Webhelper infection
Shunt (Posted messages: 7, Status: Member)
Malekal_morte- (Posted messages: 178136, Status: Moderator, Security Contributor)
Hello,
My PC has Windows Defender and Malwarebytes Premium. In the processes, when I open uTorrent, two processes utorrentie.exe appear. Signature RemotelE.exe, description Webhelper, located in AppData/Roaming/utorrent/updates/3.4.5_41372. I can't seem to get rid of them; I have tried with Malwarebytes, Avira, then Defender, CCleaner, Roguekiller... I used OTL to create reports, if anyone can help me to kill this.
Thank you,
Shunt
5 answers
No antivirus:
install Avast!: https://www.malekal.com/tutoriel-antivirus-avast/
(In particular, enable PUP detection so that parasitic programs and adware are detected.)
Here is the correction to perform with FRST.
You can refer to this explanatory note with screenshots to help you: https://www.malekal.com/tutoriel-farbar-recovery-scan-tool-frst/#fix
Open Notepad: Windows Key + R, in the run field, type notepad and OK.
Copy/paste the following into it:
HKU\S-1-5-18\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
2016-01-20 01:27 - 2016-01-20 01:27 - 00000000 ____D C:\Program Files (x86)\SEARCH~1
ProxyServer: [S-1-5-21-753848071-1856887396-2643092716-1000] => localhost:8080
2016-01-20 01:39 - 2016-01-21 17:49 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-01-20 01:39 - 2016-01-21 17:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-01-20 01:39 - 2016-01-20 01:39 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
Once the text is pasted into Notepad:
File menu, then Save As.
On the left, navigate to the Desktop.
In the bottom field, for the file name, enter: fixlist.txt
Click Save; this will create a fixlist.txt file on the Desktop.
Restart FRST and click the Fix button.
Depending on how it goes, a restart may be necessary (not mandatory).
A text file will appear; copy/paste its content here in a new message.
Restart your computer, then reset your browsers:
==================================
Reset your browsers and/or manually reconfigure your web browsers (homepage, search engine, etc.) and remove/disable unnecessary or rogue extensions:
- Firefox: https://www.malekal.com/reparer-firefox/?t=36057&start=
- Google Chrome: https://www.malekal.com/reparer-google-chrome/?t=35837&start=
- Internet Explorer and add-ons/search engines: https://forum.malekal.com/viewtopic.php?t=41399&start=
--
Like the angel you are, you laugh creating a lightness in my chest,
Your eyes they penetrate me,
(Your answer's always 'maybe')
That's when I got up and left -
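Before applying a fixlist like the one above, it helps to look for yourself at the two kinds of locations it touches: autostart values under the Run keys, and the per-user WinINET proxy setting (the fixlist removes a ProxyServer value pointing at localhost:8080). The PowerShell below is an added example, not code from the thread or from FRST: it lists every Run-key value with the Authenticode status of the executable it launches, and reports the proxy setting, flagging a loopback proxy. The registry paths are the standard Windows ones; the loopback pattern and the choice of keys to audit are this example's own assumptions.

```powershell
# Added example, not code from the thread or from FRST. Audits the two kinds of
# entries the fixlist above removes: Run-key autostart values and the per-user
# WinINET proxy. Run from an elevated prompt so HKLM (and HKU, if mapped) is readable.

function Get-RunKeyAudit {
    # Standard autostart locations. The fixlist entry lives under HKU\S-1-5-18
    # (the SYSTEM account's hive); to include other hives, map the drive first:
    #   New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    # and add 'HKU:\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run' below.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            # PSPath, PSChildName, ... are provider metadata, not registry values
            if ($v.Name -like 'PS*') { continue }
            $cmd = [string]$v.Value
            # The executable is either the quoted first token or the first space-separated token
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
            } else { 'FILE MISSING' }
            [pscustomobject]@{ Key = $key; Name = $v.Name; Command = $cmd; Signature = $status }
        }
    }
}

function Get-ProxyAudit {
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $server = [string]$inet.ProxyServer
    [pscustomobject]@{
        ProxyEnable = $inet.ProxyEnable
        ProxyServer = $server
        # A loopback proxy (like localhost:8080 in the fixlist) means a local program is
        # interposing itself on web traffic; it is only legitimate if you installed that program.
        # The pattern covers both the plain "host:port" form and the "http=host:port;..." form.
        Loopback    = [bool]($server -match '(^|=)(localhost|127\.0\.0\.1)(:\d+)?(;|$)')
    }
}

Get-RunKeyAudit | Format-Table -AutoSize
Get-ProxyAudit | Format-List
```

A Run value whose target is missing or unsigned, or a loopback proxy you do not recognise, is what this audit surfaces; the report it prints is the same kind of information FRST lists, so the two can be compared before a fixlist is written.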
Re:
Results of the Farbar Recovery Scan Tool (x64) Version:18-01-2016
Executed by DS (2016-01-21 22:41:50) Run:1
Executed from C:\Users\DS\Desktop
Loaded Profiles: DS (Available Profiles: DS)
Boot Mode: Normal
==============================================
fixlist contents:
HKU\S-1-5-18\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
2016-01-20 01:27 - 2016-01-20 01:27 - 00000000 ____D C:\Program Files (x86)\SEARCH~1
ProxyServer: [S-1-5-21-753848071-1856887396-2643092716-1000] => localhost:8080
2016-01-20 01:39 - 2016-01-21 17:49 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-01-20 01:39 - 2016-01-21 17:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-01-20 01:39 - 2016-01-20 01:39 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotPostWindows10UpgradeReInstall => value(s) deleted successfully
C:\Program Files (x86)\SEARCH~1 => moved successfully
HKU\S-1-5-21-753848071-1856887396-2643092716-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value(s) deleted successfully
C:\Program Files (x86)\Spybot - Search & Destroy 2 => moved successfully
C:\ProgramData\Spybot - Search & Destroy => moved successfully
C:\Windows\System32\Tasks\Safer-Networking => moved successfully

End of Fixlog 22:41:50
I have Windows Defender as my antivirus! Isn't that good?
OK, about utorrentie.exe: you can't see anything with Task Manager.
Use Process Explorer, look for utorrentie.exe (webhelper), double-click on it, and in your reply copy/paste the content of the PATH field.
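The PATH field the moderator asks for is the on-disk location of the running image. As an added example (not code from the thread, from uTorrent or from Process Explorer), the PowerShell below collects that same information for every running instance of the process, together with the Authenticode signer and the SHA-256 that can be looked up on VirusTotal. The process name comes from the thread; the expected-folder check under %APPDATA%\uTorrent is based on the path the original post reports and is this example's assumption.

```powershell
# Added example, not code from the thread or from uTorrent/Process Explorer.
# For each running instance of the named process, report what Process Explorer's
# PATH field shows, plus the signature status and the SHA-256 of the image.

$name = 'utorrentie.exe'   # process name as reported in the thread

function Get-ProcessImageReport {
    param([string]$ProcessName)

    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ProcessName'"
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $report = [ordered]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId     # should be the uTorrent process itself
            Path        = $path                  # the PATH field asked for above
            CommandLine = $p.CommandLine
        }
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $report.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            $report.SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            $report.SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # Assumption for this example: a genuine uTorrent helper lives under
            # %APPDATA%\uTorrent\ (the original post reports ...\utorrent\updates\<version>\).
            # -like is case-insensitive, so the folder name's casing does not matter.
            $report.InUTorrentDir = $path -like (Join-Path $env:APPDATA 'uTorrent\*')
        } else {
            $report.Note = 'image path not readable (access denied, or the process already exited)'
        }
        [pscustomobject]$report
    }
}

$found = Get-ProcessImageReport -ProcessName $name
if ($found) { $found | Format-List } else { "No running process named $name" }
```

Run it while uTorrent is open, since the helper only exists as a process then. The SHA256 value is what to paste into the VirusTotal search box; a Path outside the expected folder or a signature status other than Valid is the signal to keep investigating rather than to conclude anything on its own.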
I can't find the PATH field?? So the only copyable field is the String tab, which created a .txt file that is as follows:
[Strings dump from the utorrentie.exe binary, roughly 900 lines of mostly unprintable code fragments. The only readable strings are the DOS stub message "!This program cannot be run in DOS mode.", the "Rich" header marker, the PE section names .text, .rdata, .data, .rsrc and .reloc, and the import name ADVAPI32.DLL. No file path appears in it.]
You need to double-click on utorrentie.exe and you will see the PATH field.
Okay, I'm not too familiar with uTorrent, but I would say it's not malicious.
Can you submit the file to https://www.virustotal.com/gui/ and provide the link?
This file was last analysed by VirusTotal on 2016-01-23 04:34:40 UTC (9 hours, 14 minutes ago) and was first analysed by VirusTotal on 2015-11-18 19:57:33 UTC.
Detection ratio: 0/54
Exactly, I think it's a free utorrent application!
In any case, thank you for the time spent helping me. Nothing serious after all!
Hello,
Start with this:
Follow the AdwCleaner tutorial (by Xplode)
This program allows you to remove adware and PUPs:
- Download it to your desktop or downloads folder.
- Run AdwCleaner, click on [Scan].
- The scan may take several minutes, please be patient.
- Once the scan is complete, do not uncheck anything, click on [Clean].
- Once the cleaning is done, a report will open. Copy/paste the content of the report into your next response.
If that doesn't work, use the site http://pjjoint.malekal.com to host the report, give the link to the report in a new message.
Note: The report is also saved under C:\AdwCleaner[S1].txt
Then:
Follow the FRST tutorial.
(and take the time to read in order to apply it correctly - everything is explained there).
Download and run the FRST scan, it will generate three FRST reports:
- FRST.txt
- Shortcut.txt
- Additional.txt
Send, as explained, these three reports to the site http://pjjoint.malekal.com and return with the three pjjoint links that lead to those reports here in a new response so that we can consult them.
# AdwCleaner v5.030 - Report created on 01/21/2016 at 19:05:04
# Updated on 01/17/2016 by Xplode
# Database : 2016-01-19.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : DS - DS_ORD
# Executed from : C:\Users\DS\Desktop\Downloads\adwcleaner_5.030.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

[-] File Deleted : C:\Users\DS\AppData\Roaming\Mozilla\Firefox\Profiles\mdxxlwi7.default-1429313510815\user.js

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

***** [ Browsers ] *****
:: "Tracing" keys deleted
:: Winsock settings reset
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [862 bytes] ##########
Re:
The three links to consult the FRST64 analysis:
https://pjjoint.malekal.com/files.php?id=20160121_s5x10m9w15o11
https://pjjoint.malekal.com/files.php?id=FRST_20160121_k14m11r13v14g15
https://pjjoint.malekal.com/files.php?id=20160121_s12n15h14j10g9
