Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Help with virus/adware.

Help with virus/adware. - Page 2

post #11 of 14
Quote:
Originally Posted by Ysbl
Rkill picked up vcheck as malicious, that's probably it.

I thought so too, especially since it's .exe. What's the file path? If it's in the c:\windows or c:\windows\system32 folder, it's definitely malware.
post #12 of 14
Quote:
Originally Posted by E-Peen
I thought so too, especially since it's .exe. What's the file path? If it's in the c:\windows or c:\windows\system32 folder, it's definitely malware.
It's in his Temp folder, and definitely malicious. It's associated with Anwendung VCheck, a.k.a. Webgrabber MFC. Hijacker program for sure. There was something else I saw, but give me a moment to sort through the HJT log. Nah, it appears that is the only malicious process. There may be more running superhidden, but you'll have to scan specifically for rootkits to find them.

OP: disable any virtual drives you have, and stop the Alcohol (StarWind) services before attempting to remove the file from your Temp folder. If it gives you any problems, download Unlocker Assistant and you will be able to remove it. Keep an eye on the Temp folder to see if it reappears mysteriously, as there is usually something else that piggybacks it in. Btw, run GMER as well and see what it comes up with.

Unlocker
Edited by Lucky 13 SpeedShop - 10/8/11 at 9:06pm
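The triage rule the two replies above apply (an autorun that points into the user's Temp folder is the red flag; vendor updaters under Program Files or AppData are expected, though worth a look) as an added Python example that is not code from the thread or from HijackThis. The sample input is the O4 lines from the HijackThis log quoted later in the thread; the location rules, verdict labels and duplicate counting are the editor's own heuristics and assumptions, not HijackThis output.

```python
"""Triage HijackThis O4 (registry Run) entries by where the target executable lives.

Added example, not from the thread: the classification rules are the editor's own
heuristics, and the sample log is the O4 lines quoted in the post (constructed input).
"""
import re
from collections import OrderedDict

# O4 lines copied from the HijackThis log quoted in the thread (constructed sample input).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Adobe ARM] "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"
O4 - HKCU\\..\\Run: [Google Update] "C:\\Users\\Administrator\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c
O4 - HKCU\\..\\Run: [vcheck] C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\vcheck.exe
O4 - HKCU\\..\\Run: [vcheck] C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\vcheck.exe
"""

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Location rules, checked in order; first match wins. Paths are compared lower-cased,
# and 8.3 short names (ADMINI~1) are left alone because the directory names still match.
RULES = (
    ("temp",          ("\\temp\\", "\\tmp\\")),
    ("appdata",       ("\\appdata\\",)),
    ("program_files", ("\\program files\\", "\\program files (x86)\\")),
    ("windows",       ("\\windows\\",)),
)
SUSPICIOUS = {"temp"}    # an autorun living in a temp directory is the thread's red flag
REVIEW = {"appdata"}     # legitimate updaters (Google Update) live here too: verify, don't just delete


def target_path(cmd):
    """Pull the executable path out of a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # unquoted: the path ends at the first space, arguments follow
    return cmd.split(" ", 1)[0]


def classify(path):
    """Map a path to one of the RULES labels, or 'other'."""
    low = path.lower()
    for label, needles in RULES:
        if any(n in low for n in needles):
            return label
    return "other"


def triage(log_text):
    """Return one record per distinct (hive, key, name, path), most suspicious first."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = target_path(m.group("cmd"))
        ident = (m.group("hive"), m.group("key"), m.group("name"), path.lower())
        if ident in seen:
            seen[ident]["count"] += 1    # same value listed twice: keep it once, with a count
            continue
        loc = classify(path)
        verdict = "suspicious" if loc in SUSPICIOUS else "review" if loc in REVIEW else "expected"
        seen[ident] = {"hive": m.group("hive"), "name": m.group("name"), "path": path,
                       "location": loc, "count": 1, "verdict": verdict}
    order = {"suspicious": 0, "review": 1, "expected": 2}
    return sorted(seen.values(), key=lambda r: order[r["verdict"]])   # stable: log order kept within a verdict


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["verdict"]:10} {r["location"]:13} x{r["count"]} {r["hive"]} [{r["name"]}] {r["path"]}')
```

The location of the binary is only a first cut: a "review" entry such as Google Update should be confirmed by checking the file's publisher signature, and an "expected" one under Program Files is not automatically clean, since Yontoo in this same log also lives there.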
post #13 of 14
Check inside your hosts file, with this guide. Unless you're using some hosts file protection to block certain websites, it should have only 127.0.0.1 localhost or ::1 localhost in there. When finished, close it, then right-click hosts, Properties, and make it read-only.

These below are resource hogs and dodgy. Yontoo Layers is definitely hijacking your browser (mostly negative opinions of this program, best to delete it). AdobeARM.exe, jusched.exe, GoogleUpdate.exe, etc. are safe but can be disabled or removed with HJT. They'll probably come back anyway, seeing they're annoying f#c#ks.

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
O4 - HKCU\..\Run: [vcheck] C:\Users\ADMINI~1\AppData\Local\Temp\vcheck.exe
O4 - HKCU\..\Run: [vcheck] C:\Users\ADMINI~1\AppData\Local\Temp\vcheck.exe
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
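The hosts-file check from post #13 as an added Python example, not code from the thread or from the linked guide. The sample file is constructed: the Windows 7 default header (whose own localhost lines are commented out), the two live localhost lines, a long run of blank lines, then two made-up entries of the kind a hijacker adds. The .example host names, the addresses and the blank-line padding threshold are assumptions of the example; on a real machine the file to read is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Audit a Windows hosts file for anything beyond the localhost defaults.

Added example, not from the thread. Two things a hijacked hosts file does that a
'should only contain localhost' rule needs to catch: sinkhole a name to 127.0.0.1
(blocks the site, e.g. an AV update server) or redirect it to another address.
Entries are also often hidden below a long run of blank lines so they sit off-screen
in Notepad; the padding flag reports that.
"""
import ipaddress

# Constructed sample: Windows 7 default header, the two localhost lines, 200 blank lines,
# then two hypothetical hijacker entries (.example names, made-up address).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# localhost name resolution is handled within DNS itself.\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 200 +
    "127.0.0.1   av-updates.vendor.example   # sinkholes a (made-up) update host\n"
    "10.20.30.40 www.bank.example            # redirects a (made-up) site elsewhere\n"
)

PADDING_THRESHOLD = 50   # assumption: this many empty lines before an entry is hiding, not formatting


def parse_hosts(text):
    """Yield (lineno, ip, names, empty_run_before) for each active (non-comment) entry."""
    empty_run = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            empty_run += 1                     # blank or comment-only line
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:], empty_run
        empty_run = 0


def audit_hosts(text):
    """Return a finding for every entry that is not '127.0.0.1 localhost' or '::1 localhost'.

    kind is 'loopback_block' (name sinkholed to a loopback address), 'redirect'
    (name sent to some other address) or 'malformed' (first field is not an IP).
    """
    findings = []
    for lineno, ip, names, empties in parse_hosts(text):
        padded = empties >= PADDING_THRESHOLD
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "kind": "malformed", "ip": ip,
                             "names": names, "padded": padded})
            continue
        if addr.is_loopback and names and all(n.lower() == "localhost" for n in names):
            continue                            # the only live lines the post says belong there
        kind = "loopback_block" if addr.is_loopback else "redirect"
        findings.append({"line": lineno, "kind": kind, "ip": ip,
                         "names": names, "padded": padded})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = " (hidden behind blank lines)" if f["padded"] else ""
        print(f'line {f["line"]}: {f["kind"]} {f["ip"]} -> {", ".join(f["names"])}{flag}')
```

A deliberately maintained blocklist (the "hosts file protection" the post mentions) shows up as many loopback_block findings with no padding; a single sinkholed vendor or security-update host, especially a padded one, is the pattern to treat as hostile. Setting the file read-only afterwards, as the post advises, stops casual rewrites but not anything running as administrator, so re-run the audit after cleanup.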
post #14 of 14
Thread Starter 
I removed vCheck, there's another MFC program in my SysWOW64 folder, HsMgr.exe, which seems dubious. I uninstalled Yontoo as well, and the adware is gone, as far as I can tell. Thanks, guys!