
Possible trojan, please help


Re: Possible trojan, please help

Post by Gary R » August 11th, 2015, 1:24 pm

Thanks for letting me know about Edge. I expect I'm going to have to update a lot of stuff in respect to W10.

It'll take me a while to go through the latest FRST logs, but I'll get back to you ASAP.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Post by Anon67 » August 11th, 2015, 1:40 pm

The Windows 10 update is going to require the rewriting of so many tutorials.

Unfortunate.

Thanks for the help and diligence in going through the logs.
Anon67
Regular Member
Posts: 19
Joined: July 28th, 2015, 12:14 pm

Post by Gary R » August 11th, 2015, 4:23 pm

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).
Code: Select all
C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-3491128345-48547337-2951177495-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
AlternateDataStreams: C:\Program Files (x86)\Intertops Poker:MID
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
Emptytemp:
cmd: ipconfig /flushdns

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Can you also let me know how your computer is behaving now please.




Post by Anon67 » August 11th, 2015, 8:44 pm

I think the computer is performing a little better. Less odd behavior.

I ran it and it again deleted the temporary files and cookies like before.

Restarted.

Here's the fixlog

Fixlog.txt

Post by Gary R » August 12th, 2015, 12:49 am

I'm concerned that according to the log the stuff I'm scripting for removal isn't being found when FRST runs its fix.

So can you please run another scan with FRST, so that I can check whether it's still there or not?

No need to check the Addition.txt button this time, since all I need to see is a Frst.txt log.
Post by Anon67 » August 12th, 2015, 2:35 am

OK, scan went quickly.

Here's the generated log

FRST.txt

Post by Gary R » August 12th, 2015, 9:33 am

Good, they have been removed. Looks like we've got everything; time for a little housekeeping.

First we need to remove the programs we've been using to clean your machine ...

  • Please download delfix and save it to your desktop.
  • Right-click on delfix.exe and select "Run as administrator" to run it.
  • Check the following boxes ...
    • Remove disinfection tools

    ... then click on Run.
  • Once it has finished, a notepad file named DelFix.txt will open. Post the contents of this notepad in your next reply.
  • The log can also be located at the root of the system drive, C:\DelFix.txt.

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are, let me know about them.
  • If not, it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
Post by Anon67 » August 12th, 2015, 1:51 pm

# DelFix v1.010 - Logfile created 12/08/2015 at 13:50:34
# Updated 26/04/2015 by Xplode
# Username : yisman - YISMAN-PC
# Operating System : Windows 10 Home (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\yisman\Downloads\FRST-OlderVersion
Deleted : C:\log.txt
Deleted : C:\Users\yisman\Desktop\dds.txt
Deleted : C:\Users\yisman\Downloads\Addition.txt
Deleted : C:\Users\yisman\Downloads\adwcleaner_4.208.exe
Deleted : C:\Users\yisman\Downloads\dds.scr
Deleted : C:\Users\yisman\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\yisman\Downloads\Fixlog.txt
Deleted : C:\Users\yisman\Downloads\FRST.txt
Deleted : C:\Users\yisman\Downloads\FRST64.exe
Deleted : C:\Users\yisman\Downloads\Search.txt
Deleted : HKLM\SOFTWARE\AdwCleaner

########## - EOF - ##########
Post by Anon67 » August 12th, 2015, 1:52 pm

The reason I came here was to see if the story I was given was possible, or if I should pursue this further.

They claim someone used my IP address and my username and password to steal a thousand dollars from me.

Is it believable that someone hacked my computer? Did anything turn up that would suggest this?

I was not using any P2P programs and the last time I opened streamtorrent was a long time ago. The version I had is probably well out of date (when I used it, I used to keep it updated).
Post by Gary R » August 12th, 2015, 5:44 pm

There's nothing I have seen on your machine that suggests you have a key logger or any other kind of remote access trojan on your computer. We can run all sorts of other scans, but my gut feeling is your machine is clean of malware.

That does not preclude the possibility that someone who has had access to your machine may have compromised it in a way that we're not able to test for.

There is also the possibility that the website where your money was stolen has been compromised, but without knowing what type of website, or what type of security procedures they have in place, it's impossible for me to make any judgement on what the likelihood of that is.

Personally, if this were my computer, I would reformat it, because then you can be pretty much 100% sure that any unauthorised changes to it will have been removed.
Post by Anon67 » August 12th, 2015, 5:46 pm

It was a gambling website, but they're not likely to share any of their protocols.

Thanks for the help.

A few questions:

1) What was the reason for scrubbing all my cookies and temp files a second time? It had already been done.
2) Why do the detection programs like FRST and adw need to be removed afterwards? Aren't they useful?
3) Should I download Spybot or Spyware Blaster? You seemed to be saying Spybot is useful but Blaster is not.
Post by Gary R » August 12th, 2015, 6:16 pm

1. I just do it as a matter of course. Sometimes malware installs a number of "temp" files, which can be used to regenerate an infection, so I "flush" the temp folders to ensure they're clean. Cookies just get taken out as a matter of course because of the way the temp file cleaning routine in FRST works.

2. Programs like ADWCleaner and FRST can be "dangerous" if not used with care. ADWCleaner has been known to flag things that do not need removing, and a scriptable tool like FRST in the hands of someone who isn't fully trained in its use is like having a live grenade on your machine. Add to that the fact that, because of the way they function, they can sometimes be flagged by Anti-Virus scans as "malicious", and you can see why it's easier and safer just to remove them.

3. Personally I believe that both Spybot and Spyware Blaster are beyond their sell-by date now, and add very little (if anything) to the security of someone's computer. I don't know of any infection currently doing the circuits that is efficiently removed by Spybot, and the method that Spyware Blaster uses to secure your machine (by adding a large number of sites to the "restricted sites" zone in IE) can result in quite noticeable slowdown in your web browsing.

Whilst we're on that subject, I forgot to advise you to clear out the sites listed in your restricted sites zone. Unfortunately, when Spyware Blaster is removed, it does not remove all the sites it listed, so you need to do that manually.

To be honest I'm not exactly sure how you do that in W10, where Edge is the default browser, for IE it's ... http://windows.microsoft.com/en-gb/wind ... =windows-7
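
Added example, not part of Gary R's post: a read-only PowerShell listing of the Restricted Sites entries he describes, so they can be reviewed before being cleared by hand. It assumes the entries sit in the standard Internet Settings ZoneMap registry keys, where a DWORD value of 4 assigns a site to the Restricted Sites zone; Get-RestrictedZoneEntry is a hypothetical helper name.

```powershell
# Added example: read-only audit of Restricted Sites (zone 4) mappings.
# Assumption: mappings are in the standard ZoneMap keys for the current user and the machine.
$RestrictedZone = 4
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

# Hypothetical helper name; it only reads the registry and changes nothing.
function Get-RestrictedZoneEntry {
    param([string[]]$Root = $ZoneMapRoots)
    foreach ($r in $Root) {
        foreach ($branch in 'Domains', 'Ranges') {
            $path = Join-Path $r $branch
            if (-not (Test-Path -LiteralPath $path)) { continue }
            # Subdomains are stored as nested subkeys, so walk the whole tree.
            foreach ($key in Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue) {
                foreach ($name in $key.GetValueNames()) {
                    # Value name = protocol ('*', 'http', 'https'); DWORD data = zone number.
                    if ($name -eq ':Range') { continue }
                    if ($key.GetValueKind($name) -ne 'DWord') { continue }
                    if ($key.GetValue($name) -ne $RestrictedZone) { continue }
                    if ($branch -eq 'Ranges') {
                        $site = $key.GetValue(':Range')      # IP range the entry covers
                    } else {
                        # ...\Domains\example.com\www  ->  www.example.com
                        $parts = @(($key.Name -split '\\ZoneMap\\Domains\\', 2)[1] -split '\\')
                        [array]::Reverse($parts)
                        $site = $parts -join '.'
                    }
                    [pscustomobject]@{ Site = $site; Protocol = $name; Key = $key.Name }
                }
            }
        }
    }
}

$entries = @(Get-RestrictedZoneEntry)
'{0} Restricted Sites entries found' -f $entries.Count
# Review the list before clearing anything manually.
$entries | Sort-Object Site | Format-Table Site, Protocol -AutoSize
```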

Post by Anon67 » August 12th, 2015, 7:16 pm

1) Right, but I had done that process earlier; you instructed me to do it already. Then a few posts ago you had me do it a second time.

Re: restricted sites

I use Firefox anyway.

If not Spybot or Blaster, what would you suggest for everyday use? I've been using Malwarebytes for five years or so, but I usually like to have multiple programs in case one misses something.

MS Essentials? I have to see if that's on my computer and if it can be enabled.
Post by Gary R » August 13th, 2015, 1:19 am

1. As I said, it's habit; whenever I write a fix, I include an instruction to empty temp files.

As far as protection goes, personally I use Microsoft Security Essentials (MSE) and Malwarebytes Anti-Malware (MBAM). Anything more is, IMO, overkill, and is more likely to cause conflict problems than to offer any substantive increase to my online safety.

Your browsing habits will have a much greater effect on your security than your choice of defensive programs ever will.

On Windows 8 and later, Windows Defender was updated to the same capability as MSE, and you therefore won't be able to install that program on a W10 machine, because it's already pre-installed under another name. Why Microsoft chose to stick with the Defender name (which had such a bad reputation) is beyond me, but the truth is the new Defender is actually very good.
Post by Anon67 » August 13th, 2015, 2:01 am

For some reason Defender keeps getting disabled and I keep manually enabling it. I never figured out what was going on there. Maybe using an antivirus program shuts it off.

I just did a search. It seems AVG shuts off Windows Defender. I'll just dump AVG.