Free Malware Removal Forum

[Jag141075]

Hi Team

when I boot up the laptop and double click on firefox/waterfox I get this warning pop up for account user asking if I want to run
Z1.exe. i always click no its located in my C:\Users\JOHN\AppData\Local\Temp directory.
I have deleted my temp files but it keeps popping back up. I have done a google search some say it a virus / malware.
I have runs a full systems scan with my AV and a scan on spybot nothing is flagged as an issue.
I have attached the first. txt and addition.txt
any advice is appreciated.

[pgmigg]

Hello Jag141075,

Welcome to the forum!

I am pgmigg and I'll be helping you with any malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.

1. The instructions being given are for YOUR computer and system only!
   Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
2. You must have Administrator rights, permissions for this computer.
3. DO NOT run any other fix or removal tools unless instructed to do so!
4. DO NOT install any other software (or hardware) during the cleaning process until we are done as well as
   DO NOT Remove, or Scan with anything on your system unless I ask. This adds more items to be researched.
   Extra Additions and Removals of files make the analysis more difficult.
5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
8. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!"
   Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
lf you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start


Failure to post replies within 72 hours will result in this thread being closed

[pgmigg]

Hello Jag141075,

Step 1.
Create a System Restore Point

1. Right-click on the Start button and select System.
2. In the left pane, click System protection. If UAC prompts, allow it. The separate window System Properties will be opened on System Protection tab.
3. Under Protection Settings select disk C:, then click on Configure... button below.
4. Click on Turn on system protection.
5. Under Disk Space Usage adjust Max Usage to 5%.
6. Click Apply, then OK buttons.
7. Click Create... button.
8. In the System Protection dialog box, type a description, then click Create.
   A Restore Point will be created and you should receive a message: "The restore point was created successfully."
9. Click Close and exit.

< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
Create a Backup With Tweaking.com Registry Backup (TCRB)
There is also a tutorial with pictures available HERE.

1. Please download TCRB from HERE[/color][/u][/b] and save it to your Desktop.
2. Double-click on tweaking.com_registry_backup_setup.exe and follow the prompts to install TCRB.
3. Launch TCRB.
4. Click the Backup Registry tab and make sure all the boxes are checked.
5. Click on Backup Now.
6. Once the backup is finished you can now exit the program.

< STOP > Do not proceed any further if you were not able to create a registry backup. Post back with what happened so we can determine why it was unsuccessful.

Step 3.
Show Hidden Files and Folders

1. Please click Start and then click File Explorer.
2. Click on the File tab and select Change folders and search options.
3. In the Folder Options window click on the View tab.
4. Check Show hidden files, folders and drives
5. Uncheck Hide extensions for known file types and Hide protected operating system files.
6. Click OK.

Step 4.
Upload Files to VirusTotal

1. Please go to VirusTotlal.
2. Click the Choose File button.
3. Navigate to one of the following files:
   

   C:\Windows\system32\ibtsiva.exe
   C:\Users\JOHN\AppData\Local\Temp\z1.exe

   
   Note: The first file ibtsiva may be without extension or with differnet one - if it so, please upload it anyway.
4. Click the Scan it! button.
5. You might see a message saying File already analysed, if you do click Reanalyse.
6. Wait for all the scans to finish then copy and paste the web address from your broswer's address bar.
   Example of web address :
   
7. Include the link in your next reply.
   Note: if you cannot find one or both of the files let do not worry. Finish the rest of the steps and let me know in your reply which file(s) you could not find.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....

Please include in your next reply:

1. Do you have any problems executing the instructions?
2. The resulting web links after online file scans by Virus Total.
3. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed

[Jag141075]

HI Pgmigg

I done the scan in reverse order as it took me a while to find the C:\Windows\system32\ibtsiva.exe
but i got there I just done a search for ibtsiva in the Windows\system32 folder.

computer is still working normally

thanks for your assistance


the below link is for the file ;C:\Users\JOHN\AppData\Local\Temp\z1.exe

https://www.virustotal.com/en/file/5616 ... 479375503/

and this link is for ; C:\Windows\system32\ibtsiva.exe
https://www.virustotal.com/en/file/ade3 ... 479375856/

[pgmigg]

Hello Jag141075,

I done the scan in reverse order as it took me a while to find

Good job! Don't worry about the sequence - it does not matter because checking of every file is independent process.

