Removing "Ads by Salus"

  #1  
Old 03-27-15, 10:55 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
This is the second time in two years I picked up some crap from a Firefox update. The page came up and said "loading updates" or something like that. Then an hour or two later I saw it again. I believe I clicked on the same thing twice. Now I have ads above the page and on the left.

Ad Blocker helps but slows the page loads to a crawl. I've tried every remedy I found on the net. This "bug" affects all three browsers just about the same.

I have Malwarebytes Pro which removed some things but didn't cure the problem.

I'm running Microsoft Security Essentials which hasn't said a peep or picked up anything during a scan.

AdwCleaner, AVG, and a couple of others.

I keep seeing "powered by Salus" and "ads by Salus".

The biggest pain is when I click on the screen.... a new page will open for an ad.

Anyone fought this and won ?
 
  #2  
Old 03-27-15, 11:34 PM
Member
Join Date: Mar 2015
Location: Canada
Posts: 186
Bring up Windows Task Manager and go through your processes and look at any running file which you don't recognize. This is what the AVG Secure Search toolbar did to me. Even after I "uninstalled" it one process continued to run and would rebuild the file. If you don't recognize a running process then right click on it and have a look at its properties. It'll tell you what folder it's in, which is a good hint on whether it should be running or not.

Run regedit and do a search through your registry for any processes that are questionable. Also search for "SALUS" or any other common name which keeps coming up with these ads.

Remember to back up your registry before you delete things.
 
  #3  
Old 03-28-15, 12:35 AM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
Pete, I'm just about ready to hit the hay and sleep but I saw your post. See the little square on the right hand top side of Firefox? Click on that square and look for Customize to your left and the question mark to your right. You want the question mark; click on that and then look for Troubleshooting Information, now click on Refresh and that should clean out the bad stuff in your browser. You can also disable add-ons but try Refresh first and then disable add-ons if you need to. If that doesn't work let me know, and be careful in the registry and only go into it if you have to.
 
  #4  
Old 03-28-15, 04:00 AM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Add the NoScript add-on to Firefox. Allow scripts site by site as needed. First see if you can uninstall it from the Control Panel, Add & Remove Programs or Programs & Features. Depending on what version of Windows you have, open the startup folder through msconfig & disable whatever you don't need to load into memory at boot time, which is all of it but you decide. Run regedit, click Edit & Find. Search for Salus & delete the entry. Press F3 & it will search for the next entry. Delete that & continue with F3 until all are gone. Update & run Malwarebytes too. That should stop that & any other garbage that is attacking. The only problem that I ever had with Firefox updates had to do with FF using too much memory & CPU time.

For Windows 8, follow:

Remove "Ads by Salus" virus (Adware Removal Guide)

Other sites:

http://www.securitystronghold.com/ga...salus-ads.html
http://www.freefixer.com/b/remove-salus-adware/
 
  #5  
Old 03-28-15, 05:15 AM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
At first I was fighting this from the user side until I realized I needed to be in the admin side. I was a little vague last night.... burnt out.

Running Vista Business (may be on its way out). I use this comp for programming alarm panels. The admin side doesn't go online, just the user side does. I'm pretty careful what sites I go on so I don't know 100% how I got this redirect/ad virus.

I tried doing a system restore to before this all happened and it didn't help. I know the restore was attempted because a program I loaded was gone. I tried disabling the add-ons. This virus affects FF, IE, and Chrome. Originally there was a redirect added to the shortcut address. I found how to remove that online.

I used Refresh and even went back in FF restore and used previous version. I saw the Salus in the registry and it was removed by either AdwCleaner or Malwarebytes. I don't want to mess with the registry. Interestingly the first time or two I looked at the registry I saw lists of programs. Now I see HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG. So I'm a little lost finding the program names I had seen previously. Is what I need to look at in one of those folders ?

No Salus found in Regedit search.

On edit.... just ran NoScript. That is 100% effective in FF. Everything looks and acts normally. I didn't have to allow DIY... and it seems to be ok. I did notice an info bar at the bottom of the page... It says "scripts currently forbidden | <script> 37 | <object> 0" and all the way to the right is an options button. I see a lot of choices in there. Is that where I would "allow" a script ?
 

Last edited by PJmax; 03-28-15 at 06:12 AM.
  #6  
Old 03-28-15, 05:44 AM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
I see NoScript has affected the site. It removed or is not allowing the text editor to work properly. I left paragraphs above.

Ok.... I'm starting to figure out the NoScript permissions.

Since this fix only works with FF, I'm still going to look into removing the problem.

As always..... thanks for your help. You guys are the best.


Question.... is it possible to use NoScript to see what it's blocking and then know what to look for ? I haven't seen any mention of Salus in the scripts.
 

Last edited by PJmax; 03-28-15 at 06:18 AM.
  #7  
Old 03-28-15, 06:55 AM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
You still have to remove Salus no matter what. On the DIY site, click the options box in the lower right hand corner & click allow diy.com. That will allow the basic scripts to run & the text editor will work. I don't allow all scripts to fully run.

In another thread I mentioned that the millionaire owners of this site collect money from other sites whom they allow to collect info from this site. With NoScript, you will see the list of those sites that are permitted to run those scripts. Google alone is running about 7 scripts. Who needs it? We certainly don't. It's no wonder all kinds of garbage gets deposited on your PC when you surf the net.
 
  #8  
Old 03-29-15, 09:26 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
When I ran the Malwarebytes Pro (I have the paid version) scan it came up with the Salus stuff in the registry along with some other money making crap and removed it.

When I use any of the three browsers as the admin they are 100% fine. When I log out as the admin and back in to my normal user section the adware problems are still present.

I tried resetting IE and Chrome with no change.

Any thoughts ?
Maybe kill my user account and start another ?
 
  #9  
Old 03-30-15, 01:11 AM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
This looks like a rather persistent add-on. I think what needs to be done now is a download of HijackThis. Normally I wouldn't suggest it as it is a powerful program and if used wrong can damage your operating system, but it will allow you to look at your registry and anywhere else that it may be hiding. A log can be made and you can copy and paste that log directly here, or put it into a word processor and then edit some things you don't want to show and then post the log. Here is the link http://sourceforge.net/projects/hjt/ just be careful and we will try to help you.
 
  #10  
Old 03-30-15, 03:18 AM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
PJmax What you are saying is that the admin profile is clean & the normal user isn't. You can either try to run malwarebytes while logged in as the normal user OR delete that user's profile completely, which is what I would do.

Before Facebook became popular, my youngest brother who was 40 at the time insisted on using My Space. He kept getting infected & I had to delete his profile & create a new one more than once. I kept telling him to stay off those stupid sites but he wanted his 15 minutes of fame.

You can also try to reset each of the browsers while logged into that profile. If you want to use HijackThis, run it while logged in as the user & post it or send it to me. I'll tell you what to delete.
 
  #11  
Old 03-30-15, 05:41 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
I had run Malwarebytes Pro on full scan and it turned up nothing. A full scan from Microsoft Essentials turned up nothing.

After further research into what I have happening someone recommended running SpyNoMore so I ran it. It found two registry issues. I'll post them and you guys tell me what you think. SpyNoMore offered to remove the threats with a payment.

It's posted on photobucket so you can click on expand to read it.

 
  #12  
Old 03-30-15, 06:42 PM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
I'll tell you how to fix them without paying. The easiest way is to edit the registry. Hold the Windows key. That's between Ctrl & Alt. Press R while holding it. The Run box will appear. Type regedit & press Enter. The screen will be split into 2 windows. On the left side, click the following arrows or plus signs next to each of the following folders.
HKEY_LOCAL_MACHINE
Software
Microsoft
Security Center
Then you will see SVC.AntiVirusOverride. Left click on the folder itself. In the right window, right click on AntiVirusOverride, left click on Modify & change the value from (1) to (0). Press Enter again to solidify it.

Second entry: Go back to the left window. Scroll up until you get to Internet Explorer & click on the arrow or plus sign to the left of it. Scroll down until you see Extension Compatibility. Click on the arrow to the left of that. Scroll down again until you get to the folder that starts with {74f47........} This time right click on the folder itself & left click on Delete. It will ask you for confirmation. You click YES.

Wasn't that easy?
 
  #13  
Old 03-30-15, 06:51 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
It wouldn't allow me to make either change. I'm guessing I need to sign in as admin... correct ?
 
  #14  
Old 03-30-15, 07:04 PM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Yes, try it logged in as administrator.
 
  #15  
Old 03-30-15, 07:21 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
Ok... logged in as admin. The system allowed me to delete the 74f47 file but will not allow me to change the 1 to a 0.

I get this " Cannot edit antivirus override. Error writing the values new content"

I've also noticed this bug is again affecting the admin browsers also.
 

Last edited by PJmax; 03-30-15 at 08:07 PM.
  #16  
Old 03-30-15, 08:31 PM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
Pete, I see what is not technically a virus but is adware and will add in ads; it might, though, also have something riding piggyback alongside it. I would delete SuperfishIEAddon, and if you can't delete it in a regular boot mode I would go into Safe Mode without networking and do that, then go into the registry and delete SuperfishIEAddon and delete AntiVirusOverride. However, save your registry first to an empty flash drive before making any further changes. That way if you make a mistake you can restore what you need to restore; once deleted though you can't.
 
  #17  
Old 03-30-15, 09:07 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
The info in the right hand box is gone. I rescanned and it's no longer there.

Yeah.... I called it a virus for lack of a better word.... adware is correct.

Are you saying to delete antivirus override instead of changing the 1 to a 0 ?

[Attachment: regedit1.jpg]
 
  #18  
Old 03-30-15, 10:22 PM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
Actually Pete, no, I wouldn't do anything. At first I thought it was spyware but now I see it isn't. Here is a link that explains what it does and it will also explain the (1) you see: What Is Microsoft Window Security Center Antivirus Override? | eHow . I think though if me and Pulpo could see more with HijackThis then we could advise you better. You could send it in a PM but the message might be too long so I think you should post it here or e-mail it. I am fairly well versed with the registry and what I am not sure of I look up, like I did just now.

I think having three sets of eyes looking over the report would be best, and what one person doesn't spot the other will. You can then either use regedit or HijackThis to get rid of the problem. I also suggest SuperAntiSpyware if you don't have it already; the free version works great. Malwarebytes is a great program but I have found it can't find everything. I can't work on it much right now as my mom is having cataract surgery and things are kind of crazy, but in my free time I will look it over.
 
  #19  
Old 03-31-15, 01:38 AM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Don't delete that one. Mine shows a value of 0. If you want us to look at Hijack This first, that's OK too.
 
  #20  
Old 03-31-15, 07:52 AM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
I was able to turn antivirus monitoring back on in the security control panel in the admin profile. That 1 is now a 0.

I've done the HijackThis scan and posted it in the next post.
 
  #21  
Old 03-31-15, 08:04 AM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
Running processes:
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Pete\AppData\Local\Amazon Music\Amazon Music Helper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Pete\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = msn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\RegistryController.exe"
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mmy2nwi1zti5zdz] C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Amazon Music] "C:\Users\Pete\AppData\Local\Amazon Music\Amazon Music Helper.exe"
O4 - HKUS\S-1-5-18\..\Run: [GarminExpressTrayApp] "C:\Program Files\Garmin\Express Tray\ExpressTray.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [GarminExpressTrayApp] "C:\Program Files\Garmin\Express Tray\ExpressTray.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\speedbit video accelerator\lsp3.3.7.5\sblsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/...Control_32.CAB
O16 - DPF: {A4199744-C60E-467B-B4DA-38C0729140F6} (Bosch Divar_MR WebViewer Control) - http://68.195.118.218/divar_mr_wv.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Garmin Core Update Service - Garmin Ltd or its subsidiaries - C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: RPSProxy (ProxyManager) - Bosch - C:\RPS\Lib\RPSProxy.exe
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sentinel Security Runtime (SentinelSecurityRuntime) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VideoAcceleratorService - SPEEDbit - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9456 bytes
 
  #22  
Old 03-31-15, 03:46 PM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
So far Pete everything looks good. I notice some Toshiba-specific programs that I might not have recognized had I not already bought a used Toshiba fairly recently and used recovery media I bought from them. Some things I see I am not absolutely positive about so I will dig into this further by the third of April because of my mom's cataract surgery. Just too much running to have to do and no internet available at the hospital tomorrow. The next day after, the doctor's office to have her eye checked.

Just one question though this doesn't look like it was edited but I am asking to confirm that. If it was edited did you see anything unusual in the area that was edited?
 
  #23  
Old 03-31-15, 04:14 PM
Member
Join Date: Mar 2006
Location: Wet side of Washington state.
Posts: 18,452
Likes Received: 12
Salus sounded like the company that put in a bid to take over Radio Shack so I did a search (either Google or Yahoo) on just that single word and the very first thing was this: Salus Removal Guide They say they are a Microsoft partner and it looks to be free but what do I know?
 
  #24  
Old 03-31-15, 05:11 PM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
It is a good idea Furd but all too often I have seen claims that a company is a Microsoft partner only to find out their removal tool is not a removal tool at all but another virus or a Trojan horse. Best to steer clear of those and stick with those things we are absolutely certain of. I unfortunately have had bad experiences going back to Windows 98 and actually being fooled by companies like that. You never know though it could be fine but maybe not.
 
  #25  
Old 03-31-15, 05:31 PM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Everything does not look good.
O4 - HKLM\..\Run: [mmy2nwi1zti5zdz] C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe

Especially that ^^^^.

What about the following entries? Did you install any of those? If not, uninstall them in the control panel or delete them here.

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O23 - Service: RPSProxy (ProxyManager) - Bosch - C:\RPS\Lib\RPSProxy.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: Sentinel Security Runtime (SentinelSecurityRuntime) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
 
  #26  
Old 03-31-15, 06:20 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
LogMeIn..... is the program you use to connect to a remote computer. I did use it but not any longer. I did load it originally but would not be heartbroken to remove it.

Bosch is my alarm company. RPS is the name of the software.

Sentinel/Safe Net is a dongle that is registered with Bosch to allow only my computer to access my alarm panels.

I don't recognize the top line and I have not edited the log. This is the actual scan copy and pasted.

I'm seeing the same ads over and over. There is one by Reimage that I see constantly and is also listed as adware. 53.campaignism. com is another.


I went to the the Salus site. They have a whole spiel on terms of service and abuse of their service. How about abuse of my computer. I'd love to meet them in real life. I'd show them where my laptop could fit just perfectly.
 
  #27  
Old 03-31-15, 06:57 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
Pulpo.... I think you found it. When I search for that file it's in the program files.

Under that I see two headings..... SSL and nss. The nss stuff was imported in 2010 so that's probably ok. Under nss I see this...........


but under SSL I see this........hundreds of lines.......



I don't understand how this wasn't found in a scan. There are literally hundreds of lines.
 
  #28  
Old 03-31-15, 07:06 PM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
At first glance everything did look good, but I found some things Pulpo didn't and agree with at least one that he found that doesn't look right. I copied and pasted those things I don't recognize, but that does not mean I think these are viruses and further research is needed. So I suggest you do a Google search of those things you don't recognize.

Here is what I found
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe
C:\Windows\system32\wbem\unsecapp.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [mmy2nwi1zti5zdz] C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup

The one of most concern is this but I can't say for sure O4 - HKLM\..\Run: [mmy2nwi1zti5zdz] C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe . Just be sure if you delete anything more to make a copy of your registry beforehand. I wish I could help more and look some of those up for you but I can't I have to get up early.
 
  #29  
Old 03-31-15, 07:11 PM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
I think you found it too Pete make a back up though and then delete those in the registry. If you don't have problems then you can just delete the copy. Good luck Pete!
 
  #30  
Old 03-31-15, 08:04 PM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
https://technet.microsoft.com/en-us/.../cc732443.aspx

Certutil is for Windows servers. I don't know why it's on your machine. Sometimes virus writers use MS names as their own. Get rid of all that stuff. You don't need it.
 
  #31  
Old 03-31-15, 08:29 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
I made a copy of the registry and then using HijackThis I had it delete this.......

O4 - HKLM\..\Run: [mmy2nwi1zti5zdz] C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe


EUREKA........... my computer is back to normal.


Not following you with Certutil. Is that something further that needs to be removed ?

Apparently Salus is an actual company. How do they get away with this crap ?
 
  #32  
Old 03-31-15, 08:59 PM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
If certutil.exe is in the system32 folder, keep it. If it's anywhere else, delete it.

Whenever you see an entry with a name like mmi2n2i4zty5yjz.exe, delete it. MS would never have a file name like that.
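Posts #25, #28 and #32 above triage the HijackThis log by eye: the autorun entry whose value name, folder and executable are all letter/digit salad is the one to look at, and the HKLM\..\Run shorthand stands for the Run key under Software\Microsoft\Windows\CurrentVersion. As an added example, not from this thread or from HijackThis, here is a Python script that parses the O4 lines from a constructed subset of the posted log, expands each abbreviated key to its full path, and flags machine-looking names; the functions and the scoring thresholds are my own assumptions, a triage aid rather than a verdict.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4 (autorun) lines from the HijackThis log
# posted in this thread, with the odd-looking entry mixed in among normal ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mmy2nwi1zti5zdz] C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [GarminExpressTrayApp] "C:\Program Files\Garmin\Express Tray\ExpressTray.exe" (User 'SYSTEM')
"""

# HijackThis writes "HKLM\..\Run"; the ".." stands for Software\Microsoft\Windows\CurrentVersion.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Either a quoted path, or an unquoted one up to the first executable-looking extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|dll|bat|cmd))(?=\s|$)', re.IGNORECASE)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}


@dataclass
class AutorunEntry:
    value_name: str
    registry_key: str      # full key the abbreviated HijackThis form refers to
    command: str
    exe_path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def expand_key(hive: str, key: str) -> str:
    """Turn e.g. 'HKUS\\S-1-5-18' plus 'Run' into the full registry key path."""
    root, _, sid = hive.partition("\\")
    prefix = HIVES[root] + ("\\" + sid if sid else "")
    return prefix + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + key


def executable_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from the command part of an O4 line."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def looks_random(token: str) -> bool:
    """Triage heuristic (my assumption, not a HijackThis rule): names that keep
    switching between letters and digits, or long names with almost no vowels,
    look generated rather than chosen by a vendor."""
    letters = [c for c in token if c.isalpha()]
    digit_flips = sum(1 for a, b in zip(token, token[1:]) if a.isdigit() != b.isdigit())
    vowel_ratio = sum(c in "aeiou" for c in token.lower()) / max(len(letters), 1)
    return digit_flips >= 4 or (len(token) >= 12 and vowel_ratio < 0.25)


def parse_o4_lines(log_text: str) -> list:
    """Parse every O4 line, expand its key, and record why a name looks odd."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # R0/R1, O2, O10, O23 sections are out of scope for this example
        exe = executable_path(m["cmd"])
        stem = ntpath.splitext(ntpath.basename(exe))[0]   # ntpath handles C:\ paths on any OS
        folder = ntpath.basename(ntpath.dirname(exe))
        checks = (("value name", m["name"]), ("executable", stem), ("folder", folder))
        reasons = [f"{label} {token!r} looks machine-generated"
                   for label, token in checks if token and looks_random(token)]
        entries.append(AutorunEntry(m["name"], expand_key(m["hive"], m["key"]), m["cmd"], exe, reasons))
    return entries


def flag_suspicious(entries: list) -> list:
    return [e for e in entries if e.suspicious]


if __name__ == "__main__":
    for e in parse_o4_lines(SAMPLE_LOG):
        mark = "SUSPECT" if e.suspicious else "ok     "
        print(mark, e.registry_key + "\\" + e.value_name, "->", e.exe_path)
        for r in e.reasons:
            print("        ", r)
```

A flagged entry is a place to start looking (confirm the folder contents and the publisher, as the thread does), and the expanded key path is where regedit would show the value.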
 
  #33  
Old 03-31-15, 09:13 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
I got to program files and deleted SSL. While it's in the recycling bin I tried the browsers and they either won't connect or very slow.

When I try to delete the whole program file it won't let me.

[Attachment: folde.JPG]
 
  #34  
Old 03-31-15, 09:31 PM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Reset your browser - Restore your browser to default settings

Were the browsers opened when you tried to delete it? If so, close them & retry. If it still doesn't work, try to delete it in safe mode. At last resort, delete whatever you can find in the registry.

Reset all the browsers that you use using the link at the top of the post.
 
  #35  
Old 03-31-15, 09:37 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
The browsers were not open.
I've tried defaulting the browsers.... did not help.

I don't know where to look in the registry..... the full file name is not there

O4 - HKLM\..\Run: [mmy2nwi1zti5zdz] C:\Program Files\Smmy2nwi1zti5zdz\mmi2n2i4zty5yjz.exe
I know it's HK local machine but where from there.... Run ? microsoft ? software ?
 
  #36  
Old 03-31-15, 10:26 PM
PJmax
Group Moderator
Thread Starter
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 51,006
Likes Received: 166
I restarted in safe mode. Went to program files and deleted Smmy2nwi.....yjz.exe and at this time it looks like everything is back to normal.

That folder had 1086 files in it. It's currently sitting in the recycling bin and will be gone soon.
 
  #37  
Old 04-01-15, 04:00 AM
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
That's good news. I still wonder if it were really from the Firefox update or not.
I also use MJ Registry Watcher from:

Mark Jacobs' Evolution Philosophy WAVs OGGs MP3s FLPs MIDIs Music CDs
 
  #38  
Old 04-01-15, 04:29 AM
Member
Join Date: Jan 2011
Location: United States
Posts: 2,446
I agree Pete that is great news. I followed some of what is going on last night as I couldn't sleep much but didn't give further advice; I just had too much to think about. I kind of doubt it was a Firefox update; Mozilla watches out for things like that much more than Microsoft does with IE. You could have picked that up very easily by going to an unsafe website or from an e-mail. Which website it could have been who really knows; it could have even been a bank you went to where it was picked up. Hackers don't discriminate either between big or little banks; they just hack.
 