Solved Bogus files appearing in my PC

[jimrich]

I live in Encino, CA. I thought you were in a different time zone than us. I took a while but here is the ESET report:
C:\Windows\SysWOW64\LavasoftTcpService.dll a variant of Win32/Packed.Komodia.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\jimrich\AppData\LocalLow\internethelper3.1\hk64tbInte.dll.vir a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\jimrich\AppData\LocalLow\internethelper3.1\hktbInte.dll.vir a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\jimrich\AppData\LocalLow\internethelper3.1\ldrtbInte.dll.vir a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\jimrich\AppData\LocalLow\internethelper3.1\tbInte.dll.vir a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\FRST\Quarantine\C\ksys2kh8hxd\doguhkdbnupvw.exe.xBAD a variant of Win32/Agent.XDQ trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\ksys2kh8hxd\vezkoophwj.exe.xBAD a variant of Win32/Agent.XDQ trojan cleaned by deleting - quarantined
C:\iplorrggjphxta\ewkzljtc.exe a variant of Win32/Bayrob.R trojan cleaned by deleting - quarantined
C:\Users\jimrich\Desktop\COMPUTER STUFF\FileZilla_3.10.2_win32-setup.exe a variant of Win32/InstallCore.XA potentially unwanted application deleted - quarantined
C:\Users\jimrich\Desktop\FIXES & REPAIRS\lifeguard-diagnostics cnet2_WinDlg_124_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
C:\Users\jimrich\Desktop\TECH\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
C:\Windows\imaqugdcooyqv\aol\tmp\caozhongwang.mp3 _______________________________________.exe a variant of Win32/Bayrob.T trojan cleaned by deleting - quarantined
C:\Windows\System32\LavasoftTcpService.dll a variant of Win32/Packed.Komodia.A potentially unwanted application deleted - quarantined
F:\Desktop\COMPUTER STUFF\FileZilla_3.10.2_win32-setup.exe a variant of Win32/InstallCore.XA potentially unwanted application deleted - quarantined
F:\Desktop\FIXES & REPAIRS\lifeguard-diagnostics cnet2_WinDlg_124_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
F:\Desktop\TECH\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Desktop\FileZillaSetup (2013_11_07 08_55_37 UTC).exe Win32/DownWare.S potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Desktop\FIXES & REPAIRS\lifeguard-diagnostics cnet2_WinDlg_124_zip (2013_07_03 22_59_45 UTC).exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Desktop\TECH\Unlocker1.9.2 (2013_09_14 05_22_31 UTC).exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Documents\COMPUTER-TECH\lifeguard-diagnostics cnet2_WinDlg_124_zip (2013_07_02 04_03_27 UTC).exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Documents\COMPUTER-TECH\lifeguard-diagnostics cnet2_WinDlg_124_zip (2014_02_18 18_45_28 UTC).exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Documents\COMPUTER-TECH\Unlocker_1.9.2 (2013_07_03 02_26_37 UTC).exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Documents\COMPUTER-TECH\Unlocker_1.9.2 (2014_02_18 18_45_28 UTC).exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Documents\COMPUTER-TECH\registry fix for Help & Support application\registryfix (2013_07_02 04_03_27 UTC).exe a variant of Win32/Adware.ErrorClean application cleaned by deleting - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Documents\COMPUTER-TECH\registry fix for Help & Support application\registryfix (2014_02_18 18_45_28 UTC).exe a variant of Win32/Adware.ErrorClean application cleaned by deleting - quarantined
F:\FileHistory\jimrich\IDEA-PC\Data\C\Users\jimrich\Documents\Downloads\FileZilla_3.10.2_win32-setup (2015_03_09 02_57_08 UTC).exe a variant of Win32/InstallCore.XA potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\lifeguard-diagnostics cnet2_WinDlg_124_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\Unlocker_1.9.2.exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\LENOVO\jimrich\AppData\Local\Temp\wajam_download.exe Win32/Wajam.B potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\LENOVO\jimrich\AppData\Local\Temp\is-P4STN.tmp\vtoolsToolbar-stub-1.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\LENOVO\jimrich\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe Win32/Toolbar.DefaultTab.A potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\LENOVO\jimrich\Documents\COMPUTER-TECH\lifeguard-diagnostics cnet2_WinDlg_124_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\LENOVO\jimrich\Documents\COMPUTER-TECH\registry fix for Help & Support application\registryfix.exe a variant of Win32/Adware.ErrorClean application cleaned by deleting - quarantined
F:\My Documents\COMPUTER-TECH\LENOVO\jimrich\Documents\COMPUTER-TECH\SKYPE\SoftonicDownloader_for_skype.exe Win32/SoftonicDownloader.E potentially unwanted application deleted - quarantined
F:\My Documents\COMPUTER-TECH\registry fix for Help & Support application\registryfix.exe a variant of Win32/Adware.ErrorClean application cleaned by deleting - quarantined
F:\Programs-more programs below\File Type Assistant\tsassist.exe a variant of Win32/FileTypeAssistant.A potentially unwanted application deleted - quarantined
F:\Programs-more programs below\FREE FILE VIEWER\FreeFileViewer2012Setup.exe a variant of Win32/InstallIQ.A potentially unwanted application deleted - quarantined
F:\Windows8_OS\Program Files (x86)\Application Updater\ApplicationUpdater.exe a variant of Win32/Toolbar.Widgi.A potentially unwanted application deleted - quarantined
F:\Windows8_OS\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi potentially unwanted application deleted - quarantined
F:\Windows8_OS\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings64.exe a variant of Win64/Toolbar.Widgi.A potentially unwanted application deleted - quarantined
F:\Windows8_OS\Program Files (x86)\Common Files\Spigot\Search Settings\wth162.dll a variant of Win32/Toolbar.Widgi.A potentially unwanted application deleted - quarantined
F:\Windows8_OS\Program Files (x86)\Common Files\Spigot\Search Settings\wthx162.dll a variant of Win64/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\AppData\Local\Conduit\CT3289663\InternetHelper3.1AutoUpdateHelper.exe Win32/Toolbar.Conduit.V potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\AppData\LocalLow\InternetHelper3.1\hk64tbInte.dll a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\AppData\LocalLow\InternetHelper3.1\hktbInte.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\AppData\LocalLow\InternetHelper3.1\ldrtbInte.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\AppData\LocalLow\InternetHelper3.1\tbInte.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe Win32/Toolbar.DefaultTab.A potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\Desktop\FIXES & REPAIRS\lifeguard-diagnostics cnet2_WinDlg_124_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
F:\Windows8_OS\Users\jimrich\Desktop\TECH\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
H:\DOCUMENTS\COMPUTER-TECH\registry fix for Help & Support application\registryfix.exe a variant of Win32/Adware.ErrorClean application cleaned by deleting - quarantined
H:\LEVONO DESK TOP\COMPUTER STUFF\FileZilla_3.10.2_win32-setup.exe a variant of Win32/InstallCore.XA potentially unwanted application deleted - quarantined
H:\LEVONO DESK TOP\FIXES & REPAIRS\lifeguard-diagnostics cnet2_WinDlg_124_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
H:\LEVONO DESK TOP\TECH\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined

