PS Is there any way to find out when the Trojan got in? If there is, is it then worthwhile my looking at the various event logs to see what I was doing at the time eg what website was I visiting or what else was going on?
I've just pm'd you, Donna.
OMG - I've just noticed that my Norton IS is back on again. I turned it off for the 5 hours shown in the menu - might it have come back on during the scan?
Just a thought.
In my opinion have installed and or using Reg Clean Pro is just piling problems on top of problems.
From post # 8
Reg Clean Pro / AdwCleaner / OTL
Hi Layback Bear. I haven't knowingly installed Reg Clean Pro. The file you mention is what AdwCleaner found when scanning my PC to try to establish what's happened. Perhaps this is one of the 'few things' that DonnaB has spotted.
Thank you for answering my concern and I think I understand your problem better.
I will go back to watching and let DonnaB do her thing.
no problem, Layback Bear. Thanks for your concern.
Hi there folks,
@Taffy,
There is no need to worry about the trojan found by ESET. If you look closely, that trojan was found in the C:\AdwCleaner\Quarantine folder and goes on to show where the trojan was removed from, meaning that when we remove AdwCleaner and the Quarantine folder that was created, the trojan will no longer exist anywhere on the system.
Reg Cleaner Pro was more than likely installed inadvertently as bundled software from some other free software that was installed at one time or another. This is the reason that you should take you time and pay close attention to every screen presented when installing any software, to ensure that if there is foistware included, to uncheck any pre-checked boxes or if you are provided with the opportunity to choose a Custom Install, do so.
The files that I found where not serious files of the malicious nature. Note the following entries:
O4 - HKU\S-1-5-21-3597321822-3438477668-356034365-1000..\Run: [Download Nitro] C:\PROGRAM FILES (X86)\PCPITSTOP\DOWNLOAD NITRO\PCPITSTOP-NITRO.EXE -autorun File not found
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirva...ls/pcmatic.cab (PCPitstop Utility)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll (PCPitstop Exam)
PC PitStop, far as I am concerned, is snake oil. I wouldn't waste my money on these types of optimizing programs. In due time, they can cause more damage to a file system than what they propose to fix.
I would like to add those file above to my fix. I only ask because if I am not mistaken, they are paid for programs.
Hi DonnaB. I cancelled my PCMatic subscriptions in June [https://community.norton.com/forums/...-thrown-towel] so please remove everything that you find. I used Revo Free to uninstall it but after the first pass there were several hundreds of debris left. Some appeared to be ones that should be kept so I had to select individually items for removal rather than 'check all'. Must have missed some!
I always use 'custom' to download stuff having been caught out by the likes of Adobe and some of the free download sites. That's why I was tempted to try to find when the blasted thing was installed so I could try to trace the source.
Over to you again, DonnaB!!
Hi Taffy,
Ok then!! Let's get rid of those orphaned files and I'll have you remove the tools!
- Double click on the
to open the program. On Vista/Win7/Win8 right click select Run As Administrator to start the program. If prompted by UAC, please allow it.
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O3 - HKU\S-1-5-21-3597321822-3438477668-356034365-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-3597321822-3438477668-356034365-1000..\Run: [Download Nitro] C:\PROGRAM FILES (X86)\PCPITSTOP\DOWNLOAD NITRO\PCPITSTOP-NITRO.EXE -autorun File not found
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirva...ls/pcmatic.cab (PCPitstop Utility)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll (PCPitstop Exam)
:Services
:Reg
:Files
ipconfig /flushdns /c
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]- Make sure all other windows are closed.
- Click the Run Fix button at the top
- Let the program run uninterrupted. The computer should reboot when the scan is done. If not, please reboot the computer.
- Post the log that is found in C:\_OTL\Moved Files in your next reply.
- Open OTL again and click the Quick Scan button.
Please attach the following logs in your next reply:
C:\_OTL\Moved Files
OTL.txt
Hi Donna. I've done as you asked - I struggled with the "C:\_OTL\Moved files folder" - in it were
(1) the OTL.txt file and (2) a folder with the same name. In that folder was another folder "C_Windows" and in that was a folder "Downloaded Program Files" in which was the 'PCMatic Setup Information file'.
I've posted that too - I couldn't attach the actual file shown as it is 'inf, invalid extension so I opened it and saved as unicode. Please let me know if I've missed something.
PS OK to go off-topic? I hope that you and the forum's USA members are safe and well in the awful snow storm.
Hi Taffy,
Not sure how this happened but the commands I added to my fix were not executed properly:
Here are the commands I included in the fix:
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
This is what OTL saw and could not execute:
File sethosts] not found.
File ptytemp] not found.
File EATERESTOREPOINT] not found.
See the difference? It looks as if each line of the script was copied and pasted individually instead of the entire script being copied and pasted as a whole.
I am going to ask you to run the whole fix again. Hope you don't mind. It will only take a couple of minutes of your time, then we can proceed to remove the tools.
Please follow the instructions below:
- Double click on the
- Under the Custom Scans/Fixes box at the bottom, copy then paste all of the following content of the script that I coded in blue.
:OTL
O3 - HKU\S-1-5-21-3597321822-3438477668-356034365-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-3597321822-3438477668-356034365-1000..\Run: [Download Nitro] C:\PROGRAM FILES (X86)\PCPITSTOP\DOWNLOAD NITRO\PCPITSTOP-NITRO.EXE -autorun File not found
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirva...ls/pcmatic.cab (PCPitstop Utility)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll (PCPitstop Exam)
:Services
:Reg
:Files
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]- Make sure all other windows are closed.
- Click the Run Fix button at the top
- Let the program run uninterrupted. The computer should reboot when the scan is done. If not, please reboot the computer.
- Attach just the log that is found in C:\_OTL\Moved Files in your next reply.
I do not need you run a Quick Scan at this time.
Please post the following log in your next reply:
C:\_OTL\Moved Files
Quote