Jump to content

suspicious ****.tmp.exe files on startup


Recommended Posts

good afternoon,

recently my laptop symantec program started sending messages with an oct4ba2.tmp.exe file being reported as having been downloaded and of suspicious origin, each time im given the option of removing the program but it persists each time on computer startup. I downloaded malwarebytes and have attempted to use that program but havent seen any proogress from simply scanning and quaraanting the problem, any help would be greatly appreciated.

Link to post
Share on other sites
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends of your system and computer specs;
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button;
    • If it asks you to restart your computer to complete the removal, do so;
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply;
Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/4/17
Scan Time: 9:40 AM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2290
License: Trial

-System Information-
OS: Windows 10 (Build 14393.1358)
CPU: x64
File System: NTFS
User: LAPTOP-F9KC7O72\RReub

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404756
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 13 min, 36 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

scan was run once prior to me creating the forum here are the results of that as some items were quarantined

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/3/17
Scan Time: 12:17 PM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2285
License: Trial

-System Information-
OS: Windows 10 (Build 14393.1358)
CPU: x64
File System: NTFS
User: LAPTOP-F9KC7O72\RReub

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404959
Threats Detected: 21
Threats Quarantined: 21
Time Elapsed: 12 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 21
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\CLSID\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\TYPELIB\{921462B2-5269-45A2-AA8D-F8F7A3690255}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\INTERFACE\{FD1B7376-A344-48BD-857D-C87B4D8502EF}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{FD1B7376-A344-48BD-857D-C87B4D8502EF}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{FD1B7376-A344-48BD-857D-C87B4D8502EF}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{921462B2-5269-45A2-AA8D-F8F7A3690255}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{921462B2-5269-45A2-AA8D-F8F7A3690255}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\Amazon1ButtonBrowserHelper.Amazon1ButtonBHO, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\Amazon1ButtonRuntime.AmazonRuntimeServer, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{6557DB6C-EFE1-45AC-92A6-FBB1554B7502}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\TYPELIB\{48DDEC26-CEC3-478E-9566-0842DAF10CEA}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{6B7479D5-C493-40F0-99B6-BFC901980034}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BFF94CF8-2D3B-4B2F-BB83-3600280AFEBA}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{6B7479D5-C493-40F0-99B6-BFC901980034}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BFF94CF8-2D3B-4B2F-BB83-3600280AFEBA}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{48DDEC26-CEC3-478E-9566-0842DAF10CEA}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{48DDEC26-CEC3-478E-9566-0842DAF10CEA}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{6557DB6C-EFE1-45AC-92A6-FBB1554B7502}, Quarantined, [1507], [386607],1.0.2285
PUP.Optional.Amazon1Button, HKLM\SOFTWARE\CLASSES\Amazon1ButtonRuntime.Amazon1ButtonRuntime, Quarantined, [1507], [386607],1.0.2285

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Your FRST logs are incomplete. Did you have any issue with the scan?

  • Step #2 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    •  
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      C:\Users\RReub\AppData\Local\Host App Service\
      HKU\S-1-5-21-925126538-334947261-793745087-1001\...\RunOnce: [Uninstall C:\Users\RReub\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RReub\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64"
      2017-06-12 22:19 - 2017-06-12 22:19 - 00000000 ____D C:\Users\RReub\AppData\Local\GOG.com
      2017-06-12 22:14 - 2017-07-03 13:27 - 00000000 ____D C:\ProgramData\GOG.com
      2017-06-12 22:14 - 2017-07-03 13:27 - 00000000 ____D C:\Program Files (x86)\GOG Galaxy
      2017-06-12 22:12 - 2017-06-12 22:13 - 157116344 _____ (GOG.com ) C:\Users\RReub\Downloads\setup_gwent_1.2.10.31_en.exe
      2017-06-12 22:12 - 2017-06-12 22:13 - 00000064 _____ C:\Users\RReub\Downloads\gogGalaxy(1).auth
      2016-09-16 14:35 - 2016-09-16 14:36 - 58523704 _____ (SweetLabs,Inc.) C:\Users\RReub\AppData\Local\Temp\oct1F9D.tmp.exe
      2017-06-17 12:23 - 2017-06-17 12:23 - 39831840 _____ (SweetLabs,Inc.) C:\Users\RReub\AppData\Local\Temp\octB32D.tmp.exe
      File: C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe
      CMD: bitsadmin /reset /allusers
      CMD: ipconfig /flushdns
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.


