Trovi Virus - help to remove please


  1. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #91


    File name: askslib.dll
    Publisher: Ask.com (signed and verified)
    Product: AskIC Dynamic Link Library
    Version: 9.9.9.9
    MD5: b28c334c03cee7c5e829c43ae75dae5a
    SHA-1: 71435ddb11e00d0243380c4902324853fe4ece8f
    SHA-256: b2e9e737eb5dcee0a8d8d1e36d6b171efbda18bbdb18033498035cdd52913401

    Analysis
    Scanner detections: 3 / 68
    Status: Potentially unwanted
    Analysis date: 3/21/2014 6:26:22 PM UTC (three months ago)

    Scan engine          Detection                                  Engine version
    Boost by Reason      Adware.Ask.H                               2013.8.29.0
    ESET NOD32           Win32/Bundled.Toolbar.Ask (variant)        7.9133
    Reason Heuristics    PUP.Ask.H                                  14.3.21.14

    File Details
    File size: 242.2 KB (248,008 bytes)
    Product version: 9.9.9.9
    Copyright: Copyright (C) Ask 2012
    Original file name: AskIC.dll
    File type: Dynamic link library (Win32 DLL)
    Language: English (United States)
    Common path: C:\users\user\appdata\local\temp\askslib.dll

    Digital Signature
    Signed by: Ask.com
    Authority: VeriSign, Inc.
    Valid from: 6/19/2011 5:00:00 PM
    Valid to: 6/18/2014 4:59:59 PM
    Subject: CN=Ask.com, OU=Distribution, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ask.com, L=Oakland, S=California, C=US
    Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Serial number: 0965F2AC7236C7E1BDCA44ED139B273A

    File PE Metadata
    Compilation timestamp: 8/22/2012 8:37:23 PM
    OS version: 5.0
    OS bitness: Win32
    Subsystem: Windows GUI
    Linker version: 9.0
    CTPH (ssdeep): 3072:5qVcBJqeLnzl2hxxIvEX89+dsUk71rSteEj3HdC4Qsqz3nC2DwkV4gcIyxUY49Tc:5W07Lnzl2lI28o+Uk71P4Qh3JYXs4
    Entry address: 0x180FC
    Entry point: 8B, FF, 55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, BF, A3, 00, 00, FF, 75, 08, 8B, 4D, 10, 8B, 55, 0C, E8, EC, FE, FF, FF, 59, 5D, C2, 0C, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 27, C8, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 14, A1, 40, 78, 03, 10, 33, C5, 89, 45, FC, 53, 56, 33, DB, 57, 8B, F1, 39, 1D, 4C, 90, 03, 10, 75, 38, 53, 53, 33, FF, 47, 57, 68, 14, 01, 03, 10, 68, 00, 01, 00, 00, 53, FF, 15, B0, C1, 02, 10, 85, C0, 74, 08, 89...
    Entropy: 6.5336
    Code size: 171.5 KB (175,616 bytes)

    Variants
    There are 5 known versions of askslib.dll by Ask.com.
    3 / 68 (PUP)    askslib.dll 9.9.9.9 (090b6cdbda1fca4e5ea5ceebe75da1b0122a6f4a)
    3 / 68 (PUP)    askslib.dll 5.1.2.0 (eeaa8e7cbf57449ab12ab62b19a60c7ece9c975b)
    4 / 68 (PUP)    askslib.dll 5.1.1.0 (40e49124ad0b55a25f947333ca88e9d0bc30a7e3)
    3 / 68 (PUP)    askslib.dll 4.2.0.0 (81c2c3354f11ece49d7667538cefe9f2b2395319)
    2 / 68 (PUP)    askslib.dll 3.0.0.0 (1eff205d7d0d82baf841a98c176d700114e13fe6)

    Related
    3 / 68 (PUP)    apnic.dll (e32aa2e78d2c8f0e9316080e71a714befe851e6c)


  2. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #92

    Ok, thanks, now do the same thing: click... details... post for the other three files.

    I have a link to get rid of Ask.

    Let me know about the other files first and then you can get rid of Ask.

    edit: This is looking very good. I think once you get rid of Ask, I'll post the housekeeping tasks and you'll be done.


  3. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #93

    File name: quarantine.exe
    MD5: 10ce1874520612e5f9bdc21c962aef1b
    SHA-1: 797a6d631d6a19f7e556bdbd7ef17d11fb648406
    SHA-256: 8b72f75687da4a6c80c41cf380fc1b5557334d67aab49c8ba16a101c80b36f79

    Analysis
    Scanner detections: 3 / 68
    Status: Inconclusive (not enough data for an accurate detection)
    Analysis date: 3/14/2014 5:03:29 AM UTC (four months ago)

    Scan engine          Detection                Engine version
    Antiy Labs AVL       Trojan/Win32.Agent       0.1.0.1
    Jiangmin             Trojan/MSIL.bfsx         KV140314
    Norman               Injector.GCAC            10.20140314

    File Details
    File size: 896.5 KB (918,016 bytes)
    File type: Executable application (Win32 EXE)
    Language: English (United Kingdom)
    Common path: C:\users\user\appdata\local\temp\quarantine.exe

    File PE Metadata
    Compilation timestamp: 3/13/2014 11:13:50 PM
    OS version: 5.1
    OS bitness: Win32
    Subsystem: Windows GUI
    Linker version: 11.0
    CTPH (ssdeep): 12288:84lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgaWL/Z3q9MmCS:84lavt0LkLL9IMixoEgeaWLh3q9MmCS
    Entry address: 0x26BF7
    Entry point: E8, 97, CF, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 58, 01, 4C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 70, A3, 4B, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 58, 01, 4C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03...
    Code size: 560 KB (573,440 bytes)

    Structural Variants
    There are numerous known code variations that share the same compilation structure.
    2 / 68                   shortcut_module.exe 3.6.2014.1 (ad2983aaa33065707e4187523caa6a06ac3c49fa)
    2 / 68                   ~au3udhyuhz.exe 2.2.2014.2 (540486ae5bf52a33abd618415bc8f4b2c555556b)
    2 / 68                   ~au3vpoktvf.exe 1.0.0.0 (3269a33084e797977573bb997a42d8a679321768)
    1 / 68                   pre_scan.exe (09206d641b8e4ee20a1e4d4025fe3c09824d4455)
    1 / 68                   ~au3yawbrhx.exe (4bbb9ff63a7acc27a380ecc92890eca1b01f7c4c)
    2 / 68                   ~au3wanosqq.exe (d044726147bb9413ec7c7f072f1646fd5feceb0b)
    2 / 68                   ~au3vlfhhqc.exe (b6cfbb4413eaf132a07938d87ab116a3a36bb698)
    1 / 68                   ~au3ldrpgmq.exe (3629fdf5cc8419c5d629401eedf437f452e5a1db)
    1 / 68                   ~au3jhcxmru.exe (bc0ee0947f8da8f8a4def43b2666cb3ac5e6ab31)
    3 / 68 (inconclusive)    ~au3ficegir.exe (d2dbf1462b568490d2042c7d98952a44c71a3b3c)
    1 / 68                   ~au3etwfodi.exe (92c1b01471ae4cc559523a1c1d40c97de224dd7b)
    2 / 68                   ~au3dkcbhrl.exe (9a01d645b70bfcddffdc79c20b0df74fc2bda747)
    0 / 68                   ~au3dfgarzc.exe (f2466362df3ca519a7918a18fa4f6af6eeab31b7)
    1 / 68 (inconclusive)    ~au3bhjjzgo.exe (f1c03ab084a89233a3da76bbb36caaacf54bdcfb)
    1 / 68                   ~au3ammvosl.exe (5fefaef8038812918b1443af124de9c81f3a05a6)

    Fuzzy Variants
    The following files closely match quarantine.exe based on a fuzzy CTPH.
    2 / 68                   updateinstaller.exe [97% match] (ba681c907537da964bf48be3707862af01997895)
    2 / 68                   video.exe [97% match] (be95325e41555d11b5fbb268d2ab926592b9c791)
    2 / 68 (Adware)          regadd.exe [97% match] (985445fb6145860c18bbe146cb2e4863aaea2ad8)
    4 / 68 (Malware)         áوþç çáþóيس ßان هäاك.exe [96% match] (0cd73f5ddd5058408d9146a7a5ccac0eb624706b)
    6 / 68 (Malware)         w0rm.exe [94% match] (a06d5488afdad92de2183f890b94df248c9a21c5)


  4. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #94

    File name: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi
    MD5: fc26f8841215642da0cc98f66bc403ce
    SHA-1: 978bcbe29255fdc40ea200d1bda790490aa2bb66
    SHA-256: 982857a836929026f98d3e530e91c0ffe6194064f2b047312d560c472e65636f

    Analysis
    Scanner detections: 1 / 68
    Status: Inconclusive (not enough data for an accurate detection)
    Analysis date: 3/1/2014 8:52:05 AM UTC (four months ago)

    Scan engine    Detection            Engine version
    Dr.Web         Adware.FreeCause.3   9.0.1.0341

    File Details
    File size: 566.8 KB (580,368 bytes)
    File type: Cross-Platform Installer Module (XPI), used by Mozilla bundles
    Common path: C:\users\user\appdata\roaming\mozilla\firefox\profiles\user.default\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi

    Behaviors
    Mozilla Extension
    Name: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi

    Variants
    0 / 68    {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi (f33793c353bafee0d369c031c7a14907a78bb7a0)


  5. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #95

    File name: iwinarcadelauncher.exe
    Publisher: iWin, Inc (signed and verified)
    MD5: 28bd5ae31c863f05f5398b7668208435
    SHA-1: 28fc30b5eae707b86d2c3efc307dceb790a5fdcd
    SHA-256: 724c52bb6b902942e7d90264e5ed9ff258ba18bff5feccb47b7c5d31e8a3c975

    Analysis
    Scanner detections: 1 / 68
    Status: Inconclusive (not enough data for an accurate detection)
    Analysis date: 3/6/2014 3:23:41 PM UTC (four months ago)

    Scan engine          Detection            Engine version
    Reason Heuristics    Unnamed.Threat.16    14.3.6.10

    File Details
    File size: 45 KB (46,128 bytes)
    File type: Executable application (Win32 EXE)
    Common path: C:\Program Files\iwin games\firefox\iwinarcadelauncher.exe

    Digital Signature
    Signed by: iWin, Inc
    Authority: Thawte Consulting (Pty) Ltd.
    Valid from: 11/16/2006 7:00:00 PM
    Valid to: 11/16/2008 6:59:59 PM
    Subject: CN="iWin, Inc", OU=Secure Application Development, O="iWin, Inc", L=San Francisco, S=California, C=US
    Issuer: CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
    Serial number: 0484B0E7AC23C4FB5A9CBDCDC5249187

    File PE Metadata
    Compilation timestamp: 10/27/2006 4:09:39 AM
    OS version: 4.0
    OS bitness: Win32
    Subsystem: Windows GUI
    Linker version: 6.0
    CTPH (ssdeep): 768:+f3VmVhsRI26KR+gO3iWn+Cyb9+6otVhyL3UF:Q3AkKBznexot3y4F
    Entry address: 0x2A0E
    Entry point: 55, 8B, EC, 6A, FF, 68, 38, 71, 40, 00, 68, 8C, 47, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 28, 70, 40, 00, 33, D2, 8A, D4, 89, 15, 78, 86, 40, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 74, 86, 40, 00, C1, E1, 08, 03, CA, 89, 0D, 70, 86, 40, 00, C1, E8, 10, A3, 6C, 86, 40, 00, 33, F6, 56, E8, D9, 1C, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, B0, 00, 00, 00, 59, 89, 75, FC, E8, 19, 1B, 00, 00, FF, 15, 24, 70, 40, 00, A3, 98, 8B, 40, 00, E8...
    Entropy: 5.7237
    Developed / compiled with: Microsoft Visual C++ v6.0
    Code size: 24 KB (24,576 bytes)

    Structural Variants
    0 / 68    iwinarcadelauncher.exe (f9220079bf7c3e024d44518a42665267ed263669)

    Related
    0 / 68                   PGMTrusted.EXE (bde59574bf07fd2ea8a7aac2afe0801f702ab8c6)
    0 / 68                   iWinTrusted.EXE (43defd876ff0a3216a5585df50d98188ec1b055c)
    0 / 68                   iWinGames.exe (6714d26e0f84fb7a24cd0b6a2aa6c26caf1663dd)
    0 / 68                   PogoDGC.exe (ab5e39abd10cbc1be97c13bbfbab1442e15e5d5f)
    1 / 68 (inconclusive)    WebUpdater.EXE (07e77f677619bfc46d3970caae3fe176abbf0d15)
    13 / 68 (PUP)            iwingameshookie.dll (e8af7180dd6d8dfc2e281ed59c471f2af686f4ba)
    0 / 68                   Au_.exe (7ff6bcf7c280b243ac9eb565da559b952e199e15)
    0 / 68                   iWin_GDF.dll (a2f4c2a8be29c6f76748259d434d365ef571a8c8)
    0 / 68                   JewelQuest3.exe (23ffdb6966dd303d19ae1ed832e008c821144877)
    0 / 68                   uninstall.exe (67e36944b6557beaac849ff9e348c47bd3f70363)
    0 / 68                   AdminWorker.exe (82455d34481ca07539a8fc4faffbcc38fd519ff7)
    0 / 68                   WebInstaller.exe (84ce5ccca3ac382c34f28800cff149ab0f7c36e6)
    0 / 68                   JewelQuest2.exe (e49878aa54596f89d8f48089ff65414db8bfa336)
    0 / 68                   framework.dll (5eb28dd937fadfaa9a37bdc16e76e45096214144)
    0 / 68                   GamesManagerInitiator.exe (52ffcac3ffb98c96a8425ca5bcba457036abda87)
    0 / 68                   GamesManagerInstaller.exe (8fb0d2b73e06a9d9049bd6e2fe2828bec0b069d5)


  6. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #96

    I'm heading to bed. I'll check back tmr. Thank you.


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #97

    If iwinarcadelauncher is the last file (you can't scroll down any), then we'll just have to clean up Ask and quarantine.

    Copy the following line and paste it into the Windows Explorer address bar:
    C:\USERS\LI\APPDATA\LOCAL\TEMP

    Press Enter
    Post a screenshot
    Select quarantine
    Press the Delete key

    Clean up Ask

    You'll have to close your browser for some of the steps, and restarts are required. Don't skip a step or the Ask cleanup won't be complete.

    Download: http://apnmedia.ask.com/media/toolba...ApnRemover.exe
    Close all open browser windows.
    Then run the utility; after it completes, please restart your computer.
    Restarting the computer is necessary to complete the removal.

    Then check each browser installed on your system.
    Follow each step on this webpage - yep, every browser on your system, even if you don't use it.
    The Ask toolbar doesn't care if you use it or not; it installs on every browser it finds on your system.
    If a browser is not installed, go to the instructions for the next browser.

    Why can't I remove the Ask default homepage from my browser?
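Before deleting anything from the Temp folder, it is worth confirming that the file on disk is the same one the scan reports earlier in this thread describe, rather than trusting the file name alone. The following PowerShell is an added example, not part of the thread and not the helper's instructions or the Ask removal tool. It assumes PowerShell 4.0 or later (Get-FileHash is not available in the PowerShell 2.0 that ships with Windows 7; Windows Management Framework 4.0 adds it), takes its SHA-1 values from the reports posted above, and uses `$env:TEMP` instead of the hard-coded `C:\USERS\LI\APPDATA\LOCAL\TEMP` path. The function name `Find-KnownBadFiles` is chosen here.

```powershell
# Added example (not from the thread): compare files in the current user's Temp
# folder against SHA-1 values pasted in this thread, and only then remove matches.
# Assumes PowerShell 4.0+ for Get-FileHash.

# SHA-1 values copied from the scan reports posted above (lower-case, no spaces).
$KnownHashes = @{
    '797a6d631d6a19f7e556bdbd7ef17d11fb648406' = 'quarantine.exe (Trojan/Win32.Agent, Injector.GCAC)'
    '71435ddb11e00d0243380c4902324853fe4ece8f' = 'askslib.dll (Win32/Bundled.Toolbar.Ask)'
}

# Resolves to the logged-on user's Temp folder, so no user name is hard-coded.
$TempDir = $env:TEMP

function Find-KnownBadFiles {
    param(
        [string]$Path,
        [hashtable]$Hashes
    )

    # Hash every regular file in the folder (not subfolders) and keep exact matches.
    Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash.ToLower()
        if ($Hashes.ContainsKey($sha1)) {
            [pscustomobject]@{
                Path      = $_.FullName
                SHA1      = $sha1
                Match     = $Hashes[$sha1]
                # Authenticode status: NotSigned for quarantine.exe (no signer in its
                # report); Valid/expired status for the Ask-signed DLL depends on the
                # timestamp in its signature, so it is shown rather than assumed.
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SizeBytes = $_.Length
            }
        }
    }
}

$found = @(Find-KnownBadFiles -Path $TempDir -Hashes $KnownHashes)

if ($found.Count -eq 0) {
    Write-Host "No files in $TempDir match the hashes from the thread."
} else {
    $found | Format-Table -AutoSize
    # -WhatIf only previews the deletion; remove it once the table looks right.
    $found | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force -WhatIf }
}
```

Run it from a normal PowerShell prompt as the affected user. Matching is on the exact SHA-1, so a different build of askslib.dll (the Variants list in the first report shows five versions) will not match and is left for the ApnRemover route the helper linked; the printed table with `-WhatIf` in place is the equivalent of the screenshot the helper asked for, before anything is removed.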


  8. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #98

    It's getting late here, so I'll post the housekeeping stuff now.

    Finish the quarantine and Ask cleanup, then

    Uninstall HitmanPro from Control Panel > Programs & Features

    Reset Windows Update (WU) so it matches this configuration
    [attached screenshot: Trovi Virus - help to remove please-tousdae-wu.png]

    Run WU manually until there are no more updates offered. This will take a while.

    Do NOT install anything else until your system is up to date

    Check Microsoft Security Essentials - make sure it is active and scans are scheduled

    I'll check back tomorrow, g'nite

    Bill


  9. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #99

    I looked at some of the logs above. I have no idea what this Jewel Quest is. And iwin is just a thorn in the side!

    I held down shift and scrolled up or down to highlight the info so it should all be there.

    This is what happened when I clicked on the ApnRemover.exe
    [attached thumbnail: Trovi Virus - help to remove please-1.jpg]


  10. Posts : 351
    Windows 7 Professional 64 bit
    Thread Starter
       #100

    ... I can't do your first direction because I can't figure it out >.<

