
Win7 laptop has slowed significantly - often CPU at 100%

Win7 slow cpu 100%

  • This topic is locked
25 replies to this topic

#16 dpculbertson

dpculbertson

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 08 July 2019 - 05:09 AM

Hi Juliet,

 

Here is the AdwCleaner.txt file contents.

 

Regards,

David

 

# -------------------------------
# Malwarebytes AdwCleaner 7.3.0.0
# -------------------------------
# Build:    04-04-2019
# Database: 2019-06-28.1 (Cloud)
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    07-08-2019
# Duration: 00:00:12
# OS:       Windows 10 Home
# Cleaned:  16
# Failed:   0
 
 
***** [ Services ] *****
 
No malicious services cleaned.
 
***** [ Folders ] *****
 
Deleted       C:\Program Files (x86)\DriverToolkit
Deleted       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverToolkit
Deleted       C:\ProgramData\apn
Deleted       C:\Users\David\AppData\LocalLow\comcasttb
Deleted       C:\Users\David\AppData\Local\DriverToolkit
 
***** [ Files ] *****
 
Deleted       C:\TOSTACK
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks cleaned.
 
***** [ Registry ] *****
 
Deleted       HKCU\Software\AppDataLow\Software\adawarebp
Deleted       HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\s.thebrighttag.com
Deleted       HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\thebrighttag.com
Deleted       HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\s.thebrighttag.com
Deleted       HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\thebrighttag.com
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Deleted       HKLM\System\CurrentControlSet\Services\EventLog\Application\plsvcv2
Deleted       HKU\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\Updater By Sweetpacks
 
***** [ Chromium (and derivatives) ] *****
 
Deleted       gjkpcnacdgdlpfejlgflolpaigoicibh
 
***** [ Chromium URLs ] *****
 
No malicious Chromium URLs cleaned.
 
***** [ Firefox (and derivatives) ] *****
 
Deleted       Honey
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs cleaned.
 
 
*************************
 
[+] Delete Tracing Keys
[+] Reset Winsock
 
*************************
 
AdwCleaner[S00].txt - [2979 octets] - [08/07/2019 06:38:00]
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########



#17 dpculbertson


Posted 08 July 2019 - 09:49 AM

Hi Juliet,

 

And below is the RogueKiller log contents.

 

Kind regards,

David

 

RogueKiller Anti-Malware V13.3.1.0 (x64) [Jul  1 2019] (Free) by Adlice Software
Operating System : Windows 10 (10.0.17134) 64 bits
Started in : Normal mode
User : David [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190708_101946, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/07/08 07:22:22 (Duration : 03:56:00)
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] \Sony Corporation\VAIO Care\UpdateContacts -- "%ProgramData%\Sony Corporation\VAIO Care\UpdateContacts.exe" [taskschedule] -> Found
[Suspicious.Path (Potentially Malicious)] \Sony Corporation\VAIO Care\UpdateConfig -- "%ProgramData%\Sony Corporation\VCM Data\UpdateConfig.exe" [taskschedule] -> Found
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
  [PUP.Iolo (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\iolo -- N/A -> Found
  [PUP.IncrediMail (Potentially Malicious)] (X64) HKEY_USERS\.DEFAULT\Software\IncrediMail -- N/A -> Found
  [PUP.Iolo (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-3199809883-61864900-496248842-1001\Software\iolo -- N/A -> Found
  [PUP.IncrediMail (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-18\Software\IncrediMail -- N/A -> Found
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.Easeware (Potentially Malicious)] (folder) Easeware -- C:\Users\David\AppData\Roaming\Easeware -> Found
[PUP.Iolo (Potentially Malicious)] (folder) iolo -- C:\Users\David\AppData\Roaming\iolo -> Found
[PUP.Iolo (Potentially Malicious)] (folder) iolo -- C:\ProgramData\iolo -> Found
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> Firefox Addon
  [PUP.Gen2 (Potentially Malicious)] Honey (C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\92o22qtv.default-1497019795269\extensions\jid1-93CWPmRbVPjRQA@jetpack) -- jid1-93CWPmRbVPjRQA@jetpack -> Found
>>>>>> Chrome Addon
  [PUP.Gen0 (Potentially Malicious)] Honey (C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\BMNLCJ~1) -- bmnlcjabgnpnenekpadlanbbkooimhnj -> Found


#18 Juliet

Juliet

    SuperHelper

  • Retired Classroom Teacher
  • 7,686 posts
  • Interests:Boo!....
  • MVP

Posted 08 July 2019 - 10:24 AM

For the Rogue Killer scan, did you allow it to delete what it found?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Let's check for remnants.

You're already running Malwarebytes 3, open Malwarebytes and check for updates. It might have already updated and if so just continue.

Then click on the Scan tab and select Threat Scan and click on Start Scan button.

If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the Reports tab.
Double-click the Scan Log.
At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

You can access the logs by going in the "Reports" tab, clicking on the latest "Scan" entry (the one with detections), then clicking on the "Export" button in the bottom-left corner and selecting "Copy to clipboard". After that, all you have to do is paste it here.
Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~

Emsisoft Emergency Kit - Fix Mode
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Install button to extract the program in the EEK folder;
  • Once the extraction is complete, the EEK folder will open. Right-click on start emergency kit scanner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • EEK will suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let EEK detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on the Quarantine selected button;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, open EEK again (in the C:\EEK folder);
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
Please post these 2 logs when finished.

