crossword (Author), posted November 15, 2014

SystemLook 30.07.11 by jpshortstuff
Log created at 07:00 on 15/11/2014 by Vidya Samson
Administrator - Elevation successful

========== folderfind ==========
Searching for "skype"
No folders found.

========== filefind ==========
Searching for "skype"
No files found.

========== regfind ==========
Searching for "skype"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{22BF413B-C6D2-4D91-82A9-A0F997BA588C}]
"DllName"="SkypeIEPlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77BF5300-1474-4EC7-9980-D32B190E9B07}]
"DllName"="SkypeIEPlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}]
"DllName"="SkypeIEPlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
"DllName"="SkypeIEPlugin.dll"

-= EOF =-

Here's the ESET scan. You told me to run Emsisoft, but I saw it was a huge download, and I have limited bandwidth a month; if I exceed it I have to pay extra. So I tried ESET, though it took so long I suppose I might anyway have exceeded my bandwidth for this month.

C:\FRST\Quarantine\C\Users\Vidya Samson\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\aaaalipaokhkccgmgkdglfinfnfhflko\30.10_0\background\ChromeUtilPlugin.dll  a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\FRST\Quarantine\C\Users\Vidya Samson\Desktop\ccsetup410.exe.xBAD  Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\FRST\Quarantine\D\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe.xBAD  Win32/Bundled.Toolbar.Google.E potentially unsafe application
H:\Local Disk ©\Users\Vidya Samson\Downloads\FreeFileViewerSetup [1].exe  a variant of Win32/FileTypeAssistant.A potentially unwanted application
H:\OTHER (D)\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe  Win32/Bundled.Toolbar.Google.E potentially unsafe application
I:\Data\Drive D\data 2\software\ccsetup310.exe  Win32/Bundled.Toolbar.Google.E potentially unsafe application

*** I think we had found Comodo using Farbar and then we deleted it, so why does it still show? Also, the Win32 Bundled Toolbar that came with CCleaner is still showing in the C drive. We had scripted it out. Is it still showing because I never uninstalled CCleaner and ran it again recently? You gave me an alternative to CCleaner, but I thought it would be safe to use CCleaner again once we got rid of the Bundled Toolbar. So many people use CCleaner. If it is not safe to use, I will uninstall it and download the alternative you gave me. Should I do that?

As for FreeFileViewerSetup, I think I got that when I downloaded some software that was supposed to be able to open various files, but only ended up giving me malware.
Juliet, posted November 15, 2014

Firstly, what these scans are showing me is pretty much a clean machine. Everything that would have been considered drastic has been removed. Most of the adware/malware that came onto your computer was bundled with applications you downloaded. You can still use CCleaner or the alternative; all we had to do was remove the bundled items that came with it in the download. That's still up to you.

> As for FreeFileViewerSetup, I think I got that when I downloaded some software that was supposed to be able to open various files, but only ended up giving me malware.
> H:\Local Disk ©\Users\Vidya Samson\Downloads\FreeFileViewerSetup [1].exe  a variant of Win32/FileTypeAssistant.A potentially unwanted application

Your decision to remove this; it alerts that it's a not-well-known and potentially unwanted application. Myself, since these are well known scanners we're using and it was not able to identify what this application was, I would delete it.

Now, below: what Skype files were found are just leftovers from a legit program you installed, and are harmless. I can script these out.

Open Notepad and copy and paste the items in blue:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5067A26B-1337-4436-8AFE-EE169C2DA79F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77BF5300-1474-4EC7-9980-D32B190E9B07}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose "Save as type: All Files". Double-click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

NEXT

Copy all text in the code box (below) to Notepad.

@echo off
del /f /s /q "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll"
del /f /s /q "C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll"
del %0

Save the Notepad file on your desktop, save type as "All Files" and as delfile.bat. Double-click on delfile.bat to execute it. A black CMD window will flash, then disappear; this is normal. The files and folders, if found, will have been deleted and the "delfile.bat" file will also be deleted.

After completing the above, please tell me how the computer is now.
crossword (Author), posted November 16, 2014

I'm not worried about Skype since you explained to me before it was harmless and an FP. My worry is, we had found Comodo using Farbar and then we deleted it, so why does it still show? And the Win32 Bundled Toolbar that came with CCleaner is still showing in the C drive. We had scripted it out. If we delete stuff, then why does it still show? Is there no way to get rid of them for good? Perhaps the stuff you wrote in blue in your last post is meant to do just that?

Before I run those, yes, I want to delete FreeFileViewerSetup. I manually deleted it from my folder yesterday when I saw ESET list it, but I'm still unsure it's totally gone. Can you please write some code I can use with the other stuff to ensure it's gone? Maybe something I can include in the REGEDIT4 you wrote for me?

After we have got the computer and ext drive clean, yes, I would love it if you could advise me on how to keep them free from malware. I have wasted a lot of time dealing with malware got from supposedly legit programs I download. And yes, I do download them as far as possible from the original site, e.g. I downloaded CutePDF from its site and only after I had read a lot of praise on it in a forum. After it installed the malware and bloatware [the Comodo browser that was a full 70 MB that I could ill afford to download thanks to my limited bandwidth], I googled and only then did I read complaints about how CutePDF installs malware and bloatware. I don't know why supposedly legit companies like CCleaner too do this kind of thing. I get that they're paid to force upon us things we don't want so these other programs can market themselves to us, but if they give us malware, who will trust them in the future?
Juliet, posted November 16, 2014

OK, let me see if I can answer all the questions.

> we had found Comodo using Farbar and then we deleted it, so why does it still show?

It is showing in the FRST quarantine folder and will remain there till we remove the tool and all its folders. The file is not open or active.
C:\FRST\Quarantine\C\Users\Vidya Samson\AppData\Local\Comodo\

ccsetup310.exe was found in your backup data drives:
H:\OTHER (D)\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe
I:\Data\Drive D\data 2\software\ccsetup310.exe

I will write another script to remove these. Please make sure your extra drives are plugged in.

Copy all text in the code box (below) to Notepad.

@echo off
del /f /s /q "H:\OTHER (D)\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe"
del /f /s /q "I:\Data\Drive D\data 2\software\ccsetup310.exe"
del %0

Save the Notepad file on your desktop, save type as "All Files" and as delfile.bat. Double-click on delfile.bat to execute it. A black CMD window will flash, then disappear; this is normal. The files and folders, if found, will have been deleted and the "delfile.bat" file will also be deleted.

~~~~~~~~~~~~~

Open SystemLook

Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield:

:folderfind
FreeFileViewer
:filefind
FreeFileViewer
:regfind
FreeFileViewer

Click the Look button to start the scan. When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
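The reasoning in the reply above (a hit inside a cleanup tool's quarantine is an inert copy, a hit on another drive is a copy the C:-only scripts never touched, and the same installer can show up under several paths) can be applied mechanically to a scan log. This is added example code, not part of the thread; the tab-separated layout, the quarantine root list and the single "live" line are constructed for the example.

```python
"""Triage ESET-style scan hits into quarantined / other-drive / live,
and point out one file that recurs under several paths."""
import re
from collections import defaultdict

# Constructed sample: path<TAB>detection. The paths are the ones posted in the
# thread plus one constructed live hit so that every category is exercised.
SAMPLE_ESET_LOG = (
    "C:\\FRST\\Quarantine\\C\\Users\\Vidya Samson\\Desktop\\ccsetup410.exe.xBAD"
    "\tWin32/Bundled.Toolbar.Google.D potentially unsafe application\n"
    "C:\\FRST\\Quarantine\\D\\Local Disk\\Data\\Drive D\\data 2\\software\\ccsetup310.exe.xBAD"
    "\tWin32/Bundled.Toolbar.Google.E potentially unsafe application\n"
    "H:\\Local Disk ©\\Users\\Vidya Samson\\Downloads\\FreeFileViewerSetup [1].exe"
    "\ta variant of Win32/FileTypeAssistant.A potentially unwanted application\n"
    "H:\\OTHER (D)\\Local Disk\\Data\\Drive D\\data 2\\software\\ccsetup310.exe"
    "\tWin32/Bundled.Toolbar.Google.E potentially unsafe application\n"
    "I:\\Data\\Drive D\\data 2\\software\\ccsetup310.exe"
    "\tWin32/Bundled.Toolbar.Google.E potentially unsafe application\n"
    "C:\\Users\\Vidya Samson\\Downloads\\constructed-example.exe"
    "\ta variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application\n"
)

# Quarantine folders of the tools that appear in this thread (FRST, ComboFix's Qoobox).
QUARANTINE_ROOTS = ("C:\\FRST\\Quarantine\\", "C:\\Qoobox\\Quarantine\\")
SYSTEM_DRIVE = "C:"


def classify(path):
    """Return 'quarantined', 'other-drive' or 'live' for one scan-hit path."""
    p = path.lower()
    if any(p.startswith(root.lower()) for root in QUARANTINE_ROOTS):
        return "quarantined"   # inert copy; goes away when the tool and its folders are removed
    if not p.startswith(SYSTEM_DRIVE.lower() + "\\"):
        return "other-drive"   # backup/external drive copy; needs its own removal step
    return "live"


def parse_eset_log(text):
    """Yield (path, detection) from tab-separated lines; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not re.match(r"^[A-Za-z]:\\", parts[0]):
            continue
        yield parts[0], parts[1].strip()


def triage(text):
    """Group hits by category and list files that recur under several paths."""
    by_category = defaultdict(list)
    by_name = defaultdict(set)
    for path, detection in parse_eset_log(text):
        by_category[classify(path)].append((path, detection))
        # The quarantined copies in this thread carry an extra .xBAD suffix;
        # strip it so the quarantined and the live copies of a file match up.
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(".xbad"):
            name = name[:-5]
        by_name[name].add(path)
    duplicates = {n: sorted(ps) for n, ps in by_name.items() if len(ps) > 1}
    return dict(by_category), duplicates


if __name__ == "__main__":
    categories, dups = triage(SAMPLE_ESET_LOG)
    for cat in ("live", "other-drive", "quarantined"):
        print(f"{cat}: {len(categories.get(cat, []))} hit(s)")
        for path, detection in categories.get(cat, []):
            print(f"    {path}  [{detection}]")
    for name, paths in dups.items():
        print(f"{name} appears under {len(paths)} paths: {paths}")
```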
crossword (Author), posted November 17, 2014

I did everything you told me to in your last two posts:

SystemLook 30.07.11 by jpshortstuff
Log created at 13:49 on 17/11/2014 by Vidya Samson
Administrator - Elevation successful

========== folderfind ==========
Searching for "FreeFileViewer"
No folders found.

========== filefind ==========
Searching for "FreeFileViewer"
No files found.

========== regfind ==========
Searching for "FreeFileViewer"
[HKEY_CURRENT_USER\Software\Bitberry Software]
"FreeFileViewerSetup [1].exe"="1391577980171,http://www.freefileviewer.com/downloads/newest.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pages\OpenWithList]
"d"="FreeFileViewer.exe"
[HKEY_USERS\S-1-5-21-2261785502-2541491869-2394418403-1001\Software\Bitberry Software]
"FreeFileViewerSetup [1].exe"="1391577980171,http://www.freefileviewer.com/downloads/newest.exe"
[HKEY_USERS\S-1-5-21-2261785502-2541491869-2394418403-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pages\OpenWithList]
"d"="FreeFileViewer.exe"

-= EOF =-
Juliet, posted November 17, 2014

Open Notepad and copy and paste the text in blue below into it:

REGEDIT4

; [-Key] removes the whole key; "name"=- removes just that value from the key above it
[-HKEY_CURRENT_USER\Software\Bitberry Software]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pages\OpenWithList]
"d"=-

[HKEY_USERS\S-1-5-21-2261785502-2541491869-2394418403-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pages\OpenWithList]
"d"=-

[-HKEY_USERS\S-1-5-21-2261785502-2541491869-2394418403-1001\Software\Bitberry Software]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose "Save as type: All Files". Double-click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Copy all text in the code box (below) to Notepad.

@echo off
del /f /s /q "H:\Local Disk ©\Users\Vidya Samson\Downloads\FreeFileViewerSetup [1].exe"
del %0

Save the Notepad file on your desktop, save type as "All Files" and as delfile.bat. Double-click on delfile.bat to execute it. A black CMD window will flash, then disappear; this is normal. The files and folders, if found, will have been deleted and the "delfile.bat" file will also be deleted.

That should do it; your computer should now be malware free.
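Removal .reg files like the ones in this thread are merged with no preview, so it is worth dry-running them: list what the file would delete or write and catch the slip that is easy to make when a SystemLook hit such as "d"="FreeFileViewer.exe" is turned into a deletion (a value deletion is written "name"=-, with no data part). This is added example code, not from the thread; the sample .reg is constructed in the thread's style and deliberately carries one malformed line on line 9.

```python
"""Dry-run checker for hand-written .reg removal scripts. Parses the file and
reports planned key deletions, value deletions, value writes and syntax problems
without touching the registry, so it runs on any platform."""
import re
from dataclasses import dataclass, field

# Constructed sample: the two correct forms used in this thread, plus one
# malformed value-deletion (line 9) so the checker has something to flag.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_CURRENT_USER\Software\Bitberry Software]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pages\OpenWithList]
"d"=-

[HKEY_USERS\S-1-5-21-2261785502-2541491869-2394418403-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pages\OpenWithList]
"d"="FreeFileViewer.exe"=-
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r'^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$')
VALUE_DELETE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=-$')
VALUE_SET = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.+)$')


@dataclass
class RegPlan:
    deleted_keys: list = field(default_factory=list)    # key paths given as [-...]
    deleted_values: list = field(default_factory=list)  # (key, value name)
    written_values: list = field(default_factory=list)  # (key, value name, data)
    problems: list = field(default_factory=list)        # (line number, text, why)


def plan_reg_merge(text):
    """Walk a .reg file and return what merging it would do."""
    lines = text.splitlines()
    plan = RegPlan()
    if not lines or lines[0].strip() not in HEADERS:
        plan.problems.append((1, lines[0] if lines else "",
                              "missing REGEDIT4 / Windows Registry Editor header"))
        return plan
    key = None  # current [section]; None at file start and after a [-key] deletion
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            if m.group(1) == "-":
                plan.deleted_keys.append(m.group(2))
                key = None
            else:
                key = m.group(2)
            continue
        if key is None:
            plan.problems.append((n, line, "value line with no open [key] section"))
            continue
        m = VALUE_DELETE.match(line)
        if m:
            plan.deleted_values.append((key, m.group(1)))
            continue
        m = VALUE_SET.match(line)
        if m:
            name, data = m.groups()
            if data.endswith("=-"):
                plan.problems.append((n, line, f"to delete a value write {name}=- with no data part"))
            else:
                plan.written_values.append((key, name, data))
            continue
        plan.problems.append((n, line, "unrecognised line"))
    return plan


if __name__ == "__main__":
    plan = plan_reg_merge(SAMPLE_REG)
    for k in plan.deleted_keys:
        print("delete key   ", k)
    for k, v in plan.deleted_values:
        print("delete value ", v, "in", k)
    for n, text, why in plan.problems:
        print(f"PROBLEM line {n}: {why}: {text}")
```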
crossword (Author), posted November 18, 2014

Done.

Someone told me to try Ubuntu or Mint, which won't get viruses, and will work and look very much like Windows. I hesitated because I thought Linux had a learning curve. I was afraid to try it out, since I'm far from competent when it comes to the computer and I figured I already get into enough troubles with the computer without taking on an added new thing to learn. I figured if Linux was easy to learn, why would anyone at all use Windows? Also, I don't see how it would prevent viruses. I get that the virus writers target Windows computers more, which is why Macs suffer less. But I got this malware because I downloaded stuff. So would the malware not have downloaded onto my computer if I had been using Linux?
Juliet, posted November 18, 2014

> So would the malware not have downloaded onto my computer if I had been using Linux?

I don't have that answer; I've never used it. We have a Linux forum here: http://forums.pcpitstop.com/index.php?/forum/7-linux/ I feel they can help with anything you like.

Let's remove these tools and quarantine folders now.

Download Delfix from here.
Ensure "Remove disinfection tools" is ticked.
Also tick: "Create registry backup", "Purge system restore".
Click Run.

Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.

Answers to common security questions - Best Practices, by quietman7, MVP
How Malware Spreads - How did I get infected?, by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet, by Lawrence Abrams, MVP
How to Prevent Malware, by miekiemoes, MVP
How to backup and restore your data using Cobian Backup, by YourHighness
Slow Computer/browser? It May Not Be Malware, by quietman7, MVP

The following programmes come highly recommended in the security community.

AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoPrevent), preventing your files from being encrypted.
Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
crossword (Author), posted November 18, 2014

Thanks. Will do all the above and get back to you.

You had asked how my comp is doing: my father is a Company Secretary who gets paid to affix his digital signature to the documents his colleagues send him. We share this computer and he works on it. He got a new signature installed a couple of months ago. After some teething troubles, I got it to work fine for the past 2 months. Four days ago, on November 14, it stopped working. Meaning I still affix the siggy to the documents, but the guy who we email the documents to and who has to file them said the body he is filing them with, the ROC, says the siggy is not valid. The ROC says the siggy shows it is coming from my father and not the place he bought the siggy from and which has authorized him to use this as his siggy. Therefore the docs cannot be validated. This has been happening for the past 4 days, i.e. the colleague is unable to make the ROC accept the siggy.

It didn't strike me till now, but is it possible all the cleaning we have been doing has caused some change, some kind of damage to the siggy? My father contacted the ROC and they said keep trying, perhaps there is something wrong with the ROC website where they file the documents and siggys. Another suggestion given was to reinstall the siggy. So what do you think? If it was some cleaning I did then I will have to reinstall the siggy.

I have just checked my father's inbox and I see the last time he was sent docs to sign was Oct 27. And then again on Nov 14, as I said. It's possible the siggy stopped working somewhere between Oct 27 and Nov 14 and I didn't realize it because we were not sent docs in between.

Also, I do try to avoid downloading any software, but it's not always possible. I now need some program that will help me edit pictures so I can make covers for my ebooks. I had tried to add the title with MS Paint but could not manage, so I'm looking for a program that makes it simple. The main problem I had when I tried with Paint is that it would not center. Do you by chance know of any simple SAFE program that lets you easily add titles to covers and move them around to where you want? I'm now afraid to download anything, fearing it will give me malware. I'm trying to avoid some big program like GIMP that would be a large download. Is there some small program that would let me do the basics? I'm not going to do any serious photo manipulation, so GIMP would be a waste. Thanks!
crossword (Author), posted November 18, 2014

Ran DelFix:

# DelFix v10.8 - Logfile created 18/11/2014 at 19:21:26
# Updated 29/07/2014 by Xplode
# Username : Vidya Samson - VIDYA
# Operating System : Windows 8 Enterprise (32 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\AdwCleaner[R11].txt
Deleted : C:\AdwCleaner[R12].txt
Deleted : C:\AdwCleaner[s10].txt
Deleted : C:\AdwCleaner[s9].txt
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.3.0.0.10_08.09.2014_22.52.04_log.txt
Deleted : C:\Users\Vidya Samson\Desktop\Addition.txt
Deleted : C:\Users\Vidya Samson\Desktop\AdwCleaner.exe
Deleted : C:\Users\Vidya Samson\Desktop\ComboFix.exe
Deleted : C:\Users\Vidya Samson\Desktop\dds.com
Deleted : C:\Users\Vidya Samson\Desktop\Fixlog.txt
Deleted : C:\Users\Vidya Samson\Desktop\FRST 2.exe
Deleted : C:\Users\Vidya Samson\Desktop\Rkill.txt
Deleted : C:\Users\Vidya Samson\Desktop\RogueKiller.exe
Deleted : C:\Users\Vidya Samson\Desktop\SystemLook.exe
Deleted : C:\Users\Vidya Samson\Desktop\SystemLook.txt
Deleted : C:\Users\Vidya Samson\Desktop\tdsskiller.exe
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #68 [scheduled Checkpoint | 11/08/2014 02:55:04]
Deleted : RP #69 [scheduled Checkpoint | 11/16/2014 02:51:07]

New restore point created !

########## - EOF - ##########

However, I still found some stuff in the C drive. In C:\Program Files, I found: AdwareRemovalToolv3.7. And in C:\ProgramData, I found: HitmanPro, RogueKiller. The HitmanPro was left over from a previous time I got malware. But I found none of these in the Uninstall or Change Programs list, so I can't get rid of them from there. In UpdateChromeLinksLogs I found some stuff titled Comodo Dragon. They were all 1 KB and the type was Setup Information. Should I just delete all the above?
Juliet, posted November 18, 2014

Yes, it is safe to delete all of that.
crossword (Author), posted November 18, 2014

OK, thanks. Will delete.

I had asked you earlier; don't know if you missed this post:

> You had asked how my comp is doing: my father is a Company Secretary who gets paid to affix his digital signature to the documents his colleagues send him. We share this computer and he works on it. He got a new signature installed a couple of months ago. After some teething troubles, I got it to work fine for the past 2 months. Four days ago, on November 14, it stopped working. Meaning I still affix the siggy to the documents, but the guy who we email the documents to and who has to file them said the body he is filing them with, the ROC, says the siggy is not valid. The ROC says the siggy shows it is coming from my father and not the place he bought the siggy from and which has authorized him to use this as his siggy. Therefore the docs cannot be validated. This has been happening for the past 4 days, i.e. the colleague is unable to make the ROC accept the siggy.
>
> It didn't strike me till now, but is it possible all the cleaning we have been doing has caused some change, some kind of damage to the siggy? My father contacted the ROC and they said keep trying, perhaps there is something wrong with the ROC website where they file the documents and siggys. Another suggestion given was to reinstall the siggy. So what do you think? If it was some cleaning I did then I will have to reinstall the siggy.
>
> I have just checked my father's inbox and I see the last time he was sent docs to sign was Oct 27. And then again on Nov 14, as I said. It's possible the siggy stopped working somewhere between Oct 27 and Nov 14 and I didn't realize it because we were not sent docs in between.
>
> Also, I do try to avoid downloading any software, but it's not always possible. I now need some program that will help me edit pictures so I can make covers for my ebooks. I had tried to add the title with MS Paint but could not manage, so I'm looking for a program that makes it simple. The main problem I had when I tried with Paint is that it would not center. Do you by chance know of any simple SAFE program that lets you easily add titles to covers and move them around to where you want? I'm now afraid to download anything, fearing it will give me malware. I'm trying to avoid some big program like GIMP that would be a large download. Is there some small program that would let me do the basics? I'm not going to do any serious photo manipulation, so GIMP would be a waste. Thanks!
Juliet, posted November 19, 2014

Let me see if I can answer some of this, but most is out of my field.

> It didn't strike me till now, but is it possible all the cleaning we have been doing has caused some change, some kind of damage to the siggy?

If anything was removed it was because something had attached to what he used or what he had made, or the executable from the program was made corrupt. If the signature wasn't being accepted by a client it could be because at that time the machine was infected and their or corporate antivirus software would not allow the download.

> Another suggestion given was to reinstall the siggy. So what do you think? If it was some cleaning I did then I will have to reinstall the siggy.

I'd say that's the best and I hope the easiest solution at this time. Someone will have to experiment with this till one can be accepted. I know that might not help much, but it's probably the best answer at this time.

Today, when trying to download what looks like an easy legitimate tool or program, it can be filled with junk and adware. Sometimes this opens the door for other malware-related items to jump on board, like it opened the door to all its cousins.

> Also, I do try to avoid downloading any software, but it's not always possible. I now need some program that will help me edit pictures so I can make covers for my ebooks.

I'm not sure what to say here or how to direct you, really, other than to start a new topic in one of our other forums where other members can assist.

User to User: http://forums.pcpitstop.com/index.php?/forum/3-user-to-user-help/
Making Web Sites: http://forums.pcpitstop.com/index.php?/forum/27-making-web-sites/
Juliet, posted November 21, 2014

Let's finish this up with removing tools and quarantine folders.

Download Delfix from here.
Ensure "Remove disinfection tools" is ticked.
Also tick: "Create registry backup", "Purge system restore".
Click Run.

Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.

Answers to common security questions - Best Practices, by quietman7, MVP
How Malware Spreads - How did I get infected?, by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet, by Lawrence Abrams, MVP
How to Prevent Malware, by miekiemoes, MVP
How to backup and restore your data using Cobian Backup, by YourHighness
Slow Computer/browser? It May Not Be Malware, by quietman7, MVP

The following programmes come highly recommended in the security community.

AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoPrevent), preventing your files from being encrypted.
Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
Juliet, posted November 25, 2014

Glad we could help. Since this issue appears resolved, this topic is closed.