Someone's FISHING on my computer

WinTenUser said:

Wow, lot's of stuff. I will do my best. I actually did a bunch of this. but will repeat.

Can you explain the Change the DNS servers on her NICs to Open DNS (its purpose)

Thanks for the details!

Brian

Yes, please, and be sure to post the logs for me.
Changing the DNS servers to Open DNS will force her NIC to use them for all internet requests (and not her ISP's DNS servers). OpenDNS actively blocks all known bad sites. You don't need to add the Marc's Updater part unless you create an account with OpenDNS to modify the blocking settings.

WinTenUser said:

That makes sense. She doesn't visit many sites, but it's a good safeguard.
Will get on this tomorrow!

Thanks

Will post logs

Brian

If you want to post the list of installed programs (using Ccleaner) feel free and I'll have a look at that as well.




Cheers Brian.

Took this capture before your suggestion. Didn't realize I could save a list via the prog!!

Brian

Getting ready to connect with my mother's computer.

CCleaner - Installed Programs

Weather Microsoft Corporation 4/22/2017 4.20.1102.0 All users
Mozilla Maintenance Service Mozilla 4/20/2017 256 KB 53.0.0.6312 All users
Mozilla Firefox 53.0 (x86 en-US) Mozilla 4/20/2017 88.8 MB 53.0 All users
Malwarebytes version 3.0.6.1469 Malwarebytes 4/20/2017 154 MB 3.0.6.1469 All users
Microsoft Solitaire Collection Microsoft Studios 4/13/2017 3.16.3302.0 All users
Groove Music Microsoft Corporation 4/13/2017 10.17022.10301.0 All users
Facebook Facebook Inc 4/13/2017 81.832.151.0 All users
Microsoft Sticky Notes Microsoft Corporation 4/13/2017 1.8.0.0 All users
Store Microsoft Corporation 4/13/2017 11701.1001.99.0 All users
Adobe Flash Player 25 NPAPI Adobe Systems Incorporated 4/12/2017 5.94 MB 25.0.0.148 All users
Stardock IconPackager Stardock Software, Inc. 4/11/2017 18.6 MB 10.02 All users
Canon MG3000 series User Registration *Canon Inc. 4/11/2017 All users
Canon MG3000 series On-screen Manual Canon Inc. 4/11/2017 8.81 MB 1.0.0 All users
Canon MG3000 series MP Drivers Canon Inc. 4/11/2017 1.00 All users
Canon Inkjet Printer/Scanner/Fax Extended Survey Program Canon Inc. 4/11/2017 5.2.0 All users
Canon IJ Scan Utility Canon Inc. 4/11/2017 75.6 MB 1.3.0.19 All users
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Microsoft Corporation 4/9/2017 940 KB 10.0.40219 All users
TeamViewer 12 TeamViewer 3/25/2017 61.8 MB 12.0.75813 All users
IncrediMail 2.5 IncrediMail Ltd. 3/25/2017 6.6.0.5302 All users
Second Copy 9 Centered Systems 3/24/2017 43.9 MB 9.0.0.1 All users
Pandora Pandora Media Inc 3/23/2017 11.3.1.0 All users
gpedt.msc 1.0 Richard 3/22/2017 5.24 MB All users
Backgammon Classic 7.2 Microsys Com Ltd. 3/22/2017 28.9 MB All users
True Launch Bar Tordex 3/21/2017 17.1 MB 7.3.0.0 All users
SUPERAntiSpyware SUPERAntiSpyware.com 3/21/2017 10.4 MB 6.0.1236 All users
Second Nature - Light on the Water Second Nature Software, Inc. 3/21/2017 4.4 All users
Microsoft SQL Server Compact 3.5 SP2 x64 ENU Microsoft Corporation 3/21/2017 15.2 MB 3.5.8080.0 All users
Microsoft SQL Server Compact 3.5 SP2 ENU Microsoft Corporation 3/21/2017 12.2 MB 3.5.8080.0 All users
Heartwild Solitaire Classic 3/21/2017 All users
Heartwild Solitaire (Author's Edition) 3/21/2017 All users
Hallmark Card Studio 2017 Deluxe Creative Home 3/21/2017 145 MB 18.0.0.14 All users
Corel Paint Shop Pro Photo XI Corel Corporation 3/21/2017 197 MB 11.20.0000 All users
Bonus Pack 2017 Creative Home 3/21/2017 30.1 MB 1.0.0.7 Sheila
ACDSee 20 ACD Systems International Inc. 3/21/2017 618 MB 20.3.0.611 All users
Stardock Start10 Stardock Software, Inc. 3/20/2017 41.3 MB 1.53 All users
Shadow Defender ShadowDefender.com 3/20/2017 1.4.0.650 All users
Alarms & Clock Microsoft Corporation 3/19/2017 10.1703.602.0 All users
Calculator Microsoft Corporation 3/19/2017 10.1703.601.0 All users
Voice Recorder Microsoft Corporation 3/19/2017 10.1703.601.0 All users
App Installer Microsoft Corporation 3/19/2017 1.0.10332.0 All users
Store Purchase App Microsoft Corporation 3/19/2017 11608.1000.2431.0 All users
Xbox Identity Provider Microsoft Corporation 3/19/2017 11.19.19003.0 All users
NVIDIA Graphics Driver 342.01 NVIDIA Corporation 3/19/2017 476 MB 342.01 All users

