Solved Certain of malware on HP laptop, Windows 7

Status
Not open for further replies.
I was able to uninstall the remnants of those games but TuneUp Utilities has advised me that the "SBRE" device is not working properly. And also "X6XSEx_Pr143" is not working properly. I am unsure how to fix this. I will look in Device Manager to check drivers needing updating. I will probably still need advice please if you can.

Checked into it and these devices are stopped and the files for these cannot be found to enable them. I do not know how important they are or the effect they will have by not working. I wait on your advice before proceeding.
 
Did you have any products from Sunbelt, like Viper or CounterSpy in the past or currently? (Sunbelt is now GFI Software)

This: X6XSEx_Pr143 - is part of EXTender player.

Use SystemLook again, here's the script:

:regfind
X6XSEx_Pr143

:filefind
X6XSEx_Pr143

:folderfind
X6XSEx_Pr143
 
Yes, I used to have Vipre. My sister talked me into getting it saying how good it was but that is what started all my troubles. I hate Vipre and want no part of it in my computer. I have posted the log results for you.

SystemLook 30.07.11 by jpshortstuff
Log created at 06:57 on 10/02/2013 by Administrator
Administrator - Elevation successful

========== regfind ==========

Searching for "X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_X6XSEX_PR143]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_X6XSEX_PR143\0000]
"Service"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_X6XSEX_PR143\0000]
"DeviceDesc"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6XSEx_Pr143]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6XSEx_Pr143]
"ImagePath"="\??\C:\Program Files\Free Ride Games\X6XSEx_Pr143.Sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6XSEx_Pr143]
"DisplayName"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6XSEx_Pr143\Enum]
"0"="Root\LEGACY_X6XSEX_PR143\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_X6XSEX_PR143]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_X6XSEX_PR143\0000]
"Service"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_X6XSEX_PR143\0000]
"DeviceDesc"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\X6XSEx_Pr143]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\X6XSEx_Pr143]
"ImagePath"="\??\C:\Program Files\Free Ride Games\X6XSEx_Pr143.Sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\X6XSEx_Pr143]
"DisplayName"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_X6XSEX_PR143]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_X6XSEX_PR143\0000]
"Service"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_X6XSEX_PR143\0000]
"DeviceDesc"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\X6XSEx_Pr143]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\X6XSEx_Pr143]
"ImagePath"="\??\C:\Program Files\Free Ride Games\X6XSEx_Pr143.Sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\X6XSEx_Pr143]
"DisplayName"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\X6XSEx_Pr143\Enum]
"0"="Root\LEGACY_X6XSEX_PR143\0000"

========== filefind ==========

Searching for "X6XSEx_Pr143"
No files found.

========== folderfind ==========

Searching for "X6XSEx_Pr143"
No folders found.

-= EOF =-

I still see "Free Ride Games" remnants in there too. I don't know how that ever got in but I didn't want it and it doesn't seem to want to leave too easily.
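The log above shows the pattern behind the "device is not working properly" warning: a driver service is still registered in the registry (ImagePath under CurrentControlSet\services) but filefind cannot locate the file. The following is an added example, not part of the thread and not SystemLook's or OTL's own code, that parses a SystemLook log in this format and lists services whose ImagePath file was not found; the sample input is the relevant lines of the log posted above, and the format of a filefind hit (a drive path followed by attributes) is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Sample input: the relevant lines of the SystemLook log posted above.
SAMPLE_LOG = r"""
========== regfind ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_X6XSEX_PR143\0000]
"Service"="X6XSEx_Pr143"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\X6XSEx_Pr143]
"ImagePath"="\??\C:\Program Files\Free Ride Games\X6XSEx_Pr143.Sys"
========== filefind ==========
No files found.
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # [HKEY_...\key] line
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')        # "Name"="Value" line
# Assumed shape of a filefind hit: a drive path with an extension, then attributes.
FOUND_FILE_RE = re.compile(r"^([A-Za-z]:\\.+?\.[A-Za-z0-9]+)(?=\s|$)")


def service_image_paths(log_text):
    """Map service name -> ImagePath, taken only from keys directly under a
    'services' key (Enum/Root LEGACY_* device nodes are skipped)."""
    paths, key = {}, None
    for line in log_text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = VALUE_RE.match(line)
        if v and key and v.group(1).lower() == "imagepath":
            parts = key.split("\\")
            if len(parts) > 1 and parts[-2].lower() == "services":
                path = v.group(2)
                if path.startswith("\\??\\"):  # NT object-manager prefix on driver paths
                    path = path[4:]
                paths[parts[-1]] = path
    return paths


def orphaned_services(log_text):
    """Services whose registered ImagePath file was not found by filefind: a
    stale driver registration, which is what produces the device warnings."""
    found = set()
    for line in log_text.splitlines():
        m = FOUND_FILE_RE.match(line)
        if m:
            found.add(PureWindowsPath(m.group(1)).name.lower())
    return {name: path for name, path in service_image_paths(log_text).items()
            if PureWindowsPath(path).name.lower() not in found}
```

The returned names are exactly the service keys an OTL :services fix would need to remove.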
 
OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :services
    LEGACY_X6XSEX_PR143
    X6XSEx_Pr143
    SBRE

    :files
    C:\Program Files\Free Ride Games

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  • Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
 
That completely took care of it!! Have we finally got it cleaned out? Log:

All processes killed
========== SERVICES/DRIVERS ==========
Error: No service named LEGACY_X6XSEX_PR143 was found to stop!
Service\Driver key LEGACY_X6XSEX_PR143 not found.
Service X6XSEx_Pr143 stopped successfully!
Service X6XSEx_Pr143 deleted successfully!
Service SBRE stopped successfully!
Service SBRE deleted successfully!
========== FILES ==========
File\Folder C:\Program Files\Free Ride Games not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 4997294 bytes
->Temporary Internet Files folder emptied: 167505 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 7603345 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 492 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66016 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 12.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02112013_231911

Files\Folders moved on Reboot...
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create


Remove tools, temp files, old Restore Points

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :files
    ipconfig /flushdns /c

    :commands
    [CREATERESTOREPOINT]
    [CLEARALLRESTOREPOINTS]
    [emptyflash]
    [emptytemp]
    [emptyjava]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL sometimes hides your Desktop and Start menu so the cleanup can be completed. Do not be alerted, as this is normal.
  • It may open a log for you, but I don't need that.

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Clean Restore Point made. All programs/tools used while fixing my system have been removed. Think it is OK especially if you say so. Here is the log you requested and thanks from my heart for your help. I don't have much but I may try to give you what I can as a donation. I know the rules; it is not payment it is a donation. Let me know if we are finally clean and clear, thanks. Log:


Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
TuneUp Utilities 2012
TuneUp Utilities Language Pack (en-US)
Java(TM) 6 Update 26
Java Card Security for HP ProtectTools
Java version out of Date!
Adobe Flash Player 11.4.402.278
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (18.0.2)
Google Chrome 16.0.912.77
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


Is it OK to update my Java and Adobe Reader?
 
Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.


Any other questions before I mark this topic solved?
 
I uninstalled all Adobe products. It would let me uninstall (the 8.2.0 version). It still has Adobe AIR but it may have updated it because it updated all the plug-ins. I cannot uninstall "Java Security for HP Protect Tools" and I don't see any J2SE Runtime Environment so I downloaded the latest version. Before installing it removed all older versions. I now have the newest versions of Adobe and Java. Seems like all is well.
 