Before we continue please tell me, are you familiar with Private Internet Access Support Files?
Did you install it and subscribe to their service or you have no clue what it is and why it exists on your computer?
If it is you who installed it, how do you use it and for what purposes?

Thank you,
pgmigg

[Jag141075]

HI pgmigg

Yes, I do use PIA (Private Internet Access) there a vpn provider.

[pgmigg]

Hello Jag141075,

Yes, I do use PIA (Private Internet Access) there a vpn provider.

Thank you, let continue...

Step 1.
Uninstall Programs

1. Please press the Windows Key + R.
2. Enter appwiz.cpl into the text box and click OK.
3. Locate the following programs:
   Spybot - Search & Destroy
   Unlocker
   
4. Press the Uninstall or Uninstall/Change button and carefully follow any prompts to uninstall the program.
   
   • Take care to read through any prompts completely! Some uninstallers may attempt to trick you into keeping the program.
   • Do this for every program listed.
   • Don't worry if you can't find one of the programs. Just be sure to let me know about it in your reply.
5. Once finished, please reboot your computer.

Step 2.
FRST Fix

1. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
2. Please press the Windows Key + R.
3. Type notepad.exe into the text box and click OK.
4. A blank Notepad page should open.
   
   • Copy and Paste the following script into Notepad, but do not include the words Code: Select all.
   • (Click the Select all button next to Code: to select the entire script).

   Code: Select all

   CreateRestorePoint:
   
   HKLM\...\Run: [up] => wscript.exe //B "C:\Users\JOHN\AppData\Local\Temp\up.vbs" <===== ATTENTION
   HKLM-x32\...\Run: [up] => wscript.exe //B "C:\Users\JOHN\AppData\Local\Temp\up.vbs" <===== ATTENTION
   HKU\S-1-5-21-3634378098-2526221181-1815557863-1001\...\Run: [up] => wscript.exe //B "C:\Users\JOHN\AppData\Local\Temp\up.vbs" <===== ATTENTION
   HKU\S-1-5-21-3634378098-2526221181-1815557863-1001\...\Run: [x11] => wscript.exe //B "C:\Users\JOHN\AppData\Local\Temp\x11.vbs" <===== ATTENTION
   HKU\S-1-5-21-3634378098-2526221181-1815557863-1001\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
   ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
   Startup: C:\Users\JOHN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\up.vbs [2016-01-14] ()
   Startup: C:\Users\JOHN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x11.vbs [2016-11-14] ()
   BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll [2009-01-26] (Safer Networking Limited)
   HKU\S-1-5-21-3634378098-2526221181-1815557863-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.officialcerts.com
   CHR HKU\S-1-5-21-3634378098-2526221181-1815557863-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
   Task: {0B1B0048-6823-4826-8CE7-8DED040FA6E6} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
   Task: {17314671-B9A7-4A45-8307-126F5C013ACD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
   Task: {227ABF02-6587-4A09-8472-C1B4643EAB83} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
   Task: {6DF39014-EF99-4995-9C33-E406E70AE35D} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
   Task: {7FD70A5C-5653-4502-A6CC-9EDC689BCF4C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
   Task: {D47D7F47-79C9-4573-B9D9-9AC9D95FC6C1} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
   Task: {D47D7F47-79C9-4573-B9D9-9AC9D95FC6C1} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
   C:\Users\JOHN\AppData\Local\Temp\z1.exe
   
   Folder: C:\Users\JOHN\AppData\Local\Temp\ocr71DD.tmp
   Folder: C:\Users\JOHN\AppData\Local\Temp\ocrBC63.tmp
   
   Hosts:
   EmptyTemp:
   CMD: ipconfig /flushdns

5. Save it next to FRST64.exe as fixlist.txt.
   Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
6. Right click on FRST64.exe and select Run as administrator.
7. Press the Fix button one time only and wait.
8. When FRST finishes you will be prompted to reboot your computer. Click OK.
9. Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.

Step 3.
AdwCleaner - Scan Only

1. Please download AdwCleaner by Xplode save it to your Desktop.
2. Close all open programs and windows so that you are at your Desktop.
3. Right click on adwcleaner.exe and click Run as administrator...
4. Click on the Scan button.
5. When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep." Do not attempt to clean anything at this point.
6. Click on the Logfile button. This will open a file, AdwCleaner[S1].txt. Copy and paste the contents of that log file in your reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....

