Bitdefender keeps finding Kazy infected .tmp files


Post by andy__b » August 18th, 2018, 6:58 pm

Bitdefender keeps popping up with 'Threat Detected' notifications followed by 'Detected threats are being disinfected'. An example of the notification is:

"Successfully blocked infected file
4 minutes ago
Feature:
Antivirus
The file C:\Windows\temp\tmp00000431\tmp0000295b is infected with Gen:Variant.Kazy.129450.The threat has been successfully blocked, your device is safe."

Each time this pops up it's a different .tmp file.

After running Bitdefender scan this is the resulting message: "The file C:\Windows\temp\tmp000000c6\tmp001995d1 has been detected as infected. Bitdefender could not clean this item. A reboot is required to complete the cleaning process. Threat name: Gen:Variant.Kazy.129450"

However a reboot does not solve the problem and the popups continue. Grateful for any help.... FRST logs attached
andy__b
Active Member
Posts: 7
Joined: August 18th, 2018, 4:21 am

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by Gary R » August 19th, 2018, 3:07 am

Looking over your logs, back as soon as I've finished analysing them.
Gary R
Administrator
Posts: 23504
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by Gary R » August 19th, 2018, 3:55 am

Questions ....

Are you using the Free or the paid-for versions of Malwarebytes and BitDefender?

Have you previously used AVG as your anti-virus?

Do you recognise any of the following files and/or folders, and/or know why they may be present on your computer?

2018-08-18 07:27 - 2018-08-18 07:27 - 000528708 ____N C:\Users\Ac8hj5\border duration stations.xlsx
2018-08-18 07:27 - 2018-08-18 07:27 - 000527719 ____N C:\Users\Qj1t5zg\wit.poems.xlsx
2018-08-18 07:27 - 2018-08-18 07:27 - 000212077 ____N C:\Users\Ac8hj5\bet flower.mdb
2018-08-18 07:27 - 2018-08-18 07:27 - 000209341 ____N C:\Users\Qj1t5zg\consciousness-lungs.mdb
2018-08-18 07:27 - 2018-08-18 07:27 - 000071437 ____N C:\Users\Qj1t5zg\access_amounts.xls
2018-08-18 07:27 - 2018-08-18 07:27 - 000060345 ____N C:\Users\Ac8hj5\nothing_church_obey.xls
2018-08-18 07:27 - 2018-08-18 07:27 - 000059857 ____N C:\Users\Ac8hj5\diffusion-compound.pem
2018-08-18 07:27 - 2018-08-18 07:27 - 000051183 ____N C:\Users\Qj1t5zg\devil.dictionary.pem
2018-08-18 07:27 - 2018-08-18 07:27 - 000027243 ____N C:\Users\Ac8hj5\mistake.thousands.gear.angle.txt
2018-08-18 07:27 - 2018-08-18 07:27 - 000020160 ____N C:\Users\Qj1t5zg\consideration.suffer.sql
2018-08-18 07:27 - 2018-08-18 07:27 - 000018364 ____N C:\Users\Qj1t5zg\maybe improve distant.txt
2018-08-18 07:27 - 2018-08-18 07:27 - 000017989 ____N C:\Users\Ac8hj5\realizemean.sql
2018-08-18 07:27 - 2018-08-18 07:27 - 000000000 ___HD C:\Users\Qj1t5zg
2018-08-18 07:27 - 2018-08-18 07:27 - 000000000 ___HD C:\Users\Ac8hj5
2018-08-18 07:27 - 2018-08-18 07:27 - 000000000 ___DC C:\Xpackage238
2018-08-18 07:27 - 2018-08-18 07:27 - 000000000 ___DC C:\833650065972511557 package234
2018-08-17 23:30 - 2018-08-17 23:32 - 000000000 ____D C:\Users\Andy\Desktop\BStALBCRP items


There are a number of matters that need addressing on your machine, but I need you to answer my questions first before we proceed with dealing with them.

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by andy__b » August 19th, 2018, 5:41 am

Hello Gary - thanks for responding so promptly.

In reply to your Questions ....

Are you using the Free or the paid-for versions of Malwarebytes and BitDefender? Paid BitDefender and free Malwarebytes - although this may still be in the 21-day trial period for the full programme. Malwarebytes had reported it had cleaned out the offending file, but it came back on the next startup....

Have you previously used AVG as your anti-virus? Yes - had a subscription a while ago which ran out - Bitdefender required that this be uninstalled before it would load up.

Do you recognise any of the following files and/or folders, and/or know why they may be present on your computer? I'd spotted those, and Googling revealed that they may be comparison files connected with the ransomware software I installed a while ago (Cybereason RansomFree). The last file folder (BStALBCRP) I can confirm is mine.

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by Gary R » August 19th, 2018, 6:26 am

OK, that's pretty much what I thought.

If Malwarebytes is still in the "trial period" then it will have its real-time protection active, and this may interfere with the real-time protection offered by BitDefender, so if you're going to use BitDefender as your main protection program, then I would advise you to disable the RTP for Malwarebytes.

To do that ....

  • Open Malwarebytes.
  • Click on Settings > Protection
  • Uncheck all the Real Time Protection options.
  • Exit Malwarebytes

Next ....

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Next ....

Please Uninstall the following programs ....

  • FlvPlayer
  • Java 8 Update 40 (64-bit)
  • Java 8 Update 40

FLV has been flagged by FRST as a suspect version, and may therefore well have come with "fellow travellers".
Old, out-of-date versions of Java can be, and usually are, exploited.

Most people do not need to have Java installed on their computers. Java is not the same as JavaScript, which pretty much all websites use. JavaScript interpretation is already built into all mainline browsers.

If you do have a specific need for Java, then when we've finished cleaning your machine you need to install the latest version .... https://java.com/en/download/

Please reboot your computer once you have uninstalled these programs.

Next ...

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://search.conduit.com/Results.aspx?ctid=CT3324328&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPAE492A57-3D69-483E-A711-A1A614198A73&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={0DDCE928-A284-4C33-9227-568D206F0132}&mid=a734080af82847d0a6c93909b407b0ca-a003bb232cc8640b52a2a8d277a0dc13de7ba3e0&lang=en&ds=AVG&coid=avgtbavg&cmpid=0116avz&pr=fr&d=2016-01-26 13:34:18&v=4.2.4.155&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://search.conduit.com/Results.aspx?ctid=CT3324328&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPAE492A57-3D69-483E-A711-A1A614198A73&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={0DDCE928-A284-4C33-9227-568D206F0132}&mid=a734080af82847d0a6c93909b407b0ca-a003bb232cc8640b52a2a8d277a0dc13de7ba3e0&lang=en&ds=AVG&coid=avgtbavg&cmpid=0116avz&pr=fr&d=2016-01-26 13:34:18&v=4.2.4.155&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021844803 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021844803 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://search.conduit.com/Results.aspx?ctid=CT3324328&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPAE492A57-3D69-483E-A711-A1A614198A73&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021844803 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021844803 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={0DDCE928-A284-4C33-9227-568D206F0132}&mid=a734080af82847d0a6c93909b407b0ca-a003bb232cc8640b52a2a8d277a0dc13de7ba3e0&lang=en&ds=AVG&coid=avgtbavg&cmpid=0116avz&pr=fr&d=2016-01-26 13:34:18&v=4.2.4.155&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021848422 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021848422 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://search.conduit.com/Results.aspx?ctid=CT3324328&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPAE492A57-3D69-483E-A711-A1A614198A73&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021848422 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021848422 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={0DDCE928-A284-4C33-9227-568D206F0132}&mid=a734080af82847d0a6c93909b407b0ca-a003bb232cc8640b52a2a8d277a0dc13de7ba3e0&lang=en&ds=AVG&coid=avgtbavg&cmpid=0116avz&pr=fr&d=2016-01-26 13:34:18&v=4.2.4.155&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021846129 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021846129 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021849826 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021849826 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1Qzu0EzzyEtD0FtB0EtAyDzytAzy0AyEtCyCtN0D0Tzu0SyByDtBtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=732785863&ir=
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021846269 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1067577084-1865836317-3027311478-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021849935 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021844709 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021848344 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021846019 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021849748 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021846129 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021849826 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021846191 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1067577084-1865836317-3027311478-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-08182018021849873 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Extension: (AVG Do Not Track) - C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\e82nx50n.default-1428330935139\Extensions\{F53C93F1-07D5-430c-86D4-C9531B27DFAF} [2016-04-28] [Legacy]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\ComboFix
2018-07-23 22:51 - 2015-06-02 09:41 - 000000000 ____D C:\Users\Guest\AppData\Local\Avg
2018-07-23 22:51 - 2015-06-02 09:41 - 000000000 ____D C:\Users\Charlotte\AppData\Local\Avg
2018-07-23 22:51 - 2015-03-30 20:40 - 000000000 ____D C:\Users\Julie\AppData\Roaming\AVG
2018-07-23 22:51 - 2015-03-30 19:41 - 000000000 ____D C:\Users\Julie\AppData\Local\Avg
2018-07-23 22:51 - 2015-03-27 21:45 - 000000000 ____D C:\Users\Alex\AppData\Roaming\AVG
2018-07-23 22:51 - 2015-03-27 20:05 - 000000000 ____D C:\Users\Alex\AppData\Local\Avg
2018-07-23 22:51 - 2015-03-27 12:43 - 000000000 ____D C:\Users\Andy\AppData\Local\Avg
2018-07-23 22:51 - 2015-03-27 07:45 - 000000000 ____D C:\Users\Admin\AppData\Local\Avg
Task: {49230476-A3F3-482E-BA9E-FE03748B8DA1} - System32\Tasks\Digital Sites => C:\Users\Andy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {AEE38D03-1941-4B0D-BA4F-7F78B0C595DD} - \RealPlayer Cloud (32-bit)  -> No File <==== ATTENTION
EmptyTemp:
Hosts:
cmd: ipconfig /flushdns

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ...

Please download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan.
  • A logfile will automatically open after the scan has finished.
  • Close the adwCleaner window, click ok to the prompt.
  • Please post the contents of that logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[R1].txt.

AT THIS POINT, DO NOT ATTEMPT TO CLEAN ANYTHING THAT MAY BE FOUND

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by andy__b » August 19th, 2018, 7:08 pm

Ok Gary - sorry not to have replied earlier - lost internet access for a while this afternoon but have carried out all the tasks you specified.

Logfiles are attached

Over to you...

Andy

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by Gary R » August 20th, 2018, 1:05 am

OK, looks like we've still got things to do.

First ....

  • Double click AdwCleaner.exe to run it.
  • Click Scan and allow the scan to finish.
  • Now click Clean to remove the items found.
  • Click OK to the prompt.
  • The tool will run & your computer will be rebooted automatically. A logfile will open after the restart.
  • Post the contents of the logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[s1].txt.



Next .... looks like some of the things I scripted for removal were not removed, so we need to check whether they're still there. Please run a new scan for me with FRST, and post me the new FRST.txt and Addition.txt logs.



Next .... I'd like you to run a search for me using FRST ....

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste or Type the following line into the Search: box.

    Fun4IM;Bandoo;Searchnu;Searchqu;iLivid;whitesmoke;datamngr;kelkoopartners;trolltech;babylon;conduit;trovi;clientconnect

  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.
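As an added example (not part of this thread's instructions and not FRST's own code), a small Python script that does what the two previous replies ask for by hand: it reads an FRST fixlist of the kind posted above, reports which entries still appear in a fresh FRST scan, and groups newly created files by creation minute, the pattern behind the list of files queried earlier. It assumes only the line layouts quoted in the thread; the SID, the rescan lines and the shortened search URL are constructed for the example.

```python
"""Check an FRST fixlist against a fresh FRST scan log (added example, not FRST code).

Assumes only the two line layouts quoted in the thread: fixlist lines such as
'SearchScopes: HKLM -> ... URL = hxxp://...' and scan-log entries
'YYYY-MM-DD HH:MM - YYYY-MM-DD HH:MM - size attrs path'. Samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fixlist lines that are FRST commands; a scan log cannot confirm those.
COMMAND_LINES = {"EmptyTemp:", "Hosts:"}
COMMAND_PREFIXES = ("cmd:", "DeleteValue:", "DeleteKey:")
# 'created - modified - 9-digit size  5-char attributes  path'
SCAN_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{9}) ([_A-Z]{5}) (.+)$"
)

@dataclass
class ScanEntry:
    created: str
    modified: str
    size: int
    attrs: str
    path: str

def normalise(line: str) -> str:
    """Collapse whitespace so '-  No File' and '- No File' compare equal."""
    return re.sub(r"\s+", " ", line.strip())

def parse_scan_entry(line: str) -> Optional[ScanEntry]:
    m = SCAN_ENTRY.match(normalise(line))
    if not m:
        return None
    return ScanEntry(m.group(1), m.group(2), int(m.group(3)), m.group(4), m.group(5))

def classify_fixlist_line(line: str) -> str:
    s = normalise(line)
    if not s:
        return "blank"
    if s in COMMAND_LINES or s.startswith(COMMAND_PREFIXES):
        return "command"
    if s.startswith("[-"):
        return "regkey"  # registry key deletion in .reg syntax (second fixlist)
    if parse_scan_entry(s) or re.match(r"^[A-Za-z]:\\", s):
        return "file"    # dated scan entry or bare path
    return "entry"       # SearchScopes:, Toolbar:, Task:, service lines, ...

def remaining_items(fixlist: List[str], new_scan: List[str]) -> List[str]:
    """File entries match on path only (FRST prints fresh timestamps each scan);
    commands and .reg-style key deletions are skipped: fixlog.txt confirms those."""
    scan_lines = {normalise(l) for l in new_scan if l.strip()}
    scan_paths = {e.path for e in map(parse_scan_entry, scan_lines) if e}
    still: List[str] = []
    for line in fixlist:
        kind = classify_fixlist_line(line)
        if kind in ("blank", "command", "regkey"):
            continue
        n = normalise(line)
        if kind == "file":
            e = parse_scan_entry(n)
            path = e.path if e else n
            if path in scan_paths or n in scan_lines:
                still.append(path)
        elif n in scan_lines:
            still.append(n)
    return still

def creation_bursts(scan: List[str], min_files: int = 3) -> Dict[str, List[str]]:
    """Group dated entries by creation minute; a burst of oddly named new files
    under the user profiles (the list queried above) is a triage prompt, not a verdict."""
    groups: Dict[str, List[str]] = {}
    for e in map(parse_scan_entry, scan):
        if e:
            groups.setdefault(e.created, []).append(e.path)
    return {k: v for k, v in groups.items() if len(v) >= min_files}

# Constructed sample fixlist in the thread's layouts (SID shortened on purpose).
SAMPLE_FIXLIST = [
    "SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://start.mysearchdial.com/results.php?q={searchTerms}",
    r"Toolbar: HKU\S-1-5-21-EXAMPLE-1006 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File",
    r"S3 catchme; \??\C:\ComboFix\catchme.sys [X]",
    r"C:\ComboFix",
    r"2018-07-23 22:51 - 2015-06-02 09:41 - 000000000 ____D C:\Users\Guest\AppData\Local\Avg",
    "EmptyTemp:",
    "cmd: ipconfig /flushdns",
]
# Constructed rescan: the toolbar value and the AVG folder survived the fix.
SAMPLE_RESCAN = [
    r"Toolbar: HKU\S-1-5-21-EXAMPLE-1006 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File",
    r"2018-08-22 07:40 - 2015-06-02 09:41 - 000000000 ____D C:\Users\Guest\AppData\Local\Avg",
    r"2018-08-18 07:27 - 2018-08-18 07:27 - 000528708 ____N C:\Users\Ac8hj5\border duration stations.xlsx",
    r"2018-08-18 07:27 - 2018-08-18 07:27 - 000212077 ____N C:\Users\Ac8hj5\bet flower.mdb",
    r"2018-08-18 07:27 - 2018-08-18 07:27 - 000000000 ___HD C:\Users\Ac8hj5",
]
```

Calling `remaining_items(SAMPLE_FIXLIST, SAMPLE_RESCAN)` lists the toolbar value and the AVG folder as still present; `creation_bursts(SAMPLE_RESCAN)` returns the three files created at 2018-08-18 07:27.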

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by andy__b » August 20th, 2018, 3:20 am

Just a quickie, then I'll have to catch the bus - back this evening.

I get a notification that a new version of AdwCleaner (7.2.2) is available - should I use the newer version or the one you previously linked?

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by Gary R » August 20th, 2018, 3:44 am

Yes, if there's a newer version then please use that.

PS. We only ever close topics if they've gone 3 days without a reply, so don't worry if you can't always reply as quickly as you'd like to.

PPS. I will usually always reply to one of your posts within 24 hours, if I ever fail to do so, then it's because I haven't got an auto notification from the forum software, in which case please feel free to send me a reminder by Personal Message.

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by andy__b » August 21st, 2018, 4:48 am

Sorry Gary, only had time to run AdwCleaner.

Here's the log.

Will run FRST later.

# -------------------------------
# Malwarebytes AdwCleaner 7.2.2.0
# -------------------------------
# Build: 07-17-2018
# Database: 2018-08-20.1
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 08-21-2018
# Duration: 00:00:01
# OS: Windows 7 Professional
# Cleaned: 36
# Failed: 1


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\ProgramData\Auslogics
Deleted C:\Users\Andy\AppData\Roaming\DigitalSites
Deleted C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLVPlayer
Deleted C:\Users\Admin\Documents\TotalAV
Deleted C:\Users\Andy\AppData\Local\SwvUpdater

***** [ Files ] *****

Deleted C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TotalAV.lnk

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKU\S-1-5-18\Software\Auslogics
Deleted HKU\.DEFAULT\Software\Auslogics
Deleted HKLM\Software\Wow6432Node\Auslogics
Deleted HKCU\Software\dsiteproducts
Deleted HKLM\Software\DomaIQ
Deleted HKCU\Software\InstallCore
Deleted HKLM\Software\Wow6432Node\FlvPlayer
Deleted HKLM\Software\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Deleted HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mysearch.avg.com
Deleted HKLM\Software\Wow6432Node\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Deleted HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Deleted HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Deleted HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Deleted HKLM\SOFTWARE\Mozilla\NativeMessagingHosts\com.totalav.passwordvaultassistant
Deleted HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.totalav.passwordvaultassistant

***** [ Chromium (and derivatives) ] *****

Deleted Bing Search Engine
Deleted FromDocToPDF

***** [ Chromium URLs ] *****

Deleted Mysearchdial
Deleted AVG Secure Search
Deleted Ask Jeeves
Deleted Ask Jeeves
Deleted Ask Jeeves
Deleted Ask Jeeves
Deleted Ask Jeeves
Deleted Ask Jeeves
Deleted delta-homes
Deleted delta-homes

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

Not Deleted mysearch.avg.com


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [3770 octets] - [20/08/2018 00:01:17]
AdwCleaner[S01].txt - [3831 octets] - [21/08/2018 09:45:19]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by Gary R » August 21st, 2018, 5:36 am

No problem. Please post me the other logs as soon as you're able to.

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by andy__b » August 22nd, 2018, 2:54 am

Latest FRST files attached.

Search results below:

Farbar Recovery Scan Tool (x64) Version: 19.08.2018 02
Ran by Andy (22-08-2018 07:47:39)
Running from E:\Downloads
Boot Mode: Normal

================== Search Registry: "Fun4IM;Bandoo;Searchnu;Searchqu;iLivid;whitesmoke;datamngr;kelkoopartners;trolltech;babylon;conduit;trovi;clientconnect" ===========


===================== Search result for "Fun4IM" ==========


===================== Search result for "Bandoo" ==========


===================== Search result for "Searchnu" ==========


===================== Search result for "Searchqu" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"


===================== Search result for "iLivid" ==========


===================== Search result for "whitesmoke" ==========


===================== Search result for "datamngr" ==========


===================== Search result for "kelkoopartners" ==========


===================== Search result for "trolltech" ==========

[HKEY_USERS\S-1-5-21-1067577084-1865836317-3027311478-1003\Software\Trolltech]

[HKEY_USERS\S-1-5-21-1067577084-1865836317-3027311478-1003\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]

[HKEY_USERS\S-1-5-21-1067577084-1865836317-3027311478-1003\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]


===================== Search result for "babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"


===================== Search result for "conduit" ==========


===================== Search result for "trovi" ==========


===================== Search result for "clientconnect" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DD5142F-7E23-4c44-9DD7-98B9C7032535}]
""="INapEnforcementClientConnectionPrivate"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BD244906-70DD-4690-BEEA-648653393500}]
""="INapEnforcementClientConnection2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FB3A3505-DDB1-468A-B307-F328A57419D8}]
""="INapEnforcementClientConnection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DD5142F-7E23-4c44-9DD7-98B9C7032535}]
""="INapEnforcementClientConnectionPrivate"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD244906-70DD-4690-BEEA-648653393500}]
""="INapEnforcementClientConnection2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB3A3505-DDB1-468A-B307-F328A57419D8}]
""="INapEnforcementClientConnection"

====== End of Search ======

Re: Bitdefender keeps finding Kazy infected .tmp files

Post by Gary R » August 22nd, 2018, 7:01 am

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
[-HKEY_USERS\S-1-5-21-1067577084-1865836317-3027311478-1003\Software\Trolltech]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
DeleteValue: HKU\S-1-5-21-1067577084-1865836317-3027311478-1006\Software\Microsoft\Internet Explorer\Toolbar|{47833539-D0C5-4125-9FA8-0819E2EAAC93}
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers|{472083B0-C522-11CF-8763-00608CC02F24}
EmptyTemp:

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ....

Please uninstall the extensions listed below from Google Chrome ... https://support.google.com/chrome_webst ... 4769?hl=en

Mysearchdial-speeddial


... and any others that you do not recognise and/or did not intentionally install.

Next ....

Please run a scan with ESET Online Scanner (please note that this can sometimes take hours to complete)

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on Scan Now
  • You will need to download esetsmartinstaller_enu.exe when prompted, and then double click on it to install.
  • Select the option Accept to accept the terms and conditions, and when prompted by UAC, allow E-Set to make changes.
  • Select the following option.
    • Enable detection of potentially unwanted applications
  • Now click on Scan
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When complete the scan will begin.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Do not clean any of the found threats
    • Click on Save to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.
User avatar
Gary R
Administrator
Administrator
 
Posts: 23504
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
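The fixlist in the post above uses three FRST directive forms: a bracketed key with a leading minus (`[-HKEY...]`) deletes a registry key, `DeleteValue: Key|Name` deletes one value under a key, and `EmptyTemp:` clears the temp folders. The following is an added example, not FRST's own code and not part of the post: a dry-run parser that reads a fixlist, names each action it would take, and emits PowerShell `Test-Path` / `Get-ItemProperty` lines you can run on the affected machine to confirm each target exists before the fix and is gone afterwards. The fixlist text is copied from the post; the PowerShell it generates (using the `Registry::` provider with full hive names, which is how HKEY_USERS is reachable without a mapped drive) is this example's assumption about how to verify, not something the helper asked for.

```python
"""Dry-run parser for an FRST fixlist (added example, not FRST's parser).

Supports only the directive forms used in the fix above:
  [-Key]                 delete registry key
  DeleteValue: Key|Name  delete one value under Key
  EmptyTemp:             clear temp folders
Any other line is rejected so a typo cannot be silently skipped.
"""
import re
from dataclasses import dataclass

# Fixlist copied verbatim from the post above.
FIXLIST = r"""
[-HKEY_USERS\S-1-5-21-1067577084-1865836317-3027311478-1003\Software\Trolltech]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
DeleteValue: HKU\S-1-5-21-1067577084-1865836317-3027311478-1006\Software\Microsoft\Internet Explorer\Toolbar|{47833539-D0C5-4125-9FA8-0819E2EAAC93}
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers|{472083B0-C522-11CF-8763-00608CC02F24}
EmptyTemp:
"""

# FRST accepts short hive names; the PowerShell Registry:: provider wants long ones.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",
}


@dataclass
class Action:
    kind: str        # "delete_key", "delete_value" or "empty_temp"
    key: str = ""    # registry path with the long hive name
    name: str = ""   # value name, only for delete_value


def expand_hive(path: str) -> str:
    """Rewrite a leading HKLM/HKU/... to its full HKEY_* name."""
    hive, sep, rest = path.partition("\\")
    return HIVES.get(hive.upper(), hive) + sep + rest


def parse_fixlist(text: str) -> list[Action]:
    actions = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[-(.+)\]", line)
        if m:
            actions.append(Action("delete_key", expand_hive(m.group(1))))
            continue
        m = re.fullmatch(r"DeleteValue:\s*(.+?)\|(.+)", line)
        if m:
            actions.append(Action("delete_value",
                                  expand_hive(m.group(1).strip()),
                                  m.group(2).strip()))
            continue
        if line == "EmptyTemp:":
            actions.append(Action("empty_temp"))
            continue
        raise ValueError(f"line {lineno}: unsupported directive {line!r}")
    return actions


def ps_quote(s: str) -> str:
    """Single-quote a PowerShell literal (no interpolation, '' escapes ')."""
    return "'" + s.replace("'", "''") + "'"


def to_powershell(actions: list[Action]) -> list[str]:
    """One check per action; each prints True while the target still exists."""
    lines = []
    for a in actions:
        if a.kind == "delete_key":
            lines.append(f"Test-Path -LiteralPath {ps_quote('Registry::' + a.key)}")
        elif a.kind == "delete_value":
            lines.append(
                f"(Get-ItemProperty -LiteralPath {ps_quote('Registry::' + a.key)} "
                f"-Name {ps_quote(a.name)} -ErrorAction SilentlyContinue) -ne $null"
            )
        else:
            lines.append("# EmptyTemp: clears temp folders; no registry target to check")
    return lines


if __name__ == "__main__":
    for action in parse_fixlist(FIXLIST):
        print(action)
    print("\n".join(to_powershell(parse_fixlist(FIXLIST))))
```

Run the generated lines in an elevated PowerShell before the fix (expect True for every target that the FRST search actually reported) and again after the reboot (expect False); a True that survives the fix is the signal to go back to the helper rather than re-run the script. Note that HKEY_USERS\S-1-5-21-...-1006 is only loaded while that user profile is logged in, so the DeleteValue check for it returns nothing at all when run from another account.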

Re: Bitdefender keeps finding Kazy infected .tmp files

Unread postby andy__b » August 26th, 2018, 7:41 am

Hi Gary - apologies - have been away - will come back as soon as I can
andy__b
Active Member
 
Posts: 7
Joined: August 18th, 2018, 4:21 am

Re: Bitdefender keeps finding Kazy infected .tmp files

Unread postby Gary R » August 28th, 2018, 5:07 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Gary R
Administrator
Administrator
 
Posts: 23504
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire