MajorGeeks Support Forums > Malware Removal

Malware Removal: malware removal forum. Please see the READ ME FIRST thread before you post. The forum is staffed by a small number of volunteers; please be patient.

#1  02-22-13, 22:09
YoMTVRaps (Private E-2; Join Date: Feb 2013; Posts: 5)
Not sure. Please help!

I've recently been having issues with my computer. AVG Firewall pops up all the time informing me about applications trying to access the internet, applications which I have no idea about and which, when I go to search for them, don't exist. I went through all the steps for malware removal.

MalWare found nothing
TDSKiller found nothing
HitManPro found Ad-Aware(Lavasoft)


The AVG Firewall pop-up says this:

Application 'Setup/Uninstall' is trying to open a connection to the internet.

and asks what I would like to do:

"Allow for all networks (recommended)"
"Allow for safe networks"
"Block" - I always choose this option with the "Save my answer as a permanent answer" check box. However, it continually pops up.

Under "Show Details" it says this:


Application: Setup/Uninstall
Full path: C:\WINDOWS\TEMP\IS-1LLRI.TMP\TSASETUP.TMP
Company: Unkown
Local Address: Local Computer : 50628
Remote Address: 66.39.64.146 : 80
Connection: TCP
Direction: Outgoing
Process ID: 2088

Show Certificate:
Serial number: 1d:a7:00:76:08:c3:24:c6:40:ce:3f:bc:c9:41:87:35
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Object
Subject: C=DK/postalcode=4300, ST=n/a, L=Holbaek/street=Blomsterhaven 42, O=Trusted Software ApS, CN=Trusted Software ApS



Any/all help would be appreciated. I found more logs/applications for "Coupon Companion" and a bunch of text files with "Log" under AppData\Local\Temp that I can upload if needed.

Any & all help is GREATLY appreciated.

Thanks
Attached Images
File Type: jpg SetupUninstall.jpg (92.8 KB, 2 views)
Attached Files
File Type: log HitmanPro_20130222_2224.log (1.8 KB, 2 views)
File Type: txt RKreport[2]_S_02222013_02d2157.txt (1.7 KB, 2 views)
File Type: txt mbam-log-2013-02-22 (22-00-56).txt (1.8 KB, 1 views)
File Type: zip MGlogs.zip (220.4 KB, 6 views)
#2  02-22-13, 22:54
chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 80,160)
Re: Not sure. Please help!

Welcome to Major Geeks!

Quote (Originally Posted by YoMTVRaps):
I've recently been having issues with my computer. AVG Firewalls pops up all the time informing me about applications trying to access the internet. Applications which I have no idea, and when I go to search, don't exist. I went through all the steps for Malware removal.

You skipped an important first part of the READ & RUN ME FIRST that warned you about having multiple antivirus programs installed. Since you have AVG and its firewall, you need to uninstall Ad-Aware immediately.


Quote (Originally Posted by YoMTVRaps):
HitManPro found Ad-Aware(Lavasoft)

More specifically, it found the Blekko junkware installed by Ad-Aware, and most people consider this something to remove.


Quote (Originally Posted by YoMTVRaps):
Application: Setup/Uninstall
Full path: C:\WINDOWS\TEMP\IS-1LLRI.TMP\TSASETUP.TMP

This is just from the File Type Assistant software you installed. The company name is Trusted Software, hence the TS.


Uninstall the below old version of software:
Java 7 Update 9

Now install the current version of Sun Java from: Sun Java Runtime Environment

Please download OTM by Old Timer and save it to your Desktop.
  • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
  • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
Code:
:Processes
explorer.exe

:Files
C:\Users\Jeff\AppData\Local\Conduit
C:\Users\Jeff\AppData\Local\Coupon Companion Plugin
C:\ProgramData\blekko toolbars
C:\ProgramData\Search Protection
C:\Program Files\Conduit
C:\Program Files\Coupon Companion Plugin
C:\WINDOWS\TEMP\*.*
C:\Users\Jeff\AppData\Local\Temp\*.*

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"SearchProtection"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C3BA3EB1-8E91-4A82-8776-B001BE2E7C56}]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Now click the large button.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • the C:\_OTM\MovedFiles log
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
#3  02-22-13, 23:41
YoMTVRaps (Private E-2; Join Date: Feb 2013; Posts: 5)
Re: Not sure. Please help!

Yeah, sorry about the Ad-Aware! As I was reading through the READ & RUN ME FIRST section, I noticed the part about multiple AVs; however, my mind left me, and I forgot Ad-Aware was also an AV! It's long gone; I removed it shortly after my original post.

The New Java install is all set

I had already removed MGTools; I'll admit I got ahead of myself in the instructions! So I re-DL'd it and ran it again. I attached both logs, just in case.

MGlogs1.zip is the original scan, with MGlogs.zip being the follow-up.

I noticed that for the short while I had Ad-Aware installed, at Windows start-up the DOS prompt (cmd) window would open for a split second but not do anything (that I could tell). Is that usual for Ad-Aware? Or should I be on the lookout for something else?
Attached Files
File Type: log 02232013_002337.log (13.4 KB, 2 views)
File Type: zip MGlogs1.zip (31.3 KB, 3 views)
File Type: zip MGlogs.zip (166.6 KB, 5 views)
#4  02-23-13, 17:44
chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 80,160)
Re: Not sure. Please help!

Quote (Originally Posted by YoMTVRaps):
I noticed for the short while I had Ad-Aware installed, at windows start-up the dos promp(cmd) window would open for a split second. but not do anything(that I could tell) Is that usual for Ad-Aware? Or should I be on the lookout for something else?

Don't know what Ad-Aware is doing exactly as we don't use it or recommend it. Have not recommended it for more than 8 yrs now.

You still have Ad-Aware Security Add-on installed. You need to uninstall this. Then run the below to make sure everything was removed.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still remain but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"


After clicking Fix, exit HJT.
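As an added example, not code from this thread or from the HijackThis/MGtools authors, the Python below parses HijackThis-style lines like the four chaslang listed in post #4 into fields and flags the entries that are orphaned ("(no file)") or that match the CLSIDs and install paths from that post. The line format is assumed from those four lines only, and the AVG_UI line in the sample is a constructed benign entry included so the filter has something it must leave alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the four lines from post #4 plus a made-up benign AVG startup entry.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\\Program Files\\adawaretb\\adawareDx.dll
O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\\Program Files\\adawaretb\\adawareDx.dll
O4 - HKLM\\..\\Run: [Ad-Aware Browsing Protection] "C:\\ProgramData\\Ad-Aware Browsing Protection\\adawarebp.exe"
O4 - HKLM\\..\\Run: [AVG_UI] "C:\\Program Files\\AVG\\AVG2013\\avgui.exe" /TRAYONLY
"""
# Indicators taken from post #4: the two CLSIDs and the install locations the entries point at.
REVIEW_CLSIDS = {"{7473b6bd-4691-4744-a82b-7854eb3d70b6}", "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"}
REVIEW_PATHS = ("\\adawaretb\\", "ad-aware browsing protection")   # compared lower-cased

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?(?P<path>[^"]+)"?')   # [Name] "path" args

@dataclass
class HjtEntry:
    section: str            # R3, O2, O3, O4 ...
    kind: str               # URLSearchHook, BHO, Toolbar, HKLM\..\Run
    name: str
    clsid: Optional[str]    # lower-cased GUID, or None for O4 entries
    path: Optional[str]     # file on disk, or "(no file)" for an orphaned hook

def parse_line(line: str) -> Optional[HjtEntry]:
    # Split one HijackThis line into fields; lines that are not entries yield None.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section", "kind", "rest")
    if section == "O4":
        m4 = O4_RE.match(rest)
        return HjtEntry(section, kind, m4.group("name") if m4 else rest,
                        None, m4.group("path") if m4 else None)
    parts = [p.strip() for p in rest.split(" - ")]   # name - {CLSID} - path
    c = CLSID_RE.search(rest)
    return HjtEntry(section, kind, parts[0], c.group(0).lower() if c else None,
                    parts[-1] if len(parts) > 2 else None)

def flag_log(text: str) -> List[Tuple[HjtEntry, List[str]]]:
    # Parse the log and keep entries that are orphaned or match the review list, with reasons.
    flagged = []
    for e in filter(None, map(parse_line, text.splitlines())):
        reasons = [msg for hit, msg in (
            (e.path == "(no file)", "orphaned: referenced file is gone"),
            (e.clsid in REVIEW_CLSIDS, "CLSID on review list"),
            (bool(e.path) and any(p in e.path.lower() for p in REVIEW_PATHS), "path on review list"),
        ) if hit]
        if reasons:
            flagged.append((e, reasons))
    return flagged
```

Running `flag_log(SAMPLE_LOG)` returns the four entries chaslang asked to be fixed, each with the reason it was selected, and leaves the constructed AVG_UI entry alone.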
#5  02-23-13, 20:59
YoMTVRaps (Private E-2; Join Date: Feb 2013; Posts: 5)
Re: Not sure. Please help!

Quote (Originally Posted by chaslang):
Don't know what Ad-Aware is doing exactly as we don't use it or recommend it. Have not recommended it for more than 8 yrs now.

You still have Ad-Aware Security Add-on installed. You need to uninstall this. Then run the below to make sure everything was removed.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still remain but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"


After clicking Fix, exit HJT.

Ad-Aware Security Add-on is uninstalled. I ran analyse.exe; the only line of the ones you mentioned that was left was

R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)

I clicked only that, closed all browsers & clicked Fix. Thanks.


What's the next step?
#6  02-23-13, 21:32
chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 80,160)
Re: Not sure. Please help!

You're welcome.
Quote (Originally Posted by YoMTVRaps):
What's the next step?

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
  2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
  4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  8. After doing the above, you should work thru the below link:
#7  02-25-13, 23:13
YoMTVRaps (Private E-2; Join Date: Feb 2013; Posts: 5)
Re: Not sure. Please help!

Quote (Originally Posted by chaslang):
You're welcome.


If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
  2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
  4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  8. After doing the above, you should work thru the below link:

Given what's happened over the course of the past week, I completed the scanning process from top to bottom again. Most logs came up empty. All I could attach are:

Thank you for everything.
Attached Files
File Type: txt mbam-log-2013-02-25 (23-39-55).txt (1.8 KB, 0 views)
File Type: txt RKreport[1]_S_02252013_02d2336.txt (1.7 KB, 1 views)
File Type: zip MGlogs.zip (219.3 KB, 1 views)
#8  02-27-13, 00:19
chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 80,160)
Re: Not sure. Please help!

I'm sorry, but I don't understand why you are running the cleaning process again. I did not request this. I gave you final instructions to remove what we have done because we were finished.
#9  02-27-13, 09:24
YoMTVRaps (Private E-2; Join Date: Feb 2013; Posts: 5)
Re: Not sure. Please help!

Quote (Originally Posted by chaslang):
I'm sorry, but I don't understand why you are running the cleaning process again. I did not request this. I gave you final instructions to remove what we have done because we were finished.

I apologize; I realized after I posted that reply that it was unnecessary and not really informative.

You did help me with everything, which is greatly appreciated. It's more that I still feel unsafe, which is my issue, not yours.

I don't think anything I do will make me feel safe on my computer(or any) for quite some time. Even though that may have nothing to do with what happened.

Again, thanks a bunch for all your help, it was greatly appreciated!
#10  02-28-13, 02:07
chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 80,160)
Re: Not sure. Please help!

You're welcome.
Quote (Originally Posted by YoMTVRaps):
I don't think anything I do will make me feel safe on my computer(or any) for quite some time. Even though that may have nothing to do with what happened.

Okay, it may take a while to work thru the paranoia that this could have caused. But following the How to Protect yourself from malware! link closely can help protect you. As noted there, protection begins and ends with the end user and their education. There is no one-stop perfect solution, but the info there does help.