|
Post by bemills on Feb 23, 2015 6:38:09 GMT -8
That's odd. It has been a long time that I get these warnings from Symantec every time I enable the network card. Today the warning was "Trojan Zbot Activity 15'. Anyway, I ran FRST64 after downloading the file. The machine rebooted with the network card enabled, so for the first time in many months it booted up with it enabled. So far, no warnings from Symantec. Hmmmm. Attached is the resulting file. CUsersBarbaraDesktopFixlog.txt (15.17 KB)
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Feb 23, 2015 23:11:22 GMT -8
Glad to know the fix worked on that problem. We need to see if there is other malware hidden on the system. Read carefullyDownload Adwcleaner from here to your desktop and run a scan. You may have to right click adwcleaner.exe and choose "Run as Administrator" from the menu. (Click the Scan button to start the scanning). It will create a log after it is finished scanning. If not (or if it just asks for you to uncheck what you don't wanted deleted), there is a Report button in the middle of the main window; click that and it will make the log file. Once the report file is made, you can leave AdwCleaner running (but don't delete anything yet) or you can close it down (we can always get a fresh scan done before the deletions). ONE SCAN ONLY, PLEASEAttach or paste the log back here for review and further instructions. Thanks.
|
|
|
Post by bemills on Feb 24, 2015 6:59:52 GMT -8
Here you go. This is the ADwCleaner[R0].txt file contents:
# AdwCleaner v4.111 - Logfile created 24/02/2015 at 07:57:14 # Updated 18/02/2015 by Xplode # Database : 2015-02-18.3 [Server] # Operating system : Windows 7 Home Premium Service Pack 1 (x64) # Username : Barbara - STUDYPC # Running from : C:\Users\Barbara\Desktop\AdwCleaner.exe # Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage File Found : C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal File Found : C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.saveur.com_0.localstorage File Found : C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.saveur.com_0.localstorage-journal File Found : C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage File Found : C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671} Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3} Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1 Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671} Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17631
-\\ Google Chrome v
[C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms} [C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms} *************************
AdwCleaner[R0].txt - [2339 bytes] - [24/02/2015 07:57:14]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2398 bytes] ##########
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Feb 24, 2015 7:40:37 GMT -8
FIRSTPlease run AdwCleaner again (if you don't have it running from the last scan) and a) Click the Scan Button and wait for the scan to finish, (If Adwcleaner has been left open at the finish of the scan this is already done). b) Make sure in your case all the items under each TAB are ticked / checked then. c) Click the Clean Button and Adwcleaner will process all the items ticked / checked and then may ask for the system to be restarted. d) It should create a new log afterwards (with S0 in the name). e) Please attach or copy the log into your reply here. SECOND(Note: You may have to disable SEP to allow this to scan.) Malwarebytes' Anti-MalwarePlease download the latest version of Malwarebytes' Anti-Malware from HereDouble Click on the mbam-setup.exe file to install the application. Do not check on the Trial of Professional version. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link Once the program has loaded and updated, select " Scan Now >>" to start the scan. The scan may take some time to finish, so please be patient. If any malware is found, you will be presented with a screen like the one below. Please click on the Export Log button and select the As text file from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop). After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that. Please attach the report file to a post here; I will review the file and script what needs to be removed.
|
|
|
Post by bemills on Feb 26, 2015 6:01:44 GMT -8
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Feb 26, 2015 21:54:53 GMT -8
This next step may take a while (just to warn you) ..... ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier. You can leave Norton Enabled even though ESET may warn about it. just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same Please read carefully and Slowly, Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.Take note of the NO tick in the Remove found threats setting below at it needs to have the tick removed.
Hold down Control key and click on the following link to open ESET OnlineScan in a new window. Link =>> ESET Online Scanner << Click the Run ESET Online Scanner located on the left side of the page (not the free trial). For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step) Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop. Double click on the icon on your desktop. Check (accept) the Terms of Use. Click the START button. Accept any security warnings from your browser. Now in the Computer scan settings window that appears:- Make sure that the option Enable detection of potentially unwanted applications is selected. Now click on Advanced Settings and configure the options as follows: Remove found threats is Not checkedScan archives is checkedScan for potentially unsafe applications is checkedEnable Anti-Stealth Technology is checkedNow click on: StartESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats. At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry). Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish. Attach the saved log file in your next reply please. Thanks.
|
|
|
Post by bemills on Feb 28, 2015 6:42:40 GMT -8
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Feb 28, 2015 18:37:29 GMT -8
Yes; long but thorough scan. You may want to read carefully all of this message first before starting the steps. NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemDownload the script file that is attached by right clicking on it and selecting "Save Target As..." or "Save Link As ...." (depends on the browser you are using). Please make sure that the file type is set as Text File (or All Files but NOT as a HTML file) and the files name is Fixlist.txt , have it on the Desktop, so that fixlist.txt is next to FRST64.exe, DO NOT DRAG AND DROP to download the script, it won't work properly for FRST.The script tells FRST what to do. Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..."When the tool opens click Yes to disclaimer. (if it still does) Press the Fix button just once and wait. The script will be processed and your system restarted to complete the removal / breakage of the malware. The tool will make a log on the Desktop (Fixlog.txt) please post it to your reply (attach or paste) Attachments:Fixlist.txt (374 B)
|
|
|
Post by bemills on Mar 1, 2015 8:55:38 GMT -8
That took a little while but certainly not 7 hours. Also, for some reason the Fixlist.txt would not Save AS a text file. I had to login, click on the link, cut and paste the contents to a text file on my desktop. Anyway, here is the Fixlog.txt contents:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-02-2015 Ran by Barbara at 2015-03-01 09:32:58 Run:2 Running from C:\Users\Barbara\Desktop Loaded Profiles: Barbara (Available profiles: Barbara & Administrator) Boot Mode: Normal ==============================================
Content of fixlist: ***************** start CreateRestorePoint: CloseProcesses: C:\Users\Barbara\AppData\Local\Temp\24ac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YJUT23FU\ds[1].htm C:\Users\Barbara\AppData\Local\Temp\24ac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YJUT23FU\v9w2rqju9v[1].htm C:\Windows\Installer\3e73d034.msi EmptyTemp: Reboot: end *****************
Restore point was successfully created. Processes closed successfully. C:\Users\Barbara\AppData\Local\Temp\24ac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YJUT23FU\ds[1].htm => Moved successfully. C:\Users\Barbara\AppData\Local\Temp\24ac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YJUT23FU\v9w2rqju9v[1].htm => Moved successfully. C:\Windows\Installer\3e73d034.msi => Moved successfully. EmptyTemp: => Removed 17.8 GB temporary data.
The system needed a reboot.
==== End of Fixlog 09:46:34 ====
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Mar 1, 2015 9:16:52 GMT -8
If you did not do so at the send of its scan, please uninstall ESET Online Scanner at this time. Next, we need to remove the tools we've used during cleaning your machine. [/a] Ensure the following is ticked: - Activate UAC
- Remove disinfection tools
- Create registry backup
- Purge system restore
- Reset system settings
[/ul] Then click Run. The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply. Once you have the log file saved, please reboot your system to complete the clean up process. Your system looks clean and your logs are fine. Unless Quads wants something else done, you are done and free to go.Final word from me: Surf safely, and watch when installing or letting anything add itself to your system. Remember, the best security is not on your system but in the chair in front of it. Take care and thanks for sticking with us in this rushed time.
|
|