
New Suspected infection, remote access

Discussion in 'Virus & Other Malware Removal' started by JMFD17, Mar 31, 2017.

Thread Status:
Not open for further replies.
  1. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    I was talking with my elderly neighbor about her computer and became concerned when I found she did have internet (she said she didn't), some remote access programs enabled, no login security, firewall turned off, and no router security. So, I ran the FRST scan and would appreciate any assistance.

    Thank you.
     

    Attached Files:

  2. foxfire

    foxfire Malware Specialist

    Joined:
    Jan 14, 2003
    Messages:
    313
    Hello JMFD17,


    I am Foxfire I will be helping you with your problem.

    Before we begin, please follow my simple rules:-
    • If you do not understand any instructions, Stop & Ask; do not risk creating further problems.
    • Please do not run any tools unless instructed to do so, because it may well cause unforeseen damage to your machine.
    • Please print out my instructions, so that mistakes are not made.
    • Malware removal is frequently complex; it takes time to analyse logs, so please be patient.
    • I will advise you as soon as your computer is clean; until then it may still be infected!
    • Before you begin the cleanup process, it's very important that you back up all of your important data such as documents, photos, music, emails, etc. to other media such as CDs or an external hard drive.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


    Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:
    Google Chrome - Click the "Customize and control Google Chrome" button in the upper-right corner of the browser.
    Choose Settings. At the bottom of the screen click the
    "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

    Mozilla Firefox - Click the "Open Menu" button in the upper-right corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

    Internet Explorer - Click the Tools menu in the upper-right corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

    Change default download folder location in Edge - Boot to a user account with admin status, select Start > File Explorer > right click on the "Downloads" folder and select "Properties"

    In the new window select the "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

    Be aware you are not changing the Browser download folder location, you are changing the user's download directory location.
    >>>>>>>>>>>>>>>>>>>>>>>>>>

    I am going through your logs now & will reply tomorrow.

    Foxfire
     
  3. foxfire

    foxfire Malware Specialist

    Joined:
    Jan 14, 2003
    Messages:
    313
    Could you advise if the copy of AVG Web TuneUp is the Free version ?


    Remove Ask toolbar & Ask Search

    Please go Here & follow directions.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>




    Open notepad. Please copy the contents of the code box below.
    To do this highlight the contents of the box and right click on it.
    Then paste it into the open notepad.
    Save it on the Desktop as fixlist.txt

    Code:
    CreateRestorePoint:
    CloseProcesses:
    EmptyTemp:
    Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    HKLM\...\Run: [] => [X]
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    GroupPolicy: Restriction ? <======= ATTENTION
    S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVENG.SYS [X]
    S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVEX15.SYS [X]
    S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000}; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [X]
    C:\Users\Jeannie\AppData\Roaming\WB.CFG
    C:\Windows\Tasks\{42108C75-CCDE-6044-86BC-2EEAF863EB93}.job
    URLSearchHook: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} -  No File
    SearchScopes: HKLM -> {F53CD4AF-28F0-43FB-B3FF-5D396282D957} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={B7A8B727-5307-49BB-8BC5-D47418C490
    HO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-05-13] (Oracle Corporation)
    HO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-13] (Oracle Corporation)
    FF Plugin: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-13] (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-13] (Oracle Corporation)
    Java 8 Update 91 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
    Norton Internet Security (Version: 16.0.0.125 - Symantec Corporation) Hidden
    Task: {057FCFCA-1840-493F-9B80-437A901C1389} - System32\Tasks\{42108C75-CCDE-6044-86BC-2EEAF863EB93} => C:\Users\Jeannie\AppData\Local\{9785A~1\UNINST~1.EXE  <==== ATTENTION
    CMD: ipconfig /flushdns
    Reboot:
    

    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Run FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    There has been past severe exploitation of this software. Even though this exploit has reportedly been fixed, there is still a vulnerability in the software; the below is currently all that is installed that is Java related:-

    Java Issue
    You may want to read these before you decide whether to keep Java on your system:
    http://www.zdnet.com/a-close-look-a...eptive-software-with-java-updates-7000010038/
    http://www.itworld.com/article/2940...-make-yahoo-your-default-search-provider.html

    If You Decide to Keep it,
    Download and Install the latest versions of Java Runtime Environment
    from here :
    http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html, and install them to your computer.
    If it won't allow you to get past the "Agree to the license" dialog, you will need to set your browser to temporarily allow scripts.
    Check the button to agree to the license.
    Select the links for your Platform, both jre-8u102-windows-i586.exe and jre-8u102-windows-x64.exe
    Click them one at a time, download each and save them to your desktop.
    Then double-click each on your desktop, and they will install the newest versions of Java for you to use.
    During installation, be certain to Uncheck and Refuse any offer for "partner software" or toolbars.
    When it finishes, you can remove the Installer(s) from your desktop.
    (I don't have any Java on my system, but you may decide it's a "must have" for some games).

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8/10 users right-click and select
      Run As Administrator
    • The tool will start to update the database, please wait a bit.
    • Click on I agree button.
    • Click on the Scan button.
    • AdwCleaner will begin...be patient please as the scan may take some time to complete.
    DO NOT CLEAN ANYTHING! Removal will be done after analysis of the log.
    After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[S#].txt) will open in Notepad for review
    (where the largest value of # represents the most recent report).
    The contents of the log file may be confusing. Unless you see a program name that you know should not be removed,
    don't worry about it. If you see an entry you want to keep, let me know about it.
    Copy and paste the contents of that logfile in your next reply.
    A copy of every logfile is saved in the C:\AdwCleaner folder, which was created when running the tool.
    >>>>>>>>>>>>>>>>

    I need the fixlog.txt & a copy of AdwCleaner log please.
    Foxfire
     
  4. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    Hello Foxfire,

    Thank you for your assistance. I will go to her house tomorrow and do as instructed, find out about the AVG, and upload the logs.

    Thank you,
    JMFD17
     
  5. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    I apologize for the delay I have not been able to go over there when the time was convenient for both of us, but hopefully tomorrow will be the day. Thank you for your patience.
     
  6. foxfire

    foxfire Malware Specialist

    Joined:
    Jan 14, 2003
    Messages:
    313
    Thank you for keeping me advised; I appreciate your difficulty.
    In the meantime, It might be helpful to ask if she uses TeamViewer & Wild Tangent.
    Foxfire
     
  7. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    She does not use Teamviewer or Wild Tangent, AVG was a free trial. I am completing the steps above and will list the results when they are available.

    JMFD17
     
  8. foxfire

    foxfire Malware Specialist

    Joined:
    Jan 14, 2003
    Messages:
    313
    Thank you for that.
    To try & save time/streamline the cleaning process,
    I can now give you an updated FRST fix to be used before running AdwCleaner:-



    Open notepad. Please copy the contents of the code box below.
    To do this highlight the contents of the box and right click on it.
    Then paste it into the open notepad.
    Save it on the Desktop as fixlist.txt

    Code:
    CreateRestorePoint:
    CloseProcesses:
    EmptyTemp:
    
    
    C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
    (Sysgem AG) C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe
    Sysgem AG) C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe
    (Sysgem AG) C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe
    (TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
    (TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer.exe
    (TeamViewer GmbH) C:\Program Files\TeamViewer\tv_w32.exe
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    HKLM\...\Run: [] => [X]
    C:\Program Files\AVG Web TuneUp
    C:\Program Files\AVG Web TuneUp\vprot.exe
    C:\Program Files\AVG Web TuneUp\CefHost.exe
    C:\Program Files\AVG Web TuneUp\CefHost.exe
    Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporatio
    [vProt] => C:\Program Files\AVG Web TuneUp\vprot.exe [2183752 2017-03-03] ()
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    GroupPolicy: Restriction ? <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKU\S-1-5-21-2736668572-1433372153-159621795-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
    HKU\S-1-5-21-2736668572-1433372153-159621795-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
    HKU\S-1-5-21-2736668572-1433372153-159621795-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
    HKU\S-1-5-21-2736668572-1433372153-159621795-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
    URLSearchHook: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} -  No File
    SearchScopes: HKLM -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
    SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
    SearchScopes: HKLM -> {F53CD4AF-28F0-43FB-B3FF-5D396282D957} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {08C2FE8D-012D-4327-B7C9-37C8EC2D2B7F} URL =
    SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={B7A8B727-5307-49BB-8BC5-D47418C49081}&mid=44d26d010f4547ccb4c4d16dca89858e-f416f6a4e84614dfe2940501b06f7d0a192d0d10&lang=en&ds=AVG&coid=avgtbavg&cmpid=0616tb&pr=fr&d=2016-06-08 09:04:40&v=4.3.1.831&pid=wtu&sg=&sap=dsp&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL =
    SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {F53CD4AF-28F0-43FB-B3FF-5D396282D957} URL =
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-05-13] (Oracle Corporation)
    BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Web TuneUp\4.3.7.452\AVG Web TuneUp.dll [2017-03-03] (AVG)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-13] (Oracle Corporation)
    Toolbar: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
    Toolbar: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> No Name - {42435041-322D-5637-00A7-7A786E7484D7} -  No File
    Toolbar: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    FF Extension: (AVG Web TuneUp) - C:\Users\Jeannie\AppData\Roaming\Mozilla\Firefox\Profiles\ldyuvi6l.default\Extensions\[email protected] [2017-03-03]
    FF SearchPlugin: C:\Users\Jeannie\AppData\Roaming\Mozilla\Firefox\Profiles\ldyuvi6l.default\searchplugins\avg-secure-search.xml [2017-03-03]
    FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.7\\npsitesafety.dll [No File]
    FF Plugin: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-13] (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-13] (Oracle Corporation)
    FF Plugin: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll [2016-10-01] ()
    R2 AccessGatewayConnectorService; C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe [4337272 2016-05-25] (Sysgem AG)
    AVG Web TuneUp (HKLM\...\AVG Web TuneUp) (Version: 4.3.7.452 - AVG Technologies)
    R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
    R2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [981576 2017-03-03] ()
    S2 Norton Internet Security; "C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1
    S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVENG.SYS [X]
    S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVEX15.SYS [X]
    Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
    HP Total Care Advisor (HKLM\...\{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}) (Version: 2.4.5106.2815 - Hewlett-Packard)
    HP Total Care Setup (HKLM\...\{38058455-8C21-4C2F-B2F6-14ED166039CB}) (Version: 1.1.1983.2818 - Hewlett-Packard Company)
    Java 8 Update 91 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation
    Norton Internet Security (Version: 16.0.0.125 - Symantec Corporation) Hidden
    TeamViewer 10 (HKLM\...\TeamViewer) (Version: 10.0.47484 - TeamViewer)
    Update Installer for WildTangent Games App (Version:  - WildTangent) Hidden
    WildTangent Games App for HP (HKLM\...\{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp) (Version: 4.1.1.8 - WildTangent
    Task: {057FCFCA-1840-493F-9B80-437A901C1389} - System32\Tasks\{42108C75-CCDE-6044-86BC-2EEAF863EB93} => C:\Users\Jeannie\AppData\Local\{9785A~1\UNINST~1.EXE  <==== ATTENTION
    Task: {421F2BC8-9DDC-4DEA-A3F7-FA4A2F965F7C} - System32\Tasks\Antivirus Emergency Update => C:\Program Files\AVG\Antivirus\AvEmUpdate.exe [2017-03-02] (AVG Technologies CZ, s.r.o.)
    Task: C:\Windows\Tasks\{42108C75-CCDE-6044-86BC-2EEAF863EB93}.job => C:\Users\Jeannie\AppData\Local\{9785A~1\UNINST~1.EXE <==== ATTENTION
    2016-06-08 09:04 - 2017-03-03 17:46 - 00981576 _____ () C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
    2008-12-16 17:50 - 2008-09-15 07:14 - 00028672 _____ () c:\Program Files\Cyberlink\Shared files\RichVideops.dll
    2016-06-08 09:04 - 2017-03-03 17:46 - 02183752 _____ () C:\Program Files\AVG Web TuneUp\vprot.exe
    2016-06-08 09:04 - 2017-03-03 17:46 - 01205320 _____ () C:\Program Files\AVG Web TuneUp\CefHost.exe
    2016-06-08 09:04 - 2017-03-03 17:46 - 40638536 _____ () C:\Program Files\AVG Web TuneUp\libcef.dll
    FirewallRules: [{7F855FB3-66E8-4A83-B7B7-161ADC6E26F4}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
    FirewallRules: [{09BDD2BE-1A99-4154-B530-2BFF0A26B390}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
    FirewallRules: [{5871F93D-201A-4F87-BC79-2E604703596B}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    FirewallRules: [{E757F48D-5529-4354-AF8B-56210389811D}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
    FirewallRules: [{D87CCD84-0250-467D-BA97-69EF7162ED2A}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
    FirewallRules: [{38E24ED2-EAAC-454A-83FE-E7A97D4A22D3}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
    FirewallRules: [{C20301B6-E73A-481A-9D56-C42965446921}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
    C:\Users\Jeannie\AppData\Roaming\WB.CFG
    CMD: ipconfig /flushdns
    Empty temp:
    Reboot:
    
    NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
    (Both on the Desktop is OK, or both in the same folder elsewhere)

    Run FRST64 and press the FIX button just once, and wait. DO NOT PRESS THE SCAN BUTTON.
    If for some reason the tool needs a restart, please make sure you let the system restart normally.
    The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
    When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.
    Foxfire
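The review foxfire is doing by eye over the FRST output (remote-control services and the firewall rules that admit them, the scheduled task FRST itself marked ATTENTION, the Ask and AVG search scopes, stale "No File" registry references, and services whose binary is gone) can be written down as a small triage script. The following is an added example for this thread; it is not FRST's code and not part of foxfire's fix scripts. The line patterns are approximations of the FRST formats quoted above, the sample log is constructed from entries modelled on the thread, and the remote-access markers and search watch list are assumptions a reviewer would tune for their own case.

```python
"""Triage FRST-style log lines for remote-access tooling and browser hijacks.

Added example for this thread, not FRST's own code and not one of the fix
scripts above. The regexes approximate the FRST line formats quoted in the
thread; the marker and watch lists are illustrative assumptions.
"""
import re
from urllib.parse import urlparse

# FRST line shapes as they appear in the thread (approximations, not FRST's spec).
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<detail>.+)$")
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<rule>\{[0-9A-Fa-f-]+\})\] => \((?P<action>\w+)\) (?P<path>.+)$"
)
TASK_RE = re.compile(r"^Task: (?P<task>.+?) => (?P<target>.+?)(?P<flag>\s+<==== ATTENTION)?$")
SCOPE_RE = re.compile(
    r"^SearchScopes: (?P<hive>\S+) -> (?:DefaultScope )?(?P<clsid>\{[^}]+\}) URL =\s*(?P<url>.*)$"
)

# Assumption: substrings that identify the remote-control products seen in the thread.
REMOTE_ACCESS_MARKERS = ("teamviewer", "remote control", "remote connector")
# Assumption: search providers the helper removed in the thread (Ask, AVG Secure Search).
SEARCH_WATCHLIST = ("ask.com", "mysearch.avg.com")

# Constructed sample modelled on the FRST entries quoted in the thread.
SAMPLE_LOG = r"""
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
R2 AccessGatewayConnectorService; C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe [4337272 2016-05-25] (Sysgem AG)
S2 Norton Internet Security; "C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security"
S3 NAVENG; \??\C:\ProgramData\Norton\Definitions\VirusDefs\20081022.006\NAVENG.SYS [X]
FirewallRules: [{E757F48D-5529-4354-AF8B-56210389811D}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{38E24ED2-EAAC-454A-83FE-E7A97D4A22D3}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
Task: {057FCFCA-1840-493F-9B80-437A901C1389} - System32\Tasks\{42108C75-CCDE-6044-86BC-2EEAF863EB93} => C:\Users\Jeannie\AppData\Local\{9785A~1\UNINST~1.EXE <==== ATTENTION
Task: {421F2BC8-9DDC-4DEA-A3F7-FA4A2F965F7C} - System32\Tasks\Antivirus Emergency Update => C:\Program Files\AVG\Antivirus\AvEmUpdate.exe [2017-03-02] (AVG Technologies CZ, s.r.o.)
SearchScopes: HKLM -> {F53CD4AF-28F0-43FB-B3FF-5D396282D957} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {08C2FE8D-012D-4327-B7C9-37C8EC2D2B7F} URL =
SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={B7A8B727-5307-49BB-8BC5-D47418C49081}&q={searchTerms}
URLSearchHook: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} -  No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-05-13] (Oracle Corporation)
"""


def is_remote_access(text: str) -> bool:
    lowered = text.lower()
    return any(marker in lowered for marker in REMOTE_ACCESS_MARKERS)


def search_host(url: str) -> str:
    # FRST defangs URLs as hxxp:// and hxxps://; restore the scheme before parsing.
    return urlparse(re.sub(r"^hxxp", "http", url)).hostname or ""


def on_watchlist(host: str) -> bool:
    return any(host == w or host.endswith("." + w) for w in SEARCH_WATCHLIST)


def triage(log_text: str) -> dict:
    """Bucket notable FRST lines; each bucket is a list in log order."""
    findings = {
        "remote_access_services": [],         # (state, service name)
        "remote_access_firewall_allows": [],  # executables allowed through the firewall
        "attention_tasks": [],                # scheduled-task targets FRST itself flagged
        "search_watchlist_hits": [],          # (hive, host) of scopes on the watch list
        "empty_search_scopes": [],            # CLSIDs of scopes with no URL (stale clutter)
        "orphaned_entries": [],               # registry references whose file is gone
        "missing_service_binaries": [],       # services whose driver/exe path is [X]
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(("No File", "[No File]")):
            findings["orphaned_entries"].append(line)
            continue
        if m := SERVICE_RE.match(line):
            if m["detail"].endswith("[X]"):
                findings["missing_service_binaries"].append(m["name"])
            if is_remote_access(m["detail"]):
                findings["remote_access_services"].append((m["state"], m["name"]))
        elif (m := FIREWALL_RE.match(line)) and m["action"] == "Allow" and is_remote_access(m["path"]):
            findings["remote_access_firewall_allows"].append(m["path"])
        elif (m := TASK_RE.match(line)) and m["flag"]:
            findings["attention_tasks"].append(m["target"])
        elif m := SCOPE_RE.match(line):
            host = search_host(m["url"])
            if not m["url"]:
                findings["empty_search_scopes"].append(m["clsid"])
            elif on_watchlist(host):
                findings["search_watchlist_hits"].append((m["hive"], host))
    return findings


def report(findings: dict) -> list:
    """Human-readable summary lines, one per non-empty bucket."""
    return [f"{key}: {len(items)}" for key, items in findings.items() if items]


if __name__ == "__main__":
    for summary in report(triage(SAMPLE_LOG)):
        print(summary)
```

Run it as a script to print per-bucket counts, or call triage() on the text of a real FRST.txt. It only reads and classifies; a remote-control service it lists may be legitimately in use, as the back-and-forth over TeamViewer earlier in the thread shows, so each finding still needs the helper's judgement before it goes into a fixlist.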
     
  9. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    I apologize for giving you conflicting information, but she does use TeamViewer. She doesn't always remember the first time I ask her something.
    Also, I have noticed that she has a lot of the same files and issues that I am having on my PCs. Can you take a look at a couple of things and tell me if you think anything looks off? Like the driver dates, particularly 6/21/06, which is what is on all of my computers no matter which Windows version I am running or the age of the PC. Is that normal? I would think that there would have been some driver updates in the last eleven years, particularly for machines and programs created after that. I will attach some snips.
    Thank you.

    in recents.JPG Malwarebytes Quarantine Snip.JPG MBAM Q.JPG networks.JPG sec dev.JPG Snip Generic SM xD Picture USB Device.JPG connections.JPG xbox.com permissions.JPG xbox.xom page info - media.JPG xbox.com page info gen.JPG
     
  10. foxfire

    foxfire Malware Specialist

    Joined:
    Jan 14, 2003
    Messages:
    313
    In that case it would be better not to use the last FRST fix I gave you & simply use the first one.
    We need to clean her computer first before digressing into miscellaneous details.

    I have had a quick look at the images you gave me but do not see any abnormalities there.

    Why are you concerned about xbox.com ?
    Foxfire
     
  11. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    Understood.

    Xbox concern:

    She has told me repeatedly she doesn't know how to use the computer other than playing Hearts and getting her "mail"; she has shortcuts on the desktop for both - several for each.

    She didn't think she had internet, and doesn't know how to look up anything, really doesn't.

    Since there were so many remote access apps/programs I was curious about her browser history and found several to a specific xbox page, and some other curious pages.

    Xbox of course has xbox live, and Windows live is one of the programs being used to access my computers, and I have uninstalled it about a hundred times from mine and it never actually uninstalls.

    And TeamViewer is set up to let someone else remotely control her computer. Someone she doesn't really know, and the settings were such that she'd never know when he was connected or what he was doing. This person is also an administrator with his own login.

    I can tell you for a fact she doesn't have any interest in xbox, but he's a young techy guy.

    She said someone told her to buy the computer and set it up for her. Set up her internet, modem, and router, on a used PC running Vista. I have a pc that runs Vista home premium and it is a totally different setup. Doesn't even have the same features or commands. Both pcs are hp and about the same year so it's suspicious to me that the same operating system is so very different from my Vista and acts more like my Windows 8 or even 10.

    But, I am overly suspicious right now because people are trying to take advantage of her situation. And I've been trying to do what I can to stop it until her daughter can get here to step in. So, when she said it was set up for her and that no one has come to make sure it's ok, or taught her how to use it, and I have found TeamViewer set up with the username and password saved and certain settings selected, well, it makes me very concerned.

    I'm just trying to be as thorough as possible because I had planned a move prior to knowing how she had declined, so come May 1 I won't be here to check on her.

    I spent the day trying to contain things and am exhausted, so I apologize if that didn't make sense.
     
  12. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    I probably should add that my computers were compromised 8/16. Followed by Id theft, bank fraud, cc fraud, mail theft, theft of services, and the list goes on and on. I am still trying to secure mine and have spent thousands. I don't want that to happen to her.

    Mine, is related to an angry ex who's in cybersecurity, but I know how devastating it can be to your life. Particularly when really weird stuff happens like getting calls from your home or prepaid phone that's out of minutes, every time you leave the house. It can be scary.
     
  13. foxfire

    foxfire Malware Specialist

    Joined:
    Jan 14, 2003
    Messages:
    313
    Thank you, I can now understand your position more clearly.
    I consider that we should proceed with standardised cleaning of the computer.

    I am reluctant to remove TeamViewer when the lady tells me that it is used.
    However, now knowing the circumstances, I consider a sensible compromise
    would be to restrict any access as detailed Here. It can always be re-enabled later if required.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Assuming that you have not run either of my previous scripts, please do this:-

    Open notepad. Please copy the contents of the code box below.
    To do this highlight the contents of the box and right click on it.
    Then paste it into the open notepad.
    Save it on the Desktop as fixlist.txt
    Code:
       CreateRestorePoint:
       CloseProcesses:
       C:\Program Files\AVG Web TuneUp
       C:\Program Files\AVG Web TuneUp\vprot.exe
       C:\Program Files\AVG Web TuneUp\CefHost.exe
       C:\Program Files\AVG Web TuneUp\CefHost.exe
       (Sysgem AG) C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe
       (Sysgem AG) C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe
       (Sysgem AG) C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe
       Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
       HKLM\...\Run: [] => [X]
       [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporatio
       [vProt] => C:\Program Files\AVG Web TuneUp\vprot.exe [2183752 2017-03-03] ()
       ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
       ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
       GroupPolicy: Restriction ? <======= ATTENTION
       HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
       HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
       HKU\S-1-5-21-2736668572-1433372153-159621795-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
       HKU\S-1-5-21-2736668572-1433372153-159621795-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
       HKU\S-1-5-21-2736668572-1433372153-159621795-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
       HKU\S-1-5-21-2736668572-1433372153-159621795-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
       URLSearchHook: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} -  No File
       SearchScopes: HKLM -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
       SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
       SearchScopes: HKLM -> {F53CD4AF-28F0-43FB-B3FF-5D396282D957} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
       SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {08C2FE8D-012D-4327-B7C9-37C8EC2D2B7F} URL =
       SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={B7A8B727-5307-49BB-8BC5-D47418C49081}&mid=44d26d010f4547ccb4c4d16dca89858e-f416f6a4e84614dfe2940501b06f7d0a192d0d10&lang=en&ds=AVG&coid=avgtbavg&cmpid=0616tb&pr=fr&d=2016-06-08 09:04:40&v=4.3.1.831&pid=wtu&sg=&sap=dsp&q={searchTerms}
       SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL =
       SearchScopes: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> {F53CD4AF-28F0-43FB-B3FF-5D396282D957} URL =
       BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-05-13] (Oracle Corporation)
       BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Web TuneUp\4.3.7.452\AVG Web TuneUp.dll [2017-03-03] (AVG)
       BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-13] (Oracle Corporation)
       Toolbar: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
       Toolbar: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> No Name - {42435041-322D-5637-00A7-7A786E7484D7} -  No File
       Toolbar: HKU\S-1-5-21-2736668572-1433372153-159621795-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
       FF Extension: (AVG Web TuneUp) - C:\Users\Jeannie\AppData\Roaming\Mozilla\Firefox\Profiles\ldyuvi6l.default\Extensions\[email protected] [2017-03-03]
       FF SearchPlugin: C:\Users\Jeannie\AppData\Roaming\Mozilla\Firefox\Profiles\ldyuvi6l.default\searchplugins\avg-secure-search.xml [2017-03-03]
       FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.7\\npsitesafety.dll [No File]
       FF Plugin: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-13] (Oracle Corporation)
       FF Plugin: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-13] (Oracle Corporation)
       R2 AccessGatewayConnectorService; C:\Program Files\Sysgem AG\SysMan Remote Control Server\Remote Connector.exe [4337272 2016-05-25] (Sysgem AG)
       AVG Web TuneUp (HKLM\...\AVG Web TuneUp) (Version: 4.3.7.452 - AVG Technologies)
       R2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [981576 2017-03-03] ()
       S2 Norton Internet Security; "C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1
       S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVENG.SYS [X]
       S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVEX15.SYS [X]
       Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
       HP Total Care Advisor (HKLM\...\{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}) (Version: 2.4.5106.2815 - Hewlett-Packard)
       HP Total Care Setup (HKLM\...\{38058455-8C21-4C2F-B2F6-14ED166039CB}) (Version: 1.1.1983.2818 - Hewlett-Packard Company)
       Java 8 Update 91 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
       Norton Internet Security (Version: 16.0.0.125 - Symantec Corporation) Hidden
       Task: {057FCFCA-1840-493F-9B80-437A901C1389} - System32\Tasks\{42108C75-CCDE-6044-86BC-2EEAF863EB93} => C:\Users\Jeannie\AppData\Local\{9785A~1\UNINST~1.EXE <==== ATTENTION
       Task: {421F2BC8-9DDC-4DEA-A3F7-FA4A2F965F7C} - System32\Tasks\Antivirus Emergency Update => C:\Program Files\AVG\Antivirus\AvEmUpdate.exe [2017-03-02] (AVG Technologies CZ, s.r.o.)
       Task: C:\Windows\Tasks\{42108C75-CCDE-6044-86BC-2EEAF863EB93}.job => C:\Users\Jeannie\AppData\Local\{9785A~1\UNINST~1.EXE <==== ATTENTION
       2016-06-08 09:04 - 2017-03-03 17:46 - 00981576 _____ () C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe
       2008-12-16 17:50 - 2008-09-15 07:14 - 00028672 _____ () c:\Program Files\Cyberlink\Shared files\RichVideops.dll
       2016-06-08 09:04 - 2017-03-03 17:46 - 02183752 _____ () C:\Program Files\AVG Web TuneUp\vprot.exe
       2016-06-08 09:04 - 2017-03-03 17:46 - 01205320 _____ () C:\Program Files\AVG Web TuneUp\CefHost.exe
       2016-06-08 09:04 - 2017-03-03 17:46 - 40638536 _____ () C:\Program Files\AVG Web TuneUp\libcef.dll
       C:\Users\Jeannie\AppData\Roaming\WB.CFG
       CMD: ipconfig /flushdns
       Empty temp:
       Reboot:
       
    NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
    (Both on the Desktop is OK, or both in the same folder elsewhere)

    Run FRST64 and press the FIX button just once, and wait. DO NOT PRESS THE SCAN BUTTON.
    If for some reason the tool needs a restart, please make sure you let the system restart normally.
    The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
    When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Please download AdwCleaner onto your Desktop.

    Take care NOT to click on any ad, such as PC Optimizer Pro. The correct link is the button labeled "Download from Bleeping Computer".
    NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    • Close your browser and double click the AdwCleaner icon on your desktop.
    • Click on the Scan in the Actions box
    • Please wait for the scan to finish.
    • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
    • Click on the Cleaning box.
    • Next click OK on the "Closing Programs" pop up box.
    • Click OK on the Information box & again OK to allow the necessary reboot
      After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply....
    • If you lose track of the log, it is saved in this folder C:\AdwCleaner\

    I need Fixlist.txt & AdwCleaner log please.
    Foxfire
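Added here as an illustration of how the fixlist entries above are structured (not code from the thread, from Foxfire, or from FRST itself): a small Python helper that parses fixlist-style lines, pulls out the file each entry points at, and reports the ones FRST marks with `<==== ATTENTION`, `No File` or `[X]`, plus two defender heuristics of my own (an empty publisher field and a binary living under a user profile). The GUIDs, names and paths in the sample are constructed placeholders.

```python
import re

# Constructed sample in the FRST fixlist format quoted in the post above; the GUIDs,
# names and paths are invented placeholders, not values copied from the thread.
SAMPLE_FIXLIST = r"""
BHO: Example Helper -> {11111111-2222-3333-4444-555555555555} -> C:\Program Files\Example\helper.dll [2016-05-13] (Example Corp)
Toolbar: HKU\S-1-5-21-1-2-3-1000 -> No Name - {66666666-7777-8888-9999-000000000000} -  No File
R2 ExampleSvc; C:\Program Files\Example\support.exe [981576 2017-03-03] ()
S3 OLDDRV; \??\C:\ProgramData\Example\Definitions\old.sys [X]
Task: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - System32\Tasks\Example => C:\Users\user\AppData\Local\{1A2B3~1\UNINST~1.EXE <==== ATTENTION
CMD: ipconfig /flushdns
Empty temp:
Reboot:
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);\s*(.*)$")   # "R2 Name; path [size date] (publisher)"
KEYED_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")   # "BHO: ...", "Task: ...", "CMD: ..."
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[<]+?)(?=\s+\[|\s+<====|\s*$)")  # drive path up to "[", "<====" or EOL
DIRECTIVES = {"CMD", "Empty temp", "Reboot"}               # fixlist commands, not findings

# Markers FRST itself emits for entries that deserve a second look, plus two heuristics
# (assumptions of this example): an empty publisher "()" and an executable under a profile.
FLAG_PATTERNS = {
    "attention": re.compile(r"<==== ATTENTION"),
    "no_file": re.compile(r"\bNo File\b"),
    "missing_on_disk": re.compile(r"\[X\]\s*$"),
    "unsigned": re.compile(r"\(\)\s*$"),
    "user_profile_binary": re.compile(r"\\AppData\\.*\.(exe|dll|sys)\b", re.IGNORECASE),
}

def parse_entry(line):
    """Split one fixlist line into kind, name, referenced path and triage flags."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        kind, name, body = "service/driver", m.group(2), m.group(3)
    else:
        m = KEYED_RE.match(line)
        if not m:
            return None                      # file-listing or unknown line: skip
        kind, body = m.group(1), m.group(2)
        if kind in DIRECTIVES:
            return {"kind": "directive", "name": kind, "path": None, "flags": []}
        name = body.split(" -> ")[0] if " -> " in body else kind
    path = PATH_RE.search(body)
    flags = [f for f, rx in FLAG_PATTERNS.items() if rx.search(line)]
    return {"kind": kind, "name": name, "path": path.group(1) if path else None, "flags": flags}

def triage(fixlist):
    """Return only the entries carrying at least one flag, in fixlist order."""
    entries = (parse_entry(l) for l in fixlist.splitlines() if l.strip())
    return [e for e in entries if e and e["flags"]]
```

Running `triage(SAMPLE_FIXLIST)` returns the toolbar, service, driver and task entries with their flags, so a reviewer can check each referenced path against the disk before the fix is applied.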
     
  14. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    Thank you for understanding. I have not run either script but will try again tomorrow.

    Do you know what Polaris Office is? I got an email today about not logging in for a year and my data will be deleted. I don't know what that is.

    Thank you.
     

    Attached Files:

    Last edited: Apr 7, 2017
  15. JMFD17

    JMFD17 Thread Starter

    Joined:
    Mar 25, 2017
    Messages:
    54
    It's very strange, but frst.exe was nowhere to be found on the computer. So I downloaded it again and ran your fixlist. It restarted, let me choose a login account, then went black for several minutes. All I could see was the white cursor.

    It has come back on but a dialogue box flashed on the screen, just like mine at home before the desktop appeared. I will attach the log and message from the computer now that it is back on.
     
Short URL to this thread: https://techguy.org/1187718