Not sure. Please help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by YoMTVRaps, Feb 22, 2013.

  1. YoMTVRaps

    YoMTVRaps Private E-2

    I've recently been having issues with my computer. AVG Firewall pops up all the time informing me about applications trying to access the internet. Applications which I have no idea about, and which, when I go to search, don't exist. I went through all the steps for Malware removal.

    MalWare found nothing
    TDSKiller found nothing
    HitmanPro found Ad-Aware (Lavasoft)


    The AVG Firewall pop up says this

    Application 'Setup/Uninstall' is trying to open a connection to the internet.

    and asks what I would like to do

    "Allow for all networks(recommended)"
    "Allow for safe networks"
    "Block" I always chose this option with the "Save my answer as a permanent answer" check box. However it continually pops up.

    Under "Show Details" It says this


    Application: Setup/Uninstall
    Full path: C:\WINDOWS\TEMP\IS-1LLRI.TMP\TSASETUP.TMP
    Company: Unkown
    Local Address: Local Computer : 50628
    Remote Address: 66.39.64.146 : 80
    Connection: TCP
    Direction: Outgoing
    Process ID: 2088

    Show Certificate:
    Serial number: 1d:a7:00:76:08:c3:24:c6:40:ce:3f:bc:c9:41:87:35
    Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Object
    Subject: C=DK/postalcode=4300, ST=n/a, L=Holbaek/street=Blomsterhaven 42, O=Trusted Software ApS, CN=Trusted Software ApS



    Any/All help would be appreciated. I found more logs/applications for "Coupon Companion" and a bunch of text files with "Log" under AppData\Local\Temp

    That I can upload if needed

    Any & All help is GREATLY appreciated.

    Thanks
     

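An added example, not from this thread and not AVG's own logic: a small Python triage of the "Show Details" fields quoted above. It parses the key/value block and applies a few defender heuristics (binary launched from a temp folder, unusual extension, missing publisher, outbound to a public address). The field names are taken from the post; the heuristics, the `TEMP_DIR_MARKERS` list and the function names are my assumptions. It produces things to look into, not a verdict; in this thread the file turned out to belong to an installer the user had run.

```python
from ipaddress import ip_address

# Constructed sample: the "Show Details" block quoted in the post above,
# reproduced as the firewall printed it (including its "Unkown" spelling).
ALERT_TEXT = """\
Application: Setup/Uninstall
Full path: C:\\WINDOWS\\TEMP\\IS-1LLRI.TMP\\TSASETUP.TMP
Company: Unkown
Local Address: Local Computer : 50628
Remote Address: 66.39.64.146 : 80
Connection: TCP
Direction: Outgoing
Process ID: 2088
"""

# Assumed list of folders from which a persistent, legitimate application
# should not normally be initiating outbound connections.
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")


def parse_alert(text):
    """Turn the 'Key: value' lines of a firewall alert into a dict (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        fields[key.strip().lower()] = value.strip()
    return fields


def parse_endpoint(value):
    """'66.39.64.146 : 80' -> ('66.39.64.146', 80); split on the last colon."""
    host, _, port = value.rpartition(":")
    return host.strip(), int(port.strip())


def triage_alert(text):
    """Return a list of human-readable reasons this alert deserves a closer look."""
    f = parse_alert(text)
    findings = []
    path = f.get("full path", "")
    low = path.lower()
    if any(marker in low for marker in TEMP_DIR_MARKERS):
        findings.append("binary runs from a temporary directory: " + path)
    if low.endswith(".tmp"):
        findings.append("executable has a non-standard .tmp extension")
    company = f.get("company", "").lower()
    if company in ("", "unknown", "unkown", "n/a"):
        findings.append("publisher/company field is empty or unknown")
    if f.get("direction", "").lower() == "outgoing" and "remote address" in f:
        host, port = parse_endpoint(f["remote address"])
        if not ip_address(host).is_private:
            findings.append(f"outbound connection to public host {host} on port {port}")
    return findings


if __name__ == "__main__":
    for reason in triage_alert(ALERT_TEXT):
        print("-", reason)
```

The point of keeping the heuristics separate from the parser is that the same `parse_alert` can be reused on any prompt of this shape, while the list of indicators is the part a reviewer tunes.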

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You skipped an important first part of the READ & RUN ME FIRST that warned you about having multiple antivirus programs installed. Since you have AVG and its firewall, you need to uninstall Ad-Aware immediately.


    More specifically it found the Blekko junkware installed by Ad-Aware and most people consider this something to remove.


    This is just from the File Type Assistant software you installed. The company name is Trusted Software hence the TS.


    Uninstall the below old version of software:
    Java 7 Update 9

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Users\Jeff\AppData\Local\Conduit
    C:\Users\Jeff\AppData\Local\Coupon Companion Plugin
    C:\ProgramData\blekko toolbars
    C:\ProgramData\Search Protection
    C:\Program Files\Conduit
    C:\Program Files\Coupon Companion Plugin
    C:\WINDOWS\TEMP\*.*
    C:\Users\Jeff\AppData\Local\Temp\*.*
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SearchProtection"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C3BA3EB1-8E91-4A82-8776-B001BE2E7C56}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
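An added example, not from this thread and not part of OTM: a Python "dry run" that reads a script in the format given above and lists what each line would do, so that the user can review a cleanup script before running it. The section names (`:Processes`, `:Files`, `:Reg`, `:Commands`) are the ones used in the post; the assumption that the `:Reg` block follows regedit's .reg syntax (`[-KEY]` deletes a key, `[KEY]` selects one, `"Name"=-` deletes a value) and the action names are mine. The sample script is a shortened copy of the one in the post.

```python
# Constructed sample: a shortened copy of the OTM script from the post above.
SCRIPT = """\
:Processes
explorer.exe

:Files
C:\\Users\\Jeff\\AppData\\Local\\Conduit
C:\\WINDOWS\\TEMP\\*.*

:Reg
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentVersion\\Run]
"SearchProtection"=-
[-HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]

:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""


def parse_otm_script(text):
    """Split the script into its ':Section' blocks -> {section_name: [lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("line before any section header: " + line)
        else:
            sections[current].append(line)
    return sections


def describe_reg_lines(lines):
    """Interpret the :Reg block using .reg syntax (assumed):
    [-KEY] deletes the whole key, [KEY] selects a key, "Name"=- deletes a value in it."""
    actions = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and line.endswith('"=-'):
            if key is None:
                raise ValueError("value deletion with no key selected: " + line)
            actions.append(("delete_value", key, line[1:-3]))
        else:
            raise ValueError("unrecognised registry line: " + line)
    return actions


def dry_run(text):
    """Return the list of (action, target, detail) tuples the script would perform."""
    s = parse_otm_script(text)
    plan = []
    for proc in s.get("processes", []):
        plan.append(("kill_process", proc, None))
    for path in s.get("files", []):
        kind = "delete_glob" if "*" in path else "delete_path"  # wildcards delete many files
        plan.append((kind, path, None))
    plan.extend(describe_reg_lines(s.get("reg", [])))
    for cmd in s.get("commands", []):
        plan.append(("command", cmd.strip("[]").lower(), None))
    return plan


if __name__ == "__main__":
    for action, target, detail in dry_run(SCRIPT):
        print(action, target, detail or "")
```

A reviewer would look hardest at the `delete_glob` lines, since `C:\WINDOWS\TEMP\*.*` removes everything in that folder, and at `delete_key` lines, which remove a whole registry key rather than one value.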
     
  3. YoMTVRaps

    YoMTVRaps Private E-2

    Yeah, sorry about the Ad-Aware! As I was reading through the READ & RUN ME FIRST section, I noticed the part about multiple AVs; however my mind left me, & I forgot Ad-Aware was also an AV! It's long gone, I removed it shortly after my original post.

    The New Java install is all set

    I had already removed MGTools, I'll admit I got ahead of myself in the instructions! So I re-DL'd it, and ran it again. I attached both logs, just in case.

    MGlogs1.zip is the original scan with
    MGlogs.zip being the follow up.

    I noticed for the short while I had Ad-Aware installed, at windows start-up the dos prompt (cmd) window would open for a split second, but not do anything (that I could tell). Is that usual for Ad-Aware? Or should I be on the lookout for something else?
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't know what Ad-Aware is doing exactly as we don't use it or recommend it. Have not recommended it for more than 8 yrs now.

    You still have Ad-Aware Security Add-on installed. You need to uninstall this. Then run the below to make sure everything was removed.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still remain but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
    O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"


    After clicking Fix, exit HJT.
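An added example, not from this thread and not part of HijackThis: a Python parser for log lines of the shape quoted above (R3, O2, O3, O4) that pulls out the entry type, CLSID and file path, and flags the entries a reviewer would select: registrations whose backing file is gone ("(no file)") and entries belonging to a product the user has decided to remove. The four sample lines are the ones from the post; the field names and the `unwanted_names` list are my assumptions.

```python
import re

# Constructed sample: the four HijackThis lines quoted in the post above.
HJT_LINES = """\
R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\\Program Files\\adawaretb\\adawareDx.dll
O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\\Program Files\\adawaretb\\adawareDx.dll
O4 - HKLM\\..\\Run: [Ad-Aware Browsing Protection] "C:\\ProgramData\\Ad-Aware Browsing Protection\\adawarebp.exe"
""".splitlines()

# A COM class id: 32 hex digits and 4 dashes inside braces.
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


def parse_hjt_line(line):
    """Split one log line into code, kind, name, clsid and path (missing parts stay None)."""
    code, _, rest = line.partition(" - ")
    kind, _, detail = rest.partition(": ")
    entry = {"code": code, "kind": kind, "raw": line,
             "name": None, "clsid": None, "path": None}
    if code == "O4":
        # Run-key entries look like: [ValueName] "path\to\program.exe"
        m = re.match(r'\[(.*?)\]\s+"?(.*?)"?$', detail)
        if m:
            entry["name"], entry["path"] = m.group(1), m.group(2)
        return entry
    # Other entries: Name - {CLSID} - path  (CLSID may be absent)
    parts = [p.strip() for p in detail.split(" - ")]
    if parts:
        entry["name"] = parts[0]
    for p in parts[1:]:
        if CLSID_RE.fullmatch(p):
            entry["clsid"] = p.lower()
        else:
            entry["path"] = p
    return entry


def flag_entries(lines, unwanted_names):
    """Return (entry, reason) pairs for lines a reviewer should select for removal:
    orphaned registrations with no backing file, and entries whose display name
    matches a product the user has chosen to remove (case-insensitive substring)."""
    flagged = []
    wanted_gone = [u.lower() for u in unwanted_names]
    for line in lines:
        e = parse_hjt_line(line)
        if e["path"] == "(no file)":
            flagged.append((e, "registered but backing file missing"))
            continue
        name = (e["name"] or "").lower()
        if any(u in name for u in wanted_gone):
            flagged.append((e, "belongs to software selected for removal"))
    return flagged


if __name__ == "__main__":
    for entry, reason in flag_entries(HJT_LINES, ["Ad-Aware"]):
        print(entry["code"], entry["kind"], "->", reason)
```

The "(no file)" check matters on its own: a URLSearchHook or BHO whose DLL has been deleted is harmless but leaves a dangling registration, which is exactly the R3 line that survived the uninstall in this thread.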
     
  5. YoMTVRaps

    YoMTVRaps Private E-2


    Ad-Aware Security Add-on is Uninstalled. I ran the analyse.exe. The only line of the ones you mentioned that was left was

    R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)

    I clicked only that, closed all browsers & clicked Fix. Thanks.


    What's the next step?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  7. YoMTVRaps

    YoMTVRaps Private E-2


    Given what's happened over the course of the past week, I completed the scanning process from top to bottom again. Most logs came up empty. All I could attach are attached.

    Thank you for everything.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but I don't understand why you are running the cleaning process again. I did not request this. I gave you final instructions to remove what we have done because we were finished.
     
  9. YoMTVRaps

    YoMTVRaps Private E-2


    I apologize, I realized after I posted that reply it was unnecessary, and not really informative.

    You did help me with everything, which is greatly appreciated. It's more that I still feel unsafe, which is my issue, not yours.

    I don't think anything I do will make me feel safe on my computer(or any) for quite some time. Even though that may have nothing to do with what happened.

    Again, thanks a bunch for all your help, it was greatly appreciated!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay it may take a while to work thru the paranoia that this could have caused. ;) But following the How to Protect yourself from malware! link closely can help protect you. As noted there, protection begins and ends with the end user and their education. There is no one stop perfect solution, but the info there does help.
     