NOTE:
If nothing is found by Emsisoft no need to worry about posting a log.

How is the computer now?
Sometimes the angels fly close enough to you that you can hear the flutter of their wings...


MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??

#19 dpculbertson


Posted 08 July 2019 - 12:24 PM

Hi Juliet,

 

Below is the RogueKiller logs with the deletes.

 

I will follow up on your next suggestions.

 

Thanks,

David

 

RogueKiller Anti-Malware V13.3.1.0 (x64) [Jul  1 2019] (Free) by Adlice Software
Operating System : Windows 10 (10.0.17134) 64 bits
Started in : Normal mode
User : David [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190708_101946, Driver : Loaded
Mode : Standard Scan, Delete -- Date : 2019/07/08 14:19:18 (Duration : 03:56:00)
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] \Sony Corporation\VAIO Care\UpdateContacts -- "%ProgramData%\Sony Corporation\VAIO Care\UpdateContacts.exe" (taskschedule) -> Deleted
[Suspicious.Path (Potentially Malicious)] \Sony Corporation\VAIO Care\UpdateConfig -- "%ProgramData%\Sony Corporation\VCM Data\UpdateConfig.exe" (taskschedule) -> Deleted
[PUP.Iolo (Potentially Malicious)] HKEY_LOCAL_MACHINE\Software\iolo --  -> Deleted
[PUP.IncrediMail (Potentially Malicious)] HKEY_USERS\.DEFAULT\Software\IncrediMail --  -> Deleted
[PUP.Iolo (Potentially Malicious)] HKEY_USERS\S-1-5-21-3199809883-61864900-496248842-1001\Software\iolo --  -> Deleted
[PUP.IncrediMail (Potentially Malicious)] HKEY_USERS\S-1-5-18\Software\IncrediMail --  -> Deleted
[PUP.Easeware (Potentially Malicious)] Easeware -- %_David_appdata%\Easeware -> Deleted
[PUP.Iolo (Potentially Malicious)] iolo -- %_David_appdata%\iolo -> Deleted
[PUP.Iolo (Potentially Malicious)] iolo -- %programdata%\iolo -> Deleted
[PUP.Gen2 (Potentially Malicious)] Honey -- jid1-93CWPmRbVPjRQA@jetpack -> Deleted
[PUP.Gen0 (Potentially Malicious)] Honey -- bmnlcjabgnpnenekpadlanbbkooimhnj -> Deleted


#20 dpculbertson


Posted 08 July 2019 - 02:12 PM

Hi Juliet,

 

Below is the Malwarebytes log content.

 

Kind regards,

David

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/8/19
Scan Time: 2:38 PM
Log File: 997121a6-a1af-11e9-bfcc-5453ed374f86.json
 
-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11456
License: Trial
 
-System Information-
OS: Windows 10 (Build 17134.829)
CPU: x64
File System: NTFS
User: DPCVAIOT\David
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 426640
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 36 min, 2 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)


#21 dpculbertson


Posted 08 July 2019 - 03:06 PM

Hi Juliet,

 

Below is the content of the Emsisoft log.  I will work with the computer to see if performance is improved.

 

Thank you again for your help.

 

Kind regards,

David

 

Emsisoft Emergency Kit 2019.6.0.9501 stable [en-us]
OS: Windows 10 (Version 10.0, Build 17134, 64-bit Edition)
 
Forensics log
 
Date Component Action Details
7/8/2019 5:01:11 PM User DPCVAIOT\DAVID Infection quarantined PUP "Application.AdSend (A)" in "PLSAPP.EXE".
7/8/2019 5:01:10 PM User DPCVAIOT\DAVID Infection quarantined Malware "Application.Downloader (A)" in "vlcmediaplayer-setup.exe".
7/8/2019 4:59:08 PM Scanner Scan finished Found 2 objects , user to decide on further actions.
7/8/2019 4:46:06 PM Scanner Detection PUP "Application.Downloader (A)" in "vlcmediaplayer-setup.exe" (SHA1: aad3bd46af3d80115486f4085411c35c82154ca5)
7/8/2019 4:22:34 PM Scanner Detection PUP "Application.AdSend (A)" in "PLSAPP.EXE"
7/8/2019 4:22:13 PM User Update Downloaded and installed 78 files (16472 kb) (2 min. 57 sec.).
7/8/2019 4:19:43 PM User DPCVAIOT\David Scan started Malware Scan
7/8/2019 4:19:43 PM User DPCVAIOT\David Setting modified "Detect PUPs" has been changed to "Enabled".
7/8/2019 4:19:17 PM Core Notification "Recommended Reading:9 critical cyber safety lessons to teach your kids".


#22 Juliet


Posted 08 July 2019 - 04:04 PM

looking good

#23 Juliet


Posted 09 July 2019 - 04:29 AM

Think it's time to remove tools and quarantine folders?

#24 dpculbertson


Posted 12 July 2019 - 05:34 AM

Hi Juliet,

 

Sorry for the delay.  Yes, ready to remove.

 

Kind regards,

David



#25 Juliet


Posted 13 July 2019 - 03:25 AM

  • Please download DelFix or from Here and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
  • Click the Run button.
-- This will remove the specialized tools we used to disinfect your system.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
**************

Safe surfing



#26 Juliet


Posted 17 July 2019 - 06:20 PM

Glad we could help.
Since this issue appears resolved ... this Topic is closed.
