Malicious Malware Computer Affected

Lesson_learned
May 20, 2014

Hi everyone!

This is my first time using this site and I heard really good things about the forums. I was hoping an expert might be able to advise and help me figure out my problem. I acquired malware while downloading a torrent which also downloaded a .exe called 'Privoxy.' I have run Malwarebytes without being on the internet and also AVG. Nothing is detected, but there is still adware on my browsers. When I tried to delete and uninstall 'Privoxy,' it started deleting tons of files which were files that are very important to me because I am a game designer. These files were for the current video game that I am working on that is soon to be released.

I have a feeling that the program just hid them because it "deleted" them very quick and these were really big files. I am really hoping not only to get rid of 'Privoxy'/malware/adware, but also restore all my files back. I've tried to go back to previous versions of folders, system restores (which says that it will not do a restore unless I turn off my antivirus software programs), and I am now thinking about buying Prosoft Data Rescue for Windows or trying Recuva (which was recommended by a different forum) to recover those files.

I know I should have a backup for these files, but I never had this issue in the past. This is a lesson learned for sure and in the future, I am going to take precautions on backing up my files on a cloud/external hard drive completely.

Thank you in advance for help and I appreciate any advice. Also, I apologize if this is the wrong thread that I am supposed to post this in.
 
Solution
AdwCleaner is a pretty good tool, USAF. I've used it for some time and it's as good as I've seen. As to getting your files back, hard to say. Get rid of the malware first, though, and then we will see. By the way, this may not be over yet, so keep an eye on your computer for strange behaviour. If all is not well we have some other solutions.

USAFRet
Moderator
1. eradicate the malware/virus/whatever
Create and boot from a good AV CD. Kaspersky or similar.

2. Then, see about recovering whatever files there are. Recuva is pretty good with this.

3. Once everything is 'fixed', create a backup plan, and use it.
No one ever needs a backup, until that first time they do.

4. Lastly, never, ever run an exe you get in a torrent. Be very wary of ALL torrents, unless you specifically know and trust the seed source.
 
Privoxy is a proxy server, not malware. You need to go into your browser settings and set them to stop using a proxy server. If you post back with what browser you are using we can help. That having been said, here are a couple of programs to run. Delete what they come up with and post the logs in your next post. First download AdwCleaner from Bleeping Computer. Run a scan and let it get rid of anything it comes up with. Next download and run a scan with Junkware Removal Tool, also from Bleeping Computer. Let it get rid of anything it comes up with and post a log and we will take it from there.
http://www.bleepingcomputer.com/download/adwcleaner/

http://www.bleepingcomputer.com/download/junkware-removal-tool/
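The advice above is to stop the browsers from using a proxy server. On Windows, Internet Explorer and Chrome read the system proxy setting (Internet Options > Connections > LAN settings), while Firefox keeps its own per-profile settings in prefs.js, the file AdwCleaner's "Browsers" section also inspects. The following is an added example, not code from the thread or from any of the tools mentioned: it parses the user_pref lines of a prefs.js, reports what proxy mode is configured, and returns a copy with every network.proxy.* line removed so Firefox falls back to its default of using the system setting. The sample prefs.js is constructed; the 127.0.0.1:8118 address is Privoxy's documented default listen address, used here only to make the sample realistic. Close Firefox before editing a real prefs.js, since it rewrites the file on exit.

```python
import re

# Constructed prefs.js excerpt (sample input for this example, not taken from the
# thread): a manual HTTP proxy pointing at a local listener plus an unrelated pref.
PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "AVG Secure Search");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.share_proxy_settings", true);
'''

# One pref per line: user_pref("name", value);  value is a quoted string, an integer or a bool.
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')

# Meaning of network.proxy.type values (Firefox documentation; 5 is the default).
PROXY_TYPES = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}


def parse_value(raw):
    """Convert the textual pref value into a Python str, bool or int."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_prefs(text):
    """Return {pref name: value} for every user_pref line; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def proxy_summary(prefs):
    """Describe the proxy mode a profile is using and, for a manual proxy, where it points."""
    ptype = prefs.get("network.proxy.type", 5)  # absent pref means Firefox default: system
    summary = {"type": PROXY_TYPES.get(ptype, "unknown")}
    if ptype == 1:
        host = prefs.get("network.proxy.http", "")
        port = prefs.get("network.proxy.http_port", 0)
        summary["http"] = f"{host}:{port}"
    if ptype == 2:
        summary["pac_url"] = prefs.get("network.proxy.autoconfig_url", "")
    return summary


def reset_proxy_prefs(text):
    """Return prefs.js content with every network.proxy.* line dropped, so the
    profile reverts to the default 'use system proxy settings' behaviour."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1).startswith("network.proxy."):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    before = parse_prefs(PREFS_JS)
    print("before:", proxy_summary(before))
    after = parse_prefs(reset_proxy_prefs(PREFS_JS))
    print("after: ", proxy_summary(after))
```

Anything reported as type "manual" or "pac" that the user did not set up themselves is worth a second look; a loopback address with an unexpected port, as in the sample, means some local process is sitting between the browser and the network.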
 

Lesson_learned
Ok I will try everything within the next day and see what works.

Also I keep hearing Privoxy is a legit program, but why would it delete tons of files when I tried to uninstall it? What does Privoxy actually do when it's on your computer? It also kept duplicating itself when it was deleted.

Aldan - I was using Google Chrome, Internet Explorer, and Firefox.
 

Lesson_learned

Thank you for the help. Would you mind if I ask more questions here as I am still trying to fix this?
 

Lesson_learned
Yeah I am guessing it was just named that because it was all downloaded on the day I downloaded the torrent. I can give you all the information on the files that came with that folder. It also won't let me delete that folder and states "This file is being used by privoxy.exe." I think it is just named "privoxy" and not actually what it is.
 

USAFRet

The actual Privoxy, from SourceForge, is a regular install, not just an exe:
http://sourceforge.net/projects/ijbswa/

To install it, you have to click next, next, etc. After allowing the install via the admin password.
 

Lesson_learned

Hey guys! Thank you for taking the time to help me again. I really appreciate it.

Here was the Privoxy and what it looked like in the folder. AdwCleaner actually recognized the folder that is called "MSR" which Privoxy is in. http://imgur.com/Kuo4Om7

Here are the AdwCleaner logs:

# AdwCleaner v3.210 - Report created 21/05/2014 at 13:09:12
# Updated 19/05/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Tizzy - TIZZY-PC
# Running from : C:\Users\Tizzy\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Program Files (x86)\MSR
Folder Found : C:\ProgramData\AVG Security Toolbar
Folder Found : C:\Users\Tizzy\AppData\Local\Ilivid Player
Folder Found : C:\Users\Tizzy\AppData\Local\PackageAware

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetimsetup_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetimsetup_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\Tizzy\AppData\Roaming\Mozilla\Firefox\Profiles\sa369xfh.default\prefs.js ]

Line Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");

*************************

AdwCleaner[R0].txt - [2556 octets] - [21/05/2014 13:09:12]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2616 octets] ##########

Here are the Junkware Removal Tool logs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Ultimate x64
Ran by Tizzy on Wed 05/21/2014 at 13:09:27.13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\scripthelper.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\adawarebp
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3908131341-2984194670-2582034417-1000\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\freeze.com
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\applications\ilividsetupv1.exe
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\ilividsetupv1_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\ilividsetupv1_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\sweetim_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\sweetim_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\sweetimsetup_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\sweetimsetup_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ FireFox

Emptied folder: C:\Users\Tizzy\AppData\Roaming\mozilla\firefox\profiles\sa369xfh.default\minidumps [2 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 05/21/2014 at 13:33:45.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What would be my next steps? Shall I go ahead and click clean on AdwCleaner? Also I am curious why Malwarebytes and AVG didn't recognize any of this. I knew there was something wrong with that .exe named Privoxy.
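Reading the two reports above side by side is the useful step before clicking "Clean": the AdwCleaner scan lists what was found, and the JRT log lists what has already been removed, so the registry GUIDs (CLSIDs, AppIDs, TypeLibs, BHOs) that appear in the first but not the second are what still needs attention. The following is an added example, not code from the thread or from either tool: a small parser for both log formats that groups AdwCleaner findings by section, extracts the GUIDs, and reports which of them JRT did not delete. The sample inputs are short excerpts of the logs posted above; the section headers (`***** [ Name ] *****`), the `<Kind> Found :` lines and the `Successfully deleted: [Kind] ...` lines are the formats visible in those logs, which is all the parser relies on.

```python
import re
from collections import defaultdict

# Excerpt of the AdwCleaner report posted above (sample input for this example).
ADWCLEANER_REPORT = r"""# AdwCleaner v3.210 - Report created 21/05/2014 at 13:09:12
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Program Files (x86)\MSR
Folder Found : C:\Users\Tizzy\AppData\Local\Ilivid Player

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [ Browsers ] *****

-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\Tizzy\AppData\Roaming\Mozilla\Firefox\Profiles\sa369xfh.default\prefs.js ]

Line Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");
"""

# Excerpt of the JRT log posted above (sample input for this example).
JRT_LOG = r"""~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
FINDING_RE = re.compile(r"^(Folder|File|Key|Value|Line|Shortcut|Service) Found : (.+)$")
JRT_RE = re.compile(r'^Successfully deleted: \[([^\]]+)\] "?(.+?)"?$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_adwcleaner(report):
    """Return {section name: [(kind, path), ...]} for every '<Kind> Found :' line."""
    findings = defaultdict(list)
    section = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if m and section:
            findings[section].append((m.group(1), m.group(2)))
    return dict(findings)


def parse_jrt(log):
    """Return [(kind, path), ...] for every item JRT reports as deleted."""
    deleted = []
    for raw in log.splitlines():
        m = JRT_RE.match(raw.strip())
        if m:
            deleted.append((m.group(1), m.group(2)))
    return deleted


def guids(values):
    """Collect every {GUID} appearing in the given strings, upper-cased for comparison."""
    return {g.upper() for v in values for g in GUID_RE.findall(v)}


def registry_guids_not_yet_removed(report, log):
    """GUIDs AdwCleaner found under its Registry section that no JRT deletion mentions."""
    found = guids(v for _, v in parse_adwcleaner(report).get("Registry", []))
    removed = guids(v for kind, v in parse_jrt(log) if kind == "Registry Key")
    return sorted(found - removed)


if __name__ == "__main__":
    for section, items in parse_adwcleaner(ADWCLEANER_REPORT).items():
        print(f"{section}: {len(items)} finding(s)")
    print("still present:", registry_guids_not_yet_removed(ADWCLEANER_REPORT, JRT_LOG))
```

With the two excerpts above, the folders under Files / Folders and the `{408CFAD9-...}` CLSID are what remain after the JRT run, which matches the "clean with AdwCleaner" step that follows in the thread. The same comparison works on the full logs, and it is a quick way to check after a clean run in safe mode whether anything re-created itself.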


 

USAFRet

Yes, clean with AdwCleaner (although I've never heard of it).
Sometimes, though, nuking it from orbit and reinstalling everything is the best solution.
 

Lesson_learned
Thank you sooo much and I will keep cautious on my computer for the next few days! You guys are so amazing in answering questions and have been super helpful. I really appreciate all the time you have given me. :) I hope that this thread will help someone in the future.

Here was the solution to my problem: so AdwCleaner wasn't getting rid of it even with internet not on, it kept duplicating itself.

So I had to go into msconfig and turn on safe mode because my motherboard wouldn't allow me to go into safe mode via F8 (http://www.tomshardware.com/forum/269257-30-safe-mode-shortcut-gigabyte-ds3l). I searched the forums and found this to be the same issue I was having. Once I booted it up in safe mode, I ran the AdwCleaner and it finally deleted it.

As far as my files go, I did a system restore and it gave me some of my files back (not all of them unfortunately). I searched for the files that were recently modified and I found most of them in folders of shortcuts, but it just stated that these shortcuts don't work anymore.

So I tried Recuva, and it found almost all of my items (567) that were lost. It said it recovered ~400 of them and partially recovered 98 of them. The virus I had basically deleted them and then tried to overwrite them.

Also I redid Malwarebytes and started a scan which found infected registry keys. Adware is officially gone from my browsers.

Thank you again! :)