Cannot Remove This Virus "safe Browser" - Mglogs.txt Enclosed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lensman19067, Nov 25, 2015.

  1. lensman19067

    lensman19067 Private E-2

    Hi all,

    On October 29, my machine (a Sager laptop, 8GB RAM, 700 GB HD, i7-3470QM, Nvidia GTX 670MX graphics) became infected with a really resistant-to-detection piece of malware. The symptoms are:

    -upon login, the screen goes black, and only the cursor shows.
    ----workaround; ctrl-alt-delete, select "switch user"
    -any open browser tries to reach www.browserwarning.net/lots-of-random-garbage
    ----the domain does not appear in the open web. A sample URL: http://www.browserwarning.net/EC781AC7-26B4-4C9D-995D-E72236CE12B7/virus-alert/
    -This page opens every 4 minutes
    -There are 3-5 dozen reg.exe, conhost.exe, and cmd.exe.
    -It erases the noscript database upon reboot
    -It puts up a red box on the screen saying the machine is infected with malware, with a list. It also says the same information out loud, as if speech-to-text was turned on.

    This malware appears to be annoying, probably because it can't phone home. It is not detected by:
    ----- Malware antibytes home premium 2.2.0.1024
    ----- Avast Pro Antivirus 2015 (all scans on, no rule for browserwarning.net)
    ----- Eset online malware scanner
    -----Windows Firewall (no rule for browserwarning.net, though)

    Again, this malware is NOT detected by any of these programs.

    Other items of interest:
    -runs a file "startup.bat" which goes into the registry and starts up the reg.exe, conhost.exe and cmd.exe. It is not found by any search of the boot disk, suggesting ACL manipulation.
    -cannot kill those processes,
    -nor delete the C:\Program Files\Safe Browsing directory or any contents, including directories.
    -Process Explorer says it cannot access the path of those programs, the Properties sheet is empty.
    -It appears the malware is manipulating the ACLs of the programs and directories.

    I am used to working on low-level OS things in Unix (since 1984) so I have also investigated more through Cygwin tools (Unix for Windows, cygwin.com, NOT recommended for beginners). Every file that cannot be deleted has additional information attached. I haven't investigated what the extra info is - it could be the Microsoft Additional Data Stream (ADS) package, or access control lists, or bad stuff. I'll try cracking those open if directed. I had a program that read ADS but I haven't been able to locate it.

    Any suggestion as to how to get rid of this malware would be appreciated.

    dan davison
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the other logs that were requested from RogueKiller, Hitman Pro, and Malwarebytes

    Also run the below to get started with a fix.

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Safe Browsing version 1.0


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://browserwarning.net/EC781AC7-26B4-4C9D-995D-E72236CE12B7/virus-alert/
    O2 - BHO: (no name) - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - (no file)
    O4 - HKUS\S-1-5-18\..\Run: [Safe Browsere] C:\\Program Files (x86)\\Safe Browsing\\Safe_Browsing.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Safe Browsere] C:\\Program Files (x86)\\Safe Browsing\\Safe_Browsing.exe (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\WINDOWS\system32\tasks\Safe Browsing
    C:\Program Files (x86)\Safe Browsing
    C:\Program Files\OutfoxTV
    C:\Program Files (x86)\AskPartnerNetwork
    C:\WINDOWS\TEMP\*.*
    C:\Users\dan\AppData\Local\Temp\*.*
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
    "OutfoxTV"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\AutorunsDisabled]
    "ApnTBMon"=-
    
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run\AutorunsDisabled]
    "ApnTBMon"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Safe Browsere"=-
    
    [HKEY_USERS\S-1-5-21-3556913529-3786459313-2699375271-1000\Software\Microsoft\Windows\CurrentVersion\run\AutorunsDisabled]
    "OutfoxTV"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. lensman19067

    lensman19067 Private E-2

    Hi,

    Goodness, I apologize for not including all the logs. I mistakenly thought MGlogs.txt included all. Four are attached, then one in the next message (there's a limit of 4 attachments, apparently).

    More next...

    dan davison
     

    Attached Files:

  4. lensman19067

    lensman19067 Private E-2

    Hi,

    Logfiles continued, then I've got to get to bed. Attached is JRT, and MGlogs. I have not done a final reboot, but so far nothing has changed. Logins still need a workaround, data is changed in Firefox, something is still trying to phone home, there are dozens of reg.exe, conhost.exe, and cmd.exe processes, and it's still a black screen upon completion of login. I'll let you know in the AM about the last reboot. Oh, NoScript is still erased, and the on-screen warning still pops up.

    Thanks very much for your help, and Happy Thanksgiving!

    dan davison
     

    Attached Files:

  5. lensman19067

    lensman19067 Private E-2

    Hi,

    Thanks again very much for your help. After the reboot, everything reappeared. Mozilla options wiped, Safe_Browsing.exe is running, the splash warning is still popping up. The only change is there are not dozens of copies of reg.exe, conhost.exe, and cmd.exe running (yet). I assume they will eventually.

    Malware Antibytes Professional (or whatever the name is) found five copies of something called Rogue.VirusMelt in five locations, but I don't remember them. (I broke my humerus & tore several muscles in my left arm a few months ago and I'm still on painkillers). I will see if there's a log file.

    Is there any way to proceed other than reformatting the disk?

    Thanks again, and happy Thanksgiving!

    dan davison
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's try a few additional steps now that I have your other logs.

    First please follow the instructions in the below to reset Firefox back to defaults since your infection is hooked into Firefox:

    Reset Firefox to Defaults

    Now run RogueKiller again and perform a scan, look for any of the below items to remain in the Registry tab and if found, select them and delete them. Only select the items shown and nothing else.

    ¤¤¤ Registry : 10 ¤¤¤
    [PUP] (X64) HKEY_USERS\S-1-5-21-3556913529-3786459313-2699375271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} : -> Found
    [PUP] (X86) HKEY_USERS\S-1-5-21-3556913529-3786459313-2699375271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} : -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3556913529-3786459313-2699375271-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
    http://browserwarning.net/EC781AC7-26B4-4C9D-995D-E72236CE12B7/virus-alert/ -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3556913529-3786459313-2699375271-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
    http://browserwarning.net/EC781AC7-26B4-4C9D-995D-E72236CE12B7/virus-alert/ -> Found

    Now run Hitman Pro again and this time enable the free 30 day Trial license and then have it cleanup all the Potential Unwanted Programs it finds. Afterwards immediately reboot your PC.

    After reboot continue with the below instructions.

    Run C:\MGtools\analyse.exe Don't double click, use right click and select Run As Administrator. This is really HijackThis (select Do a system scan only) and select any of the following lines ( if they still exist ) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://browserwarning.net/EC781AC7-26B4-4C9D-995D-E72236CE12B7/virus-alert/
    O4 - HKCU\..\Run: [Safe Browsere] C:\\Program Files (x86)\\Safe Browsing\\Safe_Browsing.exe

    After clicking Fix, exit HJT. If the lines were not found, just exit HijackThis.


    Please download the latest version of FRST from the below link.

    Farbar Recovery Scan Tool and save it to your Desktop.

    Note: Make sure you download the proper version (32 bit or 64 bit) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

    Also please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [IMG] text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the [IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
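    As an added example (not part of this thread and not HijackThis code), below is a small Python triage script for the HJT line formats chaslang quotes in his two fix posts above: R0 (IE start page), O2 (BHO), O4 (Run keys) and O6 (IE policy). It parses those lines and flags what an analyst would look at first: the start page pointing at browserwarning.net, the orphaned BHO, the "Safe Browsere" autoruns living in the SYSTEM and .DEFAULT hives (which fire before any user desktop exists, matching the black-screen-at-login symptom), and the IE restriction policy. The OneDrive O4 line in the sample is a constructed benign control, and the regexes are my own approximation of HJT's output format derived from the lines on this page.

```python
"""Triage helper for the HijackThis (HJT) lines quoted in this thread.

Added example: not part of the original thread and not HijackThis code.
It parses the R0 / O2 / O4 / O6 line formats shown above and reports the
entries an analyst would look at first.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: the HJT lines quoted in the thread plus one benign O4
# line (the OneDrive entry is made up) so that a clean entry is present.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://browserwarning.net/EC781AC7-26B4-4C9D-995D-E72236CE12B7/virus-alert/
O2 - BHO: (no name) - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [Safe Browsere] C:\\Program Files (x86)\\Safe Browsing\\Safe_Browsing.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Safe Browsere] C:\\Program Files (x86)\\Safe Browsing\\Safe_Browsing.exe (User 'Default user')
O4 - HKCU\..\Run: [OneDrive] C:\Users\dan\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Indicators taken from the thread: the hijack domain and the install folder.
BAD_DOMAINS = {"browserwarning.net"}
BAD_PATH_FRAGMENTS = {"\\safe browsing\\"}

# HKU hives used by the SYSTEM account and the logon screen rather than by an
# interactive user; a Run value there starts before any user desktop exists.
SYSTEM_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}

# Regexes approximating HJT's line formats (assumption: derived from the
# lines on this page, not from the tool's source).
LINE_RES = {
    "R0": re.compile(r"^R0 - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                     r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"),
    "O6": re.compile(r"^O6 - (?P<key>.+?) present$"),
}


@dataclass
class Entry:
    kind: str          # R0, O2, O4 or O6
    raw: str
    fields: dict


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Parse the supported HJT line types; unsupported lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        rx = LINE_RES.get(line[:2])
        m = rx.match(line) if rx else None
        if not m:
            continue
        fields = m.groupdict()
        if fields.get("cmd"):
            # HJT prints some paths with doubled backslashes; normalise them.
            fields["cmd"] = fields["cmd"].replace("\\\\", "\\")
        entries.append(Entry(line[:2], line, fields))
    return entries


def host_is_bad(url):
    """True when the URL's host is, or is under, a known hijack domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def triage(text):
    """Return one Finding per entry that trips at least one rule."""
    findings = []
    for e in parse_hjt(text):
        f, reasons = e.fields, []
        if e.kind == "R0" and host_is_bad(f["data"]):
            reasons.append("IE start page points at a known hijack domain")
        if e.kind == "O2" and f["file"] == "(no file)":
            reasons.append("orphaned BHO registration: CLSID with no file on disk")
        if e.kind == "O4":
            if f["hive"] in SYSTEM_HIVES:
                reasons.append("autorun in a SYSTEM/logon-screen hive, runs before the user desktop")
            if any(frag in f["cmd"].lower() for frag in BAD_PATH_FRAGMENTS):
                reasons.append("autorun launches from a known unwanted folder")
        if e.kind == "O6":
            reasons.append("IE restriction policy present: settings locked against the user")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_HJT):
        print(fnd.entry.raw)
        for r in fnd.reasons:
            print("    ->", r)
```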
     
  7. lensman19067

    lensman19067 Private E-2

    Hi,

    Right after running RogueKiller (the two entries were there & deleted) I right-clicked on HitMan Pro, and the machine more or less froze. Can't open any program that wasn't already on the screen (e.g. process explorer, task manager). All I get is the cursor and the hourglass. Doing control-alt-delete and clicking on Task Manager results in nothing happening, it just takes me back to the desktop.

    The warning splash screen and the warning web page came back immediately after I reset Firefox. I'm pretty sure it comes up in Chrome, too.

    I'm going to do a cold restart on the computer to try to get it back.

    Thanks,
    dan davison
     
  8. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    Here are the logfiles requested. All programs were 'Run as Administrator'. I did see "Safe Browsing" (or variant spellings) on a quick look in the OTL.TXT logfile.

    The warning splash screen and the web page trying to reach browserwarning.net still continue. I did notice that the default web page in Firefox had been changed to the URL for browserwarning.net.

    HitMan Pro did find the two entries you included, and I did delete them. It won't re-open, but there is a HMPScheduler process running from its install location.

    Thanks again for the continuing help!

    dan davison
     

    Attached Files:

    Last edited by a moderator: Nov 30, 2015
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume you meant to say HijackThis because that is what I showed had two entries to remove.

    You did not enable the free 30 day trial for Hitman and then remove what I requested!! You need to do this now and then reboot as stated. After reboot, run a new scan with Hitman and attach the new log.

    Also you did not attach the requested FRST.txt log. You attached the program file for FRST64.exe. Please follow instructions slowly and accurately so we can get things fixed up.
     
    Last edited: Nov 27, 2015
  10. lensman19067

    lensman19067 Private E-2

    Argggh,

    I did try to attach FRST.txt and Addition.txt. They are attached below.

    Yes, I meant RogueKiller.

    I apologize for the confusion. I had a stroke a few years ago and it affected my speech and my ability to organize (even with checklists).

    Programs running now.

    dan
     

    Attached Files:

  11. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    I ran Hitman Pro again with it activated. The log file is attached. I then ran FRST and the log file is attached. Rebooted as instructed in the previous directions (the program actually rebooted the machine by itself, I didn't have to reboot).

    I believe we're up to the "run HiJack Pro."

    thanks,
    dan davison
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I understand about the stroke. Sorry! We will try to go a little slower with fewer steps and see if it helps.
    Ah yes but I see it is activated now, but it does not look like you chose to fix all the Potential Unwanted Programs that it reports. At least not based on the log you attached. Please run it again and select these Potential Unwanted Programs and have them deleted/quarantined. Do not have it remove FRST64.exe which we have knowingly put on your Desktop as we need it for the below instructions.

    Download this attached fixlist.txt file found at the bottom of this message and save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Please attach the above two logs first before you continue with the below.

    I will stop here and wait for this info before taking any other steps.
     

    Attached Files:

  13. lensman19067

    lensman19067 Private E-2

    Hi,

    There were PUPs deleted, but I don't know when. There are a series of screenshots (pup1.jpg....pup5.jpg) made from HitmanPro's History. Sorry they're so awful, I don't know how to screenshot on a PC. I have also attached MGlogs.zip and the results from HitMan Pro, which I named Hitman Pro No PUPs_dateandtime.log.

    I could not find a fixlog.txt, but maybe that's because the only thing to "Fix" was FRST64.exe. I will probably have to put some of the attachments in the next message as this bboard has a limit of 5 attachments.

    More in the next msg....


    dan

    pup1.png pup2.png pup3.png
     

    Attached Files:

  14. lensman19067

    lensman19067 Private E-2

    Here are the remaining PUP screenshots....

    dan davison
     

    Attached Files:

  15. lensman19067

    lensman19067 Private E-2

    Apparently there is something called "snipping tool" in Win10. I'll give that a try to get higher resolution screenshots of the PUPs removed in a previous step.

    dan
     
  16. lensman19067

    lensman19067 Private E-2

    Here is the "list" of potentially unwanted programs, cut off with Snipping Tools, apparently part of win10. There are six, so five will be in this post and one in the next.
    PUPA1.png PUPA2.png PUPA3.png PUPA4.png PUPA5.png
     
  17. lensman19067

    lensman19067 Private E-2

    And the last part of the list.

    dan davison
    PUPA6.png
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to run the Fix with FRST to get the fixlog.txt file. This has nothing to do with what Hitman Pro is showing/fixing. I don't need any more snapshots from Hitman Pro windows. Your last Hitman Pro log does not show any remaining problems.
     
  19. lensman19067

    lensman19067 Private E-2

    Here's what malware bytes standard once-a-day scan finds every morning: I'll get to your instructions right now. ---thanks, dan

    Malware-Capture.PNG
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not run what is not being requested!!!! Also do not post snapshots. I just need the text logs we request.

    I need you to complete previous instructions. You still have not run the FRST fix I posted yesterday.
     
  21. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    Here is the logfile. One thing I noted is that it says (near the bottom, among other places) that C:\Program Files (x86)\Safe Browsing was removed, but it's still there. The timestamp is the time of the reboot after running FRST with the "fix" button.

    The whatever-this-is is still trying to phone home (www.browserwarning.net) and the splash screen is still appearing. I was able to go into the Safe Browsing directory and delete the .wav file so that annoyance is gone. If it would just stop erasing all browser configuration (Opera, Chrome, Firefox) I could probably use the machine.

    So, many thanks to you. Lots of cruft has been cleaned off the machine. The Safe Browsing stuff keeps reappearing - there must be a dropper somewhere. I will of course make a contribution if I can figure out where to do so.
    Thanks again, and as you have the time please let me know how to proceed.

    dan davison
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Okay let's continue now with the next steps.

    First do the below to clear Internet Explorer, Chrome and Firefox settings to get rid of addons and other junk:

    Reset Internet Explorer 9, 10, and 11 to Defaults

    Reset Chrome to Defaults

    Reset Firefox to Defaults


    Now please run new scans with FRST and then RogueKiller and attach those new logs so I can see what else may be showing up.

    There is a possibility that Avast may be getting in the way of our cleanup and we may have to uninstall it to fix this.
     
  23. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    Dare I say it? It appears we're getting somewhere. There have been no popups or new pages in every browser (IE, Opera, Chrome, FireFox) for hours. I have NOT yet tried a reboot. Something called Microsoft Edge, which may be their new browser, I also completely reset.

    All resetting and running of programs was done with Avast disabled. This resulted in a message I've never seen before from Malware, attached below. Sorry that it's a .png. It sounds ominous.


    We'll see after a reboot. Oh, the disk has three partitions, 100 MB, 627 GB, and 50(?) GB "Recovery Partition". This machine was running Win7 until it suddenly upgraded itself to win10 in mid-September when I left the machine on overnight.

    I will now reboot (21:04 US Eastern Standard Time, GMT-5, I think) and report back.
    Important:
    I made one "system" change: in the hosts file I added a line "127.0.0.1 browserwarning.net www.browserwarning.net". In 1987, I was working at a three-letter agency when the Internet worm attacked. I was the sysadmin for four Sun 3 servers and 20 sun clients. The worm kept popping up so I finally had the machines talk only to "themselves" (their loopback interfaces) and this allowed me to find out which machine was reinfecting the others (sort of, it's more complicated than that). If my computer tries to reach browserwarning.net, it will get a "no answer". This would only be effective for that name, though. (I mostly wrote code for Crays and drivers for Sun Microsystems and various DEC VAX/LSI/PDP-10/etc machines.)

    The logfiles from FRST64 and RogueKiller are attached.

    Again, thank you very much.

    dan davison




    mbam-warning.png
     

    Attached Files:

  24. lensman19067

    lensman19067 Private E-2

    Hi,

    It appears to have almost worked. Upon login, it takes about the usual time, but with a black screen. The previous fix, "ctrl-alt-del" followed by "switch user", did not work. It returned (after login) to the black screen. No right-clicking or left-clicking brings up a menu. Logging in with "shut down" once or twice results in a successful login.

    Do you know if there is any way to avoid the BLSoD (black screen of darth?).

    Thanks very much,
    dan
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This would be a topic for our Software Forum where you can address issues with Windows.

    The only item I see remaining for us to do is the below folder is still present. See if you can delete it now.

    C:\Program Files (x86)\Safe Browsing
     
  26. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    After rebooting, the Safe Browsing directory and contents finally did NOT reappear. It would appear that we (well, really, *you*) have successfully killed off the virus. As you noted above, I'll ask in the software forum about the weird login issue.

    So, thank you 10e+6 for your expertise, help, and especially patience.

    dan davison
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Now let's move on to final instructions.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  28. lensman19067

    lensman19067 Private E-2

    Hi chaslang,


    It'ssss bbbbaaaacccckkkk...I think (apologies if you've never seen Poltergeist)
    I was looking at the avast service process, and look what I found.

    ... well, the system won't let me upload .jpgs. Under the "Performance" tab, tasks trying to reach the internet (Dropbox, THXAudio, a few others) all had attempts to contact browserwarning.net. Some were blocked by my "127.0.0.1" trick (destination listed as (aragorn:0)) while others had an origin of browserwarning.net:xxx (or xxxx, or xxxxx). That is, three to five digits on the port. (Darn it, when restricted ports were being discussed on the arpanet, I voted for 1-1024 to be reserved. The extras (port numbers over 127) were not reserved for another 15 years. Grrrrrr.)

    There is no Safe Browser running, but there *IS* a Safe Browser directory in C:\Program Files (x86)\Safe Browsing. It does NOT have the voiceover for the red warning splash. The date is one of the reboots late last night; that's the timestamp on the *directory*. The timestamps on the contents range from 2013-2015.

    What do we need to do next? Call in a network wizard (software)?

    I can write a tiny Unix shell program which will look for the string in every accessible program on the machine. Every file, all 600K+, and filter the output. I could also use several of the SysInternals programs to do the same thing, possibly easier to filter.

    Thanks again for your help,
    dan
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had you completed final instructions or not? I need to know this before I continue on to my next instructions. But do run the below anyway.


    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8/10 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • A copy of each logfile is saved in the C:\AdwCleaner folder which was created when running the tool.
     
    Last edited: Dec 2, 2015
  30. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    Yes, I had completed all steps.

    Ran adwCleaner, it did not include the Safe Browsing directory but I did not uncheck anything. Logfiles are pasted in-line because the bboard system won't let me attach any files of any type.

    There's nothing on the list I want to keep, but I don't understand how the Safe Browsing directory is back and non-deletable.


    Thank you,
    dan davison


    The log file:
    # AdwCleaner v5.023 - Logfile created 02/12/2015 at 13:00:08
    # Updated 30/11/2015 by Xplode
    # Database : 2015-11-30.1 [Server]
    # Operating system : Windows 10 Home (x64)
    # Username : dan - ARAGORN
    # Running from : C:\Users\dan\Desktop\adwcleaner_5.023.exe
    # Option : Scan
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****

    Folder Found : C:\ProgramData\SecTaskMan
    Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\myfree codec
    Folder Found : C:\Users\dan\AppData\Roaming\RHEng
    Folder Found : C:\Users\dan\AppData\Roaming\Mozilla\Firefox\Profiles\h0ldn8x5.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

    ***** [ Files ] *****

    File Found : C:\Users\dan\daemonprocess.txt

    ***** [ DLL ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{5C3B5DAA-0AFF-4808-90FB-0F2F2D760E36}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{7697BC38-D0FA-454B-AC75-968B4CCABFCE}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{7697BC38-D0FA-454B-AC75-968B4CCABFCE}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
    Key Found : HKCU\Software\Myfree Codec
    Key Found : HKCU\Software\Appscion
    Key Found : HKLM\SOFTWARE\Myfree Codec
    Key Found : HKLM\SOFTWARE\Uniblue
    Key Found : HKLM\SOFTWARE\Uniblue\DriverScanner
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec
    Key Found : HKU\.DEFAULT\Software\IBUpdaterService
    Key Found : HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\IBUpdaterService
    Key Found : HKU\S-1-5-21-3556913529-3786459313-2699375271-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Myfree Codec
    Key Found : HKU\S-1-5-21-3556913529-3786459313-2699375271-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Appscion
    Key Found : HKU\S-1-5-21-3556913529-3786459313-2699375271-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec

    ***** [ Web browsers ] *****

    [C:\Users\dan\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
    [C:\Users\dan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : nbljechdpodpbchbmjcoamidppmpnmlc

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [4736 bytes] ##########
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay run AdwCleaner again and this time allow it to remove all those items. And then reboot.
    After reboot, reset all your browsers back to default again like you did a couple days ago.

    Then run the below.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
    Last edited: Dec 3, 2015
  32. lensman19067

    lensman19067 Private E-2

    Hi chaslang, Sorry for the delay, medical problems. Here are the two files. Thanks,

    dan
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only issue that I see is the below folder still exists since 11/29/2015

    [2015/11/29 14:10:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Safe Browsing

    but on 12/1/2015 you stated you had been able to delete it. Can you delete this folder? Is it empty?

    Also you said you completed final instructions yet I still see things like MGtools, Hitman...etc.

    What are the below?

    [2015/12/01 21:18:43 | 000,171,250 | ---- | C] () -- C:\Users\dan\Desktop\dropbox-virus.jpg
    [2015/12/01 21:10:42 | 000,036,551 | ---- | C] () -- C:\Users\dan\Desktop\thxaudio-virus.jpg
    [2015/12/01 21:01:52 | 000,058,294 | ---- | C] () -- C:\Users\dan\Desktop\carbonite-virus.jpg
    [2015/12/01 20:27:21 | 000,083,361 | ---- | C] () -- C:\Users\dan\Desktop\browserwarning-back.png
     
  34. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    I don't know how to do quotes and such so my answers will be in italic bold. Any cut-and pasted text of mine will be in italics. (I can't get this bboard editor to indent or color, sorry). Your text is in the regular font.

    The only issue that I see is the below folder still exists since 11/29/2015

    [2015/11/29 14:10:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Safe Browsing

    but on 12/1/2015 you stated you had been able to delete it. Can you delete this folder? Is it empty?


    After a restart (from power off) it appeared again and I cannot now delete it. I was able to delete it before, after we had run the full gamut of programs. The directory is not empty. The only file that did not come back is the .wav file saying that "System has detected a number of viruses and malware" and put up a red splash screen.

    Also you said you completed final instructions yet I still see things like MGtools, Hitman...etc.

    I left those on the desktop in case I had to reuse them.

    Should I now delete them and their logfiles which are on the desktop and in the "New Folder (2)", also on the desktop?


    You noted:
    What are the below?

    [2015/12/01 21:18:43 | 000,171,250 | ---- | C] () -- C:\Users\dan\Desktop\dropbox-virus.jpg
    [2015/12/01 21:10:42 | 000,036,551 | ---- | C] () -- C:\Users\dan\Desktop\thxaudio-virus.jpg
    [2015/12/01 21:01:52 | 000,058,294 | ---- | C] () -- C:\Users\dan\Desktop\carbonite-virus.jpg
    [2015/12/01 20:27:21 | 000,083,361 | ---- | C] () -- C:\Users\dan\Desktop\browserwarning-back.png


    These are my attempts at getting pictures of the return virus, running under the TCP/IP tab of the properties sheet of each of those programs, including the return of the browserwarning coming back after a restart (note it's 1 December 20:27, the others are 30+ minutes later). I can randomly select processes that talk to the network, look at Properties>TCP/IP and find "browserwarning.net:xxxx" on their page. Perhaps I can insert a small one:
    carbonite-virus.jpg


    The other property sheets under TCP/IP are longer. It appears Windows only consults its local host table on booting, and thereafter consults the root name servers. Both nslookup and dig say there is no such domain (browserwarning.net). I haven't tried to be exhaustive about it, but pretty much every process that connects to the world has an entry like the above.

    Your next question:
    Regarding deleting the Safe Browsing directory and its contents, I believe the authors are changing the ACLs or something similar. Here's an example of a delete using the Administrator Command Prompt. It won't indent so I made the text italic. It also (on cut-and-paste) lost the tabs between file names. I'll put spaces in instead.



    Microsoft Windows [Version 10.0.10240]
    (c) 2015 Microsoft Corporation. All rights reserved.


    C:\WINDOWS\system32>cd C:\Program Files (x86)\

    C:\Program Files (x86)>dir /d "Safe Browsing"
    Volume in drive C has no label.
    Volume Serial Number is A4F4-54A8

    Directory of C:\Program Files (x86)\Safe Browsing

    [.] Safe_Browsing.exe Safe_Browsing.vshost.exe.manifest
    [..] Safe_Browsing.exe.config unins000.dat
    Interop.SHDocVw.dll Safe_Browsing.pdb unins000.exe
    Microsoft.Win32.TaskScheduler.dll Safe_Browsing.vshost.exe
    NDde.dll Safe_Browsing.vshost.exe.config
    11 File(s) 1,313,540 bytes
    2 Dir(s) 430,055,260,160 bytes free

    There's no particular meaning to the spacing. This browser window doesn't allow tabs. The files say they are deleted:

    C:\Program Files (x86)\Safe Browsing>del *.* /p
    C:\Program Files (x86)\Safe Browsing\Interop.SHDocVw.dll, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\Microsoft.Win32.TaskScheduler.dll, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\NDde.dll, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\Safe_Browsing.exe, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\Safe_Browsing.exe.config, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\Safe_Browsing.pdb, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\Safe_Browsing.vshost.exe, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\Safe_Browsing.vshost.exe.config, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\Safe_Browsing.vshost.exe.manifest, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\unins000.dat, Delete (Y/N)? y
    C:\Program Files (x86)\Safe Browsing\unins000.exe, Delete (Y/N)? y

    C:\Program Files (x86)\Safe Browsing>



    But they are not deleted:

    C:\Program Files (x86)\Safe Browsing>dir
    Volume in drive C has no label.
    Volume Serial Number is A4F4-54A8

    Directory of C:\Program Files (x86)\Safe Browsing

    12/05/2015 08:58 AM <DIR> .
    12/05/2015 08:58 AM <DIR> ..
    09/30/2015 10:22 AM 143,360 Interop.SHDocVw.dll
    06/03/2014 12:08 AM 171,008 Microsoft.Win32.TaskScheduler.dll
    11/17/2014 10:07 PM 110,592 NDde.dll
    10/29/2015 06:03 PM 60,928 Safe_Browsing.exe
    10/08/2015 11:23 AM 959 Safe_Browsing.exe.config
    10/29/2015 06:03 PM 50,688 Safe_Browsing.pdb
    10/29/2015 06:25 PM 24,224 Safe_Browsing.vshost.exe
    10/08/2015 11:23 AM 959 Safe_Browsing.vshost.exe.config
    09/30/2015 09:32 AM 2,661 Safe_Browsing.vshost.exe.manifest
    10/29/2015 07:53 PM 28,128 unins000.dat
    10/29/2015 07:53 PM 720,033 unins000.exe
    11 File(s) 1,313,540 bytes
    2 Dir(s) 430,085,246,976 bytes free

    C:\Program Files (x86)\Safe Browsing>



    So, how should I proceed?
    1) Do you have additional tricks up your sleeve?
    2) Should I delete MGtools.exe, the MGtools directory, the other programs and logfiles?
    3) Is there an ACL smasher to change the permissions on the Safe_Browsing directory and its contents?
    4) Re-run all of your directions from the beginning?
    5) As Safe_Browser appears to be an adware injector, is there any approach from that direction?
    6) It seems clear that there's a dropper somewhere that keeps "reinfecting" this machine.


    Again, thank you for your patience and your help.

    dan davison
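An added example, not code from the thread or from any tool mentioned in it: the TCP/IP tab observation above can be reproduced from an elevated PowerShell 5.1 session on Windows 10 (Get-NetTCPConnection needs Windows 8 or later). The script lists every non-loopback TCP connection with its owning process and image path, and marks connections whose remote address is one the local hosts file maps to a name, which tests the hosts-table idea Dan raises above. Function names are mine; the hosts file path is the standard Windows location.

```powershell
# Added example, not part of the thread. List current TCP connections with the
# owning process, and mark any whose remote address is one the local hosts file
# maps to a name. Assumes an elevated PowerShell 5.1 session on Windows 10;
# function names are assumptions of this example.

function Get-HostsOverrides {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Returns @{ 'name' = 'ip' } for every active (uncommented) hosts entry.
    $map = @{}
    Get-Content -LiteralPath $HostsPath -ErrorAction SilentlyContinue | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()      # drop trailing comments
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }        # malformed line, no hostname
        foreach ($name in $parts[1..($parts.Count - 1)]) { $map[$name.ToLower()] = $parts[0] }
    }
    return $map
}

function Get-ConnectionsWithOwner {
    param([hashtable]$Hosts = (Get-HostsOverrides))
    # Invert name->ip so a connection's remote address can be looked up directly.
    $nameByIp = @{}
    foreach ($name in $Hosts.Keys) { $nameByIp[$Hosts[$name]] = $name }
    $local = @('0.0.0.0', '::', '127.0.0.1', '::1')
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' -and $local -notcontains $_.RemoteAddress } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process   = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Pid       = $conn.OwningProcess
                Image     = if ($proc) { $proc.Path } else { $null }
                Remote    = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                State     = $conn.State
                HostsName = $nameByIp[$conn.RemoteAddress]   # non-empty => explained by a hosts entry
            }
        }
}

# Usage: everything first, then only the connections that a hosts entry explains.
Get-ConnectionsWithOwner | Sort-Object Process | Format-Table Process, Pid, Remote, State, HostsName -AutoSize
Get-ConnectionsWithOwner | Where-Object HostsName | Format-Table Process, Image, Remote, HostsName -AutoSize
```

If the second table is empty, the name Process Explorer displayed did not come from the hosts file, and the per-process remote address and port in the first table are what to pursue next (the same process consistently using the same remote port, as noted later in the thread, shows up directly here).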

     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Please uninstall Avast now and reboot your PC. After reboot continue with the below instructions.

    Run a scan with AdwCleaner again and attach the new log.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the + Repairs tab.
    • Then click the + Open Repairs button down on the bottom right.
    • This will automatically begin a registry backup, so wait for it to complete and when it finishes, you will see a list of many possible different repairs and they are all selected by default. At the bottom of this form there is a not so obvious Unselect All Repairs check box which is to the right of a check box with a green check mark in it. Please click the Unselect All Repairs box. The green check mark box is to Select All Repairs. The only way you see what these boxes are is when your mouse hovers over them.
    • Now select the following repair options ( the numbers at the beginning are the current repair numbers but this is subject to change.)
      • 01 - Reset Registry Permissions
      • 02 - Reset File Permissions
      • 03 - Reset Service Permissions
      • 04 - Register System Files
      • 05 - Repair WMI
      • 10 - Remove Policies Set By Infections
      • 13 - Network
      • 14 - Repair Proxy Settings
      • 15 - Repair Windows Updates
      • 21 - Repair MSI (Windows Installer)
      • 23 - Repair File Associations (12 )
      • 26 - Restore Important Windows Services
      • 27 - Set Windows Services To Default Startup
    • Now on the right side under the When Repairs Complete title, check the box for Restart/Shutdown System and then make sure the Restart System radio button is enabled not the Shutdown System button.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start Repairs button at the lower right.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished. If it does not then reboot it yourself.

    After this reboot, check to see if anything related to Safe Browsing is running ( like Safe_Browsing.exe ) . If it is, kill it with Task Manager then shutdown all browsers including the one you are reading in now, and then see if you can delete the Safe Browsing folder.

    I'm also wondering if something has located itself in either your Google or Firefox folders that is responsible for bringing this back. It may be necessary to fully uninstall the browsers and delete all related folders ( there are multiple folders ). Also sometimes the shortcut links that are used to run the browsers are the sources of the problem. So it is worth removing them too.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also look for the below folder and delete it if possible:

    C:\WINDOWS\system32\tasks\Safe Browsing


    And also download and run Autoruns ( you will have to extract the contents from the ZIP file into a new folder you create for it ( like AutoRuns on your Desktop ) and keep the Everything tab selected in AutoRuns. Then click on the File menu selection and select Save. Save this log file in default format to your Desktop. The default format and filename should be AutoRuns.arn

    Now put the AutoRuns.arn file into a ZIP file and attach this ZIP to your next message. ( you cannot attach the AutoRuns.arn file. It must be ZIP'ed ).
     
    Last edited: Dec 5, 2015
  37. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    I was able to delete .../Tasks/Safe_Browsing.

    I've attached the autoruns file as a zip file, ARAGORN.zip.

    This is depressing. I was able to delete the contents of "C:\Program Files (x86)\Safe Browsing". However, in the time it took for me to do a "cd ..", the files were replaced. Here's the script.

    c:\Program Files (x86)>cd "Safe Browsing"

    c:\Program Files (x86)\Safe Browsing>del /p *.*
    c:\Program Files (x86)\Safe Browsing\Interop.SHDocVw.dll, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\Microsoft.Win32.TaskScheduler.dll, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\NDde.dll, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\Safe_Browsing.exe, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\Safe_Browsing.exe.config, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\Safe_Browsing.pdb, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\Safe_Browsing.vshost.exe, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\Safe_Browsing.vshost.exe.config, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\Safe_Browsing.vshost.exe.manifest, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\unins000.dat, Delete (Y/N)? y
    c:\Program Files (x86)\Safe Browsing\unins000.exe, Delete (Y/N)? y

    c:\Program Files (x86)\Safe Browsing>dir
    Volume in drive C has no label.
    Volume Serial Number is A4F4-54A8

    Directory of c:\Program Files (x86)\Safe Browsing

    12/06/2015 02:31 PM <DIR> .
    12/06/2015 02:31 PM <DIR> ..
    0 File(s) 0 bytes
    2 Dir(s) 429,186,875,392 bytes free <====== Note directory is empty

    c:\Program Files (x86)\Safe Browsing>cd .. <====== change directory

    c:\Program Files (x86)>rmdir "Safe Browsing" <====== try to delete directory
    The directory is not empty. <====== it's not empty!??

    c:\Program Files (x86)>cd "Safe Browsing"

    c:\Program Files (x86)\Safe Browsing>dir <====== check the directory
    Volume in drive C has no label.
    Volume Serial Number is A4F4-54A8

    Directory of c:\Program Files (x86)\Safe Browsing

    12/06/2015 02:31 PM <DIR> .
    12/06/2015 02:31 PM <DIR> ..
    09/30/2015 10:22 AM 143,360 Interop.SHDocVw.dll
    06/03/2014 12:08 AM 171,008 Microsoft.Win32.TaskScheduler.dll
    11/17/2014 10:07 PM 110,592 NDde.dll
    10/29/2015 06:03 PM 60,928 Safe_Browsing.exe
    10/08/2015 11:23 AM 959 Safe_Browsing.exe.config
    10/29/2015 06:03 PM 50,688 Safe_Browsing.pdb
    10/29/2015 06:25 PM 24,224 Safe_Browsing.vshost.exe
    10/08/2015 11:23 AM 959 Safe_Browsing.vshost.exe.config
    09/30/2015 09:32 AM 2,661 Safe_Browsing.vshost.exe.manifest
    10/29/2015 07:53 PM 28,128 unins000.dat
    10/29/2015 07:53 PM 720,033 unins000.exe
    11 File(s) 1,313,540 bytes
    2 Dir(s) 429,185,273,856 bytes free

    c:\Program Files (x86)\Safe Browsing> <===== Everything is back, from where?


    The fact that the files came back so quickly (2 seconds?) means the dropper program must be attached to some other program that was running at the time. I had everything closed but background processes and those started by booting. I will delete all .lnk files for firefox, opera, and chrome. I will also do a "deep uninstall" with Revo Uninstaller of Chrome and Opera (and Safari if I have it, I don't think I do). I can't remove Microsoft Edge or Internet Explorer (at least as far as I know). I stopped using IE in the 1990s. I *really* don't want to completely uninstall Firefox if I can avoid it. My entire computing life is in there.

    Thanks,
    dan
     

    Attached Files:
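An added example, not code from the thread or from any tool mentioned in it, aimed at the question "Everything is back, from where?" above (the same check applies to the Akick folder that reappears later in the thread). Windows can answer it itself: an audit entry (SACL) on the folder makes every write under it produce Security event 4663, and that event records the image path of the process that did the writing. Assumes an elevated PowerShell 5.1 session on Windows 10; the folder path is the one from the thread and the function names are mine.

```powershell
# Added example, not part of the thread. Identify which process recreates the
# contents of a folder that keeps coming back, by auditing writes to it.
# Assumes an elevated (Administrator) PowerShell 5.1 session on Windows 10.
# Function names are assumptions of this example.

function Enable-FolderWriteAudit {
    param([Parameter(Mandatory)][string]$Path)
    # SACL entry: record successful create/write/delete by anyone, inherited by
    # files and subfolders, so every write under $Path produces event 4663.
    $rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, Delete'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone', $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -LiteralPath $Path -Audit      # -Audit also fetches the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # SACLs only generate events while the "File System" subcategory is enabled.
    auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
}

function Get-FolderWriters {
    param([Parameter(Mandatory)][string]$Path, [datetime]$Since = (Get-Date).AddMinutes(-15))
    # Security event 4663 ("An attempt was made to access an object") names both
    # the object and the image path of the process that touched it.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $obj = $data['ObjectName']
        if ($obj -and $obj.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time       = $ev.TimeCreated
                Process    = $data['ProcessName']       # image path of the writer
                ProcessId  = [int]$data['ProcessId']    # logged as hex, e.g. 0x1a4c
                User       = $data['SubjectUserName']
                AccessMask = $data['AccessMask']        # 0x2 = write data, 0x10000 = delete
                Object     = $obj
            }
        }
    }
}

# Usage, run elevated: turn on auditing, then clear the folder by hand, wait for
# the files to return, and ask the Security log who wrote them.
$folder = 'C:\Program Files (x86)\Safe Browsing'   # folder named in the thread
Enable-FolderWriteAudit -Path $folder
Write-Host "Auditing enabled on $folder. After the files come back, run:"
Write-Host "  Get-FolderWriters -Path '$folder' | Sort-Object Time | Format-Table Time, Process, User, Object -AutoSize"
```

The SACL lives on the folder, so this works while the folder itself survives (as it did above, where rmdir reported it not empty). If the folder is also removed and recreated, put the audit entry on the parent, C:\Program Files (x86), and keep the path filter in Get-FolderWriters; the log gets noisier but the writer's image path still shows up.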

  38. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    You are not going to believe this (attached). I use a program called "Search Everything" and it finds files, no matter what the ACL or the permissions say. I used it to identify Google Chrome files (and deleted them). Ditto for Opera files. Then I thought I was searching for Safari files, but I goofed. I asked it to find "saf*.*". I didn't notice that this included "Safe Browser" and related things. There are hidden, undeleteable directories all over the place (C:\, C:\Windows, C:\ProgramData, etc.).

    None of them (files or directories) are delete-able. I don't know if you speak Unix permissions, but it's read-write-execute for user and group and no permissions for everyone (rwxrwx---+). The "+" is Cygwin's way of saying there is either ADS on the file or an ACL.

    When I look at the ACLs, it has given all the high-authority "users" full authority AND made that authority inheritable to anything it writes as that user. Take a look at one example:

    c:\ProgramData\Browser Data>icacls Safe_Browsing.pdb
    Safe_Browsing.pdb NT SERVICE\TrustedInstaller:(F)
    BUILTIN\Administrators:(F)
    NT AUTHORITY\SYSTEM:(F)
    BUILTIN\Users:(F)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
    NT SERVICE\TrustedInstaller:(I)(F)
    BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(F)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

    The problem is, of course, we don't know what program is copying these files back after they are removed. Whatever it is, it has to have all these permissions (actually more) itself.

    In The Elder Days, we called programs with super-super-user permissions "nutcrackers", as you could remove any file anywhere in the system. On big iron (PDP-10s, IBM 370s) things would get wedged in printer, tape, and punch card reader queues. Nutcrackers prevented you from having to reboot the machine, an act which made dozens to hundreds of people and administrators really, really annoyed.

    Do you know of any nutcracker programs? There must be something that removes permissions because we've been able to delete c:\program files (x86)\Safe Browser at least twice.

    Thanks,
    dan
     

    Attached Files:
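An added example, not code from the thread or from any tool it mentions: a PowerShell check that walks the locations named above and reports every file or folder whose DACL grants an ordinary-user principal (BUILTIN\Users, Everyone, Authenticated Users) Modify or Full Control, which is the pattern in the icacls output Dan posted (BUILTIN\Users:(F) on a file under ProgramData). A second function resets a confirmed-junk folder with the stock takeown and icacls tools so it inherits its permissions from the parent again. Assumes an elevated PowerShell 5.1 session on Windows 10; the function names and the default root list are mine.

```powershell
# Added example, not part of the thread. Find files/folders whose DACL gives a
# low-trust principal Modify or Full Control, then re-inherit permissions for
# a folder you have confirmed is junk. Assumes an elevated PowerShell 5.1
# session on Windows 10; function names are assumptions of this example.

function Find-OverPermissiveAcl {
    param([string[]]$Roots = @('C:\Program Files (x86)', 'C:\ProgramData'))
    # Principals that should not normally be able to modify program binaries.
    $lowTrust = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $modify   = [System.Security.AccessControl.FileSystemRights]::Modify   # write + delete + RX
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $item = $_
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowTrust -notcontains $ace.IdentityReference.Value) { continue }
                # Flag when every bit of Modify is present (Full Control is a superset).
                if (($ace.FileSystemRights -band $modify) -eq $modify) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited    # $false = set explicitly on this object
                        Owner     = $acl.Owner
                    }
                }
            }
        }
    }
}

function Reset-InheritedAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Remediation with stock tools: take ownership (the owner can always rewrite
    # the DACL), then discard the explicit ACL and re-inherit from the parent.
    # "/D Y" answers takeown's recursion prompt on an English locale.
    takeown.exe /F "$Path" /R /D Y | Out-Null
    icacls.exe "$Path" /reset /T /C /Q | Out-Null
}

# Usage: list the hits, review them, then reset only a folder you have confirmed is junk.
Find-OverPermissiveAcl | Format-Table Path, Identity, Rights, Inherited, Owner -AutoSize
# Reset-InheritedAcl -Path 'C:\Program Files (x86)\Safe Browsing'   # folder from the thread
```

By default Program Files gives Users only Read and Execute, so a Users Modify or Full Control hit there is a strong signal. Parts of ProgramData are legitimately user-writable (many applications create such folders), so review those hits rather than resetting them wholesale. Note that resetting the ACL only removes the obstacle to deletion; whatever is recreating the files still needs to be found and stopped.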

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    AutoRuns is not showing anything loading Safe Browser so it must be loading with one of your browsers as an addon or extension.

    The Windows Repair program should have addressed any permissions issues!

    Back a few messages ago ( msg # 35 ) my first instructions were to uninstall Avast. It is not uninstalled! You need to uninstall it so we can be sure that it is not getting in the way of cleanup.

    Now let's address the possibility that one or more of your browsers are causing the problem. First back up any bookmarks/favorites you may want to keep. Uninstall Firefox, Opera, and Google Chrome. Do not reinstall any of them yet. Just use Internet Explorer. Then delete all of the below folders.

    C:\Users\Public\Desktop\Google Chrome.lnk
    C:\Program Files (x86)\Google\Chrome
    C:\Program Files (x86)\Mozilla Firefox
    C:\Program Files (x86)\Mozilla Maintenance Service
    C:\Program Files (x86)\Opera
    C:\Users\dan\AppData\Local\Google\Chrome
    C:\Users\dan\AppData\Roaming\Mozilla\Firefox
    C:\Users\dan\AppData\Roaming\mozilla\Extensions
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk

    Also notice that you have Carbonite backups with Safe Browser in them which you therefore cannot use:
    C:\Users\dan\Carbonite Restored OLD User Settings\2013-05-16 11-03-36AM\AppData\Local\Mozilla\Firefox\Profiles\wm55ypwj.default\safebrowsing
    C:\Users\dan\Carbonite Restored OLD User Settings\2013-05-17 09-13-22PM\AppData\Local\Mozilla\Firefox\Profiles\wm55ypwj.default\safebrowsing
    C:\Users\dan\Carbonite Restored OLD User Settings\2013-05-16 11-03-36AM\AppData\Local\Mozilla\Firefox\Profiles\wm55ypwj.default\safebrowsing-backup
    C:\Users\dan\Carbonite Restored OLD User Settings\2013-05-17 09-13-22PM\AppData\Local\Mozilla\Firefox\Profiles\wm55ypwj.default\safebrowsing-backup

    Reboot your PC after uninstalling Avast and all those browsers and deleting all those folders. Then see if you can delete the below folders ( I suggest shutting down Internet Explorer before trying to delete them so copy and paste the folder names locally to a file ):

    C:\Program Files (x86)\Safe Browsing
    C:\ProgramData\Browser Data
    C:\Windows\Browser Data


    Were you able to delete all of them? If not then try booting in safe mode and deleting them. Once they are deleted, reboot your PC and see if any of them have come back.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1

    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Safe Browsing
      Safe_Browsing
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
  41. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    I'll start on your instructions now. However, I am willing to promise you I uninstalled Avast using Revo Uninstaller, and it took forever. More than 30 minutes. The little icon in the system tray went away after the power off and reboot. But you are right of course, it's still there.

    I do not use IE or Edge, so I may be a little slow on doing things. Opera and Chrome are gone. I hope I can export my history and passwords from Firefox or I am really going to have big problems. Lots of stroke and broken shoulder (did that 3 months ago) and rehab information plus my Mom's funeral service and replies (she passed away suddenly 5 months ago). I'll figure it out.

    First, off to delete Avast.

    Thanks,
    dan davison
     
  42. lensman19067

    lensman19067 Private E-2

    I just found a directory in C:\Program Files (x86)\ called "Akick". In the directory below that was "Akick PC Doctor" and in that directory were four files, two of which keep showing up when any "Safe Browsing" directory is restored. I seem to remember that an offer to buy AKick PC Doctor showed up the first time the problems started. It also has the correct time for when the problems started (October 29, 8:30 PM). It does not appear in the Win 10 "Uninstall files" nor is seen by Revo Uninstaller. I'll leave it alone until you let me know what to do. I have not tried to delete any of those files or folders by OS, program, or by hand.

    thanks,
    dan
     
  43. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    All of the above done. The three directories would not delete in normal mode (they kept coming back) but did *apparently* delete in safe mode. I don't see them now, but Look says some are still there (I think). Here's the log.

    thanks,
    dan
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes delete that Akick folder. It is related to the problem.

    The items shown by SystemLook are not files. They are just left over registry keys, but we are going to remove them anyway and then run a new scan using a 64 bit version of System Look which I should have had you run in the first place. ;)

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. Make sure that you click the text that says Click to Expand so that you see the whole registry patch.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now reboot your PC and then continue.

    Please download SystemLook_x64 from one of the links below and save it to your Desktop.

    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Safe Browsing
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    Then attach the below logs:
    • the SystemLook.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    Are all those folders ( including the browser folders ) still deleted?
     
    Last edited: Dec 7, 2015
  45. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    Thank you once again. All Akick references, in files and in the registry, were removed. I saved the bolded, expanded text to fixme.reg using "all files" as the file type. When I double-clicked it, a dialog box said "The keys and values contained in C:\Users\dan\Desktop\fixme.reg have been successfully added to the registry" with an "OK" box, which I clicked. I then rebooted as directed.

    Side note here: I have chemo tomorrow and I've taken my pre-meds, so I'm having a pretty rough time.

    SystemLook_x64 run, log attached.

    I noticed that one of the log files said path not found C:\Windows\System32\drivers\etc. That's not right, if I start an administrator command window I can cd into that directory.

    Running MGLogs.zip, file is created, attached.

    Now directory hunting.
    All files but one are quarantined according to Search Everything:
    C:\Users\dan\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Safe_Browser.exe.log


    (Can I delete those quarantined files and directories?)


    You asked if any of the files or directories had returned. I have checked for "Browser Data" and "Safe Browsing" by hand in C:\Program Files (x86), C:\ProgramData, and C:\Windows\Browser Data, as well as C:\Windows\System32\drivers and ...\drivers\etc, and nothing appears to be present in any of them.

    There are two oddities left over:
    1) I still have to log in twice to get my desktop (log in, ctrl-alt-del, logout user, re-login)
    2) Various programs still have TCP/IP "hooks" trying to use specific ports to contact browserwarning.net. For example Carbonite Service is always using port 668 to phone home: other *services* are using different ports. However, each service (AppleiTunesHelper, iTunes, Motorola Mobile Device Helper, etc) always use the same port numbers, and the port numbers never conflict.

    I've asked the Carbonite Tech support folks if I can just delete Carbonite Service and Carbonite UI completely, but not heard back yet.

    I have rebooted multiple times and this situation as described seems to remain stable.

    If I get a reply during or immediately after the infusion I will be back in touch, otherwise late Wednesday or Thursday.


    Thank you again!

    dan "you're putting 400 ml of what in my veins?" davison
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry to hear you're not feeling well. Hope the procedure tomorrow goes well and doesn't make you feel even worse.

    The issue with having to login twice will be something you need to discuss in the Software Forum.

    You said that it appears like browserwarning may be hooked into a few programs that you run. What happens if you uninstall one of them and then reboot and delete related folders for that program and then reinstall? Does it clear up the issue for that one program?

    What is in the below two files?
    ----a-w 144 2015-12-07 00:36:12 C:\WINDOWS\SysNative\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
    ----a-w 451 2015-10-24 20:33:23 C:\WINDOWS\SysNative\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat

    The below folder still exists. See if you can delete it.
    C:\Program Files (x86)\Akick

    Let's run a new scan of the registry using SystemLook again but this time we will look for browserwarning.
    • Double-click SystemLook_x64.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      browserwarning
      spwj.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
  47. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    My head is spinning. If I delete the Akick directory, it is replaced within 2 minutes. It does not appear in Revo Uninstaller or Windows uninstaller. SystemLook.txt attached.

    Those files
    What is in the below two files?
    ----a-w 144 2015-12-07 00:36:12 C:\WINDOWS\SysNative\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
    ----a-w 451 2015-10-24 20:33:23 C:\WINDOWS\SysNative\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat


    The SysNative directory does not exist. Even if I use the administrator CMD window, when I try to cd into SysNative, it says the directory does not exist.

    I will delete carbonite and reinstall it and see what happens. More in 30-ish minutes.

    thanks,
    dan
     


  48. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    You said that it appears like browserwarning may be hooked into a few programs that you run. What happens if you uninstall one of them and then reboot and delete related folders for that program and then reinstall? Does it clear up the issue for that one program?
    No, it did not. Still can't delete the Akick directory or find that SysNative directory.

    thanks,
    dan
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstalling one of the applications really was not related to seeing if you could delete the Akick folder. Uninstalling the application was meant to see if the TCP connections to browserwarning disappeared for that application after uninstalling/reinstalling.

    NOTE: The Akick folder appears to be related to some antivirus program you may have had installed at some point in time. Or their PC Doctor program or some related internet speed booster. Whether it is good/bad, I don't know for sure but I expect that some of it for sure is what we would consider junkware. See the below:

    https://www.akick.com
    http://www.akickpcbooster.com
    http://downloads.zdnet.com/publisher/10436256/

    Ah, I should have renamed that for you, as the SysNative folder is a virtual folder name used when 32-bit applications need to truly access the 64-bit file system. Take a look in the C:\windows\system32 folder using Windows Explorer.

    Let's now use SystemLook to see what we can locate related to Akick.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Akick
      :filefind
      Akick
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to your next reply.

    And one more thing, what do you see in the below folder?
    C:\WINDOWS\Win Services

    I'm guessing that at least the below will be there:
    C:\Windows\Win Services\winevent.exe
     
    Last edited: Dec 9, 2015
  50. lensman19067

    lensman19067 Private E-2

    Hi chaslang,

    I gather I'm a royal pain in the backside as I had an alert about winning some kind of award about coming back too much. I apologize profusely.

    (A) The SystemLook found another Akick, text file attached. What should I do with it? Can I delete the registry items directly, and how far up the tree would I go?

    (B) Yes, winevent is there:

    C:\Windows\Win Services>dir
    Volume in drive C has no label.
    Volume Serial Number is A4F4-54A8

    Directory of C:\Windows\Win Services

    11/25/2015 11:20 PM <DIR> .
    11/25/2015 11:20 PM <DIR> ..
    10/29/2015 07:53 PM 596 InstallUtil.InstallLog
    10/29/2015 03:16 PM 16,896 winevent.exe
    10/29/2015 07:53 PM 633 winevent.InstallLog
    10/29/2015 07:53 PM 7,466 winevent.InstallState
    12/09/2015 09:37 PM 7,539,669 WinLogFile.txt
    5 File(s) 7,565,260 bytes
    2 Dir(s) 437,386,096,640 bytes free
    Note that the date 10/29 was the original infection (in italic). Should I delete these?

    (C) There are a billion and a half files in the C:\Windows\System32. Sheesh.
    Here's what's in the first file.

    12/06/2015 07:36 PM 144 {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
    10/24/2015 03:33 PM 451 {F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
    3914 File(s) 2,040,254,343 bytes
    123 Dir(s) 437,383,221,248 bytes free

    C:\Windows\System32>type "{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"
    @echo off
    start igfxEM.exe
    start igfxHK.exe
    start igfxTray.exe
    attrib +R +H +S +A *.cui
    del /Q {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat

    It looks like something starting an Intel graphics driver of some kind.
    (D) The second file:

    C:\Windows\System32>type "{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat"
    @echo off
    regsvr32 /s igfxDH.dll
    regsvr32 /s igfxDI.dll
    regsvr32 /s igfxLHM.dll
    regsvr32 /s igfxCPL.cpl
    regsvr32 /s igfxOSP.dll
    regsvr32 /s igfxDTCM.dll
    regsvr32 /s igfxexps.dll
    igfxext.exe /regserver
    igfxTray.exe /regserver
    igfxHK.exe /regserver
    start igfxEM.exe /RegServerPerUser
    GfxUIEx.exe /regserver
    attrib +R +H +S +A *.cui
    start igfxEM.exe
    start igfxTray.exe
    start igfxHK.exe
    del /Q {F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
    which appears to be more of the same (loading Intel Graphics drivers).

    At the moment, as best I can tell there are:

    - no Akick remnants other than in the SystemLook.txt
    - no Safe_Browsing other than in _OTM and FRST quarantine
    - no "Browser Data" directories.

    Should I empty the quarantines?

    I did have to reset Internet Exploder because there were some traces I found with FRST. What I found was in the Registry, those HKLM\.....\Internet Explorer\Restrictions and HKU\........Restrictions, same as before. I didn't delete the Registry items because one of the HKU started with HKU\.default\,,,,, and I couldn't find it. Let me check if they are still there.

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-3556913529-3786459313-2699375271-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

    Yes, they are still in the registry.

    I think if we (i.e. you) can clear this last cruft in the registry and 48 hours later there are no new directories or other friends appearing, we declare victory.

    Thanks,
    dan
     


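For anyone following the thread, here is an added audit script (not from the thread, not part of FRST or SystemLook) that lists the Internet Explorer Restrictions policy values FRST flagged above under HKLM and every hive loaded in HKU, including .DEFAULT. It assumes the FRST "Restriction" line refers to the Restrictions subkey under SOFTWARE\Policies\Microsoft\Internet Explorer; it only reports, it does not delete anything.

```powershell
# Added example: audit IE "Restrictions" policy keys across HKLM and all loaded HKU hives.
# Run from an elevated PowerShell prompt. Read-only: nothing is modified or removed.

# Assumption: FRST's "Internet Explorer: Restriction" line refers to this subkey.
$subKey = 'SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'

# PowerShell has no HKU: drive by default; map HKEY_USERS so .DEFAULT and per-SID hives are reachable.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Hive roots to inspect: the machine hive plus every hive currently loaded under HKU
# (.DEFAULT, each logged-on user's S-1-5-21-... SID, and their _Classes hives).
$roots = @('HKLM:') + (Get-ChildItem -Path 'HKU:' | ForEach-Object { "HKU:\$($_.PSChildName)" })

$findings = foreach ($root in $roots) {
    $path = Join-Path -Path $root -ChildPath $subKey
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $key   = Get-Item -LiteralPath $path          # Microsoft.Win32.RegistryKey
    $names = $key.GetValueNames()

    if ($names.Count -eq 0) {
        # The key itself is what FRST flags; an empty key is still worth reporting.
        [pscustomobject]@{ Hive = $root; Value = '(key present, no values)'; Data = $null }
        continue
    }

    foreach ($name in $names) {
        [pscustomobject]@{
            Hive  = $root
            Value = $name
            Data  = $key.GetValue($name)   # e.g. NoBrowserOptions = 1 disables Internet Options
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Internet Explorer Restrictions policy keys found in HKLM or any loaded HKU hive.'
}
```

Hives of users who are not logged on are not loaded under HKU, so run it from the affected account to see that user's S-1-5-21-... hive; the .DEFAULT hive is the SYSTEM profile, not a normal user, which is why it has no matching user folder to browse to.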
