Windows 7 Forums

Windows 7: suspect a virus need help removing....please

26 Feb 2015   #1
vid4763

windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
 
 
suspect a virus need help removing....please

Thanks for reading and for any assistance! I joined the forum 4 days ago. A little over a week ago, I started cleaning up my laptop and my wife's desktop to get them running better. I did, but then after reading in your great forums I got inspired, learning about Event Viewer and other tools, and started exploring for more Windows 7 stuff online. So inspired, I thought I could try to tweak performance and improve boot times, etc....

I discovered a couple of driver issues on my laptop, and still haven't been able to address them, as 2 days ago my AVG 2015 Free said it suspected a threat (while browsing eBay for RAM sticks). So I immediately ran a full system scan; what it found was:

(the original alert)
SWF/Exploit.cy - located in c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DIZ1EXUI\player[1].swf

(and)
Corrupted executable file- - located in c:\Windows\SysWOW64\mfc45.dat

I followed the AVG recommendations and assumed the files were safely quarantined and wouldn't be a further pest. I also ran Malwarebytes Free, which found no threats. Then about an hour later AVG popped up again with the mfc.dat file, but not the original .swf threat. So I ran another full scan and it quarantined it again...... and again 3 hours later when it happened again. I checked the file location after AVG found it each time, and it was not there, but it would reappear or replicate itself. This is when I started to suspect foul play. (Likely because of my lack of adequate protection and recent or very recent downloads, ugh.)

So, I gave the laptop the night off. After waking it up from sleep mode with the Wi-Fi turned off overnight, I ran Malwarebytes Free, which again found no threats. I ran AVG 2015 Free, which again found mfc.dat as a threat, and quarantined it again. I did some more searching on the web for the 2 types of malware/viruses. I found too many dead ends and close calls. The mfc.dat file kept reappearing and finally yesterday afternoon I got fed up and..... downloaded some more stuff: Bitdefender Free, Avast Free, Kaspersky TDSSKiller & Virus Removal Tool, and finally RogueKiller from Adlice. I probably should have come here first......

I'm not convinced I got whatever this virus/malware is while surfing eBay, or from the tweaking app downloads last week and over the weekend, or if it was there prior and waiting to be triggered. I did update AVG back in early Feb and I think there are a few conspicuous things in my system and program files from around that date, but I don't.


Anyway, I got fed up with AVG and installed Bitdefender Free last night. It was an extra aggravation trying to completely uninstall AVG, but I got it done and Bitdefender is running. Virus Shield has found no threats and Deep Scan has found no threats. mfc45.dat is back in the SysWOW64 folder......hmmm

This made me wonder about false positives and such. So I decided to run Kaspersky Virus Removal Tool. It found 4 threats (will attach screenshots). I quarantined these and that was it for the night, and I shut the laptop off.

Turned it on this morning; the laptop seemed to be stable in the condition it's currently in. Some Windows updates configured and I began trying to work on my problem. No alerts from Bitdefender. Ran Kaspersky VRT and it again found the same 4 files and I quarantined them again. Concluding this wasn't really getting to the heart of the problem, I installed Kaspersky TDSSKiller and ran that as administrator. It found one suspected threat; the suggested action was to skip, so I did. I have yet to install RogueKiller. I'm at a point where I realize I should have come here immediately and sought advice and help. I don't feel like I am making progress on this. I've wasted valuable time looking around my file system and I have seen what look like clues of suspicious programs, folders, and files...... but I'm not sure or savvy enough to conclude anything.

My laptop is running, I'm fairly free to run all apps and surf online, but, not to sound paranoid, I am certain there is something lying hidden in my system somewhere and what little clues AVG and Kaspersky have dug up are just red herrings. Malwarebytes and Bitdefender find nothing. I'm sure I have missed some steps and information; hopefully with some expert help I can learn and be a smarter PC user. Advice....please.

Here are some screenshots:

Attached screenshots: avg-threat1a-2242015.jpg, avg-threat1-2242015.jpg, avg-threat2-2242015.jpg, kaspersky-vrt-2262014-quareteened-objects-returned-fom-yesterday.jpg, kaspersky-tdss-2262015.jpg, mfc45-dat-1.jpg through mfc45-dat-4.jpg, swf-search-1.jpg through swf-search-7.jpg
Attached file: TDSS scan 2262015.txt (199.1 KB)
26 Feb 2015   #2
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Do you have "System Mechanic Pro"? I believe that program is connected with SysWOW64\mfc45.dat

This is in a temporary file location and we'll get rid of it later --> SWF/Exploit.cy

You do have a lot of adware. Kaspersky picked up on some of it. Check mark what Kaspersky found and quarantine/ delete it.

Next:
Please download AdwCleaner by Xplode and save it to your Desktop.
Step 1.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users: right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin... be patient, as the scan may take some time to complete.
  • After the scan has finished, click on the Report button... a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

Step 2.
Using AdwCleaner v3: Scan & Clean:
This time click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder

******Post both .txt logs (you can copy/ paste them) in your next reply.
26 Feb 2015   #3
vid4763

windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
 
 

Thx... will get to work on this now. Will post back when I have more.

26 Feb 2015   #4
vid4763

windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
 
 

BTW, I did install System Mechanic Free last week (on the laptop and my wife's PC...... hopefully this isn't an omen for her machine).
26 Feb 2015   #5
vid4763

windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
 
 

# AdwCleaner v4.111 - Logfile created 26/02/2015 at 15:58:05
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Admin - TOSHIBA-PC
# Running from : C:\Users\Admin\Downloads\adwcleaner_4.111.exe
# Option : Scan
***** [ Services ] *****

***** [ Files / Folders ] *****
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\PC Drivers HeadQuarters
Folder Found : C:\Users\Admin\AppData\Local\Conduit
Folder Found : C:\Users\Admin\AppData\LocalLow\Conduit
***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B13B6BB7-8B42-4F00-A84A-4CE3FF27D486}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\OCS
Key Found : HKCU\Software\usyndication.com
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\AVG Secure Search
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B13B6BB7-8B42-4F00-A84A-4CE3FF27D486}
Key Found : [x64] HKCU\Software\OCS
Key Found : [x64] HKCU\Software\usyndication.com
Key Found : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Found : HKLM\SOFTWARE\AVG Secure Search
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17631

-\\ Google Chrome v
*************************
AdwCleaner[R0].txt - [2936 bytes] - [26/02/2015 15:58:05]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2995 bytes] ##########
26 Feb 2015   #6
vid4763

windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
 
 

I don't see anything here I SHOULDN'T clean. I will wait a minute for a reply if you have one, and then I will proceed with step 2 and clean with AdwCleaner.
26 Feb 2015   #7
vid4763

windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
 
 

Here is the log after cleaning and reboot:


# AdwCleaner v4.111 - Logfile created 26/02/2015 at 16:15:15
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Admin - TOSHIBA-PC
# Running from : C:\Users\Admin\Downloads\adwcleaner_4.111.exe
# Option : Cleaning
***** [ Services ] *****

***** [ Files / Folders ] *****
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\PC Drivers HeadQuarters
Folder Deleted : C:\Users\Admin\AppData\Local\Conduit
Folder Deleted : C:\Users\Admin\AppData\LocalLow\Conduit
***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B13B6BB7-8B42-4F00-A84A-4CE3FF27D486}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\OCS
Key Deleted : HKCU\Software\usyndication.com
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Conduit
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17631

-\\ Google Chrome v

*************************
AdwCleaner[R0].txt - [3106 bytes] - [26/02/2015 15:58:05]
AdwCleaner[S0].txt - [2748 bytes] - [26/02/2015 16:15:15]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2807 bytes] ##########
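The two reports above follow a fixed line shape (a header of `#` lines, `***** [ Section ] *****` banners, then `Kind Found : item` or `Kind Deleted : item` lines), so the "compare the scan log with the cleaning log" step Jacee asks for can be done mechanically. The Python below is an added example, not code from this thread or from AdwCleaner's author: it parses that shape, counts what was reported per section, flags the browser/network persistence points (BHOs, search scopes, the Internet Settings proxy values, pre-approved extensions) and reconciles the Found items against the Deleted ones so that anything with no matching Deleted line stands out. The two sample logs are constructed, shortened versions in the same format, not the full files posted here.

```python
import re
from collections import Counter

# Constructed sample logs (hypothetical, shortened) in the same line shapes as the
# AdwCleaner v4.111 reports posted in this thread: a scan (R) log and a cleaning (S) log.
SCAN_LOG = r"""
# AdwCleaner v4.111 - Logfile created 26/02/2015 at 15:58:05
# Option : Scan
***** [ Services ] *****

***** [ Files / Folders ] *****
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Users\Admin\AppData\Local\Conduit
***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\Conduit
Key Found : [x64] HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17631
"""

CLEAN_LOG = r"""
# AdwCleaner v4.111 - Logfile created 26/02/2015 at 16:15:15
# Option : Cleaning
***** [ Files / Folders ] *****
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\Admin\AppData\Local\Conduit
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Conduit
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
ENTRY_RE = re.compile(
    r"^(?P<kind>Folder|File|Key|Value|Data|Task|Shortcut|Service) "
    r"(?P<action>Found|Deleted) : (?P<item>.+)$"
)
# Substrings marking browser/network persistence points worth a second look
# (the kinds of keys listed in the posted logs).
PERSISTENCE_MARKERS = (
    "Browser Helper Objects", "SearchScopes", "Internet Settings", r"Ext\PreApproved",
)


def parse_adwcleaner_log(text):
    """Return (option, entries); each entry is {section, kind, action, item}."""
    option, section, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# Option :"):
            option = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, "kind": m.group("kind"),
                            "action": m.group("action"), "item": m.group("item").strip()})
    return option, entries


def summarize(entries):
    """Count entries per (section, kind), e.g. ('Registry', 'Key') -> 3."""
    return Counter((e["section"], e["kind"]) for e in entries)


def flag_persistence(entries):
    """Entries that touch BHOs, search scopes, proxy settings or pre-approved extensions."""
    return [e for e in entries if any(mark in e["item"] for mark in PERSISTENCE_MARKERS)]


def reconcile(scan_entries, clean_entries):
    """Match the scan's 'Found' items against the cleaning log's 'Deleted' items.
    Returns (removed, leftover, unexpected): leftover items were reported but have
    no matching Deleted line and should be confirmed gone with a fresh scan."""
    found = {e["item"] for e in scan_entries if e["action"] == "Found"}
    deleted = {e["item"] for e in clean_entries if e["action"] == "Deleted"}
    return found & deleted, found - deleted, deleted - found


if __name__ == "__main__":
    _, scan = parse_adwcleaner_log(SCAN_LOG)
    _, clean = parse_adwcleaner_log(CLEAN_LOG)
    print("scan summary:", dict(summarize(scan)))
    for e in flag_persistence(scan):
        print("persistence point:", e["item"])
    removed, leftover, unexpected = reconcile(scan, clean)
    print(f"removed {len(removed)}, leftover {sorted(leftover)}, unexpected {sorted(unexpected)}")
```

Run it against the real files in C:\AdwCleaner by reading AdwCleaner[R0].txt and AdwCleaner[S0].txt instead of the constants. A leftover entry is a prompt to re-scan rather than proof that cleaning failed (the tool may report one key under both registry views and delete it once), but an empty leftover set is the quick confirmation that every reported item has a matching Deleted line.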
26 Feb 2015   #8
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Please download TFC (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forum) and save it to your desktop. Keep this temporary file cleaner and use it!
Save any unsaved work. TFC will close ALL open programs, including your browser! This will also eliminate all desktop shortcuts, so just be aware!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! Manually reboot the machine to ensure a complete clean.

Make sure your Internet settings aren't using a 'Proxy', unless you purposely set it that way.
1) Under “Tools” in the browser tool bar select “Internet Options”.
2) In the “Internet Options” window that pops up, click the “Connections” tab at the top.
3) Click “LAN Settings” near the bottom of the “Connections” section.
4) If the “Proxy server” checkbox is marked with a check, click it to deselect/uncheck it.
5) Click “Ok” to close the “Local Area Network (LAN) Settings” window.
6) Click “Ok” to close the “Internet Options” window.

Now clean the DNS cache and restore MS's Hosts file:
Copy and paste these lines into Notepad.

@Echo on
rem Work in the folder that holds the hosts file (%SystemRoot% avoids assuming the current drive)
pushd %SystemRoot%\System32\drivers\etc
rem Clear the hidden/system/read-only attributes so the file can be overwritten
attrib -h -s -r hosts
rem Replace the hosts file with the single default entry
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Release and renew the DHCP lease, then clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack (takes effect after the reboot)
netsh winsock reset all
netsh int ip reset all
rem Reboot in 1 second and delete this batch file
shutdown -r -t 1
del %0


Save as flush.bat to your desktop.
Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

Make sure "Proxy server" is still disabled under your LAN Settings.
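Before the batch file above overwrites the hosts file, it is worth knowing what was in it, and the proxy check is easier to repeat from a script than by clicking through Internet Options each time. The Python below is an added example, not code from this thread: it parses a hosts file and reports every mapping other than plain loopback `localhost` (a name pointed at 0.0.0.0 or 127.0.0.1 is blackholed, the usual way updates or security vendors are cut off; a name pointed anywhere else is redirected), and it evaluates the WinINET proxy values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Of those value names only ProxyOverride appears in the thread's AdwCleaner log; ProxyEnable, ProxyServer and AutoConfigURL are the standard companion values. The sample hosts content is constructed; on Windows the script reads the live registry values, elsewhere it falls back to a constructed sample.

```python
import ipaddress

# Constructed sample hosts file (hypothetical; not the poster's file): the two comment
# lines stand in for the Windows 7 default content, which is comments only, followed
# by the kind of lines adware/malware adds.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
127.0.0.1 localhost
0.0.0.0 update.example-av.invalid
203.0.113.7 www.example-bank.invalid  # constructed redirect to a remote address
"""

# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
# that govern Internet Explorer / WinINET proxy use. ProxyOverride is the one the
# AdwCleaner log in this thread reported; the others are the standard companions.
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL", "ProxyOverride")


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every active mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text):
    """Report every mapping other than plain loopback 'localhost'.
    A hostname pointed at 0.0.0.0/127.0.0.1 is blackholed (a classic way to stop
    AV/Windows updates); one pointed at any other address is redirected."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback and name == "localhost":
            continue
        if addr.is_unspecified or addr.is_loopback:
            verdict = "blackholed"
        else:
            verdict = f"redirected to {addr}"
        findings.append((lineno, name, verdict))
    return findings


def audit_proxy(values):
    """values: dict of the Internet Settings values above (live or exported).
    Returns findings for a proxy the user may not have set deliberately."""
    findings = []
    if values.get("ProxyEnable", 0) == 1 and values.get("ProxyServer"):
        findings.append(f"manual proxy enabled: {values['ProxyServer']}")
        if values.get("ProxyOverride"):
            findings.append(f"proxy bypass list: {values['ProxyOverride']}")
    if values.get("AutoConfigURL"):
        findings.append(f"automatic configuration script: {values['AutoConfigURL']}")
    return findings


def read_proxy_values():
    """Read the live values on Windows; returns None on other systems so the audit
    can still be run against exported values."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in PROXY_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass                              # value not set
    return values


if __name__ == "__main__":
    for lineno, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} {verdict}")
    live = read_proxy_values()
    # Constructed sample of a proxy that was not set on purpose (used off Windows).
    sample = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080", "ProxyOverride": "*.local"}
    for finding in audit_proxy(live if live is not None else sample):
        print("proxy:", finding)
```

On the affected machine, read %SystemRoot%\System32\drivers\etc\hosts into `audit_hosts` before running flush.bat so the findings are kept; after the reboot, `read_proxy_values` followed by `audit_proxy` is the scripted form of the "Proxy server is still disabled" check. Note that ProxyOverride on its own is only a bypass list; it matters when ProxyEnable is set.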
26 Feb 2015   #9
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

Windows 7 does not want or need such programs like System Mechanic.

Back to watching.
26 Feb 2015   #10
vid4763

windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
 
 

Quote: Originally Posted by Layback Bear
Windows 7 does not want or need such programs like System Mechanic.
Back to watching.

thx.....as I am finding out.