CCleaner - Startup Items

Yes HKCU:Run IncrediMail IncrediMail, Ltd. Sheila C:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
Yes HKCU:Run SUPERAntiSpyware SUPERAntiSpyware Sheila C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Yes HKLM:Run Malwarebytes TrayApp Malwarebytes All users C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe
Yes HKLM:Run MouseDriver Pixart Imaging Inc All users TiltWheelMouse.exe
Yes HKLM:Run WindowsDefender All users "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Yes Startup Common Snsicon.lnk Second Nature Software, Inc. All users C:\Program Files (x86)\Second Nature\Snsicon.exe
Yes Startup User USBNavFix.lnk Microsoft Corporation Sheila C:\Windows\regedit.exe

Note:
1. Malwarebytes was installed as a trial just for troubleshooting
2. Second Nature Software - been using this screen saver for years
3. USBNAVFix - created a batch file to update the registry to remove the 2x removable drive icons from File Managers Navigation Pane
Seems every time Windows updates that the default is restored.

Yes, okay. A Ccleaner list would be more helpful for me, and complete.

WinTenUser said:

RKill Log

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* agp440 [Missing Service]
* gagp30kx [Missing Service]
* IEEtwCollectorService [Missing Service]
* IoQos [Missing Service]
* nv_agp [Missing Service]
* TimeBroker [Missing Service]
* uagp35 [Missing Service]
* uliagpkx [Missing Service]
* WcsPlugInService [Missing Service]
* wpcfltr [Missing Service]
* WSService [Missing Service]

* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
* WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

* vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
* vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 04/22/2017 11:21:11 AM
Execution time: 0 hours(s), 0 minute(s), and 23 seconds(s)

-------------------------------------------------------------------------------------------------------

RKILL log looks fine; those missing services and other things are nothing to worry about.

WinTenUser said:

ADWCleaner log

WinTenUser said:

# AdwCleaner v6.045 - Logfile created 21/04/2017 at 21:01:25
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-21.1 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (X86)
# Username : Brian - DELL-LAPTOP
# Running from : C:\Users\Brian\Desktop\MOM\02. AdWCleaner 6.045\adwcleaner_6.045.exe
# Mode: Scan
# Support : Malwarebytes | Customer Support & Help Center
Note: Operating System is "mis-listed" It is Windows 10 Home (x64) Updated to April 18th

Got it.

WinTenUser said:

***** [ Services ] *****
No malicious services found.

***** [ Folders ] *****
Folder Found: C:\Users\Brian\AppData\Roaming\Wise Euask
Folder Found: C:\ProgramData\Auslogics
Folder Found: C:\ProgramData\IObit\Advanced SystemCare
Folder Found: C:\ProgramData\Application Data\Auslogics
Folder Found: C:\ProgramData\Application Data\IObit\Advanced SystemCare
Folder Found: C:\Windows\system32\Tasks\WiseCleaner
Folder Found: C:\Windows\system32\config\systemprofile\AppData\Local\LavasoftTcpService
Note: Not sure where this stuff comes from, I ran this prog on my laptop last night and it found the same stuff!

I will guess that most of this junk is a result of IOBit software. I would not trust anything from them. They were caught stealing proprietary virus-detection databases from Malwarebytes.

Auslogics is now considered a PUP, as they try to install all kinds of other stuff when you install their program, plus they open your web browser and take you to a Giveaway page - very annoying. Until they clean up their act, I would not use them. Defraggler (free) by Piriform is a good replacement.

WinTenUser said:

***** [ Files ] *****
File Found: C:\spyhunter.fix
File Found: C:\Windows\system32\lavasofttcpservice.dll
File Found: C:\Windows\system32\LavasoftTcpServiceOff.ini
Note: Again, all these items were also found on my laptop!

Do not ever, under any circumstances, install SpyHunter on a system!

WinTenUser said:

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious keys found.

***** [ Shortcuts ] *****
No infected shortcut found.

***** [ Scheduled Tasks ] *****
Task Found: WiseCleaner

Need to get rid of this as well.

WinTenUser said:

***** [ Registry ] *****
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController.1
Key Found: HKLM\SOFTWARE\Classes\AppID\{2CE0F1DC-C504-4B7B-A385-D94A2531DFFB}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{D4EF86C3-77D7-4F82-BBB8-6DFFAB6E2D32}
Key Found: HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
Key Found: HKLM\SOFTWARE\Tarma Installer often used to install unwanted packed/bundled/questionable software.
Key Found: HKLM\SOFTWARE\WISECLEANER
Key Found: HKLM\SOFTWARE\Auslogics
Value Found: HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION [WISEREGCLEANER.EXE]
Key Found: HKLM\SOFTWARE\Classes\AppID\LavasoftTcpService.exe
Note: Much the same as my laptop!

***** [ Web browsers ] *****
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************
C:\AdwCleaner\AdwCleaner[S0].txt - [3861 Bytes] - [21/04/2017 21:01:25]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3934 Bytes] ##########

...restarting computer...

Lavasoft needs to go.

When you're in Ccleaner, please save to text file, the list of installed programs, and upload here so I can have a looksee.

Looks good.
I know Driver Magician - I use the Lite version all the time. I've never had it come up in a scan (perhaps because it's the portable version - I've never used that?).

EDIT: No wait - it's a task - that's why it's flagged.