Trovi Virus - help to remove please

It's done. Here's the log. I thought I went to the website of whoever made the program.

adw wasn't installed until today.
 

Attachments

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
(1) Hitachi HDP725050GLA360 ATA Device (2) ST31000528AS ATA Device (3) Generic USB CF Reader USB
OS
Windows 7 Professional 64 bit
CPU
AMD Phenom(tm) II X4 955 Processor
Motherboard
ASUSTeK Computer INC. M3A78-CM
Memory
8 GB
Graphics Card(s)
XFX Radeon R7 260 X 1GB
Sound Card
AMD High Definition Audio Device
Monitor(s) Displays
Westinghouse TV 26"
Screen Resolution
1366x768
Hard Drives
1TB SATA
PSU
Corsair CX 750 ATX 80 Plus
Keyboard
Standard PS/2
Mouse
Standard
Internet Speed
80-100
Antivirus
Defender
Browser
Opera and Firefox
Take your time, keep asking questions if you need an explanation, and wait for the answer.

As I said, most of the files herdProtect flagged were game related, and a lot of them were language components.

Ask is a toolbar that can sneak in if you don't pay attention during an install (people miss those little checkboxes).

atiesrxx is probably legit, but herdProtect tells me that it belongs in a different location. I just searched the name; you'll be providing more information to herdProtect when you check the details.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Pavilion dv6-6c10us
OS
x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
CPU
AMD A6-3420M APU with Radeon(tm) HD Graphics
Motherboard
Hewlett-Packard 1805
Memory
6.00 GB
Graphics Card(s)
AMD Radeon(TM) HD 6520G
Sound Card
(1) AMD High Definition Audio Device (2) IDT High Definiti
Monitor(s) Displays
HP W2072a 20" LCD (1600 x 900) @ 60 Hz
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
ST640LM0 00 HM641JI SATA Disk Device
Keyboard
Logitech k520 wireless KB
Mouse
Logitech m320 wireless mouse (bundled with KB)
Internet Speed
15/5 | 54 MB Wireless 'n'
Antivirus
Realtime: Defender or Avast | On-demand: Malwarebytes, ESET
Browser
IE 11 on Win8, IE 10 on win 7
Other Info
Media: [Gimp, Audacity, VLC] || Comm: [WEmail 2012, Skype] || Productivity: [OpenOffice,| Textpad] || Utils: [Sysinternals, cCleaner, Speccy, Defraggler]
What am I doing now? Waiting to run herdprotect again?
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit
You have to make sure that new infections aren't introduced by rushing. That just puts you a step back.
We'll see if any real damage was caused or if you can continue to move forward (I hope so).

First uninstall AdwCleaner Packages in Control Panel > Programs and features.

That puppy brought in more malware (adware which the real AdwCleaner does not).

If you're not sure, stop and ask.

After you've uninstalled AdwCleaner Packages in Control Panel > Programs and features, tell me if there is an AdwCleaner shortcut on your Desktop.

Then we'll see what's next.

edit: I'll be away for a bit
 

My Computer: Laptop, HP Pavilion dv6-6c10us, Win8.1 Pro x64
Yes. I added a Rocket Browser. I've uninstalled it from Programs. I then went into Program Files and deleted the folder. I went into my browser settings and removed that browser from my choices and put Bing back.

I uninstalled AdwCleaner. There isn't a shortcut on the desktop.

Ok. I'll hang here and refresh every few mins. Thank you.
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit
Ok, here's the real deal.

I can't help you keep viruses off of your system - you're the only one that can do that.
I can only help you get rid of them, but I need your co-operation.

I should have said this way back, so I accept responsibility for being part of the cause.

Nothing should be added to the system while you try to disinfect it.
After the system has been disinfected, you have to pay attention to every install. A lot of free and paid-for programs add extra programs to the installer package. They get paid a small percentage every time someone installs the extra software.
The end user, you or me, has to be alert to this and decline the offers of the extra software. Sometimes it's easy to spot, sometimes the wording isn't exactly clear and it looks like it's part of the program you want, sometimes it's not easy to spot and in the worst cases you don't even know it's being installed.

You've seen two cases of this during the disinfection - one was AdwCleaner, not from the link Jacee gave you. It had an ad in it - the author's version does not. The second case was Rocket Browser - it had a scheduled task to go get more something, probably ads... I don't know.

A third case is the Ask toolbar. I don't know where that came from, but it might have been the games you installed or the Snag bar.

I say this only to explain where malware comes from and why you, the end user, have to be aware and alert when installing software.

Please do not install anything until we're through, or we'll never get through... ok? After that be very cautious what you install and what web sites you visit or your system will probably get some sort of malware.

I will be as specific as I can be so that I don't misdirect you.

Is herdProtect still open?
Did you get the details from their knowledge base for the two files I asked about?
c:\windows\system32\atiesrxx.exe
c:\users\li\appdata\local\temp\askslib.dll
 

My Computer: Laptop, HP Pavilion dv6-6c10us, Win8.1 Pro x64
Ok. I will not install anything else. Sorry.

No. herdProtect is closed.

Well ... I don't seem to have that atiesrxx.exe .. aaand I don't seem to have an appdata folder either.
 

Attachments: 4.jpg, 5.jpg

My Computer: PC/Desktop, Windows 7 Professional 64 bit
Ok, we'll go to the 2nd run of herdProtect

In Windows Explorer, navigate to C:\Users\LI\Downloads
herdProtect should be there
Double click to launch
Answer yes to any UAC prompts, then click scan

Keep herdProtect open - do not close it this time.
Post a screenshot of the window that shows what herdProtect found
I'll ask you to click on some of the files in that window and select Details
That should open a browser window on herdProtect and provide additional information on the file

If something doesn't match my descriptions, post a screenshot so I can see what you see

Thanks
 

My Computer: Laptop, HP Pavilion dv6-6c10us, Win8.1 Pro x64
Done
 

Attachments: 6.jpg

My Computer: PC/Desktop, Windows 7 Professional 64 bit
Ok, click on askslib.dll - do you get two options?
click Details
post the herdProtect details window opened in your browser
 

My Computer: Laptop, HP Pavilion dv6-6c10us, Win8.1 Pro x64
Attachment: sli.png

File name: askslib.dll
Publisher: Ask.com (signed and verified)
Product: AskIC Dynamic Link Library
Version: 9.9.9.9
MD5: b28c334c03cee7c5e829c43ae75dae5a
SHA-1: 71435ddb11e00d0243380c4902324853fe4ece8f
SHA-256: b2e9e737eb5dcee0a8d8d1e36d6b171efbda18bbdb18033498035cdd52913401

Analysis
Scanner detections: 3 / 68
Status: Potentially unwanted
Analysis date: 3/21/2014 6:26:22 PM UTC (three months ago)

Scan engine | Detection | Engine version
Boost by Reason | Adware.Ask.H | 2013.8.29.0
ESET NOD32 | Win32/Bundled.Toolbar.Ask (variant) | 7.9133
Reason Heuristics | PUP.Ask.H | 14.3.21.14

File Details
File size: 242.2 KB (248,008 bytes)
Product version: 9.9.9.9
Copyright: Copyright (C) Ask 2012
Original file name: AskIC.dll
File type: Dynamic link library (Win32 DLL)
Language: English (United States)
Common path: C:\users\user\appdata\local\temp\askslib.dll

Digital Signature
Signed by: Ask.com
Authority: VeriSign, Inc.
Valid from: 6/19/2011 5:00:00 PM
Valid to: 6/18/2014 4:59:59 PM
Subject: CN=Ask.com, OU=Distribution, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ask.com, L=Oakland, S=California, C=US
Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 0965F2AC7236C7E1BDCA44ED139B273A

File PE Metadata
Compilation timestamp: 8/22/2012 8:37:23 PM
OS version: 5.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 9.0
CTPH (ssdeep): 3072:5qVcBJqeLnzl2hxxIvEX89+dsUk71rSteEj3HdC4Qsqz3nC2DwkV4gcIyxUY49Tc:5W07Lnzl2lI28o+Uk71P4Qh3JYXs4
Entry address: 0x180FC
Entry point: 8B, FF, 55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, BF, A3, 00, 00, FF, 75, 08, 8B, 4D, 10, 8B, 55, 0C, E8, EC, FE, FF, FF, 59, 5D, C2, 0C, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 27, C8, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 14, A1, 40, 78, 03, 10, 33, C5, 89, 45, FC, 53, 56, 33, DB, 57, 8B, F1, 39, 1D, 4C, 90, 03, 10, 75, 38, 53, 53, 33, FF, 47, 57, 68, 14, 01, 03, 10, 68, 00, 01, 00, 00, 53, FF, 15, B0, C1, 02, 10, 85, C0, 74, 08, 89...
Entropy: 6.5336
Code size: 171.5 KB (175,616 bytes)

Variants
There are 5 known versions of askslib.dll by Ask.com.
3 / 68 (PUP) - askslib.dll 9.9.9.9 (090b6cdbda1fca4e5ea5ceebe75da1b0122a6f4a)
3 / 68 (PUP) - askslib.dll 5.1.2.0 (eeaa8e7cbf57449ab12ab62b19a60c7ece9c975b)
4 / 68 (PUP) - askslib.dll 5.1.1.0 (40e49124ad0b55a25f947333ca88e9d0bc30a7e3)
3 / 68 (PUP) - askslib.dll 4.2.0.0 (81c2c3354f11ece49d7667538cefe9f2b2395319)
2 / 68 (PUP) - askslib.dll 3.0.0.0 (1eff205d7d0d82baf841a98c176d700114e13fe6)

Related
3 / 68 (PUP) - apnic.dll (e32aa2e78d2c8f0e9316080e71a714befe851e6c)
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit
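The herdProtect report above gives a SHA-256, an Authenticode signer and an entropy figure for askslib.dll, and the earlier question about atiesrxx.exe was whether the copy on disk sits where that file belongs. As an added example (not part of the thread and not herdProtect's code), this PowerShell script checks the same fields locally for the files the helper asked about: whether each path exists, its SHA-256 to compare against the report, the Authenticode signer and verification status, and the Shannon entropy of the file. The path list (the thread's paths with the profile folder replaced by environment variables) and the PowerShell 3.0 requirement are assumptions; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not from the thread or from herdProtect: local triage of the files the
# thread discusses. Assumes PowerShell 3.0 or later (for [ordered] and [pscustomobject]).
# The path list is an assumption built from the paths quoted in the thread.
$paths = @(
    "$env:SystemRoot\System32\atiesrxx.exe",
    "$env:LOCALAPPDATA\Temp\askslib.dll",
    "$env:LOCALAPPDATA\Temp\quarantine.exe"
)

function Get-ShannonEntropy {
    # Bits per byte, 0.0 .. 8.0. Ordinary compiled code usually lands around 5 to 6.5;
    # packed or encrypted payloads approach 8.0. herdProtect reports the same metric.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    [Math]::Round($entropy, 4)
}

function Get-FileTriage {
    param([string]$Path)
    $result = [ordered]@{
        Path   = $Path
        Exists = (Test-Path -LiteralPath $Path -PathType Leaf)
    }
    # A missing file at the expected location is itself a finding: either it was never
    # there (the report's "common path" is a different machine's) or it was cleaned.
    if (-not $result.Exists) { return [pscustomobject]$result }

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hash   = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''

    # Status 'Valid' means the signature chain verified on this machine. 'NotSigned' on a
    # file the report shows as "signed and verified" means it is not the same file;
    # 'HashMismatch' means the bytes were changed after signing.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result.SizeKB    = [Math]::Round($bytes.Length / 1KB, 1)
    $result.SHA256    = $hash
    $result.Entropy   = Get-ShannonEntropy -Bytes $bytes
    $result.SigStatus = $sig.Status
    $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $result.Issuer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
    [pscustomobject]$result
}

$paths | ForEach-Object { Get-FileTriage -Path $_ } | Format-List
```

Compare the SHA256 and Signer fields with the report: a matching hash confirms it is the analysed file, while a valid signature from the publisher shown in the report (Ask.com here) tells you the file is genuine vendor code that was bundled, not an impostor, which is exactly the "potentially unwanted" rather than "malware" distinction herdProtect draws.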
Ok, thanks. Now do the same thing - click... Details... and post - for the other three files.

I have a link to get rid of Ask.

Let me know about the other files first and then you can get rid of Ask.

edit: This is looking very good. I think once you get rid of Ask, I'll post the housekeeping tasks and you'll be done.
 

My Computer: Laptop, HP Pavilion dv6-6c10us, Win8.1 Pro x64
File name: quarantine.exe
MD5: 10ce1874520612e5f9bdc21c962aef1b
SHA-1: 797a6d631d6a19f7e556bdbd7ef17d11fb648406
SHA-256: 8b72f75687da4a6c80c41cf380fc1b5557334d67aab49c8ba16a101c80b36f79

Analysis
Scanner detections: 3 / 68
Status: Inconclusive (not enough data for an accurate detection)
Analysis date: 3/14/2014 5:03:29 AM UTC (four months ago)

Scan engine | Detection | Engine version
Antiy Labs AVL | Trojan/Win32.Agent | 0.1.0.1
Jiangmin | Trojan/MSIL.bfsx | KV140314
Norman | Injector.GCAC | 10.20140314

File Details
File size: 896.5 KB (918,016 bytes)
File type: Executable application (Win32 EXE)
Language: English (United Kingdom)
Common path: C:\users\user\appdata\local\temp\quarantine.exe

File PE Metadata
Compilation timestamp: 3/13/2014 11:13:50 PM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 11.0
CTPH (ssdeep): 12288:84lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgaWL/Z3q9MmCS:84lavt0LkLL9IMixoEgeaWLh3q9MmCS
Entry address: 0x26BF7
Entry point: E8, 97, CF, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 58, 01, 4C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 70, A3, 4B, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 58, 01, 4C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03...
Code size: 560 KB (573,440 bytes)

Structural Variants
There are numerous known code variations that share the same compilation structure.
2 / 68 - shortcut_module.exe 3.6.2014.1 (ad2983aaa33065707e4187523caa6a06ac3c49fa)
2 / 68 - ~au3udhyuhz.exe 2.2.2014.2 (540486ae5bf52a33abd618415bc8f4b2c555556b)
2 / 68 - ~au3vpoktvf.exe 1.0.0.0 (3269a33084e797977573bb997a42d8a679321768)
1 / 68 - pre_scan.exe (09206d641b8e4ee20a1e4d4025fe3c09824d4455)
1 / 68 - ~au3yawbrhx.exe (4bbb9ff63a7acc27a380ecc92890eca1b01f7c4c)
2 / 68 - ~au3wanosqq.exe (d044726147bb9413ec7c7f072f1646fd5feceb0b)
2 / 68 - ~au3vlfhhqc.exe (b6cfbb4413eaf132a07938d87ab116a3a36bb698)
1 / 68 - ~au3ldrpgmq.exe (3629fdf5cc8419c5d629401eedf437f452e5a1db)
1 / 68 - ~au3jhcxmru.exe (bc0ee0947f8da8f8a4def43b2666cb3ac5e6ab31)
3 / 68 (inconclusive) - ~au3ficegir.exe (d2dbf1462b568490d2042c7d98952a44c71a3b3c)
1 / 68 - ~au3etwfodi.exe (92c1b01471ae4cc559523a1c1d40c97de224dd7b)
2 / 68 - ~au3dkcbhrl.exe (9a01d645b70bfcddffdc79c20b0df74fc2bda747)
0 / 68 - ~au3dfgarzc.exe (f2466362df3ca519a7918a18fa4f6af6eeab31b7)
1 / 68 (inconclusive) - ~au3bhjjzgo.exe (f1c03ab084a89233a3da76bbb36caaacf54bdcfb)
1 / 68 - ~au3ammvosl.exe (5fefaef8038812918b1443af124de9c81f3a05a6)

Fuzzy Variants
The following files closely match quarantine.exe based on a fuzzy CTPH.
2 / 68 - updateinstaller.exe [97% match] (ba681c907537da964bf48be3707862af01997895)
2 / 68 - video.exe [97% match] (be95325e41555d11b5fbb268d2ab926592b9c791)
2 / 68 (Adware) - regadd.exe [97% match] (985445fb6145860c18bbe146cb2e4863aaea2ad8)
4 / 68 (Malware) - áوþç çáþóيس ßان هäاك.exe [96% match] (0cd73f5ddd5058408d9146a7a5ccac0eb624706b)
6 / 68 (Malware) - w0rm.exe [94% match] (a06d5488afdad92de2183f890b94df248c9a21c5)
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit
File name: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi
MD5: fc26f8841215642da0cc98f66bc403ce
SHA-1: 978bcbe29255fdc40ea200d1bda790490aa2bb66
SHA-256: 982857a836929026f98d3e530e91c0ffe6194064f2b047312d560c472e65636f

Analysis
Scanner detections: 1 / 68
Status: Inconclusive (not enough data for an accurate detection)
Analysis date: 3/1/2014 8:52:05 AM UTC (four months ago)

Scan engine | Detection | Engine version
Dr.Web | Adware.FreeCause.3 | 9.0.1.0341

File Details
File size: 566.8 KB (580,368 bytes)
File type: Cross-Platform Installer Module (XPI), used by Mozilla bundles
Common path: C:\users\user\appdata\roaming\mozilla\firefox\profiles\user.default\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi

Behaviors
Mozilla Extension - Name: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi

Variants
0 / 68 - {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi (f33793c353bafee0d369c031c7a14907a78bb7a0)
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit
File name: iwinarcadelauncher.exe
Publisher: iWin, Inc (signed and verified)
MD5: 28bd5ae31c863f05f5398b7668208435
SHA-1: 28fc30b5eae707b86d2c3efc307dceb790a5fdcd
SHA-256: 724c52bb6b902942e7d90264e5ed9ff258ba18bff5feccb47b7c5d31e8a3c975

Analysis
Scanner detections: 1 / 68
Status: Inconclusive (not enough data for an accurate detection)
Analysis date: 3/6/2014 3:23:41 PM UTC (four months ago)

Scan engine | Detection | Engine version
Reason Heuristics | Unnamed.Threat.16 | 14.3.6.10

File Details
File size: 45 KB (46,128 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\Program Files\iwin games\firefox\iwinarcadelauncher.exe

Digital Signature
Signed by: iWin, Inc
Authority: Thawte Consulting (Pty) Ltd.
Valid from: 11/16/2006 7:00:00 PM
Valid to: 11/16/2008 6:59:59 PM
Subject: CN="iWin, Inc", OU=Secure Application Development, O="iWin, Inc", L=San Francisco, S=California, C=US
Issuer: CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Serial number: 0484B0E7AC23C4FB5A9CBDCDC5249187

File PE Metadata
Compilation timestamp: 10/27/2006 4:09:39 AM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 6.0
CTPH (ssdeep): 768:+f3VmVhsRI26KR+gO3iWn+Cyb9+6otVhyL3UF:Q3AkKBznexot3y4F
Entry address: 0x2A0E
Entry point: 55, 8B, EC, 6A, FF, 68, 38, 71, 40, 00, 68, 8C, 47, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 28, 70, 40, 00, 33, D2, 8A, D4, 89, 15, 78, 86, 40, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 74, 86, 40, 00, C1, E1, 08, 03, CA, 89, 0D, 70, 86, 40, 00, C1, E8, 10, A3, 6C, 86, 40, 00, 33, F6, 56, E8, D9, 1C, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, B0, 00, 00, 00, 59, 89, 75, FC, E8, 19, 1B, 00, 00, FF, 15, 24, 70, 40, 00, A3, 98, 8B, 40, 00, E8...
Entropy: 5.7237
Developed / compiled with: Microsoft Visual C++ v6.0
Code size: 24 KB (24,576 bytes)

Structural Variants
0 / 68 - iwinarcadelauncher.exe (f9220079bf7c3e024d44518a42665267ed263669)

Related
0 / 68 - PGMTrusted.EXE (bde59574bf07fd2ea8a7aac2afe0801f702ab8c6)
0 / 68 - iWinTrusted.EXE (43defd876ff0a3216a5585df50d98188ec1b055c)
0 / 68 - iWinGames.exe (6714d26e0f84fb7a24cd0b6a2aa6c26caf1663dd)
0 / 68 - PogoDGC.exe (ab5e39abd10cbc1be97c13bbfbab1442e15e5d5f)
1 / 68 (inconclusive) - WebUpdater.EXE (07e77f677619bfc46d3970caae3fe176abbf0d15)
13 / 68 (PUP) - iwingameshookie.dll (e8af7180dd6d8dfc2e281ed59c471f2af686f4ba)
0 / 68 - Au_.exe (7ff6bcf7c280b243ac9eb565da559b952e199e15)
0 / 68 - iWin_GDF.dll (a2f4c2a8be29c6f76748259d434d365ef571a8c8)
0 / 68 - JewelQuest3.exe (23ffdb6966dd303d19ae1ed832e008c821144877)
0 / 68 - uninstall.exe (67e36944b6557beaac849ff9e348c47bd3f70363)
0 / 68 - AdminWorker.exe (82455d34481ca07539a8fc4faffbcc38fd519ff7)
0 / 68 - WebInstaller.exe (84ce5ccca3ac382c34f28800cff149ab0f7c36e6)
0 / 68 - JewelQuest2.exe (e49878aa54596f89d8f48089ff65414db8bfa336)
0 / 68 - framework.dll (5eb28dd937fadfaa9a37bdc16e76e45096214144)
0 / 68 - GamesManagerInitiator.exe (52ffcac3ffb98c96a8425ca5bcba457036abda87)
0 / 68 - GamesManagerInstaller.exe (8fb0d2b73e06a9d9049bd6e2fe2828bec0b069d5)
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit
I'm heading to bed. I'll check back tomorrow. Thank you.
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit
If iwinarcadelauncher is the last file (you can't scroll down any further), then we'll just have to clean up Ask and quarantine.

Copy the following line and paste it into the Windows Explorer address bar
C:\USERS\LI\APPDATA\LOCAL\TEMP

Press Enter
Post a screenshot
Select quarantine
Press the Delete key

Clean up Ask

You'll have to close your browser for some of the steps, and restarts are required. Don't skip a step or the Ask cleanup won't be complete.

Download: http://apnmedia.ask.com/media/toolbar/utilities/ApnRemover.exe
Close all open browser windows.
Then run the utility; after it completes, please restart your computer.
Restarting the computer is necessary to complete the removal.

Then check each browser installed on your system
Follow each step on this webpage - yep every browser on your system even if you don't use it.
The Ask toolbar doesn't care if you use it or not, it installs on every browser it finds on your system.
If a browser is not installed, go to the instructions for the next browser

Why can't I remove the Ask default homepage from my browser?
 

My Computer: Laptop, HP Pavilion dv6-6c10us, Win8.1 Pro x64
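The cleanup above stresses that the Ask toolbar hooks into every browser on the system, and earlier in the thread Rocket Browser came with a scheduled task of its own. The following PowerShell inventory is an added example, not from the thread and not Ask's removal tool: it lists Firefox extensions in every profile (the .xpi location herdProtect reported for the {afe43e80-...}.xpi file), Internet Explorer Browser Helper Objects with the DLL behind each CLSID, and scheduled tasks whose action runs from a user-writable folder. The registry keys are the standard Windows locations; the folder pattern used to flag tasks, the output columns and the PowerShell 3.0 requirement are this example's assumptions. Opera is not covered.

```powershell
# Added example, not from the thread: inventory of the places a bundled toolbar such as
# Ask hooks into a Windows 7 system, so the cleanup can be checked on every browser.
# Assumes PowerShell 3.0 or later. Run from an elevated prompt to read HKLM fully.

function Get-FirefoxExtensions {
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profileRoot)) { return }
    foreach ($profile in Get-ChildItem -Path $profileRoot -Directory) {
        $extDir = Join-Path $profile.FullName 'extensions'
        if (-not (Test-Path $extDir)) { continue }
        # Extensions ship either as a packed .xpi file or as an unpacked folder
        foreach ($item in Get-ChildItem -Path $extDir) {
            [pscustomobject]@{
                Profile   = $profile.Name
                Extension = $item.Name
                Packed    = -not $item.PSIsContainer
                Modified  = $item.LastWriteTime
            }
        }
    }
}

function Get-IEBrowserHelperObjects {
    # 64-bit IE reads the first key; 32-bit IE (the default on Windows 7 x64) the second
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $bhoKey) {
            $clsid = $entry.PSChildName
            $dll = $null
            # The CLSID's InprocServer32 default value is the DLL that IE loads into every tab
            foreach ($server in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                                  "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32",
                                  "HKCU:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32")) {
                if (Test-Path $server) { $dll = (Get-ItemProperty -Path $server).'(default)'; break }
            }
            [pscustomobject]@{
                CLSID   = $clsid
                Bitness = if ($bhoKey -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
                Dll     = $dll
            }
        }
    }
}

function Get-TasksRunningFromUserPaths {
    # schtasks works on Windows 7, where the Get-ScheduledTask cmdlet does not exist.
    # The folder pattern below is this example's heuristic: legitimate software rarely
    # schedules binaries out of AppData, Temp or ProgramData; bundled adware often does.
    $tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
    $tasks |
        Where-Object { $_.TaskName -ne 'TaskName' -and
                       $_.'Task To Run' -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time', Status
}

'== Firefox extensions, all profiles =='
Get-FirefoxExtensions | Format-Table -AutoSize
'== Internet Explorer Browser Helper Objects =='
Get-IEBrowserHelperObjects | Format-Table -AutoSize
'== Scheduled tasks that run from user-writable folders =='
Get-TasksRunningFromUserPaths | Format-Table -AutoSize
```

Run it once before the Ask removal tool and the browser-by-browser steps, and again after the restart: anything still listed for a browser you never open is exactly the case the post warns about, since the toolbar registers with every browser it finds, not only the one in use.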
It's getting late here, so I'll post the housekeeping stuff now.

Finish the quarantine and Ask cleanup, then

Uninstall HitmanPro from Control Panel > Programs & Features

Reset Windows Update (WU) so it matches this configuration
(attached screenshot: Tousdae WU.png)

Run WU manually until there are no more updates offered. This will take a while.

Do NOT install anything else until your system is up to date

Check Microsoft Security Essentials - make sure it is active and scans are scheduled

I'll check back tomorrow, g'nite

Bill
 

My Computer: Laptop, HP Pavilion dv6-6c10us, Win8.1 Pro x64
I looked at some of the logs above. I have no idea what this Jewel Quest is. And iwin is just a thorn in the side!

I held down shift and scrolled up or down to highlight the info so it should all be there.

This is what happened when I clicked on the ApnRemover.exe.
 

Attachments: 1.jpg

My Computer: PC/Desktop, Windows 7 Professional 64 bit
... I can't do your first direction because I can't figure it out >.<
 

My Computer: PC/Desktop, Windows 7 Professional 64 bit