[note] there was no "Scan archives" option in this version of ESET when I started the scan. I am using Firefox so the first ESET download sent me over to a non-IE browser version. THAT'S A LOT OF INFECTIONS!!!!!!!

 

[jimrich]

Oh, one other question. In the final ESET box/panel there is an option to delete the quarantined files, so should I delete them before closing the ESET box ? - it's still open.
And there is an option which says: Manage Quarantine under the Export to text file option. Should I do anything with that option?
jim

 

[jimrich]

I just fix BITS & syst. restore but I'm leaving the ESET box open til I hear from you and then I'll restart and do the FSS log.

 

[jimrich]

I closed the ESET window without doing anything about the Quarantine items, restarted and ran the FSS scan:

Farbar Service Scanner Version: 17-01-2015
Ran by jimrich (administrator) on 25-05-2015 at 22:07:07
Running from "C:\Users\jimrich\Desktop\1 CLEAN UP"
Microsoft Windows 8.1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Action Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

[jimrich]

It's after 11 pm here so let's continue tomorrow. Thanks for all you are doing here and I will be making a donation. jim

 

[Broni]

It doesn't matter what you do with Eset. You can keep it for future use. Quarantine folder doesn't bother anything either.

Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download

DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

• Activate UAC (optional; some users prefer to keep it off)
• Remove disinfection tools
• Create registry backup
• Purge System Restore
• Reset system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

12. Please, let me know, how your computer is doing.

 

[jimrich]

Broni, I am installing Win updates (after quite a struggle to get Win updates back in action). It seems strange that there are 39 updates at over 800 MB. Is that "normal" or is my PC just importing more viruses now? It is taking a very long time to install these updates. Thanks for your help. jim

 

[Broni]

800MB of updates takes time.

 

[jimrich]

Broni, looks like everything is back to OK and I really appreciate all that you have done and also the various educational and helpful links and maintenance programs you have given me. I will definitely make a donation by the end of the month when my $$$ comes in. Is it OK to stay in touch with you should any other complicated PC issues arise? I wish I had the time to get to know all the stuff that you seem to know about computers and I'm really glad that a person like you is willing and available to help guys like me. Best wishes and good health my friend. Yours, Jim

 

[Broni]

I removed your email address from your last message so you don't get any spam mails there.

Good luck and stay safe