Vosteran (resolved)


  • This topic is locked
26 replies to this topic

#1 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 10 January 2015 - 06:41 AM

Vosteran search popup when starting the Chrome browser... cannot find it in Add/Remove Programs.

 

Attached File  aswMBR.txt   2.44KB   215 downloads
Attached File  FRST_10-01-2015_07-27-49.txt   24.44KB   265 downloads
Attached File  Addition_10-01-2015_07-27-48.txt   33.67KB   205 downloads



#2 Juliet

Juliet

    SuperHelper

  • Retired Classroom Teacher
  • 7,686 posts
  • Interests:Boo!....
  • MVP

Posted 10 January 2015 - 01:47 PM

Hi
Running from C:\Users\William\Downloads
We need to move FRST from your downloads folder to desktop

Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE

Farbar Recovery Scan Tool should now be on desktop.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
 

start
CloseProcesses:
HKLM-x32\...\Winlogon: [Shell] explorer.exe, C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe [13848576 ] () <=== ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1328426514-2669664763-694145802-1001 -> {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/...=MSSEDF&pc=MSE1
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=MDAE3EEB0-4A1E-4A3B-9753-6F5260EA3613&SearchSource=55&CUI=&UM=6&UP=SP904D0DAA-292A-43F8-AA60-2FEC3E1140F3&SSPV=
CHR StartupUrls: Default -> "hxxp://www.msn.com/", "hxxp://Vosteran.com/?f=7&a=vst_frmr_15_02_ch&cd=2XzuyEtN2Y1L1Qzu0EtDyCzyzyyDtAtD0ByC0EyBzytAyE0BtN0D0Tzu0StCtCtDtAtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDyD1V1QtN1L1G1B1V1N2Y1L1Qzu2SyEzyyBtByBtCzytDtGtCyE0A0EtG0B0C0A0EtG0D0C0DyDtGtCtAtB0DtBzzzzyByDtBtDyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szyzy0CyByEtAzzyDtGyByDzzyEtGyE0B0CtDtGzztBzytBtG0FtAzyzztAyCzyyDyC0E0FyE2Q&cr=1861526441&ir="
S2 cyycfhtzro64; C:\Program Files\005\cyycfhtzro64.exe run options=01110010050000000000000000000000 sourceguid=B021CBBD-E38E-4F8C-8E93-6624B0597A23 [X]
C:\Program Files\005\cyycfhtzro64.exe
C:\Users\William\AppData\Local\Temp\bitool.dll
C:\Users\William\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4a4gve.dll
C:\Users\William\AppData\Local\Temp\DTLite4491-0356.exe
C:\Users\William\AppData\Local\Temp\Gtuner.exe
C:\Users\William\AppData\Local\Temp\HPPSdr.exe
C:\Users\William\AppData\Local\Temp\ICReinstall_CR_Downloader_for_mega-man-4.exe
C:\Users\William\AppData\Local\Temp\ICReinstall_samsung-usb-driver-for-mobile-phones.exe
C:\Users\William\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\nsiD758.tmp.exe
C:\Users\William\AppData\Local\Temp\nsk2297.exe
C:\Users\William\AppData\Local\Temp\nso2092.exe
C:\Users\William\AppData\Local\Temp\nsu3BEE.exe
C:\Users\William\AppData\Local\Temp\nsv3E60.exe
C:\Users\William\AppData\Local\Temp\nszCF8B.exe
C:\Users\William\AppData\Local\Temp\proxy_vole6791855571275520233.dll
C:\Users\William\AppData\Local\Temp\Quarantine.exe
C:\Users\William\AppData\Local\Temp\raptrpatch.exe
C:\Users\William\AppData\Local\Temp\raptr_stub.exe
C:\Users\William\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe
C:\Users\William\AppData\Local\Temp\siinst.exe
C:\Users\William\AppData\Local\Temp\sqlite3.dll
C:\Users\William\AppData\Local\Temp\strings.dll
C:\Users\William\AppData\Local\Temp\Wildstar.exe
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:B1FBBD09
EmptyTemp:
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


*******

Since you have a Windows 8.1 machine, a couple of tools might not run; if so, just continue to the next.

AdwCleaner
  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
~~~~~~~
please post
Fixlog.txt
C:\AdwCleaner.txt
JRT.txt
Sometimes the angels fly close enough to you that you can hear the flutter of their wings...


MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??

#3 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 11 January 2015 - 05:51 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-01-2015
Ran by William at 2015-01-11 06:46:37 Run:1
Running from C:\Users\William\Desktop
Loaded Profile: William (Available profiles: William)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CloseProcesses:
HKLM-x32\...\Winlogon: [Shell] explorer.exe, C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe [13848576 ] () <=== ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1328426514-2669664763-694145802-1001 -> {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/...=MSSEDF&pc=MSE1
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=MDAE3EEB0-4A1E-4A3B-9753-6F5260EA3613&SearchSource=55&CUI=&UM=6&UP=SP904D0DAA-292A-43F8-AA60-2FEC3E1140F3&SSPV=
CHR StartupUrls: Default -> "hxxp://www.msn.com/", "hxxp://Vosteran.com/?f=7&a=vst_frmr_15_02_ch&cd=2XzuyEtN2Y1L1Qzu0EtDyCzyzyyDtAtD0ByC0EyBzytAyE0BtN0D0Tzu0StCtCtDtAtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDyD1V1QtN1L1G1B1V1N2Y1L1Qzu2SyEzyyBtByBtCzytDtGtCyE0A0EtG0B0C0A0EtG0D0C0DyDtGtCtAtB0DtBzzzzyByDtBtDyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szyzy0CyByEtAzzyDtGyByDzzyEtGyE0B0CtDtGzztBzytBtG0FtAzyzztAyCzyyDyC0E0FyE2Q&cr=1861526441&ir="
S2 cyycfhtzro64; C:\Program Files\005\cyycfhtzro64.exe run options=01110010050000000000000000000000 sourceguid=B021CBBD-E38E-4F8C-8E93-6624B0597A23 [X]
C:\Program Files\005\cyycfhtzro64.exe
C:\Users\William\AppData\Local\Temp\bitool.dll
C:\Users\William\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4a4gve.dll
C:\Users\William\AppData\Local\Temp\DTLite4491-0356.exe
C:\Users\William\AppData\Local\Temp\Gtuner.exe
C:\Users\William\AppData\Local\Temp\HPPSdr.exe
C:\Users\William\AppData\Local\Temp\ICReinstall_CR_Downloader_for_mega-man-4.exe
C:\Users\William\AppData\Local\Temp\ICReinstall_samsung-usb-driver-for-mobile-phones.exe
C:\Users\William\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\William\AppData\Local\Temp\nsiD758.tmp.exe
C:\Users\William\AppData\Local\Temp\nsk2297.exe
C:\Users\William\AppData\Local\Temp\nso2092.exe
C:\Users\William\AppData\Local\Temp\nsu3BEE.exe
C:\Users\William\AppData\Local\Temp\nsv3E60.exe
C:\Users\William\AppData\Local\Temp\nszCF8B.exe
C:\Users\William\AppData\Local\Temp\proxy_vole6791855571275520233.dll
C:\Users\William\AppData\Local\Temp\Quarantine.exe
C:\Users\William\AppData\Local\Temp\raptrpatch.exe
C:\Users\William\AppData\Local\Temp\raptr_stub.exe
C:\Users\William\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe
C:\Users\William\AppData\Local\Temp\siinst.exe
C:\Users\William\AppData\Local\Temp\sqlite3.dll
C:\Users\William\AppData\Local\Temp\strings.dll
C:\Users\William\AppData\Local\Temp\Wildstar.exe
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:B1FBBD09
EmptyTemp:
End
*****************
 
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-1328426514-2669664763-694145802-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{80c554b9-c7f8-4a21-9471-06d606da78a2}" => Key deleted successfully.
HKCR\CLSID\{80c554b9-c7f8-4a21-9471-06d606da78a2} => Key not found. 
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
cyycfhtzro64 => Service deleted successfully.
"C:\Program Files\005\cyycfhtzro64.exe" => File/Directory not found.
C:\Users\William\AppData\Local\Temp\bitool.dll => Moved successfully.
"C:\Users\William\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4a4gve.dll" => File/Directory not found.
C:\Users\William\AppData\Local\Temp\DTLite4491-0356.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\Gtuner.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\HPPSdr.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\ICReinstall_CR_Downloader_for_mega-man-4.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\ICReinstall_samsung-usb-driver-for-mobile-phones.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\nsiD758.tmp.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\nsk2297.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\nso2092.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\nsu3BEE.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\nsv3E60.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\nszCF8B.exe => Moved successfully.
"C:\Users\William\AppData\Local\Temp\proxy_vole6791855571275520233.dll" => File/Directory not found.
C:\Users\William\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\raptrpatch.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\raptr_stub.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\siinst.exe => Moved successfully.
C:\Users\William\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\William\AppData\Local\Temp\strings.dll => Moved successfully.
C:\Users\William\AppData\Local\Temp\Wildstar.exe => Moved successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
C:\ProgramData\TEMP => ":B1FBBD09" ADS removed successfully.
EmptyTemp: => Removed 15.2 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 06:46:48 ====


#4 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 11 January 2015 - 06:03 AM

# AdwCleaner v4.107 - Report created 11/01/2015 at 06:53:50
# Updated 07/01/2015 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : William - BILL-PC
# Running from : C:\Users\William\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v39.0.2171.95
 
 
-\\ Chromium v
 
 
*************************
 
AdwCleaner[R0].txt - [5459 octets] - [10/01/2015 06:51:35]
AdwCleaner[R1].txt - [874 octets] - [10/01/2015 06:55:37]
AdwCleaner[R2].txt - [986 octets] - [11/01/2015 06:52:15]
AdwCleaner[R3].txt - [788 octets] - [11/01/2015 06:53:50]
AdwCleaner[S0].txt - [4470 octets] - [10/01/2015 06:52:38]
AdwCleaner[S1].txt - [934 octets] - [10/01/2015 06:56:42]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R3].txt - [966 octets] ##########


#5 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 11 January 2015 - 06:04 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8.1 Pro x64
Ran by William on Sun 01/11/2015 at  6:57:26.51
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\browserpluginhelper
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Program Files (x86)\myfree codec"
Successfully deleted: [Folder] "C:\Users\William\documents\optimizer pro"
Successfully deleted: [Empty Folder] C:\Users\William\appdata\local\{95DD20F6-507D-4254-B0C6-D187C2769568}
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/11/2015 at  6:58:43.90
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#6 Juliet

Juliet

    SuperHelper

  • Retired Classroom Teacher
  • 7,686 posts
  • Interests:Boo!....
  • MVP

Posted 11 January 2015 - 06:35 AM

Tell me, how is the computer now?


Download Malwarebytes Anti-Malware http://www.bleepingc...s-anti-malware/ to your desktop.
  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
    • On the Dashboard click on Update Now
    • Go to the Setting Tab
    • Under Setting go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
  • Then click on Scan
  • When the scan is finished and the log pops up...select Copy to Clipboard
  • Please paste the log back into this thread for review
  • Exit Malwarebytes
  • ***************************************

    What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner, the most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending, of course, on how full your computer is.


    Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.
    • Note:
      For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
    • Click the blue Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
    • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
    • Click on Advanced Settings
    • Make sure that the option Remove found threats is unticked.
    • Ensure these options are ticked
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    • Click Start
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
    • Close the ESET online scan.
please post
Malwarebytes log
Eset log

#7 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 11 January 2015 - 06:49 AM

It's the same. When I start Chrome, two Vosteran tabs open instead of one.



#8 Juliet

Juliet

    SuperHelper

  • Retired Classroom Teacher
  • 7,686 posts
  • Interests:Boo!....
  • MVP

Posted 11 January 2015 - 06:53 AM

Download Malwarebytes Anti-Malware http://www.bleepingc...s-anti-malware/ to your desktop.

  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
    • On the Dashboard click on Update Now
    • Go to the Setting Tab
    • Under Setting go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
  • Then click on Scan
  • When the scan is finished and the log pops up...select Copy to Clipboard
  • Please paste the log back into this thread for review
  • Exit Malwarebytes
  • ***************************************

    What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner, the most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending, of course, on how full your computer is.


    Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.
    • Note:
      For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
    • Click the blue Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
    • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
    • Click on Advanced Settings
    • Make sure that the option Remove found threats is unticked.
    • Ensure these options are ticked
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    • Click Start
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
    • Close the ESET online scan.
please post
Malwarebytes log
Eset log



#9 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 11 January 2015 - 07:01 AM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/11/2015
Scan Time: 7:56:00 AM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.01.11.05
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: William
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357334
Time Elapsed: 4 min, 37 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 5
PUP.Optional.TopArcadeHits.A, HKU\S-1-5-21-1328426514-2669664763-694145802-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{CF190686-9E72-403C-B99D-682ABDB63C5B}, , [150cac4a6b1e7db9ef4a50cf9d66b64a], 
PUP.Optional.Highlightly, HKLM\SOFTWARE\WOW6432NODE\Highlightly, , [5ac71adc4247181e82a37c5ed52fe61a], 
PUP.Optional.DownloadTerms.A, HKLM\SOFTWARE\WOW6432NODE\DOWNLOADTERMS, , [a37ea5512267a5919311e00b8b7936ca], 
PUP.Optional.DealCabby.A, HKU\S-1-5-21-1328426514-2669664763-694145802-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DealCabby, , [81a0e90dc4c567cf64c738b4f50fba46], 
PUP.Optional.DownloadTerms.A, HKU\S-1-5-21-1328426514-2669664763-694145802-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DOWNLOADTERMS, , [a57c28ce5c2d56e07e2713d80103fd03], 
 
Registry Values: 8
Backdoor.Agent.PGen, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|Policies, C:\WINDOWS\system32\directx\diagx.exe, , [de43a5515d2c4cea6be485fbb1533dc3]
PUP.Optional.DownloadTerms.A, HKLM\SOFTWARE\WOW6432NODE\DOWNLOADTERMS|age, 1369540800, , [a37ea5512267a5919311e00b8b7936ca]
Backdoor.Agent.PGen, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|Policies, C:\WINDOWS\system32\directx\diagx.exe, , [e33e7f7771184de9e46bfb857391619f]
PUP.Optional.BrowserManager.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|FUPM Browser, C:\Program Files (x86)\FUPM Browser\BrowserManager.exe, , [0120c4327b0e63d3e45418685ea5817f]
PUP.Optional.BrowserManager.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BrowserManager, C:\Program Files (x86)\FUPM Browser\BrowserManager.exe, , [8d941ed8f693b2841524a2dea65d07f9]
PUP.Optional.DownloadTerms.A, HKU\S-1-5-21-1328426514-2669664763-694145802-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DOWNLOADTERMS|age, 1369540800, , [a57c28ce5c2d56e07e2713d80103fd03]
Trojan.Agent.CNS, HKU\S-1-5-21-1328426514-2669664763-694145802-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, explorer.exe, C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe, , [e8397383ef9afd390f66c9a64db6ac54]
Backdoor.Agent.PGen, HKU\S-1-5-21-1328426514-2669664763-694145802-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|Policies, C:\WINDOWS\system32\directx\diagx.exe, , [c35ec135aedb8da97bd3c6badd27fe02]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 5
PUP.Optional.DealPly.A, C:\Users\William\AppData\Roaming\DealPly, , [c95853a30386ca6caf40131fa65dff01], 
PUP.Optional.DealPly.A, C:\Users\William\AppData\Roaming\DealPly\UpdateProc, , [c95853a30386ca6caf40131fa65dff01], 
PUP.Optional.NextLive.A, C:\Users\William\AppData\Roaming\newnext.me, , [e938669097f275c1bdfd66cecd3606fa], 
PUP.Optional.NextLive.A, C:\Users\William\AppData\Roaming\newnext.me\cache, , [e938669097f275c1bdfd66cecd3606fa], 
PUP.Optional.Updater.A, C:\Users\William\AppData\Roaming\DSite\UpdateProc, , [6ab7a3534841aa8caec19eb211f27a86], 
 
Files: 11
PUP.Optional.OpenCandy, C:\Users\William\AppData\Roaming\DTLite4481-0348.exe, , [e33e41b57b0e191d67ffaf07ee17817f], 
PUP.Optional.NextLive.A, C:\Users\William\AppData\Roaming\newnext.me\nengine.dll, , [5fc2af47e1a8ac8aca14b6bf22df5ea2], 
PUP.Optional.NextLive.A, C:\Users\William\AppData\Local\genienext\nengine.dll, , [81a041b53e4bf442cf0f6b0af30ef50b], 
Backdoor.Agent.E, C:\Windows\SysWOW64\directx\diagx.exe, , [49d8a5510485360072a63876758ed927], 
Malware.Trace, C:\Users\William\AppData\Roaming\cglogs.dat, , [a37e4ea8d0b9ad898d1c9d4129da2ad6], 
PUP.Optional.PricePeep.A, C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_licjnkifamhpbaefhdpacpmihicfbomb_0.localstorage, , [cf525a9c8ffac67083e9449e51b342be], 
PUP.Optional.DealPly.A, C:\Users\William\AppData\Roaming\DealPly\UpdateProc\config.dat, , [c95853a30386ca6caf40131fa65dff01], 
PUP.Optional.NextLive.A, C:\Users\William\AppData\Roaming\newnext.me\nengine.cookie, , [e938669097f275c1bdfd66cecd3606fa], 
PUP.Optional.NextLive.A, C:\Users\William\AppData\Roaming\newnext.me\cache\spark.bin, , [e938669097f275c1bdfd66cecd3606fa], 
PUP.Optional.Updater.A, C:\Users\William\AppData\Roaming\DSite\UpdateProc\config.dat, , [6ab7a3534841aa8caec19eb211f27a86], 
PUP.Optional.Updater.A, C:\Users\William\AppData\Roaming\DSite\UpdateProc\TTL.DAT, , [6ab7a3534841aa8caec19eb211f27a86], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
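A helper reads a log like the one above by eye, picking out the threat class and the persistence locations (Run keys, Policies\Explorer\Run, the Winlogon Shell value) before deciding whether the backdoor warning applies. As an added example, not code from this thread, from Malwarebytes or from FRST, the Python below parses lines in that log's format and makes that triage explicit, including the same Winlogon Shell check that the diagx.exe line in the FRST fixlist in post #2 targets. The sample lines, the hashes and the user name are constructed.

```python
"""Triage Malwarebytes Anti-Malware 2.x detection lines.

Added example for this thread; it is not code from the forum, from Malwarebytes
or from FRST. The line format follows the log posted above: threat name, then a
registry key (with |ValueName) or a file path, optional data fields, an empty
field and a bracketed 32-hex-digit hash. SAMPLE_LOG below is constructed to
mirror that format with placeholder hashes and an invented user name.
"""
import re
from dataclasses import dataclass

HASH_RE = re.compile(r"\[[0-9a-f]{32}\]")

# Threat-name prefixes, scored by how much they should worry the helper.
SEVERITY = {
    "Backdoor": 3,  # remote-control capability: triggers the password warning
    "Trojan": 3,
    "Malware": 2,   # e.g. Malware.Trace leftovers
    "PUP": 1,       # adware and bundled junk
    "PUM": 1,
}

# Registry locations that hand code a foothold at every logon.
PERSISTENCE = (
    re.compile(r"\\WINLOGON\|SHELL$", re.I),
    re.compile(r"\\CURRENTVERSION\\RUN\|", re.I),
    re.compile(r"\\POLICIES\\EXPLORER\\RUN\|", re.I),
)


@dataclass
class Detection:
    threat: str
    location: str
    data: str
    severity: int
    persistence: bool


def parse_line(line):
    """Parse one detection line; return None for headers and blank lines."""
    parts = [p.strip() for p in line.strip().split(",")]
    while parts and parts[-1] == "":
        parts.pop()  # some lines carry a trailing ", "
    if len(parts) < 3 or not HASH_RE.fullmatch(parts[-1]):
        return None
    threat, location = parts[0], parts[1]
    # Data fields may themselves contain commas (a Shell value does), so
    # rejoin everything between the location and the hash, dropping empties.
    data = ", ".join(p for p in parts[2:-1] if p)
    prefix = threat.split(".")[0]
    return Detection(
        threat=threat,
        location=location,
        data=data,
        severity=SEVERITY.get(prefix, 0),
        persistence=any(rx.search(location) for rx in PERSISTENCE),
    )


def shell_extras(shell_value):
    """Return every entry of a Winlogon Shell value other than explorer.exe.

    A clean value is exactly 'explorer.exe'; each extra entry is started at
    logon, which is how the diagx.exe entry in the FRST fixlist persisted.
    """
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def triage(log_text):
    """Summarise a whole log: counts, persistence hits and whether the
    backdoor warning from the thread applies."""
    detections = [d for d in map(parse_line, log_text.splitlines()) if d]
    extras = []
    for d in detections:
        if d.location.upper().endswith("\\WINLOGON|SHELL"):
            extras.extend(shell_extras(d.data))
    return {
        "count": len(detections),
        "max_severity": max((d.severity for d in detections), default=0),
        "persistence": [d.location for d in detections if d.persistence],
        "backdoor_warning": any(d.threat.startswith("Backdoor.") for d in detections),
        "shell_extras": extras,
    }


# Constructed sample in the posted log's format (placeholder hashes, invented user).
SAMPLE_LOG = r"""
Registry Values: 3
Backdoor.Agent.PGen, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|Policies, C:\WINDOWS\system32\directx\diagx.exe, , [00000000000000000000000000000001]
PUP.Optional.BrowserManager.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BrowserManager, C:\Program Files (x86)\FUPM Browser\BrowserManager.exe, , [00000000000000000000000000000002]
Trojan.Agent.CNS, HKU\S-1-5-21-0-0-0-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, explorer.exe, C:\Users\Example\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe, , [00000000000000000000000000000003]

Files: 1
PUP.Optional.DealPly.A, C:\Users\Example\AppData\Roaming\DealPly\UpdateProc\config.dat, , [00000000000000000000000000000004], 
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```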


#10 Juliet

Juliet

    SuperHelper

  • Retired Classroom Teacher
  • 7,686 posts
  • Interests:Boo!....
  • MVP

Posted 11 January 2015 - 07:08 AM

Were you able to run Eset?



#11 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 11 January 2015 - 07:10 AM

It's running now.



#12 Juliet

Juliet

    SuperHelper

  • Retired Classroom Teacher
  • 7,686 posts
  • Interests:Boo!....
  • MVP

Posted 11 January 2015 - 07:16 AM

good

#13 bill213

bill213

    New Member

  • Authentic Member
  • 16 posts

Posted 11 January 2015 - 08:06 AM

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Mobogenie\nengine.dll.vir Win32/NextLive.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\WINDOWS\System32\drivers\netfilter64.sys.vir a variant of Win64/Riskware.NetFilter.F application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\bitool.dll.xBAD Win32/Somoto.C potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\DTLite4491-0356.exe.xBAD Win32/DownWare.L potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\ICReinstall_CR_Downloader_for_mega-man-4.exe.xBAD a variant of Win32/InstallCore.BY potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\ICReinstall_samsung-usb-driver-for-mobile-phones.exe.xBAD a variant of Win32/InstallCore.BY potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\nsk2297.exe.xBAD Win32/Conduit.SearchProtect.R potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\nso2092.exe.xBAD Win32/Conduit.SearchProtect.R potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\nsu3BEE.exe.xBAD Win32/Conduit.SearchProtect.R potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\nsv3E60.exe.xBAD Win32/Conduit.SearchProtect.R potentially unwanted application
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\nszCF8B.exe.xBAD Win32/Conduit.SearchProtect.R potentially unwanted application
C:\Program Files (x86)\Milestone\MUD\rld.dll Win32/HackTool.Crack.BB potentially unsafe application
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.1.37.zip a variant of Win32/Mobogenie.A potentially unwanted application
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe a variant of Win32/Mobogenie.A potentially unwanted application
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe a variant of Win32/Mobogenie.A potentially unwanted application
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\MUServer.apk a variant of Android/Mobserv.A potentially unwanted application
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll Win32/NextLive.A potentially unwanted application
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe a variant of Win32/Mobogenie.A potentially unwanted application
C:\Users\William\AppData\Roaming\Apple Computer\MobileSync\Backup\dbcbea720481c994ea55a1788150e91d5d01811f\6692793025aa6d397c87371b912530d71bfccec1 Win32/OpenCandy potentially unsafe application
C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe a variant of MSIL/Injector.CVO trojan
C:\Users\William\Downloads\FLVPlayer-Chrome.exe NSIS/TrojanDownloader.Adload.AA trojan
G:\downloads\Shingeki.MSWC.iso Win32/HackTool.Crack.BB potentially unsafe application
G:\downloads\DTLite4481-0348\DTLite4481-0348.exe a variant of MSIL/Injector.CVO trojan


#14 Juliet

Juliet

    SuperHelper

  • Retired Classroom Teacher
  • 7,686 posts
  • Interests:Boo!....
  • MVP

Posted 11 January 2015 - 09:20 AM

Backdoor.Agent.PGen, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|Policies,

Anytime we're notified that an infection has backdoor capabilities, I need to make sure you see this warning.

Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following:

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking/financial purposes until we give it the all clear.

~~~~~~~~~~~~~~~~~~~~~~~~~

Open notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select copy.
Paste this into the open notepad. Save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).
 

start
CloseProcesses:
C:\Program Files (x86)\Milestone\MUD\rld.dll
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.1.37.zip
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\MUServer.apk
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe
C:\Users\William\AppData\Roaming\Apple Computer\MobileSync\Backup\dbcbea720481c994ea55a1788150e91d5d01811f\6692793025aa6d397c87371b912530d71bfccec1
C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe
C:\Users\William\Downloads\FLVPlayer-Chrome.exe
G:\downloads\Shingeki.MSWC.iso
G:\downloads\DTLite4481-0348\DTLite4481-0348.exe
EmptyTemp:
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


*******

Tell me how the computer is now.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings...


MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??

#15 bill213

bill213

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 11 January 2015 - 10:37 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-01-2015
Ran by William at 2015-01-11 11:33:45 Run:3
Running from C:\Users\William\Desktop
Loaded Profile: William (Available profiles: William)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CloseProcesses:
C:\Program Files (x86)\Milestone\MUD\rld.dll
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.1.37.zip
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\MUServer.apk
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe
C:\Users\William\AppData\Roaming\Apple Computer\MobileSync\Backup\dbcbea720481c994ea55a1788150e91d5d01811f\6692793025aa6d397c87371b912530d71bfccec1
C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe
C:\Users\William\Downloads\FLVPlayer-Chrome.exe
G:\downloads\Shingeki.MSWC.iso
G:\downloads\DTLite4481-0348\DTLite4481-0348.exe
EmptyTemp:
End
*****************
 
Processes closed successfully.
C:\Program Files (x86)\Milestone\MUD\rld.dll => Moved successfully.
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.1.37.zip => Moved successfully.
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe => Moved successfully.
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe => Moved successfully.
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\MUServer.apk => Moved successfully.
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll => Moved successfully.
C:\Users\William\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe => Moved successfully.
C:\Users\William\AppData\Roaming\Apple Computer\MobileSync\Backup\dbcbea720481c994ea55a1788150e91d5d01811f\6692793025aa6d397c87371b912530d71bfccec1 => Moved successfully.
C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe => Moved successfully.
C:\Users\William\Downloads\FLVPlayer-Chrome.exe => Moved successfully.
G:\downloads\Shingeki.MSWC.iso => Moved successfully.
G:\downloads\DTLite4481-0348\DTLite4481-0348.exe => Moved successfully.
EmptyTemp: => Removed 342.1 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 11:33:58 ====
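A small checker, added here as an example and not code from the thread, from FRST or from ESET: it parses scanner detection lines of the kind quoted earlier in the thread (path, optional "a variant of", Engine/Name, category) and then reconciles the fixlist from post #14 against the Fixlog in post #15, so a helper can see at a glance which listed paths were moved, which produced some other result, and which the log never mentions. The sample input is constructed from paths quoted in the thread plus one made-up path and one made-up result line; the wording of that non-moved result is an assumption, not a real FRST message.

```python
"""Parse scanner detection lines and reconcile an FRST fixlist with its Fixlog.

Added example, not part of FRST, ESET or this thread. The sample text below
is constructed: thread paths plus one invented path and one invented result.
"""
import re
from collections import Counter

# Detection lines look like "<path> [a variant of] <Engine/Name> <category>".
# Paths may contain spaces, so the detection name (the token holding a '/')
# is the anchor; the category alternation is the set seen in the thread.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?:a variant of )?(?P<name>\S+/\S+) "
    r"(?P<category>potentially unwanted application|potentially unsafe application|trojan)$"
)

# Constructed sample: four detection lines quoted from the thread.
SCAN_OUTPUT = r"""
C:\FRST\Quarantine\C\Users\William\AppData\Local\Temp\nsk2297.exe.xBAD Win32/Conduit.SearchProtect.R potentially unwanted application
C:\Program Files (x86)\Milestone\MUD\rld.dll Win32/HackTool.Crack.BB potentially unsafe application
C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe a variant of MSIL/Injector.CVO trojan
C:\Users\William\Downloads\FLVPlayer-Chrome.exe NSIS/TrojanDownloader.Adload.AA trojan
"""

# Constructed sample fixlist: three thread paths plus one invented path.
FIXLIST = r"""start
CloseProcesses:
C:\Program Files (x86)\Milestone\MUD\rld.dll
C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe
C:\Users\William\Downloads\FLVPlayer-Chrome.exe
C:\Users\William\AppData\Local\Temp\constructed_leftover.exe
EmptyTemp:
End
"""

# Constructed sample Fixlog: the third result line is invented, not FRST wording.
FIXLOG = r"""Processes closed successfully.
C:\Program Files (x86)\Milestone\MUD\rld.dll => Moved successfully.
C:\Users\William\AppData\Roaming\Microsoft\Windows\Templates\diagx.exe => Moved successfully.
C:\Users\William\Downloads\FLVPlayer-Chrome.exe => not moved (constructed sample result).
EmptyTemp: => Removed 342.1 MB temporary data.

The system needed a reboot.
"""


def parse_detections(text):
    """Return one dict per detection line: path, name, category, quarantined."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, anything that is not a detection
        d = m.groupdict()
        # Files under FRST's quarantine folder (renamed .xBAD) are already neutralised;
        # the remaining hits are live files the fixlist still has to deal with.
        d["quarantined"] = d["path"].startswith("C:\\FRST\\Quarantine\\") or d["path"].endswith(".xBAD")
        found.append(d)
    return found


def category_counts(detections):
    """Count detections per category (trojan vs potentially unwanted/unsafe)."""
    return Counter(d["category"] for d in detections)


DIRECTIVE_RE = re.compile(r"^[A-Za-z]+:$")            # CloseProcesses:, EmptyTemp:
RESULT_RE = re.compile(r"^(?P<item>.+?) => (?P<result>.+)$")


def fixlist_paths(text):
    """Paths a fixlist asks FRST to act on; start/End and directives are skipped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower() in ("start", "end") or DIRECTIVE_RE.match(line):
            continue
        paths.append(line)
    return paths


def fixlog_results(text):
    """Map each 'item => result' Fixlog line to its result; keys lower-cased since NTFS paths are case-insensitive."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group("item").strip().lower()] = m.group("result").strip()
    return results


def reconcile(fixlist_text, fixlog_text):
    """Classify every fixlist path as moved, failed (other result) or missing from the log."""
    results = fixlog_results(fixlog_text)
    report = {"moved": [], "failed": {}, "missing": []}
    for p in fixlist_paths(fixlist_text):
        r = results.get(p.lower())
        if r is None:
            report["missing"].append(p)       # log never mentions it: re-check the path
        elif r == "Moved successfully.":
            report["moved"].append(p)
        else:
            report["failed"][p] = r           # anything else needs a human look
    return report


if __name__ == "__main__":
    print(category_counts(parse_detections(SCAN_OUTPUT)))
    for key, value in reconcile(FIXLIST, FIXLOG).items():
        print(key, value)
```

The "missing" bucket is the useful one in practice: a path that appears in the fixlist but nowhere in the Fixlog usually means a typo or a path that changed between the scan and the fix, which is exactly the case where a helper would otherwise assume the file was handled.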
