10 14:35 - 00000000 ____D C:\Program Files (x86)\QuickTime
2016-06-16 20:01 - 2014-05-04 19:02 - 00000000 __SHD C:\Users\Carol\AppData\LocalLow\EmieUserList
2016-06-16 20:01 - 2014-05-04 19:02 - 00000000 __SHD C:\Users\Carol\AppData\Local\EmieUserList
2016-06-16 20:01 - 2014-05-04 19:02 - 00000000 __SHD C:\Users\Carol\AppData\Local\EmieSiteList
2016-06-16 20:01 - 2014-04-22 15:28 - 00000000 __SHD C:\Users\Carol\AppData\LocalLow\EmieSiteList
2010-12-08 22:06 - 2010-12-08 22:07 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2010-12-08 22:00 - 2010-12-08 22:01 - 0000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log
2010-12-08 22:03 - 2010-12-08 22:04 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-12-08 22:01 - 2010-12-08 22:03 - 0000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log
2010-12-08 22:04 - 2010-12-08 22:06 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
C:\Users\Carol\AppData\Local\Temp\birmyrjm.dll
C:\Users\Carol\AppData\Local\Temp\bnmt9gwf.dll
Task: {03B63A7B-E323-4BA4-8CB5-938767546AD8} - System32\Tasks\{9BC30D0B-53C9-4CB3-AF7D-E8BCD14CBA53} => pcalua.exe -a C:\Users\Carol\AppData\Local\Temp\firefoxjre_exe-1.exe -d "C:\Program Files (x86)\Mozilla Firefox"
Task: {4817A06B-5DCB-44B7-9B28-5E0406198C40} - System32\Tasks\{A9508906-60FC-4CB8-B672-E3C41F544A30} => pcalua.exe -a "C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUEU76SS\EarthLinkMailSetup[1].exe" -d C:\Users\Carol\Desktop
Task: {589C5FD8-1A6E-4FDB-A545-D58633900D08} - System32\Tasks\{2744E65E-8743-4A81-9AB6-A31A15E2ED9F} => pcalua.exe -a E:\PC_AP_Setup.exe -d E:\
Task: {5CF36E73-594C-4B6E-8E61-8393C31B544D} - System32\Tasks\{65BAC406-099F-44CB-A1F0-1C8390A1EEF7} => pcalua.exe -a "C:\Users\Carol\Desktop\Adobe\Photoshop Lightroom 4.2\Install Lightroom 4.exe" -d "C:\Users\Carol\Desktop\Adobe\Photoshop Lightroom 4.2"
Task: {664CCAAD-AEFC-48EA-9ED9-BD30CD9E9E87} - System32\Tasks\{985AB0CA-A785-4375-8893-720E2953F46B} => pcalua.exe -a "C:\Users\Carol\AppData\Local\Temp\Temp1_3.2 Inch Software.zip\3.2 Inch Software\PC_AP_Setup.exe"
Task: {82278FB2-5ACB-4369-BCB9-79EE9E3543EE} - System32\Tasks\{DA937782-E1D2-4AA9-85AC-4547BE98C73E} => pcalua.exe -a C:\Users\Carol\AppData\Local\Temp\jre-8u71-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1
Task: {FADD67AA-D5A3-4D94-89EB-D5BF33B5F648} - System32\Tasks\{A8AEF0C1-BA6E-4927-8B70-51580FF7628B} => pcalua.exe -a C:\Users\Carol\Downloads\Lightroom_5_LS11_win_5_7_1.exe -d C:\Users\Carol\Downloads
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

THINGS TO REPLY WITH >>>>

• Did the uninstalls go fine or were there any problems?
• The Fixlog.txt log file.
• How is your system running now?
• Where or how was your system cleaned?  Can you provide a link to the thread / web-site (if that was where the cleaning was directed at)?  I just would like to see what was removed and how.  Thanks.

 

[CLZ]

Seems to have gone very well.   Overall performance is improved and there have been no more pop-ups notifying of blocking attacks.   One question for you, though: for the past few months I'm continually running out of hard drive space and moving files and folders to an external hard drive--I seriously have next to nothing in terms of my own data files left on my hard drive (and I've been running Disk Cleanup religiously).  This started after I picked up the malware.  I'm talking about 3 gigs or more 'disappearing' over the course of a day or so.  I kept moving files to my external drive.  Recently, I had to start removing programs.   I haven't downloaded any new programs.  Could this be a function of the malware?  Is there something I'm overlooking?

