Java Adware

swillesden · August 16, 2014

Hi there,

I hope all is well. I've recently received my sons old laptop to replace my old one and I have been getting issues when trying to use Google Chrome. Sometimes I will get a popup saying "The page at 69.162.111.227 says: It is recommended that you update java to the latest version to view this page. Please update to continue." Clicking okay will hijack the current tab and take me to a page which says: "Outdated java plugin detected. Your JAVA Plugin version is too low, causing the current sites and related softwares can not be opened properly, please update your java plugin now!" then it will automatically download a file named "Setup".

I have tried the Malwarebytes Free Scan and a few other options but it does not seem to go away and it is very annoying as every two or three tabs are interrupted by this.

I would greatly appreciate your help.

I have attached the two FRST files below.

Thanks in advance!

FRST.txt

Addition.txt

deeprybka · August 16, 2014

Hi & :welcome:
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully. :excl:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Step 1

Scan with Malwarebytes Antimalware

Please update the database by clicking on the "Update Now" button.
Following the update and click "Settings" and go to "Detection and Protection"
Make sure "Scan for Rootkits" is checked.
Click on Dashboard, then click on Scan Now to start the scan.
(If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.)
A window with an option to view the detailed log will appear. Click on "View Detailed Log".
After viewing the results, please click on the "Copy to Clipboard" button and then OK.
Return to our forum. Paste your log into your next reply.

Step 2

Upload File(s) to
I want you to upload the following file(s) to an online virus-scanner to scan.

Please go to https://www.virustotal.com/
Click the Choose File button.
Please copy/paste the following text into the 'File name:' box:
```
 C:\Users\Dr.Do\Downloads\setup (3).exe
```
Click Open then click the Scan it! button just below.
This will scan the file. Please be patient.
If you get a message saying File already analyzed: click Reanalyse
Copy and Paste the link of the result page in your reply;

swillesden · August 16, 2014

Here is the log from malwarebytes:

OS: Windows 8

CPU: x64

File System: NTFS

User: Dr.Do

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 327285

Time Elapsed: 15 min, 53 sec

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Warn

PUM: Enabled

Processes: 0

(No malicious items detected)

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

Registry Values: 0

(No malicious items detected)

Registry Data: 0

(No malicious items detected)

Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)

Physical Sectors: 0

(No malicious items detected)

(end)

swillesden · August 16, 2014

Here is the link to the results page:

https://www.virustotal.com/en/file/6afa29b532dd1ac557c793e7f63c1f60ac47a56e237fc46fcfde07f3e8eb304e/analysis/1408213623/

deeprybka · August 16, 2014

Hi,

as you can see, you did right to decline this "setup".

Step 1

Please download and install Revo Uninstaller Free
note: there is no need to click anything on that page, the download will start automatically
Double click Revo Uninstaller to run it
From the list of programs double click on the listed program(s), or anything similar, to remove it:
```
Vuze Remote Toolbar v9.6
```
When prompted if you want to uninstall click Yes
Be sure the Moderate option is selected then click Next
The program will run, If prompted again click Yes
When the built-in uninstaller is finished click on Next
Once the program has searched for leftovers click Next
Check the items in bold only on the list then click Delete
note: you may have to expand some folders by clicking the "+" mark
When prompted click on Yes and then on Next
Put a check on any folders that are found and select Delete
When prompted select Yes then Next
Once done click Finish

Step 2

Please run AdwCleaner (by Xplode).

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select "Run As Administrator"
Click on the Scan button.
After the scan has finished, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
After rebooting, a log file (that is saved in C:\AdwCleaner[s#].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.

Step 3

Please start a scan with ESET Online Scanner.

Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
Start esetsmartinstaller_enu.exe with administartor privileges.
Select the option Yes, I accept the Terms of Use and click on Start.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
Click on Start. The virus signature database will begin to download. This may take some time.
When completed the Online Scan will begin automatically.
Note: This scan might take a long time! Please be patient.
When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
Now click on Finish
A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!

swillesden · August 16, 2014

Hi there,

Thanks for the reply.

What is a Vuze Remote Toolbar? Is it a virus?

I tried uninstalling it via the program but I get these errors: http://puu.sh/aVcMN/2345f704d9.png
http://puu.sh/aVcUc/0b1ad2eab3.png

I closed the errors and the uninstall finished and I deleted the bold folders.

(running the AdwCleaner now)

deeprybka · August 16, 2014

Hi, this is Adware.
I guess that in previous scans the "uninstaller" component has been deleted.

