cbowen

CLOSED I have some sort of malware or virus.


Kevin, I contacted you in early December and still have a problem. Someone has gotten into my email (Outlook 2010) and has gone to my Amazon account and tried to buy things on my account. I have changed passwords on both Amazon and my ISP provider. Also, IE is running extremely slowly. Nearly unusable. Also, a quick flash of a black box in the upper right quadrant of the screen appears - looks like something opening - just a flash.

I am attaching EEK & FRST logs. Hope we can find out what this is this time.

Many thanks,

Tom

Addition.txt

FRST.txt

scan_180122-060039.txt


I see no malware related issues in your logs.  However, there are a few things that should be fixed.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

SearchScopes: HKLM -> {0005FBEF-10D4-413D-96AB-9E72B6CD367C} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 CSRBC; C:\Windows\System32\Drivers\csrbcx64.sys [38400 2017-04-04] (CSR plc.) [File not signed]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

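As an added example (not code from the thread, from FRST, or from Emsisoft), here is a small Python triage helper that applies the same checks Kevin applied to the entries above: search scopes that point at a non-default provider or have an empty URL, browser plugin registrations whose file is gone, and service/driver entries that are unsigned or whose file is missing. The FRST line layout is assumed from the lines quoted above, and the sample log is constructed.

```python
import re

# Constructed sample of FRST-style entries, modelled on the lines quoted in the fix
# above, plus a Bing search scope and a signed driver as benign contrast (not a real log).
SAMPLE_LOG = """\
SearchScopes: HKLM -> {0005FBEF-10D4-413D-96AB-9E72B6CD367C} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 CSRBC; C:\\Windows\\System32\\Drivers\\csrbcx64.sys [38400 2017-04-04] (CSR plc.) [File not signed]
S3 dbx; system32\\DRIVERS\\dbx.sys [X]
R3 netvsc; C:\\Windows\\System32\\drivers\\netvsc.sys [100000 2017-01-01] (Microsoft Corporation)
"""

# Search providers expected on a stock install (assumed allow-list); anything else is worth a look.
EXPECTED_SEARCH_HOSTS = ("www.bing.com", "www.google.com")

SEARCHSCOPE_RE = re.compile(r"^SearchScopes: .*URL\s*=\s*(?P<url>.*)$")
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://([^/?#]+)", re.IGNORECASE)  # FRST defangs http as hxxp


def triage_line(line):
    """Return a reason string if the FRST entry deserves attention, else None."""
    m = SEARCHSCOPE_RE.match(line)
    if m:
        url = m.group("url").strip()
        if not url:
            return "search scope with empty URL (dangling entry)"
        host = HOST_RE.match(url)
        if not host or host.group(1).lower() not in EXPECTED_SEARCH_HOSTS:
            return "search scope points at a non-default provider"
        return None
    if line.startswith("FF Plugin") and "[No File]" in line:
        return "browser plugin registration whose file is missing"
    if re.match(r"^[SRU]\d+ ", line):  # service/driver entries: "S3 name; path [...]"
        if line.rstrip().endswith("[X]"):
            return "service/driver registered but file missing"
        if "[File not signed]" in line:
            return "driver file is not digitally signed"
    return None


def triage_log(text):
    """Return [(line, reason), ...] for every entry that triage_line flags."""
    return [(l, triage_line(l)) for l in text.splitlines() if triage_line(l)]


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}: {entry}")
```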

Kevin,

Forgot to mention. I have been getting a lot of what I think are re-directs in IE. A screen takes over the window telling me I must update Adobe Acrobat. I got burned a couple of years ago by this so I just bail out on it. I have Secunia PSI to keep everything up to date - per your instructions. Something is causing that re-direct to occur.

Thanks again,

Tom


I recommend that all users stop using Internet Explorer.  It is no longer under development and only receives security fixes.

Redirects like that are almost always a result of a compromised ad network, a compromised website, or visiting sites that engage in copyright infringement or pornography.

Please download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on the AdwCleaner icon to run it.
  3. You will need to accept the license agreement from Malwarebytes in order to continue.
  4. Click on the Scan button in the lower-left.
  5. When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
  6. If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
  7. AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
  8. After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
  9. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  10. Please attach that log file to a reply for me to review.
  11. If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.


Kevin,

I have had AdwCleaner for a few weeks and have run it several times. Today, I updated it and tried to run. It was terminated for some reason. I did, however, find the scan and attached it. There is also a quarantine file which I can send you if you want it. It is from a previous run of AdwCleaner.

I presumed IE was about done for. There is a Windows update available this morning which I have not downloaded as yet, but which browser do you suggest, Chrome or Firefox? I thought about downloading one or the other, but am afraid to since there are so many download sites with viruses built into them. Could you give me a link to a secure download site along with a recommendation?

If you need the quarantine file, let me know. IE seems to be the primary problem. The odd things that happen on screen seem to happen while I am in an IE session.

Thanks,

Tom

AdwCleaner[S7].txt


AdwCleaner should not have terminated on its own.  So, something went wrong and it crashed or something killed it.

Chrome, Firefox both are excellent browsers.  Firefox is my default browser.  Download Chrome and Firefox directly from Google or Mozilla.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwibhsnMlfLYAhWk6YMKHVatB6oQFgg6MAE&url=https%3A%2F%2Fwww.google.com%2Fchrome%2Fbrowser%2Fdesktop%2Findex.html&usg=AOvVaw0XVP3LCM5kL0uPj3LId6gl

https://www.mozilla.org/en-US/firefox/new/

Attach the quarantine log to your reply.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.


Kevin,

Many thanks for the links for Firefox & Chrome! I have attached the scanlog. I did not remove the 5 items.

Would I be well advised to remove IE from my system altogether?

Tom

rk_365F.tmp.txt


You can have RogueKiller remove all those.  If you use Amazon Assistant you can keep it.  I found it to be annoying and it does track your surfing habits and searches.  I removed it shortly after installing it.


Kevin,

Re-ran Roguekiller, found the same 5 - removed them all. Here is the report. I will re-run AdwCleaner to see if it finds anything else and delete if it does.

Should I remove IE from my system or leave it? I do not expect to use it anymore, but there may be things I want to look up within IE at some point. Is there a vulnerability leaving it installed?

Tom

rk_AFE9.tmp.txt


Kevin,

It is consistent... when I run AdwCleaner it finds Pup.optional.Assistant. When I click on Clean, the message is: "Caught unhandled unknown exception; terminating." After clicking OK, it can only be shut down by opening Task Manager and ending the current task. Task Manager says AdwCleaner is running, but it will run forever and do nothing.

Re-ran Roguekiller and found nothing.

Unpinned IE from my home screen. Computer seems to be running far better with Firefox!

I attached the scan from AdwCleaner - just for good measure.

Tom

AdwCleaner[S11].txt


Tom,

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AmazonAssistant.lnk
C:\Users\Default User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AmazonAssistant.lnk
Reg: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application" /f

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Kevin,

Over the weekend I was still seeing the ghost of a file opening in the upper right quadrant of the screen - just for a split second. I certainly hope this fixes that.

Otherwise, the computer is running very well.

Thanks,

Tom

Fixlog.txt


Tom,

Looks like there was an error while deleting the reg key.

Run a new scan with RogueKiller and attach the new scan report to your reply.


Tom,

Looks like the reg key issue was fixed by FRST.

Getting a window that opens temporarily during Windows start up is not all that unusual.

Run a fresh scan with FRST, attach the new FRST scan reports to your reply.


Your FRST logs show no malware.  The Event Log portion of the Additional scan report shows that Windows Defender is having problems updating.  Looks like it may be a networking issue.


Kevin,

Yes, Defender is turned off and I cannot turn it on. I have run another FRST scan and here are the results. Strange things happening this morning. Had an update from MS - shut down to install. It locked up - waited 45 minutes with the warning screen to not turn off, I turned off and rebooted. It came up and showed that a security update was installed for C++.

Security Essentials was MIA for a while, too. Rebooted again and it came back.  Do you think I'm clean?

Tom

Addition.txt

FRST.txt


Tom,

Windows Defender is still disabled, but Microsoft Security Essentials (MSE) is enabled and working correctly.  Windows Defender is an add-on and not necessary on Windows 7 systems.  However, I do recommend that you use something more robust than MSE.

I see no malware in your logs.


Kevin,

Any recommendations? I tried Emsisoft a few years ago and it crashed my system. Arthur Wilkinson tried to help me repair it, but it would not work. We had to remove it completely. Is there anything else you think would be better?

Tom


You could give Emsisoft a try again.  It has undergone several modifications and updates the past few years.

You are using Win 7 Home x64; Emsisoft Anti-Malware 2018 should run with no issues.


Tom,

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your System Drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Thanks Kevin!

I think all is removed. I have Emsisoft 2018 installed and running. Looks like it and MS Security can both run in peaceful co-existence - or should I disable MS Security?

Again, THANK YOU!

Tom


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
