Hidden Malware


Re: Hidden Malware

Post by Gary R » September 28th, 2013, 11:27 am

OK, the stuff we scripted for removal seems to have been removed OK, but since you still have problems we obviously need to find out what else may be on your machine, and whether something has been removed that needs to be there.

First ...

Please download Farbar Service Scanner ... by Farbar and save it to your Desktop.
  • Double click FSS.exe to run it. (Vista - W7 users: Please right click on FSS.exe and select Run As Administrator).
  • Select the following options ....
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press the Scan button.
  • When finished, a text file named FSS.txt will be created on your desktop.
  • Copy/Paste the contents in your reply please.

Next ...

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on Run ESET Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed click on Start to start the scan.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.

Summary of the logs I need from you in your next post:
  • FSS.txt
  • E-Set log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

Re: Hidden Malware

Post by tnesler » September 29th, 2013, 4:22 pm

Sorry for the delayed response.

Here is the FSS Log

Farbar Service Scanner Version: 13-09-2013
Ran by Treasurer (administrator) on 29-09-2013 at 13:37:30
Running from "C:\Users\Treasurer\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

And Here is what ESET found:

C:\AdwCleaner\Quarantine\C\ProgramData\apn\APN-Stub\W3IV6-G\APNIC.dll.vir Win32/Bundled.Toolbar.Ask.B application
C:\Program Files (x86)\FriendsChecker\IE\common.dll a variant of Win32/ExFriendAlert.B application
C:\Program Files (x86)\PDFCreator\message.exe a variant of Win32/InstallCore.A application
C:\Program Files (x86)\SearchDonkey\Uninstall.exe a variant of Win32/ExFriendAlert.B application

Tom Nesler
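The FSS log above is compact, but each line is the result of a specific check: is the service running, does its start type match the stock Windows 7 default, do its ImagePath and ServiceDll still point at the genuine binary, is there a policy value that switches the protection off, and does the MD5 of each networking/security component match a known-good value. The script below is an added example, not part of this thread and not Farbar's code; it reproduces those checks in PowerShell 2.0-compatible form so the log can be reproduced or re-run by hand. The service names, registry value and file paths are the ones in the posted log; the "expected" start types and the policy key locations are this example's assumptions for Windows 7 x64, and because the example does not carry FSS's list of known-good hashes it prints each file's MD5 and version for comparison against a clean install rather than declaring it "legit".

```powershell
# Added example (not from MalwareRemoval.com or Farbar Service Scanner):
# reproduce the checks behind the FSS log, Windows 7 / PowerShell 2.0 compatible.
# Run from an elevated 64-bit PowerShell so the 64-bit registry view is used.

$ErrorActionPreference = 'Stop'

# --- Service configuration (the "start type ... default start type" lines) ---
# Expected start modes are this example's assumptions for a stock Windows 7 install.
$expected = @{
    'wscsvc'    = 'Auto'    # Security Center
    'WinDefend' = 'Auto'    # Windows Defender
    'MpsSvc'    = 'Auto'    # Windows Firewall
    'wuauserv'  = 'Auto'    # Windows Update
}

foreach ($name in $expected.Keys) {
    # Win32_Service exposes StartMode/State/PathName on PowerShell 2.0, where
    # Get-Service has no StartType property yet.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Output "$name service: NOT PRESENT"; continue }

    $verdict = if ($svc.StartMode -eq $expected[$name]) { 'OK' }
               else { "CHANGED (default $($expected[$name]))" }
    Write-Output ("{0,-10} start={1,-8} state={2,-8} {3}" -f $name, $svc.StartMode, $svc.State, $verdict)

    # A hijacked ImagePath or ServiceDll is how malware replaces a service
    # without touching the visible service list; FSS prints "is OK" when both
    # point at the stock binaries.
    Write-Output "           ImagePath=$($svc.PathName)"
    $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters" `
                -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { Write-Output "           ServiceDll=$dll" }
}

# --- "Disabled Policy" sections ---
# Values that turn a protection off by policy. Stock machines have none of them.
# The first entry is exactly the key/value the posted log flagged; the others
# are where the equivalent switches for the remaining FSS sections live (assumption).
$policies = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                      Value = 'DisableAntiSpyware'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';             Value = 'DisableAntiSpyware'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';     Value = 'DisableSR';          Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';     Value = 'NoAutoUpdate';       Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Value = 'EnableFirewall';  Bad = 0 }
)
foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue
    if ($item -and $item.($p.Value) -eq $p.Bad) {
        Write-Output "POLICY: [$($p.Key)] $($p.Value)=DWORD:$($item.($p.Value))"
    }
}

# --- "File Check" section ---
# FSS compares the MD5 of each file against a list of known-good hashes it
# ships with. That list is not available here, so print MD5 and file version
# and compare them against a clean Windows 7 SP1 x64 install.
$files = @(
    "$env:SystemRoot\System32\wscsvc.dll",
    "$env:SystemRoot\System32\drivers\tcpip.sys",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:ProgramFiles\Windows Defender\MpSvc.dll"
)
$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Output "$f => MISSING"; continue }
    $stream = [System.IO.File]::OpenRead($f)
    try     { $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    $ver = (Get-Item -LiteralPath $f).VersionInfo.FileVersion
    Write-Output "$f => MD5 $hash (version $ver)"
}
```

Reading the posted log with these checks in mind: both wscsvc and WinDefend are at start type Disabled against a default of Auto, their ImagePath/ServiceDll are untouched, and DisableAntiSpyware=1 is set under the non-policy Windows Defender key. Note that on Windows 7 a third-party antivirus, Microsoft Security Essentials included, sets that same value when it installs, so the Defender finding on its own is not proof of tampering; the disabled Security Center service is the part that needs fixing.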

Re: Hidden Malware

Post by Gary R » September 30th, 2013, 4:45 am

OK, your security service is set to disabled, so you need to set it to auto, to do that please do the following ...

  • Click Start and in the Search programs and files field type Services.msc
  • Double click Services.msc which will be found at the top of the search results list.
  • This should open a Services window ...
  • Scan down the list of services until you find Security Center and double click on it to open its Properties window ...
    • Ensure the Startup type is set to Automatic
    • Ensure the Service status: is started, if not hit the Start button.
    • Click OK to close the Properties window, then close the Services window.

Windows Security Center should now be operating, if it is not please let me know.

Next ...

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
C:\Program Files (x86)\FriendsChecker\IE\common.dll
C:\Program Files (x86)\PDFCreator\message.exe
C:\Program Files (x86)\SearchDonkey\Uninstall.exe

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Please let me know how your computer is behaving now.

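The post above does two things by hand: sets the Security Center service back to Automatic and starts it, then uses an OTL :Files fix to move the three files ESET reported out of the way. The script below is an added example, not from this thread and not OTL's code, that does the same from an elevated PowerShell and adds what a practitioner would want kept: a SHA-256 of each file before it is moved, a reversible quarantine name, and a log line per action. The quarantine folder path is this example's choice; the three target paths are the ones ESET listed. Windows Defender is left alone by default for the reason noted in the comment.

```powershell
# Added example (not from MalwareRemoval.com or OTL): the remediation steps
# from the post above, done from an elevated PowerShell on Windows 7.
# Close browsers first: common.dll is an Internet Explorer add-on and cannot be
# moved while IE has it loaded.

$ErrorActionPreference = 'Stop'

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell.'
}

# --- 1. Security Center: FSS showed start type Disabled, default is Automatic ---
Set-Service -Name wscsvc -StartupType Automatic
if ((Get-Service -Name wscsvc).Status -ne 'Running') { Start-Service -Name wscsvc }
Write-Output ("wscsvc: {0}" -f (Get-Service -Name wscsvc).Status)

# --- 2. Windows Defender (off by default here) ---
# FSS also showed WinDefend Disabled with DisableAntiSpyware=1. On Windows 7 a
# third-party antivirus (Microsoft Security Essentials included) sets exactly
# that value when it installs, which is why the helper did not touch it.
# Only re-enable Defender if no other antivirus is installed.
$ReenableDefender = $false
if ($ReenableDefender) {
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' `
        -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    Set-Service -Name WinDefend -StartupType Automatic
    Start-Service -Name WinDefend
}

# --- 3. Quarantine the files ESET flagged (what the OTL :Files fix does) ---
$quarantine = 'C:\Quarantine'                         # example path, this script's choice
$targets = @(
    'C:\Program Files (x86)\FriendsChecker\IE\common.dll',
    'C:\Program Files (x86)\PDFCreator\message.exe',
    'C:\Program Files (x86)\SearchDonkey\Uninstall.exe'
)
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
$log = Join-Path $quarantine 'quarantine.log'
$sha = [System.Security.Cryptography.SHA256]::Create()

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Output "$path => not present"; continue }

    # Hash before moving so the log identifies the exact sample.
    $stream = [System.IO.File]::OpenRead($path)
    try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }

    # Encode the original path into the quarantine filename and append .vir
    # (the same convention AdwCleaner used for the APNIC.dll hit in the ESET
    # output) so nothing in the folder runs on a double-click and the move
    # can be reversed.
    $dest = Join-Path $quarantine (($path -replace '[:\\ ]', '_') + '.vir')
    try {
        Move-Item -LiteralPath $path -Destination $dest -Force
        Add-Content -Path $log -Value ("{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format s), $hash, $path, $dest)
        Write-Output "$path moved successfully (SHA256 $hash)"
    } catch {
        # A DLL loaded by a running process cannot be moved; OTL handles this
        # by rebooting and completing the move at startup. Here: report and retry.
        Write-Output "$path is in use: close browsers or reboot, then re-run ($($_.Exception.Message))"
    }
}
```

The "moved successfully" lines mirror the OTL fix log posted later in the thread; the difference is that the hash and original path are now recorded, which is what you need if a file turns out to have been a false positive or if you want to submit the sample to a vendor.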

Re: Hidden Malware

Post by tnesler » September 30th, 2013, 7:44 pm

Windows Security Center has been set to Automatic and started Successfully ---(Yayyy!)

Here is the log from OTL

========== FILES ==========
C:\Program Files (x86)\FriendsChecker\IE\common.dll moved successfully.
C:\Program Files (x86)\PDFCreator\message.exe moved successfully.
C:\Program Files (x86)\SearchDonkey\Uninstall.exe moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 09302013_183726

I have downloaded the free version of MalwareBytes. Would you recommend getting the paid version to keep this PC clean or do you recommend another software or even another strategy?

Re: Hidden Malware

Post by Gary R » October 1st, 2013, 1:16 am

Looks like we've got everything then, and it's time for a little tidying up.

Let's clear out OTL and the files and folders it created. This will also remove SystemLook.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next ...

Let's clear out ADWCleaner and the files and folders it created.

  • Double click AdwCleaner.exe to run it.
  • Click Uninstall.
  • Click Yes to the prompt.
  • AdwCleaner will close and uninstall itself

Note: If AdwCleaner prompts you an update is available, click Cancel and continue to uninstall.

Next ...

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Tweaking.com Registry Backup


As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?
  • If you are let me know about them.

As far as securing your machine is concerned ...

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

With specific regard to the question you asked about Malwarebytes. The difference between the paid version and free version is that the paid version comes with real time protection, and this can add valuable protection. However, in the case of the infection you had, Malwarebytes would not have protected you. For some reason best known to themselves, Malwarebytes do not consider toolbars of the type that infected your machine as malicious, so would not have prevented their installation.

Quite honestly I find this behaviour baffling, and although in other regards Malwarebytes does an excellent job, because of this serious shortcoming, I personally find I can no longer recommend it. Should they ever rectify this deficiency, I would have no hesitation in doing so.

Re: Hidden Malware

Post by tnesler » October 2nd, 2013, 8:55 am

Things are looking good for me now. My WSC is continuing to load without problems...(Yaaayyy!!). I have removed the programs you recommended. I am wondering though, why do you recommend removing the Tweaking registry backup program? It seems like a good utility to have and use regularly?

One other question, you used several tools to clean out the malware. I presume this is to provide multiple layers of attack. Are you connected to any of these programs? Are they simply efforts by people like yourself to provide relief from Malware?

Thanks again! I will try to pay your good deeds forward in my small ways with others...:-)

PS thanks for the article on Malware security...very interesting!

Re: Hidden Malware

Post by Gary R » October 2nd, 2013, 11:07 am

The only reason I recommend removing Tweaking.com, is to keep your machine as clear of "clutter" as possible. Although backing up the Registry might seem a good idea, for most "day to day" computer users, it's not really very useful, since most people do not habitually make changes to it other than when they install programs, in which case if a recovery is necessary because a program installed incorrectly, the easiest solution is to use System Restore.

As far as the tools I used to clean your computer are concerned, they were written by security colleagues, and are specifically targeted to the infection you had. They are not for general public use, and could cause damage if used inappropriately, which is why I gave instructions for their removal.

Glad to hear your computer is still behaving itself.

Keep safe,

Gary

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.