
  • Root Admin

Hello

@Saraaaaaaa and :welcome:

Please run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click it on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After the reboot, the logfile will open. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks

Ron

Hi Ron,

Thanks for getting back to me.  It looks like the proxyhijacker is still there.  Here's my log from Malwarebytes.

Sara

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/14/2017
Scan Time: 3:42 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.07.14.09
Rootkit Database: v2017.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Accounting 2

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 397930
Time Elapsed: 1 hr, 11 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-3637844358-3531687624-954638136-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:64550;https=127.0.0.1:64550, , [6bc64b1b3970a98de2eaf40c2cd6a65a]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

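The single hit in the log above, a ProxyServer value under the user's Internet Settings key pointing at 127.0.0.1:64550, is exactly what Malwarebytes classes as PUM.Optional.ProxyHijacker: the browser is being sent through a proxy on the same machine, so something local must be listening on that port to relay the traffic. The PowerShell script below is an added example and is not part of the thread or of Malwarebytes' or FRST's own tooling. It reads the WinINET proxy values for every loaded user hive (not only the account running it), flags a proxy that points back at the local machine, uses netstat to show which process is listening on that port, and with -Remove clears the values to the same end state the fixes in this thread leave behind. It assumes Windows 7 or later with Windows PowerShell 2.0 or newer, run from an elevated prompt; the port is read from the registry rather than hard-coded to 64550, and the file name Check-Proxy.ps1 used in the usage note is an assumption.

```powershell
# Added example, not from the original thread: audit per-user WinINET proxy settings.
# Assumes Windows 7+ with Windows PowerShell 2.0+, run elevated so that other
# logged-on users' hives under HKU\S-1-5-21-* are readable.
param([switch]$Remove)   # -Remove clears a loopback proxy instead of only reporting it

$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

# The HKU: drive is not mounted by default; mount it to reach every loaded user hive.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Real accounts have SIDs of the form S-1-5-21-...; this skips the *_Classes hives,
# the service SIDs and .DEFAULT.
$hives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($hive in $hives) {
    $sid = $hive.PSChildName
    $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    Write-Host "== $sid =="
    foreach ($n in $names) {
        $v = $props.$n
        if ($v -ne $null -and "$v" -ne '') { Write-Host ("  {0,-14} {1}" -f $n, $v) }
    }

    # A proxy that points at the local machine is the hallmark of a traffic-intercepting
    # PUP: something on this box has to be listening there to forward the browser's traffic.
    if ([string]$props.ProxyServer -match '(?:127\.0\.0\.1|localhost):(\d+)') {
        $port = $Matches[1]
        Write-Host "  Loopback proxy on port $port; listener:"
        # netstat -ano works on Windows 7, where Get-NetTCPConnection does not exist.
        netstat -ano -p tcp | ForEach-Object {
            if ($_ -match "\s127\.0\.0\.1:$port\s+\S+\s+LISTENING\s+(\d+)") {
                $p = Get-Process -Id ([int]$Matches[1]) -ErrorAction SilentlyContinue
                Write-Host ("    PID {0}  {1}  {2}" -f $Matches[1], $p.ProcessName, $p.Path)
            }
        }
        if ($Remove) {
            # Same end state the FRST/Malwarebytes fixes leave: proxy disabled and values gone.
            Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
            foreach ($n in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
                Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
            }
            Write-Host "  Cleared. If the values are back after a reboot, something is re-creating them."
        }
    }
}
```

Save it as Check-Proxy.ps1 and run .\Check-Proxy.ps1 from an elevated PowerShell prompt (the execution policy may need to allow local scripts); add -Remove to clear the entries. Run it again after a reboot: if the loopback proxy is back, the problem is not the value itself but whatever persistence is rewriting it, which is what the rest of this thread goes looking for.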

  • Root Admin

Please start an elevated Admin command prompt and type the following one by one, pressing the Enter key at the end of each line.
Then shut the computer down and power off. Then turn the power off on your router as well. Leave both off for 2 minutes with no power.
After 2 minutes go ahead and turn your router back on and leave it running for 2 minutes. Then power your computer back on.

ipconfig /flushdns
nbtstat -R
arp -d *
netsh branchcache reset
netsh advfirewall reset
netsh winsock reset
netsh int ipv4 reset
netsh int ipv6 reset
netsh int ip reset c:\resetlog.txt

After the computer powers back on and you're back to the desktop, please run the following again from an elevated admin command prompt:

netsh interface tcp show global
IPCONFIG /ALL

Post back the results of each of those last 2 commands.

After the computer restarts do the following.

Please start an elevated Admin level Command Prompt and type the following exactly and press the Enter key after each line.

SCHTASKS /Query /FO LIST /V >"%USERPROFILE%\Desktop\MyScheduledTasks.txt"

reg export "HKEY_CURRENT_USER\Console" "%USERPROFILE%\Desktop\MyConsoleSettings.txt" /y

Then locate on your desktop the files MyScheduledTasks.txt and MyConsoleSettings.txt, then attach them back on your next reply and I'll take a look and see what's going on.

Thank you

Ron

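Exporting the scheduled tasks, as asked above, is the right next step when a PUM keeps reappearing: a value that returns after every removal is being written by something that persists across reboots, and the usual suspects are a scheduled task, a Run/RunOnce entry or, less often, a WMI event subscription. The PowerShell below is an added example, not part of the thread and not what the forum staff ran; it does that triage in one pass on the machine itself. It parses schtasks /query /fo csv /v (available on Windows 7, where Get-ScheduledTask is not), then the Run and RunOnce keys, then the WMI permanent event consumers, and prints every entry whose command line mentions proxy or Internet Settings, or that launches from a user-writable directory. The patterns are heuristics chosen here and will surface some legitimate software (updaters under ProgramData, for example); read the hits rather than deleting them. It assumes Windows 7 or later with Windows PowerShell 2.0 or newer and an elevated prompt.

```powershell
# Added example, not from the original thread: look for persistence that could be
# re-creating a removed proxy setting. Assumes Windows 7+ with Windows PowerShell 2.0+,
# run from an elevated prompt so machine-wide tasks and HKLM are readable.

# Command lines that restore a proxy usually contain one of these.
$proxyPattern  = 'Internet Settings|ProxyServer|ProxyEnable|AutoConfigURL|\bproxy\b'
# Directories a normal user can write to; signed vendor software rarely launches from
# them, PUPs almost always do. Expect a few legitimate hits (updaters under ProgramData).
$userWritable  = '\\Users\\[^\\]+\\|\\AppData\\|\\ProgramData\\|\\Temp\\'
$metadataProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-Suspicious([string]$CommandLine) {
    return ($CommandLine -match $proxyPattern) -or ($CommandLine -match $userWritable)
}

Write-Host '== Scheduled tasks =='
# schtasks emits one CSV header row per task folder; ConvertFrom-Csv uses the first and
# turns the repeats into rows whose TaskName is literally "TaskName", which are dropped.
schtasks /query /fo csv /v 2>$null |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    ForEach-Object {
        $action = "$($_.'Task To Run') $($_.'Start In')"
        if (Test-Suspicious $action) {
            Write-Host ("  {0}`n    runs : {1}`n    user : {2}   author: {3}   state: {4}" -f $_.TaskName, $_.'Task To Run', $_.'Run As User', $_.Author, $_.'Scheduled Task State')
        }
    }

Write-Host '== Run / RunOnce keys =='
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($metadataProps -contains $prop.Name) { continue }   # provider bookkeeping, not a value
        if (Test-Suspicious ([string]$prop.Value)) {
            Write-Host ("  {0}\{1}`n    runs : {2}" -f $k, $prop.Name, $prop.Value)
        }
    }
}

Write-Host '== WMI permanent event consumers =='
# A __FilterToConsumerBinding that fires a consumer at boot or logon is a less common
# but well-known way to re-apply a setting; list every consumer so none is missed.
Get-WmiObject -Namespace 'root\subscription' -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ("  {0}: {1} {2}" -f $_.Name, $_.ExecutablePath, $_.CommandLineTemplate) }
Get-WmiObject -Namespace 'root\subscription' -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ("  {0}: {1} script, {2} chars" -f $_.Name, $_.ScriptingEngine, ([string]$_.ScriptText).Length) }
```

On a clean machine the WMI section is normally empty and the scheduled-task section shows only vendor updaters; a task whose action is reg.exe or a script that writes to Internet Settings, or an unfamiliar program under AppData that runs at logon, is the entry to export with schtasks /query /xml and hand over before removing it.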

Hi Ron,

I was able to do everything up until those last two commands (that I quoted below). When I typed the first line, I got the message in the attachment (attach1).

I have also attached the requested results of netsh interface tcp show global and IPCONFIG /ALL in the other attachment (attach2).

I did not try the 2nd line below since the first one didn't work. 

Please let me know what to do next.


Thanks!
Sara

On 7/14/2017 at 5:02 PM, AdvancedSetup said:

After the computer restart do the following.

Please start an elevated Admin level Command Prompt and type the following exactly and press the Enter key after each line.

SCHTASKS /Query /FO LIST /V >"%USERPROFILE%\Desktop\MyScheduledTasks.txt"

reg export "HKEY_CURRENT_USER\Console" "%USERPROFILE%\Desktop\MyConsoleSettings.txt" /y

Then locate on your desktop the files MyScheduledTasks.txt and MyConsoleSettings.txt, then attach them back on your next reply and I'll take a look and see what's going on.

Thank you

Ron

Attachments: attach1.docx, attach2.docx

  • Root Admin

Those both look good. Not seeing an issue there. Can I get a new set of FRST logs and I'll go through them again and see what I can find. Not seeing a reason for them to come back.

Are you using any security software that might be restoring the settings?

Ron

  • Root Admin

Thanks for the update Sara. Pretty much what I expected. Don't think the computer is infected. Just trying to find out how/why a bad entry is being restored once removed.

You have an old, possibly compromised version of Java on the computer. Please go into Control Panel, Programs, Add/Remove and uninstall all versions of Java. You can also uninstall the Sophos Virus Removal Tool, then restart the computer.

Who is using LogMeIn on this computer? Do you really want or need it?
There is also UltraVNC which is made to remote control a computer. Did you install it? Are you using it?

You're also using a very old version of The Weather Channel app that is typically heavily laden with advertisements which can help lead to an infection. If this is not the paid version without Ads you might want to consider removing it or at least stop it from loading every time the computer starts.

Are you still using some type of NEOPOST Printing, Stamp, or Documenting device? There are drivers for it loading but not sure if you're still using such a device or not.

https://kb.neopostinc.com/

Once you've uninstalled the Java, and Sophos and have rebooted, please run the following.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks Sara

Ron

Thanks Ron!

When I went to uninstall Java, I could only find one version.  Do the old versions hide somewhere?

As far as LogMeIn and UltraVNC... I log remotely into another computer to do some work, and also, if I have issues with the software I use for that work, I can have someone log into my system remotely. I'm hoping that is what both of those are for.

I also could not find The Weather Channel to uninstall, but I did disable it from loading when I start up my computer.

I do use Neopost, but I uninstalled a new Neopost manager that I had installed a couple months ago.

Sara

  • Root Admin

Sounds good, thanks Sara. Go ahead and uninstall the one Java. Then if you find you do need it make sure you have the latest version from https://java.com

Go ahead and run the FRST fixlist and post back that log. The computer should restart. Then run a new Threat Scan with Malwarebytes and post that log back too.

Thanks

Ron

  • Root Admin

It looks like it is probably due to the SmartApp.

Let's remove the proxy, remove the scheduled task, reboot and then run a new scan with Malwarebytes, and if I'm right it should be gone now.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

This topic is now closed to further replies.