Program Removal Error Message:  Coupon Printer:  May already have been uninstalled.  Would you like to remove from programs and features list?   I clicked yes.  The program name removed smoothly.  Before removal I noticed that there was no file size data next to it.

Hopefully, the files will appear in order.

Fixlog.txt

MBAR log from 5/30/16   Run prior to coming on to the forum.

MBAR log after FARBAR Recovery 6/18/16.

ADWCleanerC1.txt   Run prior to coming on the forum.

Rogue Killer -  Run prior to coming on the forum.   Did not pursue any removal with this program.

Hitman Pro -   Run prior to coming on the forum. Looking to free up disk space, I deleted the original log file.  I just ran this new scan today after the FARBAR Recovery.

 

Thanks so much again for your help.   I'd love to hear what you have to say about the drive space.   Again, thanks!

Fixlog.txt

malwarebytes 2016-05-30.txtl.txt

malwarebytes 2016-06-18.txt

AdwCleanerC1.txt

roguetxt.txt

HitmanPro_20160619_0016.log

[dbreeze]

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open an Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.

 

We will check into the disk space issue next.

[CLZ]

19 hours ago, dbreeze said:

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open an Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.

 

We will check into the disk space issue next.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 7 Home Premium x64
Ran by Carol (Administrator) on Mon 06/20/2016 at 23:29:02.98
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 46

Successfully deleted: C:\Users\Carol\AppData\Local\{013273C2-2C2D-4EC7-B070-86714F2B2DCE} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{021E0511-02E3-4754-9DE6-91515C543036} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{06CD7F6B-73A1-42B3-AC47-3D6D5EF6027D} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{18F4F198-E32C-4E0C-A2CA-7BE876B33CE2} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{1A796155-D9A3-41EA-8379-3E50F45AED48} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{27613F31-3EBB-4932-9AB9-9DD488911309} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{2A1DB8CB-8792-4B4E-9BC1-BCD4F043617D} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{2CE06E8E-3008-4BF9-99C4-7C05512A8454} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{2D7D54DB-74FE-47CC-A314-B9874A71FC42} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{344C9E67-C903-41B4-B65A-17A6E3EA3C23} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{356909A2-91D6-408C-AA60-E1AB45127080} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{3723B845-C1F8-4CE3-A792-DF97C44F2B10} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{37ED4F9F-3852-43E4-AE71-BC44909AFC40} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{3B3908E4-8D5A-4459-9FB8-FFC42FE16F9C} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{3D8FDCA4-5663-4D55-97C5-D7645EAA11F9} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{5211DAF8-17D0-45E0-AB56-B7C4D2DC1ACB} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{548814F2-12A8-40A7-8AFA-FAABD98C6FF6} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{571D836D-32CC-4D3D-A14B-93E723C019F3} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{5F37EC4E-1ECC-49D3-9DC4-CA457A9EE807} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{64981C43-28CD-480D-9F48-364A98B1C8F9} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{692A6D29-F132-4C3C-B1AD-2EC20C46ED32} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{78AF12C1-78AD-4556-B091-AA9BA7EFB22C} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{78C1DA15-963A-4EAE-A3C3-E816D45170EB} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{9F2378C7-782B-48D9-8499-53A2379D8389} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{9F7795DC-4C05-4F85-9B37-429605DB7189} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{A3813F36-0BDA-4B51-B88F-03E20A7BC96C} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{A90FC897-1DDD-473D-9EE1-1A004B74FCB3} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{B702E046-6F54-48A0-88A2-F17DC4B68495} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{BD011A5D-882A-4894-B5C3-9D24B016F9B9} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{C079C022-BA08-4EEC-AE1F-1DC750C36FCF} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{C6E5D343-F691-45F8-90E8-5AC5968F1FD6} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{C785CBF7-3476-4C71-A5A8-EC011A2FC318} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{E2A5F473-8701-4A31-BF5B-952A818228AB} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{E698B766-52F9-4F7D-B813-0308B00A506E} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{E75630DF-E68D-412D-90A7-A8C559E78442} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\{EBD4099D-378B-44A8-9962-40D8719E040A} (Empty Folder)
Successfully deleted: C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\i5edkgu9.default-1445014727016\extensions\bingsearch.full@microsoft.com\search.xml (File)
Successfully deleted: C:\Windows\system32\Tasks\EasySpeedUpManager (Task)
Successfully deleted: C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K3NBXG9 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BM1Z6UI3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MISIEQY2 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SM64BAW1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K3NBXG9 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BM1Z6UI3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MISIEQY2 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SM64BAW1 (Temporary Internet Files Folder)

