RD Scott

CLOSED Swizzor trojan

Hello,

The file logs.db3 is an SQLite database file; I need the scan report to show the detection. The Emergency Kit scan report can be found in C:\EEK\Reports\.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-2279817092-874154453-1386205992-1001\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKU\S-1-5-21-2279817092-874154453-1386205992-1001\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-2279817092-874154453-1386205992-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
ShellExecuteHooks-x32: No Name - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  -> No File
ShellExecuteHooks-x32: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} -  -> No File
GroupPolicy: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-2279817092-874154453-1386205992-1001\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 -> DefaultScope {A8BB4224-9AB9-4670-9EF9-233AC6CCBA6D} URL =
BHO: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
Toolbar: HKU\S-1-5-21-2279817092-874154453-1386205992-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
Toolbar: HKU\S-1-5-21-2279817092-874154453-1386205992-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF user.js: detected! => C:\Users\Roy\AppData\Roaming\Mozilla\Firefox\Profiles\vavfupnk.default\user.js [2017-12-27]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF => not found
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
S0 aswNdisFlt; C:\WINDOWS\System32\DRIVERS\aswNdisFlt.sys [449896 2015-06-18] (Avast Software s.r.o.)
2017-01-03 16:41 - 2017-01-03 16:41 - 000000000 _____ () C:\Program Files (x86)\GUT2B67.tmp
2016-09-20 18:37 - 2016-10-30 16:16 - 000000174 _____ () C:\Users\Roy\AppData\Roaming\WB.CFG
2010-11-02 17:07 - 2014-04-24 17:32 - 000088064 _____ () C:\Users\Roy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-12-20 10:14 - 2016-12-20 10:14 - 000000017 _____ () C:\Users\Roy\AppData\Local\resmon.resmoncfg
HKU\S-1-5-21-2279817092-874154453-1386205992-1001\...\ChromeHTML: ->  <==== ATTENTION
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 1 (GFS Unread Stub)] -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} =>  -> No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 2 (GFS Stub)] -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} =>  -> No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)] -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} =>  -> No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 3 (GFS Folder)] -> {16F3DD56-1AF5-4347-846D-7C10C4192619} =>  -> No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 4 (GFS Unread Mark)] -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} =>  -> No File
ShellIconOverlayIdentifiers-x32: [Offline Files] -> {750fdf0e-2a26-11d1-a3ea-080036587f03} =>  -> No File
ContextMenuHandlers1: [ExpressZip] -> {8EEA165E-0B8B-4BA7-9796-50214C767171} =>  -> No File
ContextMenuHandlers1: [XXX Groove GFS Context Menu Handler XXX] -> {6C467336-8281-4E60-8204-430CED96822D} =>  -> No File
ContextMenuHandlers3-x32: [XXX Groove GFS Context Menu Handler XXX] -> {6C467336-8281-4E60-8204-430CED96822D} =>  -> No File
ContextMenuHandlers4: [XXX Groove GFS Context Menu Handler XXX] -> {6C467336-8281-4E60-8204-430CED96822D} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [XXX Groove GFS Context Menu Handler XXX] -> {6C467336-8281-4E60-8204-430CED96822D} =>  -> No File
ContextMenuHandlers1_S-1-5-21-2279817092-874154453-1386205992-1001: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
Task: {2B6E236A-A0C3-4A5C-AE30-2D6913E378EA} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2CEC64FE-9395-4E7F-8097-561A45E8A957} - \Safer-Networking\Spybot - Search and Destroy\Check for updates -> No File <==== ATTENTION
Task: {2CF1CB35-7BFD-4A33-9F36-343BABFFE21B} - \avast! Emergency Update -> No File <==== ATTENTION
Task: {36B490B6-1978-4D57-B1E4-65801B1C87BF} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {38A43568-FB0B-4E39-9C08-6F855B3137B5} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {63F104C3-C099-4383-9C77-155336AA17B7} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {69389675-766C-4E34-82AF-B165C64761FD} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {77B23120-AB60-42E5-A642-CFC3CE4FDD15} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {78EFD1BA-B4C9-4AB6-B12E-9A031964D78E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {7D9BC803-3B84-4FE9-8BD9-65513A49EB4C} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {8A045402-2A25-44EB-A987-3C8DD86F585C} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {A7794F12-6EC9-4DA7-A521-A7784724E298} - \Safer-Networking\Spybot - Search and Destroy\Scan the system -> No File <==== ATTENTION
Task: {BB9F0691-3126-49EE-9877-CE954441D618} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {DD8B00CB-C923-4CB6-A0A4-15473DAE792B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {DF5363EF-DB03-4B6F-A508-A238D4B4A489} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {E1AA2AE5-B7DD-4D39-AACD-E56DAB0C914F} - no filepath
Task: {E63FDB19-77BB-4AF3-8459-7B5F59EC95A0} - \Safer-Networking\Spybot - Search and Destroy\Refresh immunization -> No File <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
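To triage FRST output like the fixlist above without hand-reading every entry, here is an added Python helper (not the forum's or Emsisoft's code) that classifies FRST-style lines by section prefix, CLSID, and the reason they merit review (FRST's own ATTENTION marker, orphaned entries whose target file is gone, and browser/Explorer policy restrictions). The sample lines are constructed from entries in this thread.

```python
import re
from collections import Counter

# Constructed sample in FRST's report format, modelled on the fixlist lines in this thread.
SAMPLE = r"""
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
ShellExecuteHooks-x32: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} -  -> No File
GroupPolicy: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
BHO: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
Task: {2CF1CB35-7BFD-4A33-9F36-343BABFFE21B} - \avast! Emergency Update -> No File <==== ATTENTION
Task: {E1AA2AE5-B7DD-4D39-AACD-E56DAB0C914F} - no filepath
2017-01-03 16:41 - 2017-01-03 16:41 - 000000000 _____ () C:\Program Files (x86)\GUT2B67.tmp
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ")  # FRST "date - date - size" file lines


def classify(line):
    """Classify one FRST line: its section prefix, any CLSID, and why it needs review."""
    category = "File" if FILE_RE.match(line) else line.split(":", 1)[0].strip()
    guid = GUID_RE.search(line)
    reasons = []
    if "<==== ATTENTION" in line:           # FRST's own marker for a suspicious setting
        reasons.append("flagged")
    if "-> No File" in line or "=> not found" in line or line.endswith("no filepath"):
        reasons.append("orphan")            # registry/task entry whose target file is gone
    if "Restriction" in line or "\\Policies\\" in line:
        reasons.append("policy")            # policy keys that can restrict browsers/Explorer
    return {"category": category, "guid": guid.group(0) if guid else None, "reasons": reasons}


def triage(text):
    """Classify every non-blank line of an FRST report or fixlist."""
    return [classify(l) for l in text.splitlines() if l.strip()]


def summarize(text):
    """Count how many entries fall under each review reason."""
    return dict(Counter(r for row in triage(text) for r in row["reasons"]))


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['category']:<36} {row['guid'] or '-':<40} {','.join(row['reasons']) or 'clean'}")
    print(summarize(SAMPLE))
```

Point `triage` at the text of an FRST.txt or fixlist.txt to get the same breakdown for a full report.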


Looks like you got some adware installed according to the scan report.

See if a system restart fixes the issue with our software, if not you may need to reinstall it.

Please download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on the AdwCleaner icon to run it.
  3. You will need to accept the license agreement from Malwarebytes in order to continue.
  4. Click on the Scan button in the lower-left.
  5. When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
  6. If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
  7. AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
  8. After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
  9. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  10. Please attach that log file to a reply for me to review.
  11. If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.


Ran AdwCleaner and cleaned most of the PUPs. I wanted to keep one (ACS). Outlook and Quicken still don't load. The other .png is the Quicken message.

Since Emsisoft wasn't loading, I thought if I uninstalled the older trial version and installed a newer version I could put the license code in. There is still an anti-malware folder. If I deleted the folder, would it then allow me to install the latest download?

Thanks for all the time so far.

AdwCleaner[C0].txt

Capture.PNG

quiken.PNG


To remove any remnants of EAM/EEK/EIS use our Emsisoft Cleaning Tool.

Download EmsiClean to your Desktop: https://dl.emsisoft.com/Emsiclean.zip
 
After you downloaded the tool, just run it. Read the disclaimer carefully and press "Yes" if you accept it. The tool will then show a list of all Emsisoft objects it found installed on your system. Simply enable the check boxes of all objects you want to remove. Be careful with objects of type "Folder" though and check their contents before selecting them for removal, as they may still contain data that you may want to save first. Then press the "Remove selected objects" button and reboot when asked.

Install Emsisoft Anti-Malware and enter your license information when prompted.

Run fresh scans with EAM and FRST, and attach the new EAM and FRST scan reports to your reply.

Edited by GT500
Updated link for Emsiclean. There are now two versions (32-bit and 64-bit) bundled in a ZIP archive. Run EmsiClean64, and if you see an error message then run EmsiClean32.


The only way to fix Quicken is to reinstall it. You should be able to Repair Outlook from Programs and Features in the Control Panel.

Yes, the EAM detections are all PUPs. You can let EAM quarantine those if it is something you do not want on the system.


Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your System Drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
