Please help with removal of Trojan/tracking software.

Help needed in removal of trojan.

They told me their system was “overheating” and would randomly shut down. There are known issues for this problem from the manufacturer as well, but they didn’t want to apply the fix. Eventually the machine became unbootable; it would POST but not load Windows, so they gave it to me to see if I could restore it. I found the problem and fixed it. When trying to update the drivers for their video card, as they hadn’t used the computer in at least 2 or more years, I went to the nvidia site (http://www.geforce.com/drivers) and two pop-ups came onscreen, both at the bottom corners, one on the left and the other on the right. The left one was saying I didn’t have some program needed to watch this video, click here to get it. The one on the right was saying something like click here to learn more about nvidia. They were obviously advertisements/malware/spyware or a virus; I was able to go to that same page without popups on any of my other computers or devices. Each time I opened the homepage “google.com” and did a search, no matter on what, those same boxes at the lower corners reappeared, trying to say they pertained to my search topic. After hours of quick and full scans with multiple antispyware programs, some found things and “removed” them; others said the system was clean. The popups still came. Eventually I installed Avast onto the machine and decided to run the boot scan offered. It told me there was a file in one of the folders named Super Mario Brothers.txt that was infected with JS:ScriptIP-inf [Trj]. I followed the prompts and chose to delete all and let it continue the scan.

The popups still are there!

  1. Detected: by myself by seeing popups, then by Avast during the boot scan.
  2. File Source: Super Mario Brothers.txt infected with JS:ScriptIP-inf [Trj]
  3. Downloaded/Received: Unknown; the system hasn’t been used for a few years.
  4. Exact file name with extension: Super Mario Brothers.txt
  5. Last Pop up message from Avast: None. Quick Scan didn’t find anything. Boot scan did.
  6. Rescan File: Can’t scan that particular file; Avast deleted it after my confirmation during the boot scan find.
  7. Check with an online scanner: Can’t, the computer that’s infected recently lost its wifi internet and network connection.
  8. Currently checking sites listed on forum post guide “What to do if a file is infected?” on another safe running computer.
  9. Decision: Infected computer may still be at risk. There are popups that seem to be tracking, and scanners thus far have failed. Still will be running others. Checked youtube and there’s supposedly a removal tool, but I don’t trust the sites they offer to download.
    (http://www.virusremoval-tool.net/jsscriptip-inf-trj-remove-jsscriptip-inf-trj-in-a-hassle-free-way) Please confirm if that site is good to use.
  10. Inform others. Will do so soon once I get this solved.

Edited: The first 2 sites mentioned on the What to do guide have invalid links and I can’t apply the online scan on the broken computer at the moment. It’s not able to connect to the net. It suddenly dropped connection and couldn’t seem to reconnect when I went to youtube to try to get the download of one of the suggested removal tools.

Hello

To begin, I’d like to know what programs/antispyware etc. you used.

Have you got any report from them?
If yes, upload each of them to http://cjoint.com and give the link they give you in exchange.

Hi, and thanks for the response.
These are the programs I’ve used to try and clean this computer up.
CCleaner, Kaspersky Virus Removal Tool, Malwarebytes Anti-Malware Free, SUPERAntiSpyware Free Edition, Microsoft Software Removal Tool, Microsoft Security Essentials, Adaware, Avast Free Antivirus, and currently have it scanning with Spybot Search and Destroy 2.1.

I have not been able to update Spybot after just recently installing it, but also have yet to install Bitdefender and scan with that. Each scan has been taking at least an hour or a little more. This has turned into quite a project.

The site you linked is all in french and I don’t understand any of it to follow the instructions on there if there are any.
When you ask if I’ve got any report of the programs that have scanned thus far, I’d have to say yes and no. Earlier, hours after running CCleaner to remove junk files, I ran SUPERAntiSpyware Free Edition and it came up with about 114 threats found. None of them were in memory or registry from what I remember. It “cleaned” them and all repeated scans said the machine was clean. Malwarebytes hasn’t picked anything up either. After they said it was clean I tried to go online. That’s when the same pop ups were still there and I proceeded to install Avast and run a boot scan. I felt that would be the best choice, but when the prompt came up it said there was an infection as I mentioned above and I told it to “Delete All”. The pop ups are still there and I’m awaiting Spybot to finish its run.

Edited: I used a translator for the Cjoint website and I don’t have a log file on the machine I’m using to post this on. I can’t get the other one with the scanners running back on the internet.

ok

stop spybot

Adaware => you can uninstall it, it’s useless
SUPERAntiSpyware Free Edition => same thing
Spybot Search and Destroy => same thing

Uninstall all of this too => Microsoft Software Removal Tool, Microsoft Security Essentials

========

Download and save http://www.bleepingcomputer.com/download/adwcleaner/dl/125/ADWCleaner to your desktop:

Do not click Download; wait for the download popup to arrive for confirmation.

Launch it (for Vista / 7 / 8 => right click “as administrator”).

Click Delete and post C:\Adwcleaner[S1].txt via http://cjoint.com and give the link they give you.

Here’s the link for what you mentioned.

http://cjoint.com/?cfgjzYKL4F5

There’s a C:\Adwcleaner[S1].txt & C:\Adwcleaner[R1].txt and I’m working on trying to get a screenshot of the problem with my phone.

It’s just easier for me to retype the link on the other pc. the screen pics from the phone are bad.

here’s the screen shot link

http://cjoint.com/?CFgjGpI1LON

The first link once I checked to make sure it was working didn’t show the log I tried it again and here’s that one.
http://cjoint.com/?3FgjJVU26rx

There’s nothing on your link; perhaps you made a mistake copying it.

Sorry, I must have. As you can see, if the link for the screenshot is still working, the pop ups are still there. I put up another one above in case that one isn’t working; I checked it myself on the good computer and copied the text of that display to this.

AdwCleaner v2.301 - Logfile created 06/06/2013 at 03:16:30

Updated 16/05/2013 by Xplode

Operating system : Windows ™ Vista Home Premium Service Pack 2 (64 bits)

User : K3Y5 - AQUASNIPER

Boot Mode : Normal

Running from : I:\PC Ultilities\Hazard Removal\Other Cleaning\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\adawaretb
Deleted on reboot : C:\Program Files (x86)\Free Offers from Freeze.com
Deleted on reboot : C:\ProgramData\adawaretb
Deleted on reboot : C:\ProgramData\blekko toolbars
Deleted on reboot : C:\Users\K3Y5\AppData\LocalLow\adawaretb

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

-\ Google Chrome v27.0.1453.110

File : C:\Users\K3Y5\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[R1].txt - [1534 octets] - [06/06/2013 03:13:37]
AdwCleaner[S1].txt - [1347 octets] - [06/06/2013 03:16:30]

########## EOF - C:\AdwCleaner[S1].txt - [1407 octets] ##########
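The AdwCleaner log above is short enough to read by hand, but on a machine that has had half a dozen cleaners run over it the logs pile up. The following is an added example (not part of this thread and not AdwCleaner’s own code) that parses a v2.x log of this layout into its `***** [Section] *****` blocks, counts what was done, and lists the items marked “Deleted on reboot”, which are not actually gone until the machine restarts. The sample log embedded in the script is constructed for the example; the paths in it are illustrative.

```python
"""Parse an AdwCleaner v2.x '[Delete]' log into sections and summarise what it did."""
import re
from collections import defaultdict

# Constructed sample in the layout of an AdwCleaner v2.x log (not the thread's full log).
SAMPLE_LOG = r"""
AdwCleaner v2.301 - Logfile created 06/06/2013 at 03:16:30
Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\adawaretb
Deleted on reboot : C:\ProgramData\blekko toolbars
Folder Deleted : C:\Users\K3Y5\AppData\LocalLow\adawaretb

***** [Registry] *****

Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Freeze.com

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

-\ Google Chrome v27.0.1453.110

File : C:\Users\K3Y5\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.
"""

# Section banner: '***** [Files / Folders] *****'
SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
# Entry: '<Action words> : <target>'; banner-free lines like '[OK] ...' do not match.
ENTRY_RE = re.compile(r"^(?P<action>[A-Za-z][A-Za-z ]*?) : (?P<target>.+)$")


def parse_adwcleaner_log(text):
    """Return {section: [(action, target), ...]} for every banner block in the log."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
            sections.setdefault(current, [])  # keep empty sections (e.g. Services)
            continue
        if current is None or not line:
            continue  # header lines before the first banner, blank spacers
        entry = ENTRY_RE.match(line)
        if entry:
            sections[current].append((entry.group("action"), entry.group("target")))
    return dict(sections)


def items_pending_reboot(parsed):
    """Targets the tool could not remove immediately; they survive until a restart."""
    return [target for entries in parsed.values()
            for action, target in entries if action == "Deleted on reboot"]


def actions_summary(parsed):
    """Count of each action verb across all sections."""
    counts = defaultdict(int)
    for entries in parsed.values():
        for action, _ in entries:
            counts[action] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_adwcleaner_log(SAMPLE_LOG)
    print("actions:", actions_summary(parsed))
    for target in items_pending_reboot(parsed):
        print("pending reboot:", target)
```

Run it against a real log with `parse_adwcleaner_log(open(path, encoding="utf-8", errors="replace").read())`. If `items_pending_reboot` is non-empty, the machine has to be rebooted before any re-test of the popups means anything.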

ok

Let’s do a diagnostic.

Download here: http://oldtimer.geekstogo.com/OTL.exe

Save OTL to your desktop.

If you have XP => double click
If you have Vista or Windows 7 / 8 => right click “as administrator”

on OTL.exe to launch it.

Click here to see how to configure it: http://www.archive-host.com/files/1897388/ecd939269bcc7cdfed2d2e726c22709a32db3067/OTL.PNG

Copy and paste the contents of what follows in bold face into the bottom of OTL, under “Customization” (“Personalization”):

HKCU\Software
HKLM\Software
HKCU\Software\Microsoft\Command Processor /s
%Homedrive%\*
%Homedrive%\*.
%Userprofile%\*
%Userprofile%\*.
%Allusersprofile%\*
%Allusersprofile%\*.
%LocalAppData%\*
%LocalAppData%\*.
%Userprofile%\Local Settings\Application Data\*
%Userprofile%\Local Settings\Application Data\*.
%programFiles%\*
%programFiles%\*.
%Systemroot%\Installer\*.
%Systemroot%\Temp\*.exe /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\system32\*.in*
%systemroot%\Tasks\*
%systemroot%\Tasks\*.
%systemroot%\system32\Tasks\*
%systemroot%\system32\Tasks\*.
%systemroot%\system32\drivers\*.sy* /lockedfiles
%systemroot%\system32\config\*.exe /s
%Systemroot%\ServiceProfiles\*.exe /s
%systemroot%\system32\*.sys
msconfig
activex
/md5start
explorer.exe
winlogon.exe
wininit.exe
volsnap.sys
atapi.sys
ndisuio.sys
ndis.sys
cdrom.sys
i8042prt.sys
iastor.sys
tdx.sys
netbt.sys
afd.sys
/md5stop
netsvcs
safebootminimal
safebootnetwork
CREATERESTOREPOINT

Click on “Analyse”

At the end of the scan, Notepad is going to open with the reports (OTL.txt) and (Extras.txt).

These files are on your Desktop.

Give the links of both files on cjoint.com.

Ok, I’ve got the OTL program running as administrator under those settings in the picture. The scan is still going, while I’m dozing off watching it.

Isn’t it OK now? Have you got a problem with OTL?

Sorry for the late return, but yes, the popups were still there even after OTL ran and did the log.

Here are the logs from OTL as requested.
http://cjoint.com/?0FgwzFk0AZk
http://cjoint.com/?0FgwBljU80L

ok

I told you to uninstall Spybot and I see it running again…
I told you to uninstall Ad-Aware and I see it running again.
Uninstall all Java too; it’s not up to date.

Your hosts file is infected!!!

Do what I ask; otherwise I cannot do what is good for your computer.
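The helper’s point that the hosts file is infected is worth understanding, because a modified `%SystemRoot%\System32\drivers\etc\hosts` is one of the few things no browser setting will show you: any name listed there is resolved locally, so an entry can silently redirect an antivirus vendor’s site to an attacker-controlled address or block an update server. The script below is an added example, not from this thread or any of the tools in it, of how a defender triages that file. The hosts content, addresses and domain names embedded in it are constructed for the example (reserved example/test names and documentation addresses); on the real machine you would read the actual file instead.

```python
"""Triage a Windows hosts file: list entries that redirect or block names."""
import ipaddress

# Constructed sample in the layout of %SystemRoot%\System32\drivers\etc\hosts.
# The three entries after the two 'localhost' lines are invented to show each
# verdict; they are not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.av-vendor.example       # redirect to a remote host
0.0.0.0         ads.example                 # sinkhole (ad-blocking lists do this)
127.0.0.1       update.vendor.example       # name silently blocked
"""


def parse_hosts(text):
    """Return [(line_no, ip, [names])], skipping blanks, comments and malformed lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver ignores such lines too
        entries.append((line_no, ip, fields[1:]))
    return entries


def classify_entry(ip, names):
    """Map one entry to 'default', 'sinkhole', 'blocked' or 'redirect'."""
    local = ip.is_loopback or ip.is_unspecified
    if local and all(n.lower() == "localhost" for n in names):
        return "default"     # the stock Microsoft entries
    if ip.is_unspecified:
        return "sinkhole"    # 0.0.0.0: connection fails fast; common in ad-block lists
    if ip.is_loopback:
        return "blocked"     # 127.0.0.1 / ::1 for a real name: that host is unreachable
    return "redirect"        # any other address: traffic for the name goes elsewhere


def triage_hosts(text):
    """Return [(line_no, verdict, ip_text, names)] for every non-default entry."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        verdict = classify_entry(ip, names)
        if verdict != "default":
            findings.append((line_no, verdict, str(ip), names))
    return findings


if __name__ == "__main__":
    for line_no, verdict, ip, names in triage_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict:8} {ip:16} {' '.join(names)}")
```

A `redirect` verdict on a security vendor’s or an operating-system update name is the finding to act on; `sinkhole` entries are usually a deliberate ad-block list and `blocked` entries need a look at which name is being blocked. One caveat for the real machine: the resolver reads the file from the folder named by the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so confirm that value still points at `%SystemRoot%\System32\drivers\etc` before trusting the file you opened.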

Ok, very sorry. Those programs are now uninstalled and I just rebooted the computer.

Now, do I rerun the OTL and generate a new log?

yes with the configuration I gave you above please

The log came up and here it is.
http://cjoint.com/?0FhaimpeZH6

OK, I’ll study it and give you the answer.

I think you’ve got some problems with certain services in your Windows.

You used a lot of tools!! Perhaps not knowing what they do in the computer!

ATTENTION!!!: Script personalized for this machine only, not to reproduce!!

If you have XP => double click
If you have Vista or Windows 7/8 => right click “as administrator”

on OTL.exe to launch it.

Copy the list which is bold below,

paste it in the zone under “Customization” (“Personalization”):

:processes
explorer.exe
iexplore.exe
firefox.exe
msnmsgr.exe
Teatimer.exe
safari.exe
opera.exe
rundll32.exe

:OTL
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No CLSID value found.
O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No CLSID value found.
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O3 - HKLM..\Toolbar: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{84CD4C2F-7B8A-473E-924A-29D8EB485FD8}: DhcpNameServer = 75.75.75.75 75.75.76.76
[2013/06/06 02:20:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2013/06/05 18:21:49 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
[2013/06/05 18:21:49 | 000,000,000 | ---D | C] -- C:\ProgramData\adawaretb
[2013/06/05 18:21:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\adawaretb
[2013/06/05 18:21:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Toolbar Cleaner
[2009/04/06 11:53:55 | 000,000,000 | ---D | M] -- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2011/04/26 12:25:46 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Free Offers from Freeze.com

:Reg
[-HKEY_CURRENT_USER\Software\Ad-Aware Search Protection]
[-HKEY_LOCAL_MACHINE\Software\PCTools]
[-HKEY_LOCAL_MACHINE\Software\Toolbar Cleaner]

:Files
C:\3a8fb82f71d9e672c437d2
C:\3aedc9f728200204527f6d
C:\69bc0f5449b2f286d130
C:\825624550b2b734fa9f00d
C:\dc55c265e3c993f016fada7177

:commands
[emptytemp]

To launch the deletion, click “Correction”.

Post the report, which should open by itself when the work finishes after the restart.
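Before pasting a fix script like the one above into OTL, it pays to know exactly what it will do, section by section: the `:processes` block lists processes, `:OTL` lists log lines to act on (here mostly BHO and toolbar entries whose CLSID has no registration behind it, the “No CLSID value found” lines), `:Reg` removes whole registry keys with the `[-KEY]` syntax, `:Files` deletes paths, and `:commands` runs built-ins such as `[emptytemp]`. The script below is an added example (not from this thread and not OTL’s own code) that parses a script in this format and reports those facts, so the person running it can check the list against their own log first. The embedded script is constructed for the example; the second `O2` line, its path and its CLSID are invented to show an entry that is not orphaned.

```python
"""Parse an OTL fix script into its ':section' blocks and list what it will touch."""
import re

# Registry CLSID shape: {8-4-4-4-12 hex}
GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
# O2/O3 log lines whose CLSID is not registered anywhere (orphaned add-on entries)
ORPHAN_RE = re.compile(rf"^(?P<kind>O\d+) - .*?(?P<clsid>{GUID}) - No CLSID value found\.$")
# ':Reg' deletion syntax: [-HKEY_...\Key]
REG_DEL_RE = re.compile(r"^\[-(?P<key>.+)\]$")

# Constructed sample in the layout of the fix script above. The 'Example Helper'
# line, its path and its CLSID are invented; everything else mirrors the format.
SAMPLE_SCRIPT = r"""
:processes
explorer.exe
iexplore.exe

:OTL
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll (Example Vendor)
O3 - HKLM..\Toolbar: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No CLSID value found.

:Reg
[-HKEY_CURRENT_USER\Software\Ad-Aware Search Protection]
[-HKEY_LOCAL_MACHINE\Software\Toolbar Cleaner]

:Files
C:\3a8fb82f71d9e672c437d2

:commands
[emptytemp]
"""


def parse_otl_script(text):
    """Return an ordered {section: [lines]} dict; a section starts at a ':name' line."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:]
            sections[current] = []
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def orphaned_clsid_entries(otl_lines):
    """(kind, clsid) for O2/O3-style lines whose CLSID has no registration."""
    found = []
    for line in otl_lines:
        m = ORPHAN_RE.match(line)
        if m:
            found.append((m.group("kind"), m.group("clsid")))
    return found


def registry_deletions(sections):
    """Registry keys the ':Reg' block removes."""
    return [m.group("key") for line in sections.get("Reg", [])
            if (m := REG_DEL_RE.match(line))]


def fix_summary(text):
    """Everything a reviewer wants to see before running the script."""
    s = parse_otl_script(text)
    return {
        "processes_listed": list(s.get("processes", [])),
        "orphaned_clsids": orphaned_clsid_entries(s.get("OTL", [])),
        "registry_keys_removed": registry_deletions(s),
        "files_removed": list(s.get("Files", [])),
        "commands": list(s.get("commands", [])),
    }


if __name__ == "__main__":
    for key, value in fix_summary(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

The `ORPHAN_RE` check is the useful detection piece on its own: an `O2`/`O3` line ending in “No CLSID value found.” is an add-on or toolbar registration whose component is gone, which is what a half-removed adware install leaves behind. Anything in `files_removed` or `registry_keys_removed` that you cannot match to a line in your own OTL log should be questioned before the script runs.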

Some of the text listed looks like it should be in blue but it’s not. Should I copy and paste all the lines both blue and black text? Or just the blue bold?

I edited and corrected it.

OTL just finished up and here is the OTL.txt & Extras.txt links

http://cjoint.com/?0FhbkUqWvcP

&

http://cjoint.com/?0FhbtsHKaOf