 

Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 06/20/2016 at 23:32:06.83
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[dbreeze]

That's quite a few files deleted by JRT.  Let's check with AdwCleaner again.

---

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

1. Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
   You will see the following console: You will see the following console:

   

2. Click the Scan button and wait for the scan to finish.

3. After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.

4. Click the Clean button.

5. Everything checked will be deleted.

6. When the program has finished cleaning a report appears.

7. Once done it may ask to reboot (depending on what it found to remove): please allow this

   

8. On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

 

[CLZ]

On ‎6‎/‎18‎/‎2016 at 4:45 PM, CLZ said:

Addition.txt

FRST.txt

Two things before I get started with this.  (I'll proceed without waiting for your reply.)   I just didn't want to forget to tell you.

1.   Sigh.  Not too long ago the pop-up blocker came up again--this time, once only (it used to come up twice in rapid succession).   Same message:  incoming attack on c:\windows\system32\svchotst.exe. 

2.  When I started checking my download folder to see whether or not I still had an AdwCleaner program on the computer from the last time I ran it, I noticed couponprinter.exe in the folder--one of the first things you had me get rid of.  Waiting to here from you for instructions on how to get rid of it.  (I would do shift+delete, but I'm concerned about registry issues.)

[CLZ]

AdwCleaner 'found no malicious software on your computer'.   It didn't produce a log file and no reboot required.

[dbreeze]

The file (couponprinter.exe) in the download folder can be deleted (shift+delete) as this is the install file not the actual adware.

---

Download zoek.exe from here: Bleepingcomputer

• Close/disable all anti virus and anti malware programs so they do not interfere with the download or running of Zoek.exe
  (Here or here you can read a manual how to disable your security applications.)
• Doubleclick zoek.exe to start the program.
• Click the More Options button and select the "Do a Deep Scan" option.
• Close any open browsers.
• Click the "Run script" button and wait patiently.
• When finished the logfile will be opened in notepad.
• The zoek-results.log can also be found on your systemdrive.
• Please post the logfile for further review in your next comment.
  

 

[CLZ]

zoek-results.txt

[CLZ]

New pop-up block message a few minutes ago.   Something I suspected, but had nothing to go on till now.   The malware slowed down my Kaspersky software and it took forever to load.  Every time I booted up the computer, Seagate Dashboard updater would load very quickly to tell me about updates way before Seagate would load. I didn't let the update run.  I solved the Kaspersky program issue by running a new release update.

New Malware Bytes block:   IP: 80.82.79.104, Port 888, Inbound  c:\program files (x86)\Seagate\S...Dashboard 2.01\mobile service.exe

[CLZ]

Oops as written this makes no sense.   I meant to say that Seagate Dashboard would ask to update before Kaspersky loaded.

[dbreeze]

Do you use Seagate Dashboard much or is it just nice to have as a drive monitoring tool?  Do you use the backup functions, for example?

 

[CLZ]

Seagate was another issue I needed to take care of.   I haven't connected the drive to do a back-up in quite a while.   About a year ago I needed to contact Seagate because the drive (which is actually quite a bit larger than my c:\ drive) was full!   The only thing I am/was using it for is data file back up.  I had needed to retrieve a file and somehow managed to replicate the back up three times.  The drive needed Seagate tech intervention to remove the extra back ups.   The drive is full again and I know I hadn't touched it trying to get a file from it this time.  Taking care of that is next on my 'to do' list. 

  

[dbreeze]

From the scans it looked like Seagate could be an issue.  I was just wondering if uninstalling it stopped the blocked messages.

