Removing SmartComp Safe Network/GetPrivate virus
Solved/Closed
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
-
Nov 26, 2015 at 01:52 PM
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016 - Dec 21, 2015 at 06:37 PM
11 responses
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 27, 2015 at 04:57 PM
Hello again,
This is a dandy. If you really give a VirusTotal scan to everything you download and install, it surely did not work for you. There are 50 pieces of malware infecting your computer, as well as 14 useless files.
Shall we get rid of them? I assume your answer is yes.
Here is what I wish you to do. If I ask you to delete some program files, don't be alarmed, as they really do contain malware.
Step one:
Through the add/remove program utility, remove the following:
Skillbrains
Step two:
1. Close all applications
2. Go to this URL
https://nicolascoolman.eu
and download zhpfix
3. Select and copy the following bold lines:
(For any other user reading this thread, the following lines cannot be used by you, they are customized for Ezpz)
Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O42 - Logiciel: Lightshot-5.3.0.0 - (.Skillbrains.) [HKLM][64Bits] -- {30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
HKLM\SOFTWARE\Wow6432Node\NpApp
HKLM\SOFTWARE\Wow6432Node\SecureWeb
HKLM\SOFTWARE\Wow6432Node\SecureWebChannel
HKLM\SOFTWARE\Wow6432Node\Skillbrains
HKLM\SOFTWARE\Wow6432Node\Systweak
HKLM\SOFTWARE\Wow6432Node\YourFileDownloader
HKCU\SOFTWARE\Skillbrains
O23 - Service: Privoxy (PrivoxyService) (PrivoxyService) . (...) - C:\Program Files (x86)\SmartComp Safe Network\privoxy.exe (.not file.)
[MD5.59F07211D52D191E465A2915EF448E0D] [APT] [Better Installer] (...) -- C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe [495616]
[MD5.70D6EA378844CC762C57FA4B8AC63764] [APT] [update-S-1-5-21-863551351-428171438-3677390635-1004] (.Copyright 2009.) -- C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [105728]
[MD5.70D6EA378844CC762C57FA4B8AC63764] [APT] [update-sys] (.Copyright 2009.) -- C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [105728]
O39 - APT: update-S-1-5-21-863551351-428171438-3677390635-1004 - (.Copyright 2009.) -- C:\WINDOWS\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004.job [408]
O39 - APT: update-sys - (.Copyright 2009.) -- C:\WINDOWS\Tasks\update-sys.job [408]
O39 - APT: Better Installer - (...) -- C:\WINDOWS\System32\Tasks\Better Installer [3430]
O39 - APT: update-S-1-5-21-863551351-428171438-3677390635-1004 - (.Copyright 2009.) -- C:\WINDOWS\System32\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004 [3394]
O39 - APT: update-sys - (.Copyright 2009.) -- C:\WINDOWS\System32\Tasks\update-sys [3388]
[MD5.0B42873501A576FF6CDE35EA69EE930A] - (.Skillbrains - Lightshot.) -- C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe [477184] [PID.3996]
3 - CFD: 12/01/2015 - [0] D -- C:\Program Files (x86)\download Manager
3 - CFD: 14/03/2015 - [] D -- C:\Program Files (x86)\Skillbrains
3 - CFD: 10/08/2014 - [0] D -- C:\Program Files (x86)\TowerTilt
3 - CFD: 20/11/2015 - [] D -- C:\Users\Bears\AppData\Roaming\Better Installer
3 - CFD: 31/01/2015 - [0] D -- C:\Users\Bears\AppData\Roaming\IHlpr
3 - CFD: 13/01/2015 - [] D -- C:\Users\Bears\AppData\Roaming\SoftwareUpdater
O45 - LFCP:[MD5.1B53EA087318112317CEB4BD8B24DC64] 20/11/2015 A -- C:\WINDOWS\Prefetch\BETTER INSTALLER.EXE-096AC1ED.pf
O45 - LFCP:[MD5.72B0018C7106214CEA435A83D3761750] 26/11/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
O61 - LFC: 2015/11/20 17:37:57 A . (..) -- C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe [495616]
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
HKLM\SYSTEM\CurrentControlSet\Services\PrivoxyService
C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe
C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
C:\WINDOWS\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004.job
C:\WINDOWS\Tasks\update-sys.job
C:\WINDOWS\System32\Tasks\Better Installer
C:\WINDOWS\System32\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004
C:\WINDOWS\System32\Tasks\update-sys
C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe
C:\Program Files (x86)\Skillbrains
C:\Program Files (x86)\TowerTilt
C:\Users\Bears\AppData\Roaming\Better Installer
C:\Users\Bears\AppData\Roaming\IHlpr
C:\WINDOWS\Prefetch\BETTER INSTALLER.EXE-096AC1ED.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
P2 - EXT FILE: (...) -- C:\Users\Bears\AppData\Roaming\Mozilla\Firefox\Profiles\7udurnxy.default\searchplugins\avg-secure-search.xml
O42 - Logiciel: Akamai NetSession Interface - (.Akamai Technologies, Inc.) [HKCU][64Bits] -- Akamai
HKCU\SOFTWARE\Akamai
[MD5.F2AD1B265908797F8A5E21E0312F2F25] - (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe [4691384] [PID.1892] ©
[MD5.F2AD1B265908797F8A5E21E0312F2F25] - (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe [4691384] [PID.10052] ©
O4 - HKCU\..\Run: [Akamai NetSession Interface] . (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe ©
O4 - HKUS\S-1-5-21-863551351-428171438-3677390635-1004\..\Run: [Akamai NetSession Interface] . (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe ©
O43 - CFD: 26/09/2015 - [0] D -- C:\ProgramData\Reprise
O43 - CFD: 14/11/2015 - [] D -- C:\Users\Bears\AppData\Local\Akamai
O87 - FAEL: "UDP Query User{527DD5B6-1909-4540-8296-DA363FA9041C}C:\games\counter-strike global offensive\csgo.exe" [In-None-P17-TRUE] .(...) -- C:\games\counter-strike global offensive\csgo.exe (.not file.)
O87 - FAEL: "TCP Query User{E91211BC-87F5-4084-A72D-E56460E940B7}C:\games\counter-strike global offensive\csgo.exe" [In-None-P6-TRUE] .(...) -- C:\games\counter-strike global offensive\csgo.exe (.not file.)
O87 - FAEL: "{4A93956D-7C85-40A0-A101-CE4F9D282F5E}" [In-None-P6-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "{1DA55B90-969F-49AA-9D39-C35C40D7A07A}" [In-None-P17-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "UDP Query User{ED0760EB-A3B9-4104-829D-66C50FCFF4A8}C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe" [In-None-P17-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "TCP Query User{1FB8229F-67CD-4261-AD9E-EDF540CBFA3F}C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe" [In-None-P6-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
4. Launch ZHP Fix and click on "Import"; the lines you copied will get pasted.
5. Click on Go. A report will be generated which you can post here.
Good luck and let me know.
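The ZHPFix script above is really an inventory of persistence points: a service (PrivoxyService), scheduled tasks (update-sys, Better Installer), Run keys, folders, prefetch files, firewall rules and bare registry keys. As an added example that is not part of the forum post, ZHPDiag or ZHPFix, the Python below parses lines in that style into structured indicators so a practitioner can count what is present per mechanism, pull out file hashes and paths, flag "ghost" entries whose binary is already gone but whose hook remains (the service and the firewall rules marked "(.not file.)"), and produce the checklist of paths and keys that should no longer exist once the fix has run. The sample input is a constructed, shortened subset of the script above, and the line-shape rules are assumptions inferred from those lines rather than ZHPDiag's documented format.

```python
"""Parse ZHPDiag/ZHPFix-style lines into structured indicators (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a shortened subset of the script in the post above,
# one line per shape. Not a real report.
SAMPLE_SCRIPT = r"""
Script ZHPFix
FirewallRaz
EmptyPrefetch
O23 - Service: Privoxy (PrivoxyService) (PrivoxyService) . (...) - C:\Program Files (x86)\SmartComp Safe Network\privoxy.exe (.not file.)
[MD5.59F07211D52D191E465A2915EF448E0D] [APT] [Better Installer] (...) -- C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe [495616]
O39 - APT: update-sys - (.Copyright 2009.) -- C:\WINDOWS\Tasks\update-sys.job [408]
O4 - HKCU\..\Run: [Akamai NetSession Interface] . (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe ©
O43 - CFD: 13/01/2015 - [] D -- C:\Users\Bears\AppData\Roaming\SoftwareUpdater
O45 - LFCP:[MD5.72B0018C7106214CEA435A83D3761750] 26/11/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
O87 - FAEL: "{4A93956D-7C85-40A0-A101-CE4F9D282F5E}" [In-None-P6-TRUE] .(...) -- C:\riot games\lolpatcherux.exe (.not file.)
HKLM\SYSTEM\CurrentControlSet\Services\PrivoxyService
C:\Program Files (x86)\Skillbrains
"""

# Section prefixes as they appear in the thread; mapping is an assumption.
PREFIX_KIND = {
    "O4": "run_key", "O23": "service", "O39": "scheduled_task",
    "O42": "installed_program", "O43": "folder", "O45": "prefetch",
    "O61": "recent_file", "O87": "firewall_rule", "P2": "search_plugin",
}
DIRECTIVES = {"Script ZHPFix", "FirewallRaz", "EmptyPrefetch", "EmptyTemp", "EmptyFlash"}
MD5_RE = re.compile(r"\[MD5\.([0-9A-Fa-f]{32})\]")
# A Windows path runs until a size "[495616]", a "(.not file.)" marker,
# the © mark appended to Run-key lines, or end of line.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?=\s+\[\d+\]|\s+\(\.not file\.\)|\s+©|\s*$)")


@dataclass(frozen=True)
class Indicator:
    kind: str
    path: Optional[str]   # file, folder or registry key the line points at
    md5: Optional[str]
    missing: bool         # "(.not file.)": the binary is gone, the hook is not
    raw: str


def classify(line: str) -> str:
    if line in DIRECTIVES:
        return "directive"
    m = re.match(r"^([OP]\d+) - ", line)
    if m:
        return PREFIX_KIND.get(m.group(1), "other")
    if line.startswith("[MD5."):
        return "scheduled_task" if "[APT]" in line else "process"
    if re.match(r"^HK(?:LM|CU|US)\\", line):
        return "registry_key"
    if re.match(r"^[A-Za-z]:\\", line):
        return "file_path"
    if re.match(r"^\d+ - CFD:", line):   # O43 line whose prefix was eaten by the forum
        return "folder"
    return "other"


def extract_path(line: str, kind: str) -> Optional[str]:
    if kind == "registry_key":
        return line
    # The target sits after the last " -- " (or " - " on O23 service lines).
    sep = " -- " if " -- " in line else " - "
    tail = line.rsplit(sep, 1)[-1]
    m = PATH_RE.search(tail)
    return m.group(1).rstrip() if m else None


def parse(text: str) -> List[Indicator]:
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = classify(line)
        md5 = MD5_RE.search(line)
        out.append(Indicator(kind, extract_path(line, kind),
                             md5.group(1).upper() if md5 else None,
                             "(.not file.)" in line, line))
    return out


def summarize(indicators: List[Indicator]) -> Counter:
    """Number of entries per persistence mechanism."""
    return Counter(i.kind for i in indicators)


def ghosts(indicators: List[Indicator]) -> List[Indicator]:
    """Hooks whose binary is already gone; a service or firewall rule that
    points at nothing still tells you what was installed and must be removed."""
    return [i for i in indicators if i.missing]


def residue_checklist(indicators: List[Indicator]) -> List[str]:
    """Every path and key the script names; after the fix none should exist."""
    return sorted({i.path for i in indicators if i.path})


if __name__ == "__main__":
    found = parse(SAMPLE_SCRIPT)
    print(dict(summarize(found)))
    for g in ghosts(found):
        print("ghost:", g.kind, g.path)
    print("\n".join(residue_checklist(found)))
```

Feed it the full ZHPFix script or a ZHPDiag report and compare `residue_checklist` against the file system and registry after the second ZHPFix run; anything still present is what came back.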
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 26, 2015 at 04:17 PM
To help you and prescribe the remedy, I must make a diagnosis, and to do so I require a report.
1. Open this link and download ZHPDiag3 :
https://nicolascoolman.eu
(Don't be alarmed if the site is in French, it sometimes happens; the tool will take your system language and allow the download. If you get a warning message, ignore it.) Click on the download button.
2. Save the file on your Desktop.
3. Double click on ZHPDiag.exe and follow the installation instructions.
(For Vista, Win 7 and 8 users, right-click to ensure you execute with admin rights.)
4. Double click on the shortcut ZHPDiag on your Desktop.
5. Click on Full.
Wait for the tool to finish (it may take a long time).
6. Close ZHPDiag.
7. To transmit the report, click on this link :
https://authentification.site
8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from Speedyshare and paste it here in your reply.
Ambucias
Moderator and Virus/Security Contributor
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Nov 26, 2015 at 06:57 PM
Hi, I downloaded ZHPDiag3.exe from the link you provided, and I scanned the file on virustotal like I do with every file/program I download on the internet. And I noticed that it detected 5/55. Should I ignore that and install or is it something I need to worry about?
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 27, 2015 at 04:19 AM
ZHP Diag I use all the time, and so do hundreds of v/s experts; it's 100% safe.
Please, follow exactly the instructions I have given you about ZHP Diag.
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Nov 27, 2015 at 03:11 PM
Here is the zhpdiag.txt link:
http://speedy.sh/BJBy5/ZHPDiag.txt
At the moment, the virus has not downloaded back onto my computer.
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 27, 2015 at 04:13 PM
Thanks for the log
There is the potential for it to return.
I will get to you with the medicinal compound very soon, just stand-by.
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 28, 2015 at 04:46 PM
On ZHP Fix, after "Go", did you validate the message asking you to confirm the removal or clean-up?
If not, please repeat the ZHP Fix
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Nov 28, 2015 at 05:43 PM
It did ask me to confirm the uninstall of Lightshot and Akamai NetSession Interface, but I don't think I remember it asking me to confirm the removal.
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 28, 2015 at 05:53 PM
Please repeat ZHP Fix and, after Go, confirm everything that ZHP Fix asks for.
Thank you
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Nov 28, 2015 at 05:56 PM
Okay, I remembered that I did confirm the removal, but I repeated the ZHP Fix anyway.
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 29, 2015 at 04:55 AM
Can I see the report?
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Nov 29, 2015 at 12:18 PM
http://speedy.sh/cUpFT/ZHPFix-R2.txt
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Nov 29, 2015 at 04:36 PM
Hello and thank you for the report!
Everything looks hunky-dory and your system is as clean as a whistle.
Your antivirus is Kaspersky; along with F-Secure they are the most efficient on the market, but no antivirus is 100% safe. In my opinion, most of the 50 pieces of malware on your computer came from torrent sites: uTorrent, Pando, BitTorrent and Bears. Those P2P sites most often hide malware, and they are the best way for pirates, hackers and other malicious people to infect computers. If you invite them in, Kaspersky will not protest, because you are the boss.
I suggest that you remove Malwarebytes so that it does not come into conflict with Kaspersky. You can always get it back if necessary.
These two keys, if you wish, can also be deleted:
HKLM\SOFTWARE\Wow6432Node\McAfee
HKCU\SOFTWARE\McAfee
It was a pleasure helping you.
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Nov 29, 2015 at 05:30 PM
Hello, I greatly appreciate your time and effort to help me get rid of this darn malware! My PC is as clean as ever. And I surely will be more careful on those torrent sites and watching what I download. Anyway, thanks for the help and making this a smooth experience!
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Nov 30, 2015 at 08:22 PM
Hello again, the GetPrivate virus has downloaded back to my computer, if you wouldn't mind, could you help me get rid of it so that it doesn't come back?
Thanks,
Ezpz
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 1, 2015 at 04:34 AM
Hello EZ
With pleasure. Please, another ZHP Diag report. Thanks
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 1, 2015 at 08:32 PM
I temporarily removed it with malwarebytes but here's the log:
http://speedy.sh/tpK73/ZHPDiag.txt
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 2, 2015 at 05:04 AM
Hello
Well, you did get infected again.
This time, we will go after what I believe to be the sources, in an easy 1, 2, 3, 4.
ONE
1. Open Internet Explorer
2. Click on the gear box.
3. Click on "Manage add-ons" and then on "Toolbars and extensions".
4. Look for and delete all suspicious extensions (they may say "not verified").
5. Close IE.
TWO
1. Open Firefox
2. Open the menu by clicking on the 3 horizontal lines, top right corner.
3. Click on the puzzle piece icon and then on plug-ins
4. Look for and delete all suspicious plug-ins.
Important note: If you still get problems with GetPlus after the above steps, you will need to reset both browsers to their default settings.
THREE
1. Open the add/remove program utility and delete
Download Manager
FOUR
1. We will repeat our ZHP Fix trick
Here are the bold lines:
Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
HKLM\SOFTWARE\Wow6432Node\SecureWebChannel
3 - CFD: 12/01/2015 - [0] D -- C:\Program Files (x86)\download Manager
3 - CFD: 13/01/2015 - [] D -- C:\Users\Bears\AppData\Roaming\SoftwareUpdater
O45 - LFCP:[MD5.E8D56F120C5EFF515F03CF3FE165FD1E] 30/11/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
Let me know
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 3, 2015 at 09:13 PM
I do not see a "Download Manager" program in the add/remove program utility.
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 3, 2015 at 09:18 PM
Here's the log:
http://speedy.sh/RW5TH/ZHPFix-R3.txt
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 4, 2015 at 05:06 AM
Please download, install and run Adwcleaner
https://ccm.net/downloads/security-and-maintenance/6911-adwcleaner/
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 4, 2015 at 10:56 PM
I installed it.
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 5, 2015 at 04:41 AM
Did you run a scan with it?
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 5, 2015 at 04:03 PM
Here's the log:
http://speedy.sh/7uY4k/AdwCleaner-C1.txt
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 5, 2015 at 04:21 PM
Those were the adware viruses I was talking about as browser extensions.
Chrome did not show on your ZHP Diag log!!!
Folder Deleted : C:\Program Files (x86)\download Manager
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\madakpajlmcpaodhfbekojajlhbdklol
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhoahihokddepjlegpenefeaahdkojog
Folder Deleted : C:\Users\Bears\AppData\Roaming\SoftwareUpdater
Could you please check in your Chrome extensions to see if:
lhoahihokddepjlegpenefeaahdkojog
madakpajlmcpaodhfbekojajlhbdklol
gngocbkfmikdgphklgmmehbjjlfgdemm
Are still there; if they are, we may need to remove them manually.
Did you find that the virus returned after you launched Chrome?
Take care
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 5, 2015 at 04:44 PM
I do not see those extensions in there, and at the moment, the virus has not returned after I launched chrome.
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 5, 2015 at 04:49 PM
Did you, in the past, find that the virus returned after you launched Chrome?
Out of curiosity, can you tell me what is this C:\Users\Bears\AppData\Roaming\SoftwareUpdater
Thanks
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 5, 2015 at 05:02 PM
Yes, it has returned before, after I launched Chrome, and I'm not too sure what "SoftwareUpdater" is for, but I've seen it. And about "Download Manager", I downloaded that when I was trying to download something a long time ago, because I thought it would help me download faster.
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 5, 2015 at 05:16 PM
Okay, I believe we have resolved the problem.
It's getting ever more popular for many to include adware or spyware in the software package. Recently, in the case of browser applications, they are added as browser extensions.
Should this occur to you again, first start to disinfect with AdwCleaner; it is much more efficient than Malwarebytes in the case of adware and spyware where you get pop-ups or browser redirecting.
Take care in Dixieland VA.
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 6, 2015 at 05:45 PM
Thanks a lot for helping me solve this problem. But I have a question: how would I uninstall Software Updater and Download Manager if I wanted to uninstall them, since they don't clearly show up as programs in Programs and Features?
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 6, 2015 at 05:57 PM
You are most welcome.
They were deleted by AdwCleaner. Otherwise, you would have to follow the paths
C:\Program Files (x86)\download Manager
C:\Users\Bears\AppData\Roaming\SoftwareUpdater
and delete them, like any other file.
Then I would run CCleaner to see if they are still in the registry and delete them from there as well.
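As an added example (not part of the thread, and not output of any tool mentioned in it), here is a PowerShell check for the step described in this reply: confirm whether the two folders are still on disk, whether anything in the Run keys, Uninstall keys or scheduled tasks still refers to them, and only then delete them. The folder paths are the ones quoted above; the SoftwareUpdater path is written with $env:APPDATA so it resolves for whichever user runs it. Run it from an elevated PowerShell on Windows 8 or later (Get-ScheduledTask is not available on Windows 7).

```powershell
# Added example, not from the thread: audit leftover adware folders and the
# persistence locations that could bring them back, before deleting anything.
$Suspects = @(
    'C:\Program Files (x86)\download Manager',   # path quoted in the thread
    "$env:APPDATA\SoftwareUpdater"               # C:\Users\<user>\AppData\Roaming\SoftwareUpdater
)
$Pattern = 'SoftwareUpdater|download Manager'

# 1. Are the folders still there, and what executables do they hold?
#    Signature status and hash let you look a file up before deleting it.
foreach ($dir in $Suspects) {
    if (Test-Path -LiteralPath $dir) {
        Write-Host "PRESENT: $dir"
        Get-ChildItem -LiteralPath $dir -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                '  {0}  sig={1}  sha256={2}' -f $_.FullName, $sig.Status,
                    (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
    } else {
        Write-Host "absent:  $dir"
    }
}

# 2. Registry autostart (Run) and Uninstall entries that still reference them.
$RegRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $RegRoots) {
    if (-not (Test-Path $root)) { continue }
    # Run keys hold values directly; Uninstall keys hold one subkey per program.
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $val = [string]$k.GetValue($name)
            if ($val -match $Pattern -or $name -match $Pattern) {
                Write-Host "REGISTRY: $($k.Name)\$name = $val"
            }
        }
    }
}

# 3. Scheduled tasks are a common way for an "updater" to return after cleanup.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in @($task.Actions)) {
        if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
            Write-Host "TASK: $($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. Once nothing above references them, this is the "delete them like any other file" step.
#    Uncomment to run:
# foreach ($dir in $Suspects) { if (Test-Path -LiteralPath $dir) { Remove-Item -LiteralPath $dir -Recurse -Force } }
```

The order matters: deleting the folder first and then finding a Run entry or task that re-downloads it is how an infection like this keeps coming back, so the check for references is done before the removal.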
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 14, 2015 at 08:37 PM
Hello again,
The virus has come back, and I followed your instructions to disinfect it with AdwCleaner. However, today it came back once I opened Chrome, and after I disinfected it again with AdwCleaner, I checked my extensions folder for Chrome and I didn't find those three extensions you mentioned. Could it be other extensions that make it come back after a couple of days?
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 15, 2015 at 06:45 AM
Hi,
Yes it could very well be those extensions.
Why don't you remove Chrome completely? You can always get a fresh copy.
Care to upload another ZHPDiag log, just in case something else got infected?
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 21, 2015 at 03:49 PM
Sorry for the late reply, I've been busy. Anyway, I've reinstalled Google Chrome and ran ZHP, so here's the log:
http://speedy.sh/B2Pe5/ZHPDiag.txt
Ambucias
Posts
47310
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,164
Dec 21, 2015 at 04:39 PM
Hi
Every time I analyse one of your reports I find new malware.
Where did you get this one?
PRIVOXY.EXE
It's a proxy hijacker.
If you see it in your Chrome extensions, remove it.
Run ZHP Fix with this script:
Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
O45 - LFCP:[MD5.1A5C72CAB3A96378BAAA227801876896] 14/12/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
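The R5 line in the script above is the user's system-wide WinINET proxy setting, which Chrome and Internet Explorer both follow. As an added example (not the thread's ZHPFix script and not tool output), the PowerShell below reads that setting, finds which process is listening on the proxy port, lists any running process, service or Prefetch trace of privoxy, and resets the setting. 127.0.0.1:8118 is Privoxy's default listening address; the registry path and the Prefetch location are the ones quoted in the thread. Run it elevated, since the Prefetch folder and other users' processes are not readable otherwise.

```powershell
# Added example, not from the thread: audit and reset the WinINET proxy that
# the ZHPDiag R5 line reports. Run in an elevated PowerShell.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $InetKey

# 1. What is currently configured?
'ProxyEnable   = {0}' -f $p.ProxyEnable
'ProxyServer   = {0}' -f $p.ProxyServer
'AutoConfigURL = {0}' -f $p.AutoConfigURL   # a PAC script URL is another way to redirect traffic

# 2. Which process is actually listening on the proxy port?
#    Handles both "host:port" and the "http=host:port;https=..." form.
if ($p.ProxyServer -match '^(?:[a-z]+=)?(?<host>[^:;]+):(?<port>\d+)') {
    $port = [int]$Matches['port']
    Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            'LISTENING {0}:{1}  pid={2}  {3}' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $proc.Path
        }
}

# 3. Running process, service and Prefetch traces of privoxy (the O23 and O45 lines in the thread).
Get-Process -Name privoxy -ErrorAction SilentlyContinue | Select-Object Id, Path
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'privoxy' } |
    Select-Object Name, State, StartMode, PathName
Get-ChildItem "$env:SystemRoot\Prefetch" -Filter 'PRIVOXY.EXE-*.pf' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

# 4. Reset. Only do this once you know the entry is not something you or your
#    network administrator configured. Browsers already running keep the old
#    setting until they are restarted.
Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 0
Remove-ItemProperty -Path $InetKey -Name ProxyServer   -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $InetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
```

A local proxy you did not set up means every browser request is routed through software on the machine that can read and rewrite it, which is what produces injected ads and redirects. The Internet Settings key is per user, so check each user's hive, and a Chrome extension on its own cannot write it: if the value returns after being cleared, look at what starts at logon or as a service.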
Ezpz
Posts
35
Registration date
Wednesday November 25, 2015
Status
Member
Last seen
August 15, 2016
Dec 21, 2015 at 06:37 PM
I checked my Chrome extensions, but I don't know which extensions to look for. I can list what extensions I currently have:
aapocclcgogkmnckokdopfmhonfmgoek
aohghmighlieiainnegkcijnfilokake
apdfllckaahabafndbhieahigkjlhalf
blpcfgokakmgnkcojhhkbfbldkacnbeo
cmeakgjggjdlcpncigglobpjbkabhmjl
coobgpohoikkiipiblmjeljniedjpjpf
eahebamiopdhefndnmappcihfajigkka
felcaaldnbdncclmgdcncolpebgiejap
ghbmnnjooekpmoecnnnilnnbdlolhkhi
nmmhkkegccagdldgiimedpiccmgmieda
pjkljhegncpnkpknbcohdijeoejaedia
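Chrome names each extension folder after the 32-character extension ID, which is why the list above is hard to read. As an added example (not part of the thread), the PowerShell below resolves each ID in the default profile's Extensions folder to the name in its manifest.json, then lists the two registry locations through which an extension can be installed outside the Web Store and reappear after removal: the ExtensionInstallForcelist policy key and Chrome's external-extension registration key. The profile path assumes the default profile on Windows; adjust it for another profile.

```powershell
# Added example, not from the thread: map Chrome extension IDs to names and
# show the registry locations that can reinstall an extension behind your back.
$ExtRoot = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"

function Get-ChromeExtensionName {
    param([string]$ExtDir)
    # Each ID folder holds one or more version folders, each with a manifest.json.
    $manifest = Get-ChildItem -LiteralPath $ExtDir -Directory |
        Sort-Object Name -Descending | Select-Object -First 1 |
        ForEach-Object { Join-Path $_.FullName 'manifest.json' }
    if (-not $manifest -or -not (Test-Path -LiteralPath $manifest)) { return '(no manifest)' }
    $m = Get-Content -LiteralPath $manifest -Raw | ConvertFrom-Json
    $name = $m.name
    # "__MSG_xxx__" means the name is localized; look it up under _locales/<default_locale>/messages.json.
    if ($name -match '^__MSG_(.+)__$') {
        $key = $Matches[1]
        $loc = Join-Path (Split-Path $manifest) "_locales\$($m.default_locale)\messages.json"
        if (Test-Path -LiteralPath $loc) {
            $msgs = Get-Content -LiteralPath $loc -Raw | ConvertFrom-Json
            if ($msgs.$key) { $name = $msgs.$key.message }
        }
    }
    return $name
}

# 1. Installed extensions in the profile, by ID, with name and folder timestamp.
if (Test-Path -LiteralPath $ExtRoot) {
    Get-ChildItem -LiteralPath $ExtRoot -Directory | ForEach-Object {
        [pscustomobject]@{
            Id       = $_.Name
            Name     = Get-ChromeExtensionName -ExtDir $_.FullName
            Modified = $_.LastWriteTime
        }
    } | Format-Table -AutoSize
}

# 2. Extensions forced in by policy come back even after a reinstall of Chrome.
'--- ExtensionInstallForcelist policy ---'
foreach ($k in 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
               'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist') {
    if (Test-Path $k) { Get-ItemProperty $k | Select-Object -Property * -ExcludeProperty PS* }
}

# 3. External-extension registration: one subkey per ID with update_url or a local path.
'--- External extension registry entries ---'
foreach ($k in 'HKLM:\Software\Google\Chrome\Extensions',
               'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
               'HKCU:\Software\Google\Chrome\Extensions') {
    if (Test-Path $k) {
        Get-ChildItem $k | ForEach-Object {
            '{0}  update_url={1}  path={2}' -f $_.PSChildName, $_.GetValue('update_url'), $_.GetValue('path')
        }
    }
}
```

Any ID in the output whose name you do not recognise, and any entry at all under the policy or external-extension keys on a home machine, is worth a closer look; a policy-installed extension also shows up in chrome://extensions with a note that it was installed by policy and cannot be removed from there until the registry entry is gone.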