Can't Remove Threats



When I run Malwarebytes it finds 7-8 threats and says it removes them on restart. But after I restart and rerun Malwarebytes they are all back. I'm getting hundreds of popups that Firefox is blocking and a few that it's not, as well as an audio message saying I have a virus. The files it finds are Backdoor.Bot, PUP.Optional.PennyBee, PUP.Optional.Shopperz.BrwsrFish <- This one comes up 5-6 times, all files and one folder with the same name.

 

Addition.txt

FRST.txt


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommended "Desktop", then attach it to your reply
    XML file (*.xml) - if selected you will have to name the file and save it to a place of your choice, recommended "Desktop", then attach it to your reply
     
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs, also give an update on any remaining issues or concerns...

Thank you,

Kevin....

Fixlist.txt


So I got as far as downloading the fixlist and running the fix in FRST, and now EVERY webpage I try to open gives this error message: "The owner of search.yahoo.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website. This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate." This page I can add an exception to and access, but it's only text in a very basic layout. I can't access any sites right now unless I add an exception, and then I just get text.


It redirects to http://rtbtracking.com/Redirect/ in IE when I try to access any website, idk if that helps or not.. Also I see the link to click to attach files now but it is dead. This is the content of the fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 24-07-2016
Ran by Truck (2010-01-01 00:52:00) Run:1
Running from C:\Users\Truck\Downloads
Loaded Profiles: Truck (Available Profiles: Truck)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Replace: C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_40503f45b2481bc5\dnsapi.dll C:\Windows\System32\dnsapi.dll
Replace: C:\Windows\winsxs\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_4aa4e997e6a8ddc0\dnsapi.dll C:\Windows\SysWOW64\dnsapi.dll
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8551848 2015-10-19] (Piriform Ltd)
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIICE.EXE [283232 2012-02-29] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\...\MountPoints2: {0d51ce0b-6c91-11e4-af6f-2c41385d81da} - F:\TL_Bootstrap.exe
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\...\MountPoints2: {0e001639-9ae9-11e2-b1f6-2c41385d81da} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\...\MountPoints2: {4df33281-4e88-11e4-b4d0-2c41385d81da} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\...\MountPoints2: {fd498f27-4473-11e2-a0fc-2c41385d81da} - F:\LaunchU3.exe -a
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-472870500-1239675286-1634081429-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\2976B926591BF844FC1E4C25910DCA392976 [2015-11-10] <==== ATTENTION
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-06-02] <==== ATTENTION
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2012-12-13] (Apple, Inc.) [File not signed]
S3 ALSysIO; \??\C:\Users\Truck\AppData\Local\Temp\ALSysIO64.sys [X]
C:\Windows\system32\REN8FEF.tmp
C:\Program Files (x86)\GUTE82D.tmp
C:\Users\Truck\AppData\Local\nsv9336.tmp
C:\ProgramData\tempimage.bmp
RemoveProxy:
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\System32\dnsapi.dll => moved successfully
C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_40503f45b2481bc5\dnsapi.dll copied successfully to C:\Windows\System32\dnsapi.dll
C:\Windows\SysWOW64\dnsapi.dll => moved successfully
C:\Windows\winsxs\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_4aa4e997e6a8ddc0\dnsapi.dll copied successfully to C:\Windows\SysWOW64\dnsapi.dll
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\Software\Microsoft\Windows\CurrentVersion\Run\\CCleaner Monitoring => value removed successfully
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\Software\Microsoft\Windows\CurrentVersion\Run\\EPLTarget\P0000000000000000 => value removed successfully
"HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d51ce0b-6c91-11e4-af6f-2c41385d81da}" => key removed successfully
HKCR\CLSID\{0d51ce0b-6c91-11e4-af6f-2c41385d81da} => key not found.
"HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e001639-9ae9-11e2-b1f6-2c41385d81da}" => key removed successfully
HKCR\CLSID\{0e001639-9ae9-11e2-b1f6-2c41385d81da} => key not found.
"HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4df33281-4e88-11e4-b4d0-2c41385d81da}" => key removed successfully
HKCR\CLSID\{4df33281-4e88-11e4-b4d0-2c41385d81da} => key not found.
"HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd498f27-4473-11e2-a0fc-2c41385d81da}" => key removed successfully
HKCR\CLSID\{fd498f27-4473-11e2-a0fc-2c41385d81da} => key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
C:\Program Files (x86)\mozilla firefox\2976B926591BF844FC1E4C25910DCA392976 => moved successfully
C:\Program Files (x86)\mozilla firefox\firefox.cfg => moved successfully
USBAAPL64 => service removed successfully
ALSysIO => service removed successfully
C:\Windows\system32\REN8FEF.tmp => moved successfully
C:\Program Files (x86)\GUTE82D.tmp => moved successfully
C:\Users\Truck\AppData\Local\nsv9336.tmp => moved successfully
C:\ProgramData\tempimage.bmp => moved successfully

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-472870500-1239675286-1634081429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9578341 B
Java, Flash, Steam htmlcache => 6715 B
Windows/system/drivers => 129032 B
Edge => 0 B
Chrome => 287744 B
Firefox => 378636452 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 85192 B
Public => 0 B
ProgramData => 0 B
systemprofile => 44091436 B
systemprofile32 => 5044691 B
LocalService => 0 B
NetworkService => 4970 B
Truck => 17776195 B

RecycleBin => 387740 B
EmptyTemp: => 442.9 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 00:52:33 ====

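Added example (editor's, not from this thread or from FRST): read-only PowerShell checks that cover the same ground as the fixlist in the Fixlog above, so the state of the machine can be confirmed without running another fix. It hashes the live dnsapi.dll in System32 and SysWOW64 against the component-store copies the fix restored (the two winsxs paths are copied from the Fixlog and are specific to that Windows 7 build; other builds use different directory names), reads the WinINet proxy values that RemoveProxy cleared, lists the Firefox autoconfig files of the kind FRST flagged under FF ExtraCheck, and dumps any Internet Explorer policy restrictions. Run it from an elevated PowerShell 4 or later; nothing here modifies the system.

```powershell
# Added example: read-only post-fix checks for the items the FRST fixlist above targeted.
# Requires PowerShell 4+ (Get-FileHash). Run elevated. The winsxs directory names below
# are taken from the Fixlog in this thread and are an assumption for any other machine.

function Test-DnsApiIntegrity {
    # The fix replaced the live dnsapi.dll with the copy kept in the component store.
    # A clean install has the live file byte-identical to its winsxs original.
    $pairs = @(
        @{ Live  = "$env:SystemRoot\System32\dnsapi.dll"
           Store = "$env:SystemRoot\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_40503f45b2481bc5\dnsapi.dll" },
        @{ Live  = "$env:SystemRoot\SysWOW64\dnsapi.dll"
           Store = "$env:SystemRoot\winsxs\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_4aa4e997e6a8ddc0\dnsapi.dll" }
    )
    foreach ($p in $pairs) {
        $liveHash  = (Get-FileHash -Algorithm SHA256 -Path $p.Live).Hash
        $storeHash = if (Test-Path $p.Store) { (Get-FileHash -Algorithm SHA256 -Path $p.Store).Hash } else { $null }
        # Note: Windows system DLLs are catalog-signed; on Windows 7 this often reports
        # 'NotSigned' even for a clean file, so the hash comparison is the reliable test.
        $sig = Get-AuthenticodeSignature -FilePath $p.Live
        [pscustomobject]@{
            File          = $p.Live
            SHA256        = $liveHash
            MatchesWinSxS = ($null -ne $storeHash -and $liveHash -eq $storeHash)
            Signature     = $sig.Status
        }
    }
}

function Get-ProxyConfig {
    # RemoveProxy cleared the WinINet connection blobs; a PAC URL or fixed proxy
    # surviving here will still steer every browser on the box.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v    = Get-ItemProperty -Path $key
    $conn = Get-ItemProperty -Path "$key\Connections" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable       = $v.ProxyEnable
        ProxyServer       = $v.ProxyServer
        AutoConfigURL     = $v.AutoConfigURL
        HasConnectionBlob = ($null -ne $conn -and $null -ne $conn.DefaultConnectionSettings)
        WinHttpProxy      = (netsh winhttp show proxy | Out-String).Trim()
    }
}

function Get-FirefoxAutoconfig {
    # Firefox loads a *.cfg from its install root only if a defaults\pref\*.js file
    # sets general.config.filename; both pieces are what FF ExtraCheck reports.
    foreach ($dir in "${env:ProgramFiles(x86)}\Mozilla Firefox", "$env:ProgramFiles\Mozilla Firefox") {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path "$dir\defaults\pref" -Filter *.js -ErrorAction SilentlyContinue |
            Select-String -Pattern 'general\.config\.filename' |
            ForEach-Object { [pscustomobject]@{ Kind = 'loader'; Path = $_.Path; Detail = $_.Line.Trim() } }
        Get-ChildItem -Path $dir -File | Where-Object { $_.Extension -in '.cfg', '' } |
            ForEach-Object { [pscustomobject]@{ Kind = 'config'; Path = $_.FullName; Detail = $_.LastWriteTime } }
    }
}

function Get-IEPolicyRestrictions {
    # The fix removed Policies\Microsoft\Internet Explorer from HKLM and the user hive.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $k = "$hive\SOFTWARE\Policies\Microsoft\Internet Explorer"
        if (Test-Path $k) {
            Get-ItemProperty -Path $k
            Get-ChildItem -Path $k -Recurse | Get-ItemProperty
        }
    }
}

Test-DnsApiIntegrity     | Format-Table -AutoSize
Get-ProxyConfig          | Format-List
Get-FirefoxAutoconfig    | Format-Table -AutoSize
Get-IEPolicyRestrictions | Format-List
```

A dnsapi.dll whose hash no longer matches the winsxs copy, a populated AutoConfigURL or connection blob, or a config file in the Firefox root that a defaults\pref\*.js loader points at are each worth a fresh FRST.txt and Addition.txt before assuming the browser trouble is unrelated to the infection.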

I cannot read that log correctly, the lines are merged into each other.... I can see that the two patched files "dnsapi.dll" have been replaced successfully, we have made progress. Not sure why your browsers are acting as you describe..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs....


I ran Mbam and restarted, it took a few tries but this page is coming up correctly again. It seems to me like a virus or malware is hacking security certificates for every website, I cleaned it with mbam but it's back again and my browser will probably mess up again next time I restart. But at least I've got it working long enough to get these logs posted.

Here is the Mbam log from that scan, its the same thing that has been coming up.

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2016.07.24.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17959
Truck :: TRUCK-HP [administrator]

1/1/2010 2:43:29 AM
mbam-log-2010-01-01 (02-43-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 287441
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Program Files\shopperz121120151821 (PUP.Optional.Shopperz.BrwsrFlsh) -> Delete on reboot.

Files Detected: 6
C:\Program Files\shopperz121120151821\csrcc.exe (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\shopperz121120151821\unins000.exe (PUP.Optional.PennyBee) -> Delete on reboot.
C:\Program Files\shopperz121120151821\csrcc.exe (PUP.Optional.Shopperz.BrwsrFlsh) -> Delete on reboot.
C:\Program Files\shopperz121120151821\Ebeavmee.dll (PUP.Optional.Shopperz.BrwsrFlsh) -> Delete on reboot.
C:\Program Files\shopperz121120151821\Ebeavmee64.dll (PUP.Optional.Shopperz.BrwsrFlsh) -> Delete on reboot.
C:\Program Files\shopperz121120151821\prc.exe (PUP.Optional.Shopperz.BrwsrFlsh) -> Delete on reboot.

(end)

 

Anyway, Goodnight, We can work more on this tomorrow, Thanks for all of your help.

 

Addition.txt

Fixlog.txt

FRST.txt


Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"


In the new window Select 1. Updates, when complete Select 2. Real Time Protection.


In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then " 2. Select the home icon.


In the new window select "Scan"


When the scan completes, check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR; for all other entries choose QUARANTINE, then select the "Next" tab


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)


On that screen select and highlight the scan details line, then select "Open Report"


Copy and paste that log to your reply...

Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs, also give an update on any remaining issues or concerns...

Thank you,

Kevin..

Fixlist.txt

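Added example (editor's, not from this thread or from Microsoft): mrt.log keeps one block for every MSRT run and the reply above wants only the most recent, so this PowerShell function returns just the last block plus the fields a helper normally reads first. The layout it assumes (each run opens with a line beginning "Microsoft Windows Malicious Software Removal Tool v", and contains "Started On", "Finished On" and "Return code:" lines) is an assumption about the log format; adjust the patterns if your copy differs.

```powershell
# Added example: extract only the most recent MSRT run from mrt.log.
# Assumed format (not verified against every MSRT version): every run starts with a
# version banner line and ends with a "Return code:" line. Adjust the regexes if needed.

function Get-MrtField {
    param([string[]]$Lines, [string]$Pattern)
    # First capture group of the first line matching $Pattern, or $null if absent.
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

function Get-LatestMrtRun {
    param([string]$Path = "$env:SystemRoot\debug\mrt.log")
    $lines = @(Get-Content -Path $Path)
    if ($lines.Count -eq 0) { throw "$Path is empty" }

    # Index of every run banner; the last one starts the most recent run.
    $starts = @(0..($lines.Count - 1) |
        Where-Object { $lines[$_] -match '^Microsoft Windows Malicious Software Removal Tool v' })
    if ($starts.Count -eq 0) { throw "No MSRT run blocks found in $Path" }

    $block = @($lines[$starts[-1]..($lines.Count - 1)])
    [pscustomobject]@{
        Version    = Get-MrtField $block '^Microsoft Windows Malicious Software Removal Tool v([\d.]+)'
        Started    = Get-MrtField $block '^Started On (.+)$'
        Finished   = Get-MrtField $block 'Finished On (.+)$'
        ReturnCode = Get-MrtField $block '^Return code:\s*(\d+)'
        # -match on an array returns the matching elements; cast to [bool] gives found/not found.
        Clean      = [bool]($block -match '^No infection found')
        Text       = ($block -join "`n")
    }
}

$run = Get-LatestMrtRun
$run | Format-List Version, Started, Finished, ReturnCode, Clean
# Paste $run.Text into the reply; it is only the final block, not the whole file.
```

If the Clean field comes back false, post the whole of $run.Text rather than the summary, since the detection and removal lines live in that block.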

Thanks for those logs, if no remaining issues or concerns continue to clean up:

To remove Zemana and Sophos download and use the following Uninstaller Tool:

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool, the main GUI will populate with installed programs list,

Left click on Program name to highlight that entry.

Select Action from the Menu bar, then Uninstall from there follow the prompts.

If Uninstall fails open the "Action" menu one more time and use "Force Removal" option

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts on Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


2 weeks later...

Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