[CLZ]

Was it uninstalled?  If need be I can always reinstall.  Let me take a step back.   I'm confused now, and I've probably confused you.

When I talked about the first issues I had with Seagate replicating the backups of the data, that was before the computer was infected with malware.  The program itself (at the time) doesn't allow the user to delete the replicated back ups.   I'm pretty sure the malware wasn't on my computer yet when the drive indicated it was full a second time.   Since the Seagate external drive program only backs up data (automatically) and I bought another external drive intended for my photography work, I saved important files to the new external drive and put off doing anything about the Seagate drive.   That was quite a while ago.   In the meantime, I'd be willing to bet that there were plenty of incremental updates to Seagate Dashboard.   But, the pop-up asking me to update didn't become insistent on my updating until the malware was on the computer.  The kicker was that it probably slowed the Kaspersky load time to a crawl.  It would launch as much as 5 minutes earlier than Kaspersky was able to load.

[CLZ]

Clarification #2.   The first time ever that I saw Malware Bytes block Seagate Dashboard was after we removed all the other stuff.

[dbreeze]

 

This next step may take a while (just to warn you) .....

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead.  ESET Online does work with IE 10 and earlier.

You can leave Kaspersky Enabled even though ESET may warn about it. just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same

Please read carefully and Slowly, Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below at it needs to have the tick removed.

-------------------------------------------------------------------------------------------------------------------

Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner  <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).

For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.

Double click on the icon on your desktop.

Check (accept) the Terms of Use.

Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:-
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked

Now click on: Start

 

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

When the scan is finished, if any threats are found you will see the screen below.  Click to view the found threats.

At the bottom of the listed threats, there is an option to save the results to a text file.  Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).

Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.

Attach the saved log file in your next reply please.  Thanks.

[CLZ]

Ugh.  The hyperlink you provided pulled up a new tab with this thread instead of EST Scanner.   I thought I'd try not to bother you about it.  I searched on line for the site and pulled up a page identical to the one shown and downloaded.

I'm using Firefox to run this.   There was no eset smartinstaller and the scan settings were worded slightly differently, but no different enough to cause any alarm.   The program ran and found 5 infected items in an earlier version of Lightroom that's still on the computer. (I found this recently after Lightroom's main catalog corrupted.   I wanted to get the malware off the computer before tackling this.)

The program hung twice before finishing the scan and giving me a log file. The scan window went completely blank and needed to be closed down.

Waiting for further instructions from you.  Uninstall the program I downloaded?   Here's the link I pulled the file from:  http://www.eset.com/us/online-scanner/?CMP=knc-inmkt-Bing-B|S-US-BR-C-Other|B&utm_source=bing&utm_medium=knc&utm_campaign=B|S-US-BR-C-Other|B&utm_content=inmkt&utm_term=%2Beset %2Bonline&bkw=%2Beset %2Bonline&bcr=9455517912&bcp=28294984&bag=2822342639

[dbreeze]

I apologize for the problem with the link.  The forum software was changed recently and I'm having some issues with it.

Yes, please uninstall the ESET Online Scanner.

Then please try the following scanner; there should not be any issues with this one.

Go to Emsisoft and download the Emsisoft Free Emergency Kit from here.

• Double click on the EmsisoftEmergencyKit.exe file and then click on Extract to unpack the files (the default directory of C:\EEK is fine).
• Go to the new directory and right click on Start Emergency Kit Scanner.exe and choose 'Run as Administrator'.
• Once the scanner loads, click on 1.Update to check for and load the current updates.
• When the updates are finished, click on Malware Scan in the 2. Scan box.
• Please enable the PUP detection option.  (The Kit may ask about this after it is loading updates or right when the scan starts; it will only ask once, so enable it when the Kit asks.)
• If the scan finds anything, it will open a scan finding window.  Please click on View Report; copy this report and paste it here in reply post.
• Please close the Emergency Kit Scanner program now.
  

 

[CLZ]

Emsisoft Emergency Kit - Version 11.0
Last update: 6/27/2016 9:31:16 AM
User account: Carol-PC\Carol

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    6/27/2016 9:33:23 AM

Scanned    79022
Found    0

Scan end:    6/27/2016 9:53:26 AM
Scan time:    0:20:03