suspect a virus need help removing....please


  1. Posts : 94
    windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
       #1

    suspect a virus need help removing....please


    Thanks for reading and any assistance! I joined the forum 4 days ago. A little over a week ago, I started cleaning up my laptop and wife's desktop to get them running better. I did, but then after reading in your great forums I got inspired learning about event viewer and other tools and started exploring for more Windows 7 stuff and online. So inspired, I thought I could try to tweak performance and improve boot times, etc....

    I discovered a couple of driver issues on my laptop, and still haven't been able to address them, as 2 days ago my AVG2015 free said it suspected a threat (while browsing EBay for ram sticks). So I immediately ran a full system scan; what it found was:

    (the original alert)
    SWF/Exploit.cy - located in c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DIZ1EXUI\player[1].swf

    (and)
    Corrupted executable file- - located in c:\Windows\SysWOW64\mfc45.dat

    I followed the AVG recommendations and assumed the files were safely quarantined and wouldn't be a further pest. I also ran Malwarebytes Free which found no threats. Then about an hour later AVG popped up again with the mfc.dat file, but not the original .swf threat. So, I ran another full scan and it quarantined it again......and did so again 3 hours later when it happened again. I checked the file location after AVG found it each time, and it was not there, but would reappear or replicate itself. This is when I started to suspect foul play. (likely because of my lack of adequate protection and recent or very recent downloads, ugh)

    So, I gave the Laptop the night off. After waking it up from sleep mode with the Wi-Fi turned off overnight, I ran Malwarebytes free which again found no threats. I ran AVG2015 Free which again found mfc.dat as a threat, quarantined it again. I did some more searching on the web for the 2 types of malware/viruses. I found too many dead ends and close calls. The mfc.dat file kept reappearing and finally yesterday afternoon I got fed up and.....downloaded some more stuff. Bitdefender free, Avast free, Kaspersky TDSSkiller & Virus Removal Tool, and finally RogueKiller from Adlice. I probably should have come here first......

    I'm not convinced I got whatever this virus/malware is while surfing EBay, or the tweaking app downloads last week and over the weekend, or if it was there prior and waiting to be triggered. I did update AVG back in early Feb and I think there are a few conspicuous things in my system and program files from around that date, but I don't.


    Anyway, I got fed up with AVG and installed Bitdefender Free last night. It was an extra aggravation trying to completely uninstall AVG, but I got it done and Bitdefender is running. Virus Shield has found no threats and deep scan has found no threats. mfc45.dat is back in SysWOW64 folder......hmmm

    This made me wonder about false positives and such. So I decided to run Kaspersky Virus Removal Tool. Found 4 threats (will attach screen shots). I quarantined these and that was it for the night and I shut Laptop off.

    Turned on this morning, Laptop seemed to be stable with the condition it's currently in. Some Windows updates configured and I began trying to work on my problem. No alerts from Bitdefender. Ran Kaspersky VRT and it again found the same 4 files and I quarantined again. Concluding this wasn't really getting to the heart of the problem, I installed Kaspersky TDSS killer and ran that as administrator. It found one suspected threat, suggested action was to skip, so I did. I have yet to install Roguekiller. I'm at a point I realize I should have come here immediately and sought advice and help. I don't feel like I am making progress on this. I've wasted valuable time looking around my file system and I have seen what look like clues of suspicious programs, folders, and files...... but I'm not sure or savvy enough to conclude anything.

    My laptop is running, I'm fairly free to run all apps and surf online, but not to sound paranoid, I am certain there is something lying hidden in my system somewhere and what little clues AVG and Kaspersky have dug up are just red herrings. Malwarebytes and Bitdefender find nothing. I'm sure I have missed some steps and information, hopefully with some expert help I can learn and be a smarter pc user. Advice....please.

    Here are some screen shots:
    [Attached screenshots: AVG threat alerts, Kaspersky VRT quarantined objects returned from yesterday, Kaspersky TDSSKiller result, mfc45.dat, and SWF search results]


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    Do you have "system mechanic pro"? I believe that program is connected with SysWOW64\mfc45.dat

    This one is in a temporary file location and we'll get rid of it later --> SWF/Exploit.cy

    You do have a lot of adware. Kaspersky picked up on some of it. Check mark what Kaspersky found and quarantine/ delete it.

    Next:
    Please download AdwCleaner by Xplode and save to your Desktop.
    Step 1.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator.
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.


    Step 2.
    Using AdwCleaner v3: Scan & Clean:
    This time click on the Clean button.
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder

    ******Post both .txt logs (you can copy/ paste them) in your next reply.


  3. Posts : 94
    windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
    Thread Starter
       #3

    thx... will get to work on this now. Will post back when I have more.


  4. Posts : 94
    windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
    Thread Starter
       #4

    btw, I did install system mechanic free last week (on laptop and my wife's pc......hopefully this isn't an omen for her machine)


  5. Posts : 94
    windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
    Thread Starter
       #5

    # AdwCleaner v4.111 - Logfile created 26/02/2015 at 15:58:05
    # Updated 18/02/2015 by Xplode
    # Database : 2015-02-18.3 [Server]
    # Operating system : Windows 7 Professional Service Pack 1 (x64)
    # Username : Admin - TOSHIBA-PC
    # Running from : C:\Users\Admin\Downloads\adwcleaner_4.111.exe
    # Option : Scan
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****
    Folder Found : C:\Program Files (x86)\Conduit
    Folder Found : C:\Program Files (x86)\PC Drivers HeadQuarters
    Folder Found : C:\Users\Admin\AppData\Local\Conduit
    Folder Found : C:\Users\Admin\AppData\LocalLow\Conduit
    ***** [ Scheduled tasks ] *****

    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****
    Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
    Key Found : HKCU\Software\APN PIP
    Key Found : HKCU\Software\AppDataLow\Software\Conduit
    Key Found : HKCU\Software\AVG Secure Search
    Key Found : HKCU\Software\Conduit
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B13B6BB7-8B42-4F00-A84A-4CE3FF27D486}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Found : HKCU\Software\OCS
    Key Found : HKCU\Software\usyndication.com
    Key Found : [x64] HKCU\Software\APN PIP
    Key Found : [x64] HKCU\Software\AVG Secure Search
    Key Found : [x64] HKCU\Software\Conduit
    Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B13B6BB7-8B42-4F00-A84A-4CE3FF27D486}
    Key Found : [x64] HKCU\Software\OCS
    Key Found : [x64] HKCU\Software\usyndication.com
    Key Found : HKLM\SOFTWARE\AVG SafeGuard toolbar
    Key Found : HKLM\SOFTWARE\AVG Secure Search
    Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
    Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Found : HKLM\SOFTWARE\Conduit
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    ***** [ Web browsers ] *****
    -\\ Internet Explorer v11.0.9600.17631

    -\\ Google Chrome v
    *************************
    AdwCleaner[R0].txt - [2936 bytes] - [26/02/2015 15:58:05]
    ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2995 bytes] ##########


  6. Posts : 94
    windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
    Thread Starter
       #6

    I don't see anything here I SHOULDN'T clean. I will wait a minute for a reply if you have one and then I will proceed with step 2 and clean with AdwCleaner.


  7. Posts : 94
    windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
    Thread Starter
       #7

    Here is the log after cleaning and reboot:


    # AdwCleaner v4.111 - Logfile created 26/02/2015 at 16:15:15
    # Updated 18/02/2015 by Xplode
    # Database : 2015-02-18.3 [Server]
    # Operating system : Windows 7 Professional Service Pack 1 (x64)
    # Username : Admin - TOSHIBA-PC
    # Running from : C:\Users\Admin\Downloads\adwcleaner_4.111.exe
    # Option : Cleaning
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****
    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\Program Files (x86)\PC Drivers HeadQuarters
    Folder Deleted : C:\Users\Admin\AppData\Local\Conduit
    Folder Deleted : C:\Users\Admin\AppData\LocalLow\Conduit
    ***** [ Scheduled tasks ] *****

    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B13B6BB7-8B42-4F00-A84A-4CE3FF27D486}
    Key Deleted : HKCU\Software\APN PIP
    Key Deleted : HKCU\Software\AVG Secure Search
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\OCS
    Key Deleted : HKCU\Software\usyndication.com
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
    Key Deleted : HKLM\SOFTWARE\AVG Secure Search
    Key Deleted : HKLM\SOFTWARE\Conduit
    Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
    ***** [ Web browsers ] *****
    -\\ Internet Explorer v11.0.9600.17631

    -\\ Google Chrome v

    *************************
    AdwCleaner[R0].txt - [3106 bytes] - [26/02/2015 15:58:05]
    AdwCleaner[S0].txt - [2748 bytes] - [26/02/2015 16:15:15]
    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2807 bytes] ##########
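    A quick way to check a scan report against the cleaning report that follows it is to parse both and list anything reported Found that has no matching Deleted line afterwards. The Python below is an added example, not part of this thread or of AdwCleaner; it only relies on the "Kind Found/Deleted : target" line format and the "***** [ Section ] *****" headers seen in the logs above, and the two sample logs are constructed abridgements of the R0 and S0 reports posted here.

```python
"""Check an AdwCleaner scan log ([R#]) against its clean log ([S#])."""
import re

# Entry lines: "Key Found : HKCU\Software\Conduit"; headers: "***** [ Registry ] *****"
ENTRY_RE = re.compile(r"^(?P<kind>\w+)\s+(?P<action>Found|Deleted)\s+:\s+(?P<target>.+?)\s*$")
SECTION_RE = re.compile(r"^\*{5}\s+\[\s*(?P<name>[^\]]+?)\s*\]\s+\*{5}$")

def parse_log(text):
    """Map each section name to the set of (kind, target) entries listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, set())
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].add((m.group("kind"), m.group("target")))
    return sections

def diff_reports(scan_text, clean_text):
    """Return (missed, extra) keyed by section: Found-but-never-Deleted, Deleted-but-never-Found."""
    found, deleted = parse_log(scan_text), parse_log(clean_text)
    missed, extra = {}, {}
    for sec in sorted(set(found) | set(deleted)):
        f, d = found.get(sec, set()), deleted.get(sec, set())
        if f - d:
            missed[sec] = sorted(f - d)
        if d - f:
            extra[sec] = sorted(d - f)
    return missed, extra

# Constructed abridgements of the R0 and S0 logs posted in this thread.
SCAN_LOG = r"""
***** [ Files / Folders ] *****
Folder Found : C:\Program Files (x86)\Conduit
***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Conduit
"""
CLEAN_LOG = r"""
***** [ Files / Folders ] *****
Folder Deleted : C:\Program Files (x86)\Conduit
***** [ Registry ] *****
Key Deleted : HKCU\Software\Conduit
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
"""

if __name__ == "__main__":
    print(diff_reports(SCAN_LOG, CLEAN_LOG))  # ({'Registry': [('Key', '[x64] HKCU\\Software\\Conduit')]}, {})
```

    Run against the two full logs posted above, the same check flags the six "[x64] HKCU\Software\..." keys that appear in the scan report but have no "[x64]" Deleted line in the cleaning report, which is exactly the kind of leftover worth asking about before declaring the machine clean.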


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #8

    Please download TFC (Temp File Cleaner by OldTimer, from the Geeks to Go forum) and save it to your desktop. Keep this temporary file cleaner and use it!
    Save any unsaved work. TFC will close ALL open programs including your browser! This will also eliminate all desktop shortcuts, so just be aware!
    Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
    Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
    Important! Manually reboot the machine to ensure a complete clean.

    Make sure your Internet settings aren't using a 'Proxy', unless you purposely set it that way.
    1) Under “Tools” in the browser tool bar select “Internet Options”.
    2) In the “Internet Options” window that pops up, click the “Connections” tab at the top.
    3) Click “LAN Settings” near the bottom of the “Connections” section.
    4) If the “Proxy server” checkbox is marked with a check, click it to deselect/uncheck it.
    5) Click “Ok” to close the “Local Area Network (LAN) Settings” window.
    6) Click “Ok” to close the “Internet Options” window.

    Now clean the DNS cache and restore MS's Hosts file:
    Copy and paste these lines in Notepad.

    @Echo on
    REM Reset the hosts file to the single default entry, then clear DNS and network state
    pushd %SystemRoot%\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>hosts
    attrib +r +h +s hosts
    popd
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset
    netsh int ip reset
    shutdown -r -t 1
    REM Remove this batch file once it has run
    del %0


    Save as flush.bat to your desktop.
    Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

    Make sure "Proxy server" is still disabled under your LAN Settings.
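    The flush.bat above replaces whatever is in the hosts file with a single "127.0.0.1 localhost" line. Before wiping it, it is worth reading what was there, because adware and malware commonly add entries that send update or security-vendor names to loopback (blocking them) or redirect names to another host. The following Python audit is an added example, not from this thread; the sample hosts content is constructed, and the two tampered lines in it use reserved ".invalid" names.

```python
"""Audit a Windows hosts file for entries that are not the defaults."""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

def audit_hosts(text):
    """Return a list of (line_no, address, name, reason) for entries worth a look."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # comments are ignored by the resolver
        if not entry:
            continue
        parts = entry.split()
        if len(parts) < 2:
            findings.append((n, parts[0], "", "malformed line"))
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((n, parts[0], " ".join(parts[1:]), "not an IP address"))
            continue
        for name in parts[1:]:
            if name.lower() in LOCAL_NAMES:
                continue  # default entry, fine
            if addr.is_loopback:
                findings.append((n, parts[0], name, "non-local name sent to loopback (site blocked)"))
            else:
                findings.append((n, parts[0], name, "name redirected to another host"))
    return findings

# Constructed sample: the two default lines plus two tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.invalid     # constructed: update site blocked
198.51.100.7    www.my-bank.invalid          # constructed: redirected elsewhere
"""

if __name__ == "__main__":
    for line_no, addr, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} {name} -> {reason}")
```

    After flush.bat has run, the same function returns an empty list for the rewritten file, which is a simple way to confirm the reset took.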


  9. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #9

    Windows 7 does not want or need such programs like System Mechanic.

    Back to watching.


  10. Posts : 94
    windows 7 professional 64 bit Version 6.1.7601 Service Pack 1 Build 7601
    Thread Starter
       #10

    Layback Bear said:
    Windows 7 does not want or need such programs like System Mechanic.

    Back to watching.

    thx.....as I am finding out.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd