Author Topic: need help pls.. trojane virus in temp folder.. cant remove it..  (Read 10379 times)

itzmekelvin

  • Guest
here is my logs

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #1 on: August 01, 2013, 03:38:52 PM »
Hi,


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #2 on: August 01, 2013, 03:52:27 PM »
here. ;D

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #3 on: August 01, 2013, 04:06:21 PM »
..

Offline magna86

Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #4 on: August 01, 2013, 04:32:24 PM »
Ok, you really don't know how to appreciate your system.  ;D  I didn't tell you to re-run MBAM or to run OTL.


FIRST

Start > Control Panel > Programs and Features

Remove ( Uninstall ) :

AVG SafeGuard toolbar (x32 Version: 15.2.0.5)
Search Protect by conduit (x32 Version: 1.5.0.71)
uTorrentControl_v2 Toolbar (x32 Version: 6.10.3.27)




NEXT


Download AppRemover (~ 6MB) on Desktop .
Run it by double-clicking ...

Click Next, choose the second option (Clean Up a Failed Uninstall), confirm with Continue, go to Next, wait for it to finish, select the remains that it finds and remove them by clicking on Next. Do not remove avast.



NEXT






1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Code:
START
(Conduit) C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe
(Conduit) C:\Users\User\AppData\Roaming\SearchProtect\bin\cltmng.exe
HKCU\...\Run: [SearchProtect] - C:\Users\User\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-08] (Conduit)
HKCU\...\Run: [tsiVideo] - C:\Windows\SysWOW64\rundll32.exe [44544 2009-07-14] (Microsoft Corporation) <===== ATTENTION
MountPoints2: {70c1e670-cffc-11e2-a68f-f4b7e227598a} - G:\AutoRun.exe
MountPoints2: {70c1e67c-cffc-11e2-a68f-f4b7e227598a} - G:\AutoRun.exe
MountPoints2: {9b96c262-ca71-11e2-8d0f-f4b7e227598a} - G:\Autorun.exe
MountPoints2: {fa1b9278-8d05-11e2-a286-089e01670cb3} - F:\setup.exe
HKLM-x32\...\Run: [SearchProtectAll] - C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-08] (Conduit)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3220468&octid=CT3220468&SearchSource=61&CUI=UN55550934749442219&UM=UM_ID&UP=SP5C5ED61A-672B-4621-AB30-A9E71414F50B
URLSearchHook: (No Name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} -  No File
SearchScopes: HKLM-x32 - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468&CUI=UN55550934749442219
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468&CUI=UN55550934749442219
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={42B0A091-6C6A-400A-9E2A-6281BCD8C8DF}&mid=7ae59e3bfb4e47d39050d9d74783e540-7d3dc3c5a43d137a896f46bffed600e155ef318b&lang=en&ds=bl011&pr=sa&d=2013-05-25 20:13:05&v=15.2.0.5&pid=safeguard&sg=2&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468&CUI=UN55550934749442219
BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
BHO-x32: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\15.2.0.5\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\15.2.0.5\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Toolbar: HKCU - No Name - {7473B6BD-4691-4744-A82B-7854EB3D70B6} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
FF SelectedSearchEngine: uTorrentControl_v2 Customized Web Search
FF SearchPlugin: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\jyhg2m8h.default\searchplugins\conduit.xml
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\15.2.0.5
FF Extension: AVG SafeGuard toolbar - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\15.2.0.5
CHR HomePage: hxxp://mysearch.avg.com/?cid={42B0A091-6C6A-400A-9E2A-6281BCD8C8DF}&mid=7ae59e3bfb4e47d39050d9d74783e540-7d3dc3c5a43d137a896f46bffed600e155ef318b&lang=en&ds=bl011&pr=sa&d=2013-05-25 20:13:05&v=15.2.0.5&pid=safeguard&sg=2&sap=hp
CHR RestoreOnStartup: "hxxp://mysearch.avg.com/?cid={42B0A091-6C6A-400A-9E2A-6281BCD8C8DF}&mid=7ae59e3bfb4e47d39050d9d74783e540-7d3dc3c5a43d137a896f46bffed600e155ef318b&lang=en&ds=bl011&pr=sa&d=2013-05-25 20:13:05&v=15.2.0.5&pid=safeguard&sg=2&sap=hp"]},"sync_promo":{"startup_count"
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] - C:\Users\User\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG SafeGuard toolbar\ChromeExt\15.2.0.5\avg.crx
R2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-02-20] (Conduit)
S4 vToolbarUpdater15.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-25] (AVG Secure Search)
Folder: C:\Program Files (x86)\AnvSoft
Folder: C:\Program Files (x86)\SaveShare
Folder: C:\ProgramData\InstallMate
Folder: C:\Users\User\AppData\Roaming\AnvSoft
C:\Users\User\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
C:\Users\User\AppData\Local\Temp\iswizard
C:\Program Files (x86)\uTorrentControl_v2
C:\Program Files (x86)\AVG SafeGuard toolbar
REG: reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "SearchProtect" /f
REG: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "SearchProtectAll" /f
C:\Users\User\AppData\Local\Temp\{D72671BC-D5B1-42ED-A006-9D930CC5534A}\Addons\extfs_setup.exe
C:\Users\User\AppData\Local\Temp\{D72671BC-D5B1-42ED-A006-9D930CC5534A}\Addons\ext_setup.exe
C:\Users\User\AppData\Local\Temp\{D72671BC-D5B1-42ED-A006-9D930CC5534A}\Addons\OptimizerProInstaller.exe
C:\Users\User\Local Settings\Temporary Internet Files\Content.IE5\1V2PX5PY\51f92f05c8ce9[1].exe
C:\Users\User\Local Settings\Temporary Internet Files\Content.IE5\B0FSAN0E\51f92ed89941e[1].exe
C:\Users\User\Local Settings\Temporary Internet Files\Content.IE5\MCRWC6O8\OptimizerPro[1].exe
C:\Program Files (x86)\Common Files\AVG Secure Search
C:\Users\User\AppData\Roaming\SearchProtect
C:\Program Files (x86)\SearchProtect
CMD: IPConfig /FlushDNS
END

2. Save notepad as fixlist.txt
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.



THEN


Re-run FRST, click on Scan button and attach here fresh FRST.txt logreport.






« Last Edit: August 01, 2013, 04:47:47 PM by magna86 »
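An added example, not part of magna86's post or of FRST itself: a read-only Python sketch that sorts FRST-style entries like those in the fixlist above by persistence type and flags orphaned ("No File") and user-writable targets. The category names, flag names and regular expressions are assumptions derived only from the lines visible in this thread.

```python
import re

# Lines copied from the fixlist in Reply #4; kinds and flags are this example's own labels.
SAMPLE = r"""
HKCU\...\Run: [SearchProtect] - C:\Users\User\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-08] (Conduit)
HKCU\...\Run: [tsiVideo] - C:\Windows\SysWOW64\rundll32.exe [44544 2009-07-14] (Microsoft Corporation) <===== ATTENTION
MountPoints2: {70c1e670-cffc-11e2-a68f-f4b7e227598a} - G:\AutoRun.exe
Toolbar: HKCU - No Name - {7473B6BD-4691-4744-A82B-7854EB3D70B6} -  No File
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
R2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-02-20] (Conduit)
"""

# Line prefix -> persistence category (first match wins).
KINDS = [
    (re.compile(r"^HK\w+(-x32)?\\\.\.\.\\Run(Once)?:"), "run_key"),
    (re.compile(r"^MountPoints2:"), "removable_autorun"),
    (re.compile(r"^(BHO|Toolbar)(-x32)?:"), "browser_addon"),
    (re.compile(r"^[RS]\d \S+;"), "service"),
]
PATH = re.compile(r"[A-Z]:\\.*?\.(?:exe|dll)", re.I)
# Publisher is the last parenthesised field, optionally followed by FRST's ATTENTION marker.
PUBLISHER = re.compile(r"\(([^()]+)\)\s*(?:<=+ ATTENTION)?\s*$")

def triage(text):
    """Return one dict per non-empty line: kind, path, publisher, flags."""
    findings = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        kind = next((k for rx, k in KINDS if rx.match(line)), "other")
        path = PATH.search(line)
        pub = PUBLISHER.search(line)
        flags = []
        if line.endswith("No File"):
            flags.append("orphan")          # registry entry whose target is gone
        if path and re.search(r"\\(AppData|Temp)\\", path.group(), re.I):
            flags.append("user_writable")   # autostart target a standard user can replace
        if "ATTENTION" in line:
            flags.append("frst_attention")  # FRST's own marker, passed through
        findings.append({"kind": kind,
                         "path": path.group() if path else None,
                         "publisher": pub.group(1) if pub else None,
                         "flags": flags})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["kind"], f["flags"], f["path"], f["publisher"])
```
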

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #5 on: August 01, 2013, 05:01:07 PM »
here sir.. thnx.

Offline magna86

Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #6 on: August 01, 2013, 08:02:24 PM »
Looks much better.  8)


And if you would believe me, USB Security can't provide valid protection from USB based malware ( + it is not freeware ).
For valid USB protections, you may use MCShield. We will use it now to check all your USB flash devices.



Download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click on the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has made.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.







THEN


Re-run FRSTScript




1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Code:
START
C:\Program Files (x86)\SaveShare
C:\ProgramData\InstallMate
C:\Users\User\AppData\Local\Temp\iswizard
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
C:\Program Files\ESET
Folder: C:\Users\User\Downloads\pang virus
END
2. Save notepad as fixlist.txt
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.



THEN




  • Download AdwCleaner (by Xplode) on your desktop.
  • Launch it and click on [Delete]. Wait for the program to complete its work.
    The program will close all active programs. Click OK to confirm that.
    On the next two windows that open ( Informations and Restart required ) click OK

  • The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
  • Save the notepad report on the Desktop
  • Please attach here C:\AdwCleaner[S1].txt
Note: The report will also be stored on C:\AdwCleaner[S1].txt




LAST...

Re-run FRST and post me another FRST.txt logreport.
« Last Edit: August 01, 2013, 08:08:19 PM by magna86 »

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #7 on: August 02, 2013, 01:54:30 AM »
 ;D

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #8 on: August 02, 2013, 02:04:39 AM »
 ;D

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #9 on: August 02, 2013, 02:25:21 AM »
 :)

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #10 on: August 02, 2013, 02:31:24 AM »
thank you very much sir.. ;D

Offline magna86

Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #11 on: August 02, 2013, 01:45:19 PM »
FRST log looks good.  8) You need to setup homepage for your Google Chrome.

Run Google Chrome > in URL field copy-paste this:

Quote
chrome://settings/


On startup, check Open a specific page or set of pages, and then click on Set pages.
enter there www.google.com and confirm



-In the section startup, check Open a specific page or set of pages, and then click Set pages.

Next to Add new page type in what you want (eg. www.google.com), then confirm with the OK

-In the Appearance section, check the Show Home button, if not already, and then click Change

Select Open this page, and enter what you want (eg www.google.com), and click OK.

-Below is a search, where you need to click on the Manage search engines ...

Move the mouse to Google and click the Make default, and the rest can be removed, by moving the mouse over them and click on the x

-Click OK ...




THEN ...

Re-run Malwarebytes;


  • Make sure you Update Malwarebytes' Anti-Malware before you launch this scan.
    If an update is found, it will download and install the latest version.

  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember ( desktop for example ).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

itzmekelvin

  • Guest
Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #12 on: August 04, 2013, 04:09:20 AM »
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.03.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
User :: USER-PC [administrator]

Protection: Enabled

8/4/2013 10:01:38 AM
mbam-log-2013-08-04 (10-01-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223331
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\User\AppData\Local\Temp\SecondStepInstaller.exe (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

(end)

Offline magna86

Re: need help pls.. trojane virus in temp folder.. cant remove it..
« Reply #13 on: August 04, 2013, 01:16:13 PM »
How is your computer running now? 8)