malware

pcspike

I recently downloaded ‘Spybot’ to my laptop to safeguard from malware and realised that something other than Spybot was being installed. I quickly stopped the process by using the cancel button. However, when I now open any browser I have Popups and new ad pages opening automatically!
I have done all I can to rid my laptop of this but nothing seems to work, this includes the browser popup settings, and running Malwarebytes. I’ve also tried ‘Add Remove’ programs, but nothing is listed there other than my trusted installations.

I then went to System restore only to find that all the restore points have also vanished. Can anyone suggest any other options that I can try; I don’t really want to reinstall the system if I can help it.

I’m using Windows 7.
 

My Computer

Computer type
Laptop
OS
Windows 7 Ultimate
Welcome to Sevenforums!

Can you upload a screenshot of the process you have stopped? This could be helpful for helpers.

PS: sometimes it's hiding in the temporary internet files, therefore you'll have to browse for a suspicious process there. It also installs as a portable process with no trace in Add & Remove Programs. Quite hard to see the process!!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
PCspike welcome to Seven Forums

Please download the two programs below

AdwCleaner

Click here AdwCleaner

• Click on Download Now button

• Save to the Desktop

• Right-click on AdwCleaner.exe and choose [image: mawket.jpg]

• Click on Delete and confirm the prompt.

• Your computer will be rebooted automatically. A text file will open after the restart.

Upload the log : The log file is at C:\AdwCleaner[Sn].txt


Download Junkware Removal Toolkit

Click here Junkware Removal Tool to download

Drag the JRT.exe from the Downloads folder to your Desktop

Right click JRT.exe and choose [image: mawket.jpg]


Once done upload the JRT.txt file



How To Upload a File
Click on the Go Advanced button under the Message box. Scroll down to Additional Options then click on Manage Attachments in the Attach Files sections. Click the Browse button, locate the file, then click on the Open button. In the Upload File from your Computer section click on the Upload button. Wait until it finishes uploading then close the window. Then click Submit Reply.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
pcspike

What version is your Windows 7, 32-bit or 64-bit?
 

Hi,

It's 64 bit
 

Welcome to Sevenforums!

Can you upload a screenshot of the process you have stopped? This could be helpful for helpers.

PS: sometimes it's hiding in the temporary internet files, therefore you'll have to browse for a suspicious process there. It also installs as a portable process with no trace in Add & Remove Programs. Quite hard to see the process!!

Unfortunately I didn’t take that much notice at the time (silly of me now I know). Had a look in the temp files can’t see anything there for that date.
 

Run Farbar Recovery Scan Tool


64-Bit Version OS Farbar Recovery Scan Tool x64 <===== Download Link

Drag the FRST64.exe from the Downloads folder to your Desktop

Right click on FRST64.exe and choose [image: mawket.jpg]

When the tool opens click Yes on the disclaimer window.

Press Scan button.

FRST will let you know when the scan is complete and has written the FRST.txt to file

Note: The first time Farbar Recovery Scan Tool is run, it also makes another log, Addition.txt

Please upload both logs in your reply (FRST.txt and Addition.txt).

Note: FRST.txt and Addition.txt will be on the Desktop

Upload a File
Click on the Go Advanced button under the Message box. Scroll down to Additional Options then click on Manage Attachments in the Attach Files sections. Click the Browse button, locate the file, then click on the Open button. In the Upload File from your Computer section click on the Upload button. Wait until it finishes uploading then close the window. Then click Submit Reply.
 

pcspike

Have you done post #3?
 

pcspike

I am not seeing anything being done
 

Download
HitManPro

64-Bit Version OS → HitmanPro_x64

32-Bit Version OS → HitmanPro

• Save to the Desktop

• Right click on HitmanPro.exe and choose [image: mawket.jpg]

• When HitmanPro opens up click on Settings and uncheck Scan for tracking cookies. Click on OK. Then click on the Next button

• Click on No, I only want to perform a one-time scan to check this computer on the Setup page. Click Next once done.

• Let it scan the PC. Once it's done, click Next

• Click Activate free license to start the free 30 days trial and remove all the malicious files from your computer, then click Next

Copy and paste the contents of the log. Located in C:\ProgramData\Hitman Pro\Logs
 

Hi Vista King,

See attachment to Hitmanpro log. Just checked the browser and it now seems clear of popups. Are you able to tell what was the cause of the problem?
 

Attachments

Delete the old FRST.txt file and rerun FRST64.exe please. Upload the new FRST.txt
 

See attachment
 

Attachments

Open Notepad. Inside notepad paste the highlighted text below

start
HKLM-x32\...\Run: [] - [x]
CHR HKLM-x32\...\Chrome\Extension: [ddjobbmbkpnhmiloopddfpnedcmhcdpg] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\chromeExtension.crx
2013-08-05 16:02 - 2013-08-05 16:11 - 00000000 ____D C:\Program Files (x86)\Web Cake
2013-08-05 16:02 - 2013-08-05 16:09 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Web Cake
2013-08-05 20:05 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-05 16:11 - 2013-08-05 16:04 - 00000000 ____D C:\Program Files (x86)\WinZipper
2013-08-05 16:11 - 2013-08-05 16:02 - 00000000 ____D C:\Program Files (x86)\Web Cake
2013-08-05 16:09 - 2013-08-05 16:03 - 00000000 ____D C:\Users\Dave\AppData\Roaming\player
2013-08-05 16:09 - 2013-08-05 16:02 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Web Cake
2013-08-05 16:04 - 2013-08-05 16:04 - 00000000 ____D C:\Users\Dave\AppData\Roaming\WinZipper
end


Click on File, select Save As

Location: Desktop
File Name: Fixlist.txt
Save as type: All files

Click on the Save button

Open FRST64.exe and click on the [Fix] button. Once it's done it will create a new log file on your desktop called Fixlog.txt. Upload that log

Once you're done run ESET online scanner

On [image: 3133y8w.png]

Hold down Control and click on ESET Online Scanner to open ESET OnlineScan in a new window
Click the [image: 30jij2b.png] button
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.


On [image: 5b5jza.png] or [image: 4l6ro8.png]

Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
Right click on [image: 2wohcn4.png], choose [image: mawket.jpg], on your desktop
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.
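
Added example, not part of the original posts and not FRST's own code: the file-listing lines in the Fixlist above carry two timestamps each, and this Python reads them to show which paths were created together in one burst. It assumes the earlier timestamp on a line is the creation time, since the same folder appears on the page with the two timestamps in either order; `parse_listing` and `creation_bursts` are names made up for this example.

```python
import re
from datetime import datetime, timedelta

# File-listing lines copied from the Fixlist posted in this thread.
FIXLIST = r"""
start
HKLM-x32\...\Run: [] - [x]
2013-08-05 16:02 - 2013-08-05 16:11 - 00000000 ____D C:\Program Files (x86)\Web Cake
2013-08-05 16:02 - 2013-08-05 16:09 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Web Cake
2013-08-05 20:05 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-05 16:11 - 2013-08-05 16:04 - 00000000 ____D C:\Program Files (x86)\WinZipper
2013-08-05 16:11 - 2013-08-05 16:02 - 00000000 ____D C:\Program Files (x86)\Web Cake
2013-08-05 16:09 - 2013-08-05 16:03 - 00000000 ____D C:\Users\Dave\AppData\Roaming\player
2013-08-05 16:09 - 2013-08-05 16:02 - 00000000 ____D C:\Users\Dave\AppData\Roaming\Web Cake
2013-08-05 16:04 - 2013-08-05 16:04 - 00000000 ____D C:\Users\Dave\AppData\Roaming\WinZipper
end
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# timestamp - timestamp - 8-digit size, 5-character attribute field, path
LINE = re.compile(rf"^({TS}) - ({TS}) - (\d{{8}}) ([A-Z_]{{5}}) (.+)$")


def parse_listing(text):
    """Return {path: (earliest, latest, is_dir)}, merging repeated paths."""
    entries = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # start/end markers, registry and extension lines
        a, b = (datetime.strptime(g, "%Y-%m-%d %H:%M") for g in m.group(1, 2))
        path, is_dir = m.group(5), m.group(4).endswith("D")
        lo, hi = min(a, b), max(a, b)  # assumption: earlier stamp = creation
        if path in entries:
            lo, hi = min(lo, entries[path][0]), max(hi, entries[path][1])
        entries[path] = (lo, hi, is_dir)
    return entries


def creation_bursts(entries, gap=timedelta(minutes=10)):
    """Group paths whose creation time is within `gap` of the previous path."""
    bursts = []
    ordered = sorted(entries.items(), key=lambda kv: (kv[1][0], kv[0]))
    for path, (created, _, _) in ordered:
        if bursts and created - bursts[-1][-1][0] <= gap:
            bursts[-1].append((created, path))
        else:
            bursts.append([(created, path)])
    return bursts


if __name__ == "__main__":
    for burst in creation_bursts(parse_listing(FIXLIST)):
        print(f"{burst[0][0]} .. {burst[-1][0]}  ({len(burst)} paths)")
        for created, path in burst:
            print("   ", created, path)
```

On the thread's data the five Web Cake, player and WinZipper folders fall into a single burst created between 16:02 and 16:04 on 2013-08-05, while SA.DAT carries a 2009 timestamp and stands apart.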
 

Hi Vista King,

See attachment to Hitmanpro log. Just checked the browser and it now seems clear of popups. Are you able to tell what was the cause of the problem?


Looks like D2M-Precheck[1].exe was the trojan...

Some are reporting as well that strange folders come along with it:


Question owner



I ran AdwCleaner first. It found many registry keys. It also found these folders:
  • C:\Program Files (x86)\OApps
  • C:\Program Files (x86)\SaveValet
In the OApps directory was the file: dler.exe
Then I ran Malwarebytes Anti-Malware which found: D2M-Precheck[1].exe (Trojan.MSIL)
All of the above were missed by Microsoft's Security Essentials.
The malware that was putting the banner in the webpages I viewed was SelectionLinks. It is a Firefox plugin that was sneakily installed.
I am certain the above infections happened because of free software I had downloaded. I do not know which of them it was. I suspect one or more of them was downloaded from other than the official site for them.
I thank you for your help. I had some serious infections, especially dler.exe.

You might want, in the near future, to set these settings for the internet:
Internet Explorer Delete Browsing History

Empty Temporary Internet Files folder when closed
 

Okay, it's 9pm here, so the first scan could be running to the early hours. I have an appointment tomorrow morning which means the second scan will only start in the afternoon.

Thanks for your help so far, it’s appreciated.
 

ESET is slow. On an XP PC with only about 50 GB of space used it took almost an hour. On my Gateway a few months back it took around 4 hours. The more HDD space taken up, the longer the scan takes.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Gateway DX4822-01
OS
Windows 7 Home Premium x64
CPU
Intel Pentium Dual Core 2.6 GHz
Motherboard
stock factory for this model
Memory
6 GB
Graphics Card(s)
stock factory for this model
Sound Card
stock factory for this model
Monitor(s) Displays
Dell P2010Ht
Screen Resolution
1600 x 900
Hard Drives
1 TB Western Digital
PSU
300 watt
Cooling
80mm case fan, CPU fan, 60mm front intake
Keyboard
Logitech
Mouse
HP 3-button optical wheel mouse
Internet Speed
fiber optic
Antivirus
MSE, SuperAntiSpyware, Malwarebytes Free