Please include in your next reply:

1. Do you have any problems executing the instructions?
2. Contents of the fixlog.txt log file
3. Contents of the AdwCleaner[Sn].txt log file
4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed

[Jag141075]

HI pgmigg

# AdwCleaner v6.030 - Logfile created 19/11/2016 at 15:16:14
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-18.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : JOHN - ASUS
# Running from : C:\Users\JOHN\Downloads\adwcleaner_6.030.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found: C:\Users\JOHN\AppData\Roaming\Tencent
Folder Found: C:\Users\JOHN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
Folder Found: C:\Program Files\Common Files\Tencent
Folder Found: C:\Users\JOHN\AppData\Local\VirtualStore\Program Files (x86)\Tencent
Folder Found: C:\ProgramData\TXQMPC
Folder Found: C:\ProgramData\Tencent
Folder Found: C:\ProgramData\Application Data\TXQMPC
Folder Found: C:\ProgramData\Application Data\Tencent
Folder Found: C:\Program Files (x86)\Tencent
Folder Found: C:\Program Files (x86)\Common Files\Tencent


***** [ Files ] *****

File Found: C:\Users\JOHN\AppData\Roaming\com3.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
File Found: C:\WINDOWS\SysNative\drivers\TFsFltX64.sys
File Found: C:\WINDOWS\SysNative\drivers\TAOKernelEx64.sys


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

Task Found: com3.{20D04FE0-3AEA-1069-A2D8-08002B30309D}


***** [ Registry ] *****

Key Found: HKCU\Software\df871ce775f0f9b5170e54a857ef9351
Key Found: HKLM\SOFTWARE\Classes\metnsd
Key Found: HKLM\SOFTWARE\Classes\qmgcfiles
Key Found: [x64] HKLM\SOFTWARE\Classes\metnsd
Key Found: [x64] HKLM\SOFTWARE\Classes\qmgcfiles
Key Found: HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
Key Found: HKLM\SOFTWARE\Classes\AppID\{7A30415C-ABEE-4674-B64B-4CA145EEB0CA}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
Key Found: HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}
Value Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved [{63332668-8CE1-445D-A5EE-25929176714E}]
Value Found: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Application Restart #1]
Value Found: [x64] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Application Restart #1]
Key Found: HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
Key Found: HKLM\SOFTWARE\Classes\AppID\QMContextScan.DLL
Value Found: HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION [AndroidServer.exe]
Key Found: HKEY_CLASSES_ROOT\.qmgc


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [2985 Bytes] - [19/11/2016 15:16:14]

[Jag141075]

HI pgmigg
please see the attachments. looks like that fixed it I didn't get the pop up when I rebooted for the z1.exe file

[pgmigg]

Hello Jag141075,

looks like that fixed it I didn't get the pop up when I rebooted for the z1.exe file

I glad to read it but we are not finished yet!

Please be more careful and follow my instructions exactly. For example, if I ask you to download file and save it on your Desktop but it saved automatically to your Downloads directory, you need to copy/move that file from Downloads to Desktop.

Let's continue our treatment...

Step 1.
AdwCleaner - Scan and Clean

1. You should still have adwcleaner_6.030.exe in your Downloads folder. If not please download it from HERE.
2. Please copy/move that file from Downloads to Desktop.
3. Close all open programs and windows.
4. Right click on adwcleaner_6.030.exe and click Run as administrator.
5. Click on the Scan button.
6. When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
7. Click on Cleaning.
8. Once finished AdwCleaner will prompt you to reboot. Please allow it to do so.
9. On reboot a log will open AdwCleaner[C1].txt. Copy and paste the contents of that log file in your reply.

Step 2.
Fresh FRST64 Scan
You should still have FRST64.exe on your Desktop.

1. Right-click FRST64.exe and select "Run as administrator..." to run it.
2. When the tool opens click Yes to the disclaimer if it is occurred.
3. Please be sure that 90 Days Files check box under Optional Scan section is unchecked.
4. Please be sure that Addition.txt check box under Optional Scan section is checked.
5. Press Scan button. When finished a log will be created, FRST.txt.
6. Please post the content of the FRST.txt in your next reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....

Please don't post your logs as attached files unless I ask for it!

Please include in your next reply:

1. Do you have any problems executing the instructions?
2. Contents of the AdwCleaner[C1].txt log file after fresh FRST scan
3. Contents of the FRST.txt log file after fresh FRST scan
4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed

[pgmigg]

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.