  • Step #3 Fix with AdwCleaner
    • Download AdwCleaner by Xplode to your Desktop from the following link.
    • Right-click on AdwCleaner.exe and choose Run as administrator;
    • Click on Option and put a tick mark on everything;
    • Click on Scan and let the program run unhindered;
    • When done, click on Clean and allow the system to reboot after it is done;
    • A log will be opened automatically after the restart. If not, it is located in C:\AdwCleaner\AdwCleaner[CX].txt, where X is replaced with a number;
    • Copy and Paste the contents of this log in your reply.


  • Required Log(s):
    • FRST Fix Log
    • AdwCleaner Log

Regards,
Valinorum

Link to post
Share on other sites

step 2: i may do step 3 tonight or first thing tomorrow around 10

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-07-2017
Ran by RReub (06-07-2017 00:03:00) Run:1
Running from C:\Users\RReub\Desktop
Loaded Profiles: RReub (Available Profiles: RReub)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
C:\Users\RReub\AppData\Local\Host App Service\
HKU\S-1-5-21-925126538-334947261-793745087-1001\...\RunOnce: [Uninstall C:\Users\RReub\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RReub\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64"
2017-06-12 22:19 - 2017-06-12 22:19 - 00000000 ____D C:\Users\RReub\AppData\Local\GOG.com
2017-06-12 22:14 - 2017-07-03 13:27 - 00000000 ____D C:\ProgramData\GOG.com
2017-06-12 22:14 - 2017-07-03 13:27 - 00000000 ____D C:\Program Files (x86)\GOG Galaxy
2017-06-12 22:12 - 2017-06-12 22:13 - 157116344 _____ (GOG.com ) C:\Users\RReub\Downloads\setup_gwent_1.2.10.31_en.exe
2017-06-12 22:12 - 2017-06-12 22:13 - 00000064 _____ C:\Users\RReub\Downloads\gogGalaxy(1).auth
2016-09-16 14:35 - 2016-09-16 14:36 - 58523704 _____ (SweetLabs,Inc.) C:\Users\RReub\AppData\Local\Temp\oct1F9D.tmp.exe
2017-06-17 12:23 - 2017-06-17 12:23 - 39831840 _____ (SweetLabs,Inc.) C:\Users\RReub\AppData\Local\Temp\octB32D.tmp.exe
File: C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\RReub\AppData\Local\Host App Service => moved successfully
HKU\S-1-5-21-925126538-334947261-793745087-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Uninstall C:\Users\RReub\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64 => value removed successfully
C:\Users\RReub\AppData\Local\GOG.com => moved successfully
C:\ProgramData\GOG.com => moved successfully
C:\Program Files (x86)\GOG Galaxy => moved successfully
C:\Users\RReub\Downloads\setup_gwent_1.2.10.31_en.exe => moved successfully
C:\Users\RReub\Downloads\gogGalaxy(1).auth => moved successfully
C:\Users\RReub\AppData\Local\Temp\oct1F9D.tmp.exe => moved successfully
C:\Users\RReub\AppData\Local\Temp\octB32D.tmp.exe => moved successfully

========================= File: C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe ========================

File not signed
MD5: 8213094EA736A9C575AB0E22AD09B0BA
Creation and modification date: 2015-05-19 13:11 - 2015-05-19 13:11
Size: 0335872
Attributes: ----A
Company Name: Intel Corporation
Internal Name: isa.exe
Original Name: isa.exe
Product: Intel(R) Security Assist
Description: Intel(R) Security Assist
File Version: 1.0.0.532
Product Version: 1.0.0.532
Copyright: Copyright ©  2014

====== End of File: ======


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 1671335 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 34526701 B
Java, Flash, Steam htmlcache => 21017650 B
Windows/system/drivers => 645509187 B
Edge => 33239220 B
Chrome => 0 B
Firefox => 375526001 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 5337088 B
systemprofile32 => 0 B
LocalService => 30435890 B
NetworkService => 6154 B
RReub => 2883017150 B

RecycleBin => 150311055 B
EmptyTemp: => 3.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 00:17:29 ====

Link to post
Share on other sites

step 3:

# AdwCleaner v6.047 - Logfile created 06/07/2017 at 00:41:43
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-06.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : RReub - LAPTOP-F9KC7O72
# Running from : C:\Users\RReub\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

 

***** [ Services ] *****

 

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Default\AppData\Local\Host App Service
[-] Folder deleted: C:\Users\Public\Pokki
[-] Folder deleted: C:\Users\Public\App Explorer


***** [ Files ] *****

[-] File deleted: C:\Users\RReub\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\App Explorer.lnk
[-] File deleted: C:\END
[-] File deleted: C:\Users\Public\Desktop\eBay.lnk
[-] File deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\App Explorer.lnk


***** [ DLL ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled Tasks ] *****

[-] Task deleted: App Explorer


***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{EB2BEAEF-150C-4DE4-9D09-F16403C22769}
[-] Key deleted: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKU\S-1-5-21-925126538-334947261-793745087-1001\Software\Host App Service
[-] Key deleted: HKU\S-1-5-21-925126538-334947261-793745087-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[#] Key deleted on reboot: HKCU\Software\Host App Service
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[#] Key deleted on reboot: [x64] HKCU\Software\Host App Service
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\analytics.app.amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\homepage-web.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\analytics.app.amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\homepage-web.com


***** [ Web browsers ] *****

 

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared
:: " Image File Execution Options" keys deleted
:: "Prefetch" files deleted
:: Proxy settings cleared
:: TCP/IP settings cleared
:: Firewall rules cleared
:: IPSec settings cleared
:: BITS queue cleared
:: IE policies deleted
:: Chrome policies deleted
:: Chrome preferences reset: C:\Users\RReub\AppData\Local\Google\Chrome\User Data\Default
:: Hosts file cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3855 Bytes] - [06/07/2017 00:41:43]
C:\AdwCleaner\AdwCleaner[S0].txt - [3542 Bytes] - [06/07/2017 00:39:23]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [4001 Bytes] ##########

Link to post
Share on other sites

Hi RReube :)

Vali is currently away and asked me to step in so you don't get stalled during your clean-up. Fortunately, he was almost done with your system, there's only 2-3 things left to do. Let's start with a JRT scan.

iT103hr.pngJunkware Removal Tool (JRT)

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
    tLsXbWy.png
    Credits : BleepingComputer.com
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Link to post
Share on other sites

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64
Ran by RReub (Administrator) on Sat 07/08/2017 at 21:48:42.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


File System: 0

 


Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{DD8F3CE0-1692-478D-BEA2-D857BC8C314C} (Registry Key)

 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 07/08/2017 at 21:53:26.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Link to post
Share on other sites

They were probably from apps/programs that were bundled with your laptop/computer when you bought them. We call them OEM software. Most of them are borderline PUP/Adware and security vendors can decide to flag them at any moments. The two files in your case where from SweetLabs, which is a known PUP/Adware distributor through Pokki and OpenCandy.

https://en.wikipedia.org/wiki/Pokki
https://en.wikipedia.org/wiki/OpenCandy

Or they were dropped by programs you recently installed.

Edited by Aura
Link to post
Share on other sites

No problem RReube, you're welcome!

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

BWuhenj.pngDelFix
Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options :
    • Activate UAC;
    • Remove disinfection tools;
    • Create registry backup;
    • Purge system restore;
    • Reset system settings;
  • Once all the options mentionned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply;

Qt25440.pngTips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits which is one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like eLDnJfI.pngSecuniaPSI and y5YE7At.pngHeimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Antivirus, Antimalware, Firewall and Anti-Exploit/Ransomware

Having a decent security setup (led by an Antivirus) is the most crucial step to protect a system. These programs are a layer of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Ideally, you should have on your system one Antivirus (never more than one installed at the time), one Antimalware (you can install multiple of these, assuming they do not conflict with each other and the other security programs installed), one Firewall and if you wish, one Anti-Exploit and/or Anti-Ransomware (since Ransomware are currently the most dangerous threat around and it can hit anywhere). Here are a few programs worth checking out if you don't have one yet.

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Antivirus

Antimalware

Firewall
Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.

  • 7p3JzTS.pngGlassWire - Has both a free and paid version (with different packages);
  • MQIMh6k.pngWindows Firewall Control - Gives you more control over your Windows Firewall;
  • 5RXGshU.pngTinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it;

Anti-Exploit/Anti-Ransomware

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits. 

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.

  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome and Mozilla Firefox, called uBlock on Opera);
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera);
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browsers);
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers);
  • uMatrix: For advanced users, a point and click matrix-like extensions that allow you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera);
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser);

As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:


As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :


gRvSooB.pngThe End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you wont!), you can always comeback in this section to get another checkup with one of our trained malware removal member.

Do you have any questions before I close this thread? :)

Link to post
Share on other sites

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.