(running the AdwCleaner now)

OK!

swillesden · August 16, 2014

Here is the log from AdwCleaner:

# AdwCleaner v3.306 - Report created 16/08/2014 at 20:12:45

# Updated 15/08/2014 by Xplode

# Operating System : Windows 8 (64 bits)

# Username : Dr.Do - DRDO

# Running from : C:\Users\Dr.Do\Desktop\AdwCleaner (2).exe

# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17054

-\\ Google Chrome v36.0.1985.143

[ File : C:\Users\Dr.Do\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [771 octets] - [16/08/2014 20:11:59]

AdwCleaner[s0].txt - [693 octets] - [16/08/2014 20:12:45]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [752 octets] ##########

deeprybka · August 17, 2014

OK. And ESET please.

swillesden · August 17, 2014

Here is the ESET log:

ESETSmartInstaller@High as downloader log:

all ok

ESETSmartInstaller@High as downloader log:

all ok

ESETSmartInstaller@High as downloader log:

all ok

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.7623

# api_version=3.0.2

# EOSSerial=6b0678cf62d222429d9cd1d111b5a1d0

# engine=19694

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2014-08-16 09:04:15

# local_time=2014-08-16 10:04:15 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=6.2.9200 NT

# compatibility_mode_1=''

# compatibility_mode=5893 16776573 100 94 18389 12613944 0 0

# scanned=346876

# found=11

# cleaned=0

# scan_time=6075

sh=7477F17DB08C6A9FD899B3018FF658E3C73E31E2 ft=0 fh=0000000000000000 vn="a variant of Win32/Toolbar.Widgi.G potentially unwanted application" ac=I fn="C:\Program Files\Vuze\spg.zip"

sh=B20B0BD8E5CDD280C5DC922FFD896DF50D208CB7 ft=1 fh=59ddf8c2c6946d84 vn="a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application" ac=I fn="C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe"

sh=860EFD5893E4DD4E820227B7DEAD144F974456AC ft=1 fh=c0b9ed8dfe12ffb8 vn="a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application" ac=I fn="C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat"

sh=E5AEA132717DC028CA04E18E22CCC63A21069F39 ft=1 fh=c00377609a38d16f vn="a variant of Win32/HackTool.Crack.BQ potentially unsafe application" ac=I fn="C:\Program Files (x86)\Torchlight II\steam_api.dll"

sh=3A2CB309B6CFCE58A9EF088FDB2991FCD310BD51 ft=1 fh=c71c001198f425ea vn="Win32/InstalleRex.M potentially unwanted application" ac=I fn="C:\ProgramData\InstallMate\{8888C22F-5D14-4C61-AE8A-1536536BE0D9}\Custom.dll"

sh=3A2CB309B6CFCE58A9EF088FDB2991FCD310BD51 ft=1 fh=c71c001198f425ea vn="Win32/InstalleRex.M potentially unwanted application" ac=I fn="C:\Users\All Users\InstallMate\{8888C22F-5D14-4C61-AE8A-1536536BE0D9}\Custom.dll"

sh=9636E15DB2554D33F7A04F5CF2F7ED3C44EBEECB ft=0 fh=0000000000000000 vn="JS/Exploit.Agent.NHE trojan" ac=I fn="C:\Users\Dr.Do\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9VCFJBXZ\g4ogbcevp9[1].htm"

sh=C8ED85CBB679DFF0D72E7D8C79CE5E74B5EFADE0 ft=1 fh=37dd7ede875c1f3d vn="a variant of Win32/ClientConnect.A potentially unwanted application" ac=I fn="C:\Users\Dr.Do\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ORYLRWFV\spstub[1].exe"

sh=40CE0A58E99858007E5DCD0BB5BF6A122686A917 ft=1 fh=f92770b35775886c vn="Win32/Somoto.C potentially unwanted application" ac=I fn="C:\Users\Dr.Do\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QZEX0BYE\BiTool[1].dll"

sh=861BC6E83375DE59B304035C773469F510483931 ft=1 fh=c8c07ed958be4d81 vn="Win32/Somoto.G potentially unwanted application" ac=I fn="C:\Users\Dr.Do\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SM73GP0E\setup[1].exe"

sh=B77FD52500A486A3100CB3A578331C0D6C248E58 ft=1 fh=bffb84886b7392d4 vn="a variant of Win32/ClientConnect.A potentially unwanted application" ac=I fn="C:\Users\Dr.Do\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V4E9UBET\SPSetup[1].exe"

ESETSmartInstaller@High as downloader log:

all ok

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.7623

# api_version=3.0.2

# EOSSerial=6b0678cf62d222429d9cd1d111b5a1d0

# engine=19694

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2014-08-17 10:15:33

# local_time=2014-08-17 11:15:33 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=6.2.9200 NT

# compatibility_mode_1=''

# compatibility_mode=5893 16776573 100 94 65867 12661422 0 0

# scanned=496353

# found=34

# cleaned=0

# scan_time=47416