zubbs1

Skypemoticons

I stupidly clicked a link in a Skype chat that has now given me an infection. It causes lots of popup tabs when browsing the internet and flashing ads within webpages showing ads by skypemoticon. No matter what I've done, it keeps reappearing after reboot.

I ran Ad-Aware and it quarantined some things. Attached are the FRST scan logs. I really appreciate your help.

FRST.txt

Addition.txt

Hi zubbs1,

1. Have you had this program installed a long time?

Download your driver (HKLM-x32\...\Download your driver 1.0.0) (Version: 1.0.0 - Tlapia) <==== ATTENTION

FRST believes it's malware or adware.

2. Please uninstall:

Java 8 Update 25

since it's an old version with known vulnerabilities that can be exploited by a web page to infect the computer. Most persons don't need to have Java installed, but if you have to, it's important to always have the latest version.

3. CHR dev: Chrome dev build detected! <======= ATTENTION

Chrome is set to use early test versions and use less secure settings. Have you or any adware/malware done it?

4. Please, start Notepad.

Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-14] (AVG Technologies)
R1 SbFw; C:\Windows\System32\drivers\SbFw.sys [253528 2011-04-05] (Sunbelt Software, Inc.)
S3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [84568 2011-02-08] (Sunbelt Software, Inc.)
R3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [84568 2011-02-08] (Sunbelt Software, Inc.)
S3 sbhips; C:\Windows\System32\drivers\sbhips.sys [60504 2011-04-05] (Sunbelt Software, Inc.)
R1 SbTis; C:\Windows\System32\drivers\sbtis.sys [94296 2011-04-05] (Sunbelt Software, Inc.)
S3 GPU-Z; \??\C:\Users\Zubba\AppData\Local\Temp\GPU-Z.sys [X]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
2015-02-18 10:51 - 2015-02-26 10:29 - 00000000 ____D () C:\Program Files (x86)\ABV Notifier
2015-02-18 10:51 - 2015-02-18 10:51 - 00000000 ____D () C:\Program Files (x86)\DeltaFix
2015-02-18 10:50 - 2015-02-26 09:42 - 00000000 ____D () C:\Program Files (x86)\SkypEEmotiCons
2015-02-18 10:50 - 2015-02-18 10:50 - 00000000 ____D () C:\ProgramData\jhfolibblbjmpihcbaonckjabcaiffph
2015-02-18 10:50 - 2015-02-18 10:50 - 00000000 ____D () C:\ProgramData\4557412500390496948
2013-07-29 17:26 - 2014-06-24 18:12 - 0003711 _____ () C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
AlternateDataStreams: C:\ProgramData\TEMP:0B174FAE
AlternateDataStreams: C:\ProgramData\TEMP:556BBACC
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
Reboot:

and paste in Notepad. Check that no files have been split on two lines.

Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your answer.

5. To get a second opinion run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/

To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.
Deselect Remove found threats.
Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your answer.

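An added helper (not part of this thread, nor of FRST itself) for the driver lines in the fixlist above: it parses FRST's `<state> <name>; <path> [<size> <date>] (<vendor>)` format and flags the two things the helper is checking by hand here, a service whose file is gone (`[X]`) and a driver that still loads from a vendor whose product was uninstalled. The vendor list and the Microsoft sample line are constructed for the example.

```python
import re

# FRST prints each driver/service on one line:
#   "<state> <name>; <path> [<size> <date>] (<vendor>)"
# or "<state> <name>; <path> [X]" when the file no longer exists on disk.
# The letter is R (running) or S (stopped); the digit is the start type.
LINE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)|\[X\])$"
)

# Vendors of products this thread shows as already uninstalled (Sunbelt/VIPRE,
# AVG); a driver from them that still loads is a leftover worth reviewing.
LEFTOVER_VENDORS = ("Sunbelt Software", "AVG Technologies")


def parse_line(line):
    """Parse one FRST driver line into a dict, or return None if it isn't one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["size"] is None  # FRST wrote [X] instead of size/date
    entry["size"] = int(entry["size"]) if entry["size"] else None
    return entry


def review(lines):
    """Return (name, reason) pairs for entries a cleaner would look at twice."""
    findings = []
    for entry in filter(None, map(parse_line, lines)):
        if entry["missing"]:
            findings.append((entry["name"], "service points at a missing file"))
        elif any(v in entry["vendor"] for v in LEFTOVER_VENDORS):
            findings.append((entry["name"], "leftover driver from " + entry["vendor"]))
    return findings


# Four lines copied from the fixlist in this thread, plus one constructed
# Microsoft driver line (size and date made up) that should pass untouched.
SAMPLE = [
    r"R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-14] (AVG Technologies)",
    r"R1 SbFw; C:\Windows\System32\drivers\SbFw.sys [253528 2011-04-05] (Sunbelt Software, Inc.)",
    r"S3 GPU-Z; \??\C:\Users\Zubba\AppData\Local\Temp\GPU-Z.sys [X]",
    r"S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]",
    r"R0 volmgr; C:\Windows\System32\drivers\volmgr.sys [71168 2009-07-14] (Microsoft Corporation)",
]

if __name__ == "__main__":
    for name, reason in review(SAMPLE):
        print(f"{name}: {reason}")
```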

I do not recognize the 'Download your driver' entry, and have not done anything with Chrome (I just did a vanilla install and then used it). I did uninstall the outdated Java as instructed.

I created the fixlist file and ran FRST fix mode. It ran the script and completed with a reboot. However, my LAN card had no connectivity after the reboot. I was forced to use the created restore point. Upon reboot, the internet connection was established.

I have noticed lately that my LAN card has had some issues connecting on reboots. Sometimes it is very slow to finally connect. I'm not sure if this is malware/infection related or if it is something else. I've also noticed that my computer (Windows Explorer especially) gets very laggy and nonresponsive (especially when reusing the computer after it has been sitting idle for hours). I've had more forced reboots in the last 2-3 weeks than in the previous 3 years combined.

ESET found 18 threats, so hopefully that gives you more clues. Thanks again for all your help.

Eset 2-27-15.txt

Fixlog.txt


Sorry that you lost the internet connection :(

1. Did you download Chrome from Google's official web site?

I wonder due to this:

C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome.dll Win32/Patched.NFY trojan

2. Please, uninstall Download your driver and Google Chrome.

Delete these folders, if not deleted by the uninstallation program:

C:\Program Files (x86)\Google\Chrome
C:\Users\Zubba\AppData\Local\Google\Chrome
A Google Chrome folder in C:\ProgramData.

3. It's always dangerous to use cracked programs.

4. Regarding

E:\Media\FINAL FANTASY ANDROID MEGA PACK\FINAL FANTASY II\FinalFantasy2 unlimited gil V4.0.apk a variant of Android/Secapk.E potentially unsafe application

please read https://blog.avast.com/2014/03/31/the-gray-zone-of-malware-detection-in-android-os/#more-26393 and particularly

The real concern of this blog-post is that every file that uses this protection must be detected as a PUP (potentially unwanted program). Many malware authors use this protection to make their malicious samples undetectable. In parallel, legitimate applications use the protection to stay away from disassembling, decompiling, injection of malicious code, and other illegal uses.

Is it a legal and safe Android app you have?

5. You have a left-over, a driver, of AVG running. You can remove it by using AVG Remover: http://www.avg.com/us-en/utilities

There are also several drivers from Sunbelt running. I used FRST to remove them, but it's possible that's why you lost the internet connection.

VIPRE's Firewall component that integrates with the Network Card needs to be removed to ensure connectivity.

Hold down the Windows Key and tap "R" once
Type "ncpa.cpl" and hit OK
Right click the Active Network Connection and select Properties
Highlight the Sunbelt/GFI NDIS IM Filter and select Uninstall

From https://threattrack.freshdesk.com/support/solutions/articles/1000070702

If you see other Sunbelt drivers, please uninstall them too.

It's best to remove those old drivers since they can disturb Ad-Aware and any future antivirus programs you want to have.

6. I'll try to clean again with FRST but less and hopefully that will keep your internet connection.

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\INTERNET EXPLORER: Policy restriction <======= ATTENTION
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
S3 GPU-Z; \??\C:\Users\Zubba\AppData\Local\Temp\GPU-Z.sys [X]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished and the computer is restarted.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your answer.

7. Start FRST.
Select Addition.txt.
Let FRST scan the computer and attach the two new log files.


I thought I had installed Chrome from the official site, but uninstalled and reinstalled it. I also uninstalled Download your driver. I went ahead and deleted that Android app file, as I don't even use it. I downloaded and ran the AVG remover, and it ran a command prompt, but was too fast to see anything, and it gave no prompt afterward to indicate if it had done anything successfully or not.

I followed the instructions for the Sunbelt uninstall. It took a few minutes, but the system reconnected through the LAN.

The fixlist was run and the reboot was successful this time. Attached are the requested logfiles.

FRST.txt

Addition.txt

Fixlog.txt


Good!

1. Have you installed "Private Internet Access" yourself?
Sometimes such programs are installed in the background when installing another program.

2. Let us try to remove some more drivers.
Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-14] (AVG Technologies)
R1 SbFw; C:\Windows\System32\drivers\SbFw.sys [253528 2011-04-05] (Sunbelt Software, Inc.)
S3 sbhips; C:\Windows\System32\drivers\sbhips.sys [60504 2011-04-05] (Sunbelt Software, Inc.)
R1 SbTis; C:\Windows\System32\drivers\sbtis.sys [94296 2011-04-05] (Sunbelt Software, Inc.)
Folder: C:\ProgramData\jhfolibblbjmpihcbaonckjabcaiffph
Folder: C:\ProgramData\4557412500390496948
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

3. Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.
Click on the Scan button.
Wait until the search has finished.
Click on the Report button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[R0].txt.

4. Do you have the ads in all three browsers?

ADWCLEANER Log:

# AdwCleaner v4.111 - Logfile created 28/02/2015 at 21:48:09
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Local]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Zubba - TESLA
# Running from : C:\Users\Zubba\Desktop\Malware Removal\adwcleaner_4.111.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\ProgramData\4557412500390496948
Folder Found : C:\ProgramData\bjkogcbbfiiejfpfgjkddfmmnhnlnfpk
Folder Found : C:\ProgramData\bjkogcbbfiiejfpfgjkddfmmnhnlnfpk
Folder Found : C:\Users\Zubba\AppData\Local\AVG SafeGuard toolbar

***** [ Scheduled tasks ] *****

Task Found : update-sys
Task Found : update-S-1-5-21-3403507024-58037063-281187845-1000
Task Found : update-sys

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Conduit
Key Found : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Found : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Lightshot]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17631

-\\ Mozilla Firefox v

-\\ Google Chrome v40.0.2214.115

[C:\Users\Zubba\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Zubba\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

-\\ Chromium v

*************************

AdwCleaner[R0].txt - [9769 bytes] - [22/11/2014 20:38:31]
AdwCleaner[R1].txt - [2079 bytes] - [28/02/2015 21:48:09]
AdwCleaner[s0].txt - [9820 bytes] - [22/11/2014 20:39:21]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [2197 bytes] ##########

Private Internet Access was an intentional install, and I plan on keeping it. I only use Chrome, I really have no need for Firefox, I.E., or Opera. I only had the others installed at some point because I'm helping to beta test an online game and they wanted users to try other browsers than just Chrome. I am not needing to do that any longer, so I really just need Chrome at this point.

Thank you.

Fixlog.txt


Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
C:\ProgramData\4557412500390496948
C:\ProgramData\bjkogcbbfiiejfpfgjkddfmmnhnlnfpk
C:\ProgramData\jhfolibblbjmpihcbaonckjabcaiffph
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished and restarted the computer.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your answer.

It is useful to know if there are popups and flashing ads even in the browsers you don't use.


I opened Internet Explorer and surfed around to several sites, and noticed nothing unusual. There also are no more flashing ads or popups on Chrome. Firefox and Opera are not even installed anymore on my system, so I couldn't check them. On reboots, my LAN card seems to be connecting better than I had noticed recently. Before I reinstalled Chrome, I had the add-on Adblocker installed. Is this a good choice for keeping banners and such off of webpages, or is there another one you would recommend?

Attached is the requested fixlog file.

Fixlog.txt


Great!

1. My main browser is Firefox and Adblock Plus is a very common add-on for blocking ads in Firefox, if you want to support the web sites by allowing well-behaving ads. It's available for Chrome too:

https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb
https://adblockplus.org/en/chrome

2. Time for removal of tools.

2a. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.
Click on the Uninstall button.

2b. Download OTC http://oldtimer.geekstogo.com/OTC.exe
Close all programs.
Start OTC program.
Click the CleanUp! button.
Select Yes when asked "Begin cleanup process".
If you are asked to reboot, select Yes.
If any logs remain on the computer you can remove them.

3. Improve the security in the computer.
It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.


Ok, I have done the ADW and OTC cleanup and uninstalls.

Thank you so much for your help. I won't be boneheaded again and click things reflexively.


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you!
