Malware/Virus suspected

Re: Malware/Virus suspected

Post by maranatha-lord » July 6th, 2015, 5:54 pm

Yeah, it was the most recent. Different timestamp, but still the same number of lines, ending as the above does :-(

Re: Malware/Virus suspected

Post by pgmigg » July 6th, 2015, 11:09 pm

Hello maranatha-lord,

maranatha-lord wrote: Yeah, it was the most recent. Different timestamp, but still the same number of lines, ending as the above does :-(
OK! In that case, please run the following:

Step 1.
SystemLook
You should still have SystemLook.exe on your desktop.
  1. Right click on SystemLook.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
    If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.
  2. Highlight and copy the following entries into SystemLook's main text entry window.
    (Do not include the words Code: Select all - instead of it please click the Select all button next to Code: to select the entire script.)
    Code: Select all
    :Regfind
    Iminent
    Poker
    Realms
    Searchqu
    Searchnu
    Slick
    smartbar
    Somoto
    Sweetpack
    Tarma
    trolltech
    systweak
    vshare
    whitesmoke
    YahooPartnerToolbar
    Yontoo
    
  3. Press the Look button to start the scan. The scan will take a while (even more than an hour), so please be patient...
    When finished, a Notepad window will open with the results of the scan.
    A file will be created (on your Desktop) with the results of the scan, named SystemLook.txt
  4. Please post the contents of the SystemLook.txt file in your next reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the SystemLook.txt log file
  3. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed

Re: Malware/Virus suspected

Post by maranatha-lord » July 7th, 2015, 4:27 am

SystemLook 30.07.11 by jpshortstuff
Log created at 08:17 on 07/07/2015 by User 1
Administrator - Elevation successful

========== Regfind ==========

Searching for "Iminent"
No data found.

Searching for "Poker"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e880532-7028-48e9-8795-c197ff2ab411}]
@="Previous Versions Poker"

Searching for "Realms"
No data found.

Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"

Searching for "Searchnu"
No data found.

Searching for "Slick"
No data found.

Searching for "smartbar"
No data found.

Searching for "Somoto"
No data found.

Searching for "Sweetpack"
No data found.

Searching for "Tarma"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mml\OpenWithProgIDs]
"soffice.StarMathDocument.6"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sxm]
@="soffice.StarMathDocument.6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sxm\OpenWithProgIDs]
"soffice.StarMathDocument.6"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0484DE6-AAEE-468a-991F-8D4B0737B57A}\ProgID]
@="soffice.StarMathDocument.6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0484DE6-AAEE-468a-991F-8D4B0737B57A}\VersionIndependentProgID]
@="soffice.StarMathDocument.6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\soffice.StarMathDocument]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\soffice.StarMathDocument\CurVer]
@="soffice.StarMathDocument.6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\soffice.StarMathDocument.6]
[HKEY_LOCAL_MACHINE\SOFTWARE\OpenOffice\OpenOffice\4.1.1\Capabilities\FileAssociations]
".mml"="soffice.StarMathDocument.6"
[HKEY_LOCAL_MACHINE\SOFTWARE\OpenOffice\OpenOffice\4.1.1\Capabilities\FileAssociations]
".sxm"="soffice.StarMathDocument.6"

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\.DEFAULT\Software\Trolltech]
[HKEY_USERS\.DEFAULT\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech]
[HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001\Software\Trolltech]
[HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech]
[HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-18\Software\Trolltech]
[HKEY_USERS\S-1-5-18\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]

Searching for "systweak"
No data found.

Searching for "vshare"
No data found.

Searching for "whitesmoke"
No data found.

Searching for "YahooPartnerToolbar"
No data found.

Searching for "Yontoo"
No data found.

-= EOF =-
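Added example (not part of the thread and not SystemLook's own code): a parser for the Regfind log format posted above that also shows which identifier actually contained each search string, so a reviewer can separate a name that appears verbatim (Trolltech) from an unrelated identifier that merely contains the letters, as soffice.StarMathDocument does for "Tarma". The sample log is a constructed excerpt in the same format.

```python
"""Parse a SystemLook ':Regfind' log and show what each hit really matched.

Added example, not part of the thread and not SystemLook's own code.
SAMPLE_LOG is a constructed excerpt in the same format as the log above.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Administrator - Elevation successful

========== Regfind ==========

Searching for "Iminent"
No data found.

Searching for "Poker"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e880532-7028-48e9-8795-c197ff2ab411}]
@="Previous Versions Poker"

Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"

Searching for "Tarma"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sxm]
@="soffice.StarMathDocument.6"

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]

-= EOF =-
"""

SEARCH_RE = re.compile(r'^Searching for "(.*)"$')


def parse_regfind(log: str) -> Dict[str, List[str]]:
    """Map each search term to the key/value lines SystemLook listed under it.
    A term that produced 'No data found.' maps to an empty list."""
    hits: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group(1)
            hits[current] = []
        elif current and line and line != "No data found." and not line.startswith("-="):
            hits[current].append(line)
    return hits


def matched_token(term: str, line: str) -> str:
    """Return the identifier inside `line` that contains `term`, using the same
    case-insensitive substring rule the Regfind output reflects. Returns ''
    when the line (e.g. the key listed above a matching value) has no hit."""
    idx = line.lower().find(term.lower())
    if idx < 0:
        return ""

    def is_ident(c: str) -> bool:
        return c.isalnum() or c in "._"

    start, end = idx, idx + len(term)
    while start > 0 and is_ident(line[start - 1]):
        start -= 1
    while end < len(line) and is_ident(line[end]):
        end += 1
    return line[start:end]


def triage(log: str) -> Dict[str, List[Tuple[str, str, bool]]]:
    """For each term with hits: (reported line, matched identifier, exact), where
    exact is True when the identifier *is* the search term. An inexact match such
    as 'soffice.StarMathDocument.6' for 'Tarma' is a reminder that Regfind matches
    letters, not product names, and that the hit needs a human look."""
    report: Dict[str, List[Tuple[str, str, bool]]] = {}
    for term, lines in parse_regfind(log).items():
        rows = []
        for line in lines:
            tok = matched_token(term, line)
            if tok:
                rows.append((line, tok, tok.lower() == term.lower()))
        if rows:
            report[term] = rows
    return report
```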

Re: Malware/Virus suspected

Post by pgmigg » July 7th, 2015, 11:18 am

Hello maranatha-lord,

Very good! :D Let's continue our treatment...

Step 1.
OTL - Run Fix Script
You should still have OTL.exe on your desktop.
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Right click on OTL.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  2. Underneath Output at the top, make sure Standard Output is selected.
  3. Highlight and copy the following entries into the Image text box.
    (Do not include the words Code: Select all - instead of it please click the Select all button next to Code: to select the entire script.)
    Code: Select all
    :Commands
    [createrestorepoint]
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    "DllName"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
    "DllName"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
    "DllName"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0C1BA031-45EB-357E-8F55-2E6136D10FBF}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1BFC7AFE-20FE-3F30-B10A-DF4A3EA990AC}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{24E12496-D29C-35E3-AD0F-1D66AD4C2493}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{267658E0-FF47-3CAC-B955-33221CF791F4}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{464FA238-2CEC-34AC-B096-0FEF5A4923AC}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4765A3E5-EF39-32FC-8783-71D68E0A7CD6}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{49312164-AD83-3495-8EBD-26ED739785C0}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{77BA8C2B-C6E5-3F52-8B5B-1D508D998292}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{790C6E53-66B5-3F63-8EBB-2C18D25450AA}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9ACB4E3B-01B0-3F8F-A0CF-08105106E5DA}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{B9FDE49C-D747-3D2C-A15B-7C7E0BA3BB35}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{E3C414FA-7C5D-3F3C-BDD5-A7791B9D1C38}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{EE7421D0-07AC-3EEE-B17B-D014197230FC}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FB211F2C-15DB-3945-AD45-1E6AD697DD95}\1.0.0.0]
    "CodeBase"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e880532-7028-48e9-8795-c197ff2ab411}]
    @=""
    [-HKEY_CURRENT_USER\Software\Trolltech]
    [-HKEY_USERS\.DEFAULT\Software\Trolltech]
    [-HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech]
    [-HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001\Software\Trolltech]
    [-HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech]
    [-HKEY_USERS\S-1-5-18\Software\Trolltech]
    
    :Commands
    [emptyflash]
    [emptyjava]
    [emptytemp]
    
  4. Click under the Custom Scan/Fixes box and paste the copied text.
  5. Click the Run Fix button. If prompted... click OK.
  6. OTL may ask to reboot the machine. Please do so if asked.
  7. Let the program run unhindered and reboot the PC when it is done.
    When the computer reboots, and you start your usual account, a Notepad text file will appear.
  8. Copy the contents of that file and post it in your next reply. The log can also be found, based on the date/time it was created, as C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log

Step 2.
ESET NOD32 Online Scan
  1. Firstly please Disable any Antivirus you have active, as shown in This topic. If active, it could impact the online scan.
    Do NOT use the computer while the scan is running!
    Make sure all other programs and windows are closed!
  2. You need to right-click on the Internet Explorer or Firefox icons on the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  3. Go to ESET Online Scanner - © ESET All Rights Reserved, to run an online scan.
  4. Click the dark blue Run ESET Online Scanner button:
    • If you are using Google Chrome or Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted. Then double click on it to install.
    • If you are using Internet Explorer please read the End User License Agreement and check the box: Yes, I accept the terms of use. Then click the green Start button.
  5. Accept any security warnings from your browser and allow the download/installation of any required files.
    If your browser blocks or halts a download, please allow it to download any required files.
  6. Under scan settings:
    • Check "Scan archives"
    • UNCHECK "Remove found threats"
  7. Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  8. Click the Start button.
    ESET will install itself, download virus signature database updates and begin scanning your computer.
    The scan will take a while so please be patient. Do NOT use the computer while the scan is running!
  9. When the scan completes, please press the text: Image
  10. Press the text: Image, then save the file to your desktop as ESETScan.txt.
  11. Press the Back button, then press the Finish button.
  12. Copy and paste the contents of ESETScan.txt in your next reply.
    Note: If no threats are found, there is no option to create a log. Just report back to me there was nothing found.

Then:
Please tell me: is this computer used for business purposes and connected to a business or educational network?
I need to know so I can provide the proper instructions.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log log file after OTL FixScript run
  3. Contents of the ESETScan.txt log file
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed

Re: Malware/Virus suspected

Post by maranatha-lord » July 7th, 2015, 3:40 pm

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\\DllName deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}\\DllName deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}\\DllName deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0C1BA031-45EB-357E-8F55-2E6136D10FBF}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1BFC7AFE-20FE-3F30-B10A-DF4A3EA990AC}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{24E12496-D29C-35E3-AD0F-1D66AD4C2493}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{267658E0-FF47-3CAC-B955-33221CF791F4}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{464FA238-2CEC-34AC-B096-0FEF5A4923AC}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4765A3E5-EF39-32FC-8783-71D68E0A7CD6}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{49312164-AD83-3495-8EBD-26ED739785C0}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{77BA8C2B-C6E5-3F52-8B5B-1D508D998292}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{790C6E53-66B5-3F63-8EBB-2C18D25450AA}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9ACB4E3B-01B0-3F8F-A0CF-08105106E5DA}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{B9FDE49C-D747-3D2C-A15B-7C7E0BA3BB35}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{E3C414FA-7C5D-3F3C-BDD5-A7791B9D1C38}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{EE7421D0-07AC-3EEE-B17B-D014197230FC}\1.0.0.0\\CodeBase deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FB211F2C-15DB-3945-AD45-1E6AD697DD95}\1.0.0.0\\CodeBase deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e880532-7028-48e9-8795-c197ff2ab411}\\@|"" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Trolltech\ deleted successfully.
Registry key HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech\ not found.
Registry key HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001\Software\Trolltech\ not found.
Registry key HKEY_USERS\S-1-5-21-3511597724-2799826871-2226428781-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Trolltech\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Trolltech\ not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Greville

User: LogMeInRemoteUser

User: Public

User: TEMP

User: User 1
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Greville

User: LogMeInRemoteUser

User: Public

User: TEMP

User: User 1
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Greville
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: TEMP

User: User 1
->Temp folder emptied: 46068277 bytes
->Temporary Internet Files folder emptied: 66440289 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 17342298 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3706092 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 12625682 bytes

Total Files Cleaned = 139.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 07072015_203048

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\Windows\temp\CR_C9530.tmp\setup.exe moved successfully.
C:\Windows\temp\chrome_installer.log moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
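Added example serving both the OTL fix script in pgmigg's post above and the result log in this post (not from the thread and not OTL's own code): it parses the :Reg script syntax into planned registry actions, parses the result lines OTL printed, and reports which planned change the log actually confirms. FIX_SCRIPT and RESULT_LOG are constructed excerpts in the thread's format.

```python
"""Cross-check an OTL ':Reg' fix script against the result log OTL writes.

Added example, not from the thread and not OTL's own code. Syntax as used in
the post above: "Name"=- deletes a value, @="" sets a key's default value,
[-KEY] deletes a whole key. FIX_SCRIPT and RESULT_LOG are constructed excerpts
in the thread's format; the CodeBase entry is left out of the log on purpose.
"""
import re
from typing import Dict, List, Tuple

FIX_SCRIPT = r"""
:Commands
[createrestorepoint]

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0C1BA031-45EB-357E-8F55-2E6136D10FBF}\1.0.0.0]
"CodeBase"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e880532-7028-48e9-8795-c197ff2ab411}]
@=""
[-HKEY_CURRENT_USER\Software\Trolltech]
[-HKEY_USERS\S-1-5-18\Software\Trolltech]
"""

RESULT_LOG = r"""
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\\DllName deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e880532-7028-48e9-8795-c197ff2ab411}\\@|"" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_USERS\S-1-5-18\Software\Trolltech\ not found.
"""

Action = Tuple[str, str, str]  # (kind, registry key, value name or "")

# OTL writes key and value name separated by a doubled backslash.
VALUE_DEL_RE = re.compile(r"^Registry value (.+)\\\\(.+) deleted successfully\.$")
VALUE_SET_RE = re.compile(r"^(.+)\\\\(.+)\|(.*) /E : value set successfully!$")
KEY_RE = re.compile(r"^Registry key (.+)\\ (deleted successfully|not found)\.$")


def parse_fix_script(script: str) -> List[Action]:
    """Planned registry actions from the :Reg section; other sections are skipped."""
    actions: List[Action] = []
    section = key = None
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            section = line[1:].lower()
        elif section != "reg" or not line:
            continue
        elif line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], ""))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.endswith("=-"):
            actions.append(("delete_value", key, line[:-2].strip('"')))
        elif key and "=" in line:
            actions.append(("set_value", key, line.partition("=")[0].strip('"')))
    return actions


def parse_result_log(log: str) -> Dict[Action, str]:
    """Map each registry action OTL reported on to the outcome text it logged."""
    outcomes: Dict[Action, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if m := VALUE_DEL_RE.match(line):
            outcomes[("delete_value", m.group(1), m.group(2))] = "deleted successfully"
        elif m := VALUE_SET_RE.match(line):
            outcomes[("set_value", m.group(1), m.group(2))] = "value set successfully"
        elif m := KEY_RE.match(line):
            outcomes[("delete_key", m.group(1), "")] = m.group(2)
    return outcomes


def cross_check(script: str, log: str) -> List[Tuple[Action, str]]:
    """Pair every planned change with what the log says happened to it."""
    outcomes = parse_result_log(log)
    return [(a, outcomes.get(a, "no result logged")) for a in parse_fix_script(script)]


def unconfirmed(script: str, log: str) -> List[Action]:
    """Changes the log does not confirm: 'not found' is harmless if the key was
    already gone, 'no result logged' means that entry needs a second look."""
    return [a for a, outcome in cross_check(script, log) if "successfully" not in outcome]
```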

Re: Malware/Virus suspected

Post by maranatha-lord » July 7th, 2015, 5:07 pm

C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSS.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSHelper.dll a variant of Win32/Systweak.N potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe a variant of Win32/Systweak potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSSystemCleaner.exe a variant of Win32/Systweak.L potentially unwanted application
D:\_OTL\MovedFiles\06302015_204939\C_Users\User 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlmphiokjnpmaihbjjkobajiehmblogi\1.5.2_0\background.js JS/ExtenBro.FBook.FA trojan

Re: Malware/Virus suspected

Post by maranatha-lord » July 7th, 2015, 5:09 pm

Computer definitely seems a lot more responsive and quicker to perform tasks.

This is not used for business purposes nor is it connected to any other networks other than my home network.

Re: Malware/Virus suspected

Post by pgmigg » July 7th, 2015, 5:15 pm

Hello maranatha-lord,

Step 1.
Show Hidden and System files
  1. Close all programs so that you are at your desktop.
  2. Press Image.
  3. Click the Start Search box on the Start Menu
  4. Copy and paste the following value, in the open text entry box:
    control folders
  5. Click on the View tab, then under the "Hidden files and folders" section
    • SELECT "Show hidden files and folders"
    • Remove check mark from check box "Hide extensions for known file types"
    • Remove check mark from check box "Hide protected operating system files"
  6. Press the Apply, then the OK buttons.

Step 2.
Online Multi Antivirus file scan
Please go to either: Jotti or Virus Total and upload -only one file per scan- the following file(s) for scanning:

C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSS.exe
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSHelper.dll
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSSystemCleaner.exe


Using Jotti
  1. Choose the appropriate language (if needed)... once a language is selected, you'll see a message "Ready to receive files"
  2. Press the Browse button and navigate to -one- of the files in the list.
  3. Double click the located file name...The file name should now appear in the online scanner's "File to scan:" box.
  4. Click on Submit..button.
      If you receive the message: This file has been scanned before. The results for this previous scan are listed below.
      Please press the Scan again button, so your file will be scanned.
  5. The file will be uploaded and scanned by various antivirus scanners..this may take a few minutes.
  6. When all scans have completed... the results page is displayed
  7. Please highlight and copy the page web address link from your browser window.
    Example of web address :
    Image
  8. Please repeat this procedure for each file listed above.
  9. Paste the Web address link(s) for the scan results in your next reply.

Using Virus Total
  1. Press the Browse button and navigate to -one- of the files in the list.
  2. Double click the located file name... The file name should now appear in the online scanner's text entry box.
  3. Click on Send File...button.
  4. The file will be queued, uploaded and scanned by various antivirus scanners..this may take a few minutes.
      If you receive the message: File has already been analysed:
      Please press the Reanalyse file now button, so your file will be scanned.
  5. When all scans have completed... the results page is displayed
  6. Please highlight and copy the page web address link from your browser window.
    Example of web address:
    Image
  7. Please repeat this procedure for each file listed above.
  8. Paste the Web address link(s) for the scan results in your next reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. The resulting web links after online file scan by Virus Total or Jotti.
  3. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed


Re: Malware/Virus suspected

Post by pgmigg » July 8th, 2015, 5:25 pm

Hello maranatha-lord,

Your latest set of logs appear to be clean! :cheers:
This is my general post for when your logs show no more signs of malware.
Before I give you instructions on how to keep your computer clean and secure, you need to take a few additional steps.

Step 1.
OTL - Run Script
You should still have OTL on your desktop.
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Right click on OTL.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  2. Copy and Paste the following code into the Image text box.
    (Do not include the words Code: Select all - instead of it please click the Select all button
    next to Code: to select the entire script.)
    Code: Select all
    :Commands
    [CREATERESTOREPOINT]
    
    :Commands
    [EMPTYTEMP]
    [CLEARALLRESTOREPOINTS]
    
  3. Click under the Custom Scan/Fixes box and paste the copied text.
  4. Click the Run Fix button. If prompted... click OK.
  5. OTL may ask to reboot the machine. Please do so if asked.

Step 2.
OTL-Cleanup
You should still have OTL on your desktop.
  1. Right click on OTL.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  2. Press the CleanUp button.
  3. When done, you will be prompted to reboot your system to finish file removal, please select OK to reboot your computer.

Step 3.
Hide Hidden and System files
  1. Close all programs so that you are at your desktop.
  2. Press Image.
  3. Click the Start Search box on the Start Menu
  4. Copy and paste the following value, in the open text entry box:
    control folders
  5. Click on the View tab, then under the "Hidden files and folders" section
    • UNSELECT "Show hidden files and folders"
    • Place check mark in check box "Hide extensions for known file types"
    • Place check mark in check box "Hide protected operating system files"
  6. Press the Apply, then the OK buttons.

Step 4.
Please download delfix and save it to your desktop.
  1. Right-click on delfix.exe and select "Run as administrator" to run it.
  2. Check the following boxes then click on Run.
    1. Activate UAC
    2. Remove disinfection tools
    3. Create registry backup
    4. Reset system settings
  3. All tools we used to clean your computer should be gone now.
  4. You can now delete any tools/logs we used if they remain on your computer.

Then:
  • Please don't forget to enable and update all your defense software!

Finally:
Please click HERE to find a short guide to staying safer online.


Please don't hesitate to ask any additional questions.

Stay Safe! ;)
pgmigg

Re: Malware/Virus suspected

Post by maranatha-lord » July 9th, 2015, 5:30 pm

Thank you so much for your help. God Bless.

Re: Malware/Virus suspected

Post by pgmigg » July 9th, 2015, 5:35 pm

You are very welcome, maranatha-lord!

Stay Safe! ;)
pgmigg

Re: Malware/Virus suspected

Post by Cypher » July 10th, 2015, 5:27 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.