New Member, Hidden Taimed Adware. Win.7 64

Spyderedge

Hello forum, new member here and I can only hope this thread is OK on this forum and in the right place.

Short story even shorter, I am led to believe I have the Adware called "Taimed, LLC". Simple enough, I'll delete the program from "Programs and features".....but it's not there. Free edition of Malwarebytes and Spybot S&D did not pick anything up. (Around 2AM).

I found a cleaner program, fixed it up. Yesterday, around 1AM it somehow came back. Downloaded "Junk Removal Tool" and it removed it. Lo and behold tonight it came back YET AGAIN!

I have dealt with viruses in the past, and have simply removed the file and they're gone. This is beyond me, and I really need some help.

Thank you!

EDIT: "Show Hidden files" button is checked, and am currently using AdBlock to get Chrome working. This is also happening on Mozilla, so it's not a browser extension. Also tonight when it came back, it happened after I restarted my computer.
 

My Computer My Computer

At a glance

Win. 7, 64 bit.
Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP Pavilion G7 64 bit.
OS
Win. 7, 64 bit.
Browser
Chrome, Firefox
Downloaded "Reimage" after reading a good review. Tried to run it and said that it wouldn't run because Spybot Tea Timer was running in the background. Uninstalled Spybot and it still says that it's running.

EDIT: Scanned tonight with JRT again. Hopped on chrome and it couldn't connect to the Proxy Server. Rebooted, and the Adware is back. HELP!
 
Disable TeaTimer by doing the following:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
I removed TeaTimer in the registry. Performed the scan and guess what, the time to tell me you have to pay for it is AFTER the scan.

However, even though I didn't pay for it, it told me what files it found. One of them was Adware, so I went in and manually removed it.

Downloaded two Rootkit cleaners, solved the problem for now. Let's see if it comes back tonight.
 

TAIMED LLC is a software publisher located in Moscow district, Lubertsy in Russia*. A majority of the programs developed by the company can be classified as adware or other potentially unwanted programs.

See if you have any of these programs installed: TAIMED LLC Analysis - herdProtect
 

TAIMED LLC is a software publisher located in Moscow district, Lubertsy in Russia*. A majority of the programs developed by the company can be classified as adware or other potentially unwanted programs.

See if you have any of these programs installed: TAIMED LLC Analysis - herdProtect

Thank you :) No programs installed under those names, thankfully. Especially that one towards the end....

rKill, KVRT, and some other scans. Nothing....

It's really hiding if it's still there.
 

I feel really bad to keep posting in this thread, but it's back again after a two day hiatus. Can anybody help?
 

Have you tried Adwarecleaner by chance? It's a nice tool that might be able to weed out some hard-to-find files.

Also, do you have a back up available to revert to?
 

My Computer My Computer

At a glance

Microsoft Windows 7 Professional 64-bit SP1Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz8.00 GBNVIDIA NVS 3100M
Computer type
PC/Desktop
OS
Microsoft Windows 7 Professional 64-bit SP1
CPU
Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz
Motherboard
Dell Inc. 0K42JR
Memory
8.00 GB
Graphics Card(s)
NVIDIA NVS 3100M
Sound Card
(1) NVIDIA High Definition Audio (2) IDT High Definition A
Monitor(s) Displays
1
Screen Resolution
1440 x 900 x 32 bits (4294967296 colors) @ 59 Hz
Hard Drives
Samsung SSD 840 PRO Series ATA Device
Yes, I created a registry backup. A few cleaner programs I downloaded (Trusted ones) created two others as well. If not, dad has a Windows XP disk....in the worst case scenario.

Junkware Removal Tool removed some suspiciously named registry entries I didn't catch, and I'm fairly sure it fixed the issue. If it comes back I will try that cleaner. Thank you :)
 

It came back....
ADW Cleaner deleted a lot of things other cleaners didn't catch.

Is it common to have Adware, Malware, or other viruses that come back after being *deleted*?
 
Malware can sometimes root itself deep in the system and simply "removing" it will not solve all the issues. I'm not an expert in Malware removal, so I will not try to BS my way through it, however I have sent a PM to an expert who may take a look at this thread.
 

Scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png]
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png]
 

Ran the ESET program:


C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R8WENE4.exe Win32/ReImageRepair.F potentially unwanted application deleted - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Administrator\AppData\Local\Torch\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Andre\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Andre\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Andre\AppData\Local\Torch\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Andre\AppData\Roaming\ED62.tmp.exe.vir Win32/Techsnab.H potentially unwanted application deleted - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Guest\AppData\Local\Torch\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Assistant\ExtensionUpdaterService.exe.vir a variant of Win32/Toolbar.BitCocktail.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Assistant\InstallerHelper.dll.vir a variant of Win32/Toolbar.BitCocktail.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Assistant\Firefox\chrome\content\main.js.vir Win32/Toolbar.Perion.K potentially unwanted application deleted - quarantined
C:\Program Files\IDT\DownloadManagerSetup.exe a variant of Win32/InstallCore.BQ potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Techsmart Computer\amnet.dll a variant of Win32/Techsnab.H potentially unwanted application deleted (after the next restart) - quarantined
C:\Program Files (x86)\Techsmart Computer\ittask.exe a variant of Win32/Techsnab.H potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Techsmart Computer\jpff.exe a variant of Win32/Techsnab.H potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Techsmart Computer\jswchromium.exe a variant of Win32/Techsnab.H potentially unwanted application deleted - quarantined
C:\Users\Andre\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZO5M3IGK\ReimagePackage1814x64[1].exe Win32/ReImageRepair.F potentially unwanted application deleted - quarantined
C:\Users\Andre\AppData\Local\Temp\ReimagePackage.exe Win32/ReImageRepair.F potentially unwanted application deleted - quarantined
Operating memory a variant of Win32/Techsnab.H potentially unwanted application contained infected files
 

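An added example (not part of the thread and not ESET's own tooling): a small Python parser for the report format posted above. It groups detections by family and by where the object sits, so items already moved aside by an earlier cleaner can be told apart from files still installed or loaded in memory. The location labels and function names are this example's own assumptions; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# Lines copied from the report posted above; fields are whitespace-separated as shown there.
SAMPLE_REPORT = r"""
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R8WENE4.exe Win32/ReImageRepair.F potentially unwanted application deleted - quarantined
C:\$RECYCLE.BIN\S-1-5-21-979314786-3880189125-3514849237-1000\$R7GZND2\C\Users\Andre\AppData\Local\Torch\User Data\Default\Extensions\kfhamapbpbifcoklamkeaamolomdockm\2.2\h1Oi3j2.js.vir Win32/Adware.MultiPlug.EB application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Web Assistant\InstallerHelper.dll.vir a variant of Win32/Toolbar.BitCocktail.A potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Techsmart Computer\amnet.dll a variant of Win32/Techsnab.H potentially unwanted application deleted (after the next restart) - quarantined
C:\Program Files (x86)\Techsmart Computer\ittask.exe a variant of Win32/Techsnab.H potentially unwanted application deleted - quarantined
C:\Users\Andre\AppData\Local\Temp\ReimagePackage.exe Win32/ReImageRepair.F potentially unwanted application deleted - quarantined
Operating memory a variant of Win32/Techsnab.H potentially unwanted application contained infected files
"""

# object (path or "Operating memory"), detection name, object type, action taken
LINE = re.compile(
    r"^(?P<obj>.+?)\s+(?:a variant of\s+)?(?P<threat>Win(?:32|64)/\S+)\s+"
    r"(?:potentially unwanted )?application\s+(?P<action>.+)$")

def locate(obj):
    """Classify where a detected object sits (labels are this example's own)."""
    low = obj.lower()
    if low == "operating memory":
        return "running"
    if "\\$recycle.bin\\" in low or "\\quarantine\\" in low or low.endswith(".vir"):
        return "leftover"   # already moved aside by an earlier cleanup
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        return "download"   # installer still sitting in a cache/temp folder
    return "installed"

def triage(report):
    """Return ({family: {locations}}, [objects whose deletion waits for a reboot])."""
    families, pending = defaultdict(set), []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        # "Win32/Techsnab.H" -> "Techsnab": drop platform prefix and variant suffix
        family = m["threat"].split("/", 1)[1].rsplit(".", 1)[0]
        families[family].add(locate(m["obj"]))
        if "after the next restart" in m["action"]:
            pending.append(m["obj"])
    return dict(families), pending

def still_active(families):
    """Families with at least one object installed on disk or loaded in memory."""
    return sorted(f for f, where in families.items() if where & {"running", "installed"})

if __name__ == "__main__":
    fams, pending = triage(SAMPLE_REPORT)
    print("active:", still_active(fams), "| reboot needed for:", pending)
```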
Spyderedge,

If Taimed is still an issue, or you wish to use a second platform, please use the herdProtect Anti-Malware Scanner:
Download herdProtect - Free Anti-Malware Platform

It has identified the elusive Taimed LLC in other requests for assistance.

Select the Portable Version (green button on the right), and save to the Desktop.
Double-click the herdProtectScan_Portable file to run the program setup.

On the last prompt, make sure Launch herdProtect is checked, and press: Finish

Next, when presented with the Scanner prompt, press the green Scan button. (An Internet connection needs to be available.)

OK the next prompt.

The scan goes through various stages, and, when done, the scan Results are presented (Files scanned: xxx, Processes scanned: xxxx, etc.). Press (at the top): Save Results

Please do not remove any entries, and provide the herdProtect Scan_2015-(date) report in your reply.
 

My Computer My Computer

At a glance

Windows 7 Home Premium
Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
BTW, did you restart the computer after the ESET Scan?
If not, please do so.

Also, there may be a relationship between these two:

CN=TAIMED LLC, O=TAIMED LLC, STREET=Kirova st. 20A office 422, L=Moscow district, S=Lubertsy, PostalCode=140005, C=RU


Techsnab, identified by ESET, and also on the list Jacee provided in post #5:

CN=Techsnab LLC, O=Techsnab LLC, STREET="Otradnaya st. 15,", STREET="Location IIА, Office 1", L=Moscow, S=Moscow, PostalCode=127273, C=RU


It may be in your best interest to scan with herdProtect Anti-Malware.


The program appears to also have a grasp of this particular adware/malware.
 

Yes, I restarted my computer. Will download Herd-Protect and see what it finds.

As far as I know, on Google Chrome it's gone. I went to Firefox today and the ads are still blaring over there, then when I hit the shortcut to Chrome the shortcut has changed to "JSWchrome.exe" and would no longer work. Removed and re-installed Chrome, everything is fine again after an "Adwcleaner" scan. Removed and re-installed Firefox.

Just mentioning that in case it is helpful for you guys.

EDIT: Also, it changed my view of Facebook to Korean!!!
 
