
need help



Hi, I scan my computer every morning and the scan shows potential threats detected. I quarantine and delete, and by the next morning I am doing it again, finding the same results. I haven't downloaded anything or even been on the internet and the scan still shows threats detected. Other than that my computer runs normally. I don't know where the threats came from or how to get rid of them.

My summary is:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/19/17
Scan Time: 6:58 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1538
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: HOMEPC\charles

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 437760
Time Elapsed: 4 min, 56 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.AdvancedSystemCare, C:\PROGRAMDATA\IObit\ASCDownloader, Quarantined, [1859], [380336],1.0.1538

File: 1
PUP.Optional.AdvancedSystemCare, C:\ProgramData\IObit\ASCDownloader\Downloader.log, Quarantined, [1859], [380336],1.0.1538

Physical Sector: 0
(No malicious items detected)


(end)

Please advise me on what action to take.

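The scan summary above is the kind of log the parser below reads. This is an added example, not code from the thread or from Malwarebytes: it pulls the detection lines out of the -Scan Details- section and compares two scans, so a detection that comes back every morning (the poster's actual complaint) shows up as recurring. The function names and the second, next-morning log are my own constructions; only the first log's lines come from the post.

```python
"""Extract detections from a Malwarebytes scan log and report which ones
recur between two scans.  Added example (not code from the thread or from
Malwarebytes): the log format follows the summary posted above; LOG_DAY2 is
constructed to show a repeat detection the next morning."""
import re
from dataclasses import dataclass

# Detection line as it appears under -Scan Details- in the posted log:
#   <threat name>, <path>, <action>, [<id>], [<id>],<database version>
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+?), (?P<action>[A-Za-z ]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<db>[\d.]+)$"
)
# Section header such as "Folder: 1" or "Registry Key: 0"
SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+): (?P<count>\d+)$")


@dataclass(frozen=True)
class Detection:
    kind: str    # Folder, File, Registry Key, ...
    name: str    # e.g. PUP.Optional.AdvancedSystemCare
    path: str
    action: str  # Quarantined, Deleted, ...


def parse_detections(log_text: str) -> list[Detection]:
    """Walk the -Scan Details- section and return one Detection per hit line."""
    detections: list[Detection] = []
    kind = None
    in_details = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details or not line or line == "(end)":
            continue
        section = SECTION_RE.match(line)
        if section:
            kind = section.group("kind")
            continue
        hit = DETECTION_RE.match(line)
        if hit and kind:
            detections.append(Detection(kind, hit.group("name"),
                                        hit.group("path"), hit.group("action")))
    return detections


def recurring(first: list[Detection], second: list[Detection]) -> list[Detection]:
    """Detections of the second scan that were already in the first one.
    Paths are compared case-insensitively (NTFS is, and the posted log
    writes the same folder as PROGRAMDATA and ProgramData)."""
    seen = {(d.kind, d.name, d.path.lower()) for d in first}
    return [d for d in second if (d.kind, d.name, d.path.lower()) in seen]


# Day 1: the -Scan Details- portion of the log quoted in the first post.
LOG_DAY1 = r"""
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 437760

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Folder: 1
PUP.Optional.AdvancedSystemCare, C:\PROGRAMDATA\IObit\ASCDownloader, Quarantined, [1859], [380336],1.0.1538

File: 1
PUP.Optional.AdvancedSystemCare, C:\ProgramData\IObit\ASCDownloader\Downloader.log, Quarantined, [1859], [380336],1.0.1538

Physical Sector: 0
(No malicious items detected)

(end)
"""

# Day 2: a constructed next-morning log with the same two hits (different
# path casing) plus one unrelated, constructed hit that does not recur.
LOG_DAY2 = r"""
-Scan Details-
Folder: 1
PUP.Optional.AdvancedSystemCare, C:\ProgramData\IObit\ASCDownloader, Quarantined, [1859], [380336],1.0.1540

File: 2
PUP.Optional.AdvancedSystemCare, C:\ProgramData\IObit\ASCDownloader\Downloader.log, Quarantined, [1859], [380336],1.0.1540
PUP.Optional.ExampleToolbar, C:\Users\charles\Downloads\example_setup.exe, Quarantined, [1], [2],1.0.1540

(end)
"""

if __name__ == "__main__":
    day1, day2 = parse_detections(LOG_DAY1), parse_detections(LOG_DAY2)
    for d in recurring(day1, day2):
        # A hit that comes back after quarantine means something still present
        # recreates it; the path here is a folder of an IObit product.
        print(f"recurring {d.kind}: {d.name} at {d.path}")
```

A recurring entry is the signal to look for the installed program that owns the path rather than to keep quarantining its output, which is what the helper's later questions about the system are aimed at.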

Hello csj31 and welcome to the Forum.

I'm Android 8888 and I'll be helping you with your malware issues. Please ask questions if anything is unclear.


The two threats that Malwarebytes found are called Potentially Unwanted Programs (PUP) and were quarantined, so they are no longer active and you don't need to worry about them.

However you may delete the quarantined threats so they do not reappear in the next scans.

To permanently delete them:

  • Open Malwarebytes;
  • On the left pane select Quarantine;
  • Checkmark (tick) the upper checkbox to select all threats.
  • Click the Delete button located at the bottom right-corner.
  • Close Malwarebytes.

If you still need help and want to check your system further for malware, please read the following instructions, perform the FRST scan and attach the two logs for my review in your next reply.


Please download FRST 64-bit

  • Move the executable (FRST64.exe) to your Desktop;
  • Right-click on the executable and select Run as Administrator;
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Make sure the Addition.txt box is checked;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open;
  • Please attach both FRST.txt and Addition.txt in your next reply;

Thank you.

Android8888


Hello csj31.

Thank you for those logs.

I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

Please DO NOT run any tools on your own and follow the directions in the order listed.

Make sure to run all the tools from the Desktop and with Administrator privileges.

That being said, let's start cleaning up your system.


Now I need some information about the following files (in bold):

C:\Users\charles\Documents\cc_20170318_231817.reg
C:\Users\charles\Documents\cc_20170318_231730.reg

These are Registry files. Did you create them, or are they familiar to you? Let me know that in your next reply.


Next,

Please go to VirusTotal and submit the following file (in bold) for a scan and post the link to the detection results:

C:\.dir  

(Note the dot before the letters)

 


Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
    [screenshot; credits: Aura]
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the fixlog.txt in your next reply;


Next,

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator;
  • Press any key to launch the scan and let it complete;
    [screenshot; credits: BleepingComputer.com and Aura]
  • Once the scan is complete, a log will open. Please attach that log in your next reply;


Next,

  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. The log can also be found in C:\AdwCleaner\AdwCleaner[Cx].txt where x is a number. Please attach that log in your next reply;


To summarize, your next reply should include:

  • Information about the two Registry files;
  • The links to the results from scanning the file at VirusTotal;
  • The fixlog.txt produced by FRST;
  • The JRT log;
  • The AdwCleaner clean log.

Let me also know how your computer is running.

fixlist.txt


The 2 files were registry backups from the program CCleaner.

The links to VirusTotal are:

https://www.virustotal.com/en/file/42d14e4f8512a50240c9d72cceb8fde5d45d424e688fbd2d8400a398d8f0d5db/analysis/

https://www.virustotal.com/en/file/192aa81f009b93cd9dcf8e7947e28dd76e1052b1796ce22a4288393d649139e4/analysis/

My computer so far seems to be running normally. I just scanned again with Malwarebytes and it found nothing. I'll scan again in the morning because that is usually when Malwarebytes detects it.

Thanks for the help, I will keep you informed.

JRT.txt

Fixlog.txt

AdwCleaner[C0].txt


Hello csj31 and thank you for keeping me informed.

Things are looking good on your system.

 

You didn't submit the .dir file at VirusTotal as I asked you in my previous post:
 

15 hours ago, Android8888 said:

Next,

Please go to VirusTotal and submit the following file (in bold) for a scan and post the link to the detection results:

C:\.dir  

(Note the dot before the letters)

Please submit the .dir file (if present) for a scan at VirusTotal and post the link to the detection result in your next reply.

 

Next,

The following scan may take several hours to complete but is a very thorough scan to search for infections or leftovers that may not have been detected on previous scans.

Please scan your computer with ESET Online Scanner.

  • Click on this link to open ESET Online Scanner in a new window.
    1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    2. Close all your programs and browsers.
    3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.

  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.


Please post:
The link to the result from scanning the file .dir at VirusTotal;
The ESET log (if it produced one).


Hello csj31.

ESET found and deleted some threats. So let's perform another couple of scans to make sure there are no remnants of infection that could be left behind.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.

  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.


Note: Whenever necessary, the log will be in the following location:

C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log

 

Next,

Follow the instructions below to download and execute a scan on your system with FRST, and provide a new set of logs for my review in your next reply.

  • Right-click on the executable and select Run as Administrator;
  • Accept the disclaimer by clicking on Yes;
  • Make sure the Addition.txt checkbox is checkmarked;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open;
  • Please attach both FRST.txt and Addition.txt in your next reply;


Please copy and paste the entire content of the Sophos Virus Removal Tool log and attach the two new logs (FRST.txt and Addition.txt) in your next reply.


Hello csj31.

SVRT did not find any threats, which is a very good sign.


Let's perform a fix with the ZOEK tool to remove some stubborn entries that are not needed.

Follow the instructions below to perform a fix with ZOEK and post the log.

  • Download zoek.exe and move the executable to your Desktop;
  • Download the attached zoekscript.txt file and move it to your Desktop as well;
  • Drag and drop the zoekscript.txt file on top of zoek.exe;
    [animation]
  • If you get a UAC prompt, accept it;
  • Answer Yes to the warning window and ZOEK will run the fix automatically;
    [screenshot; credits: Aura]
  • On completion, Notepad will open the zoek-results.log file (this file can be found directly at the root of the C: drive as well). If the computer needs to restart after the fix, Notepad will open after it;
  • Please attach the zoek-results.log in your next reply;


Next, I would like to see a scan log from RogueKiller.

Please download RogueKiller 32/64 Bits Installer (setup.exe) by Tigzy and save it to your Desktop.

  • Right click on the file setup.exe and select Run as administrator to install the tool.
  • Click Yes to accept any security warnings that may appear.
  • Choose the installation language and click OK.
  • Checkmark "Install 32 and 64 bits versions" and click Next. Follow the steps to install the tool.
  • Now close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.


Please attach the RKlog.txt to your next reply.


Let me know how the computer is behaving at this point. Does Malwarebytes still find any malicious entries?

zoekscript.txt


Hello csj31.

Thanks for those logs and Malwarebytes information.

Please proceed as follows:


  • Close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Re-run RogueKiller.
  • Right-click on the icon and select Run as administrator.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • When the scan completes:

Checkmark (tick) all Registry entries:

[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\APN PIP -> Found
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\Conduit -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\PIP -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\Visualbee -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\APN PIP -> Found
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\Conduit -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\PIP -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\Visualbee -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\AppDataLow\Toolbar -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\AppDataLow\Toolbar -> Found
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\AppDataLow\Software\Conduit -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\AppDataLow\Software\ConduitSearchScopes -> Found
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\AppDataLow\Software\Conduit -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\AppDataLow\Software\ConduitSearchScopes -> Found

Checkmark (tick) the following Web Browsers entry:

[PUM.NewTab][Firefox:Config] iee0zf8t.default-1447315560753 : user_pref("browser.newtab.url", "http://search.swagbucks.com/?f=51"); -> Found

  • Click on the Remove Selected button.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.
  • Please attach the RKlog.txt to your next reply.


Next,

Please download Zemana AntiMalware and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the security warning.
  • Once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your Desktop and click the Save button.
  • Please attach the saved report in your next reply.

 

Next,

Please download Emsisoft Emergency Kit and save it to your computer Desktop.

  • Right-click the icon and select Run as administrator to run the tool.
  • Click Yes to accept the security warning.
  • Click on the Install button and wait until the installation is complete. When finished it will open a new window.
  • Right-click on the start emergency kit scanner file and select Run as administrator.
  • Click Yes to accept the security warning.
  • The tool will search for updates. If an update is found click Yes to accept and install it.
  • After the update is complete, click on Malware Scan under 2. Scan and click Yes to accept and let Emsisoft Emergency Kit detect PUPs.
  • Once the scan is complete, make sure that every item in the list is checked, and click on Delete selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, go to C:\EEK and click on the start emergency kit scanner file again to open it;
  • Now click on Logs tab menu;
  • From there, go under the Scan Log tab, and click on the Export button;
  • Save the log on your Desktop, then attach it in your next reply;

 

To summarize, please attach the following logs in your next reply:
  • RKlog.txt;
  • Zemana log;
  • Emsisoft Emergency Kit log.

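The RogueKiller entries quoted in the post above follow a simple line format. The added example below is my own code, not RogueKiller's or the thread's (helper names such as parse_report and registry_views are my assumptions): it parses those lines, shows which registry keys appear in both the X64 and X86 views, and extracts the host that the hijacked Firefox new-tab preference points at, which is what a reviewer wants to see before ticking entries for removal.

```python
"""Parse RogueKiller report lines like those quoted in the post above and
group them for review before anything is removed.  Added example, not
RogueKiller's own code: the line format is inferred from the quoted entries
and the helper names are my own."""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# "[Tag][Tag] <body> -> Status"; the bracketed tags are detection categories.
LINE_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<body>.+?)\s*->\s*(?P<status>\w+)$")
# Registry body: "(X64) HKEY_USERS\...\Software\Conduit"
REG_RE = re.compile(r"^\((?P<arch>X64|X86)\)\s+(?P<path>.+)$")
# Browser body: '<profile> : user_pref("name", "value");'
PREF_RE = re.compile(r'^(?P<profile>\S+)\s*:\s*user_pref\("(?P<name>[^"]+)",\s*"(?P<value>[^"]*)"\);$')


def parse_line(line: str) -> dict | None:
    """Return a dict describing one report line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # "[PUP.Conduit|PUP.Gen1]" carries two categories in one bracket pair.
    tags = [t for group in re.findall(r"\[([^\]]+)\]", m.group("tags")) for t in group.split("|")]
    entry = {"tags": tags, "status": m.group("status"), "type": "other", "body": m.group("body")}
    reg = REG_RE.match(entry["body"])
    if reg:
        entry.update(type="registry", arch=reg.group("arch"), path=reg.group("path"))
    pref = PREF_RE.match(entry["body"])
    if pref:
        entry.update(type="browser_pref", profile=pref.group("profile"),
                     pref=pref.group("name"), value=pref.group("value"))
    return entry


def parse_report(text: str) -> list[dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def registry_views(entries: list[dict]) -> dict[str, set[str]]:
    """Map each registry path to the registry views (X64/X86) it was found in;
    the report lists the same key once per view, so pairs are expected."""
    views: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e["type"] == "registry":
            views[e["path"]].add(e["arch"])
    return dict(views)


def browser_pref_hosts(entries: list[dict]) -> list[tuple[str, str, str]]:
    """(profile, pref name, host) for every flagged browser preference, so the
    destination of a new-tab or homepage override can be seen at a glance."""
    return [(e["profile"], e["pref"], urlsplit(e["value"]).hostname or "")
            for e in entries if e["type"] == "browser_pref"]


# A subset of the entries quoted in the post above (registry keys plus one Firefox pref).
REPORT = r"""
[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\APN PIP -> Found
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\Conduit -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\Visualbee -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\APN PIP -> Found
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\Conduit -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_chux_ON_H_4870\Software\Visualbee -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_chux_ON_H_4870\Software\AppDataLow\Software\ConduitSearchScopes -> Found
[PUM.NewTab][Firefox:Config] iee0zf8t.default-1447315560753 : user_pref("browser.newtab.url", "http://search.swagbucks.com/?f=51"); -> Found
"""

if __name__ == "__main__":
    entries = parse_report(REPORT)
    for path, views in sorted(registry_views(entries).items()):
        print(f"{path}  views={sorted(views)}")
    for profile, name, host in browser_pref_hosts(entries):
        print(f"{profile}: {name} points at {host}")
```

Grouping by path makes it obvious that most of the fourteen registry lines are seven keys seen through two views, and the host extracted from the PUM entry tells you what the new-tab page was redirected to before the preference is reset.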

Hi csj31.

Okay, let's make sure that EEK removed the 3 threats it found, then re-run JRT, AdwCleaner and FRST. I need to review those logs to check if there are any stubborn remnants of infection.

  • Go to C:\EEK and right-click on the start emergency kit scanner file and select Run as administrator.
  • Click Yes to accept the security warning.
  • The tool will search for updates. If an update is found click Yes to accept and install it.
  • After the update is complete, click on Malware Scan under 2. Scan and click Yes to accept and let Emsisoft Emergency Kit detect PUPs.
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, go to C:\EEK and click on the start emergency kit scanner file again to open it;
  • Now click on Logs tab menu;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your Desktop, then attach it in your next reply;

Next,

Please re-run Junkware Removal Tool.

  • Right-click on JRT.exe and select Run as Administrator;
  • Press any key to launch the scan and let it complete;
    [screenshot; credits: BleepingComputer.com and Aura]
  • Once the scan is complete, a log will open;
  • Please attach the log in your next reply.

Next,

Please re-run AdwCleaner.

  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in;
  • Please attach the clean log in your next reply;

Next,

Please re-run FRST64.

  • Right-click on the FRST64 executable and select Run as Administrator;
  • Accept the disclaimer by clicking on Yes and wait a few seconds so the tool can update;
  • Make sure the checkbox Addition.txt is checked;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open;
  • Please attach both FRST.txt and Addition.txt in your next reply;

 

Please attach:

  • EEK quarantine log;
  • JRT log;
  • AdwCleaner log;
  • The FRST.txt and Addition.txt logs.


Hello csj31.

Your logs are clean and that means your computer appears to be free of malware. :)

Now run the following fix just to do some tidy up.
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); Note: Do not open that file.
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
    [screenshot; credits: Aura]
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the fixlog.txt in your next reply;

Next,

Please read the instructions in the links below and reset your Internet browsers.

Reset Mozilla Firefox:
How to reset Mozilla Firefox

Reset Google Chrome:
How to reset Google Chrome


Please attach the fixlog.txt and let me know how the computer is running at this point.

Are there any more issues or concerns with your computer?

fixlist.txt


34 minutes ago, csj31 said:

my computer seems to be running fine thanks for all of your help.

I'm glad to hear that csj31. You are very welcome! :)

 

You have outdated versions of Java installed in your computer. These versions contain security vulnerabilities that can be exploited by malware.
The latest version is Java 8 Update 121. You can download it here: https://www.java.com/en/download/

If present remove the old version(s) of Java through right-click on Start > Control Panel > Programs and Features.
Once old versions are gone, please install the newest version.

 

Please download, install and run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated. Outdated programs are a front door for malware infections.

 

Since everything is running well, you can now delete the tools we used in the malware removal process.

Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options :
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. I don't need to see the log;

Are there any further issues or concerns?...


  • 2 weeks later...
  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.