malwareprotectionclient??? How to get rid of?

How do I get rid of it.  It's not on my control panel!
I didn't install it at all.  How did it get into my pc?
brothertruffle880 asked:

Scott C (Senior Engineer) commented:
Install Malwarebytes and do a thorough scan and clean.

https://www.malwarebytes.org/

Also have your AV do a deep scan and clean.

How did it get on there?  Possibly clicking on an errant link, visiting a site that got through your current protection, etc...it's hard to know for sure.
0
brothertruffle880 (Author) commented:
Malwarebytes did NOT get rid of it.
Is there another tool that would?
0
Scott C (Senior Engineer) commented:
Try AVG.

http://free.avg.com/us-en/homepage

With virus/malware the only 100% guarantee is to backup the data, wipe the machine and reinstall.

I'll see if there is anything else that MIGHT work.
0

Gerwin Jansen (EE MVE, Topic Advisor) commented:
Can you check add-ons / extensions for your browsers? It may be 'hidden' there. If you find any unknown extras, remove them.
0
brothertruffle880 (Author) commented:
I don't see it in MSCONFIG either.  Ugggh.
0
Scott C (Senior Engineer) commented:
This says it will get rid of it.

http://greatis.com/blog/how-to-remove-malware/malwareprotectionclient-exe.htm

I have no way to know for sure as I have no way to test it.

But your first order of business is to make a backup of your data now.

Can you do a system restore to a time before this appeared?

And be prepared to do a bare metal rebuild.
0
brothertruffle880 (Author) commented:
Gerwin.  I checked the add-ins and I don't have anything that I can't identify.

This is in my systray.  Where in the registry is the list of programs shown in the systray?
0
Scott C (Senior Engineer) commented:
Try here...

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify]
0
Gerwin Jansen (EE MVE, Topic Advisor) commented:
Can you find it in task manager (view all processes), then properties of the process and find out where it is installed?

hijackthis will show you just about all locations that auto start applications: http://sourceforge.net/projects/hjt/
1
brothertruffle880 (Author) commented:
Hi Scott:
Here's what I have in my tray notify.
Can you explain or give me a link to explain the various lines?
I'm trying to find where this MalwareProtectionClient is located.
0
brothertruffle880 (Author) commented:
Gerwin:
I don't see Malware Protection Client anywhere in my task manager all processes screen. (See graphic of my processes)
0
brothertruffle880 (Author) commented:
Hi Gerwin:
Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 8:48:29 PM, on 8/18/2015
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17937)


Boot mode: Normal

Running processes:
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\TechSmith\Snagit 11\Snagit32.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\TechSmith\Snagit 11\TSCHelp.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\TechSmith\Snagit 11\snagiteditor.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Users\brant\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\22.5.2.15\coIEPlg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\22.5.2.15\coIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~2\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Policies\Explorer\Run: [BtvStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe"
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: Snagit 11.lnk = C:\Program Files (x86)\TechSmith\Snagit 11\Snagit32.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.dell.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device Service - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AtherosSvc - Windows (R) Win 7 DDK provider - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\SysWOW64\brsvc01a.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: Intel(R) Capability Licensing Service Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel(R) Capability Licensing Service TCP IP Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
O23 - Service: Intel(R) ME Service - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\22.5.2.15\NIS.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: ZAtheros Wlan Agent - Atheros - C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe

--
End of file - 11584 bytes


0
Scott C (Senior Engineer) commented:
Trust me on this.  You are going to wind up doing a full wipe and restore of your computer.

When it comes down to Malwarebytes and your AV not getting rid of something, it is so embedded that you will never be 100% sure you got rid of it.
0
Merete commented:
brothertruffle880, your HijackThis log is fine other than that IE is a bit outdated.
According to file.net, "What is Client.exe?":
Description: Client.exe is not essential for Windows and will often cause problems.
The file Client.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows 8/7/XP are 1,437,696 bytes (11% of all occurrences), 5,812,224 bytes
It is not a Windows core file.
There is no description of the program. The program has no visible window.
Client.exe is able to record keyboard and mouse inputs, monitor applications, hide itself and connect to the Internet.
Therefore the technical security rating is 44% dangerous; however you should also read the user reviews.
If any problems with RocketTab or “RocketTab” occur, you can also uninstall it from your computer using the Control Panel applet "Add/Remove programs".
Read for more description:
http://www.file.net/process/client.exe.html
Try this removal tool:
Remove RocketTab\Client.exe startup error (Client.exe search extensions)
http://nabzsoftware.com/types-of-threats/rockettab-client-exe
0
Gerwin Jansen (EE MVE, Topic Advisor) commented:
@merete - Where do you see "client.exe"? I don't see it in tasklist nor hjt log?
0
Gerwin Jansen (EE MVE, Topic Advisor) commented:
This 'application' is usually located in your user profile under:
c:\users\<your username>\appdata\local\malwareprotectionlive (the executable will be here)

A common startup location for this would be in the registry under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (look for a key with malware.. in it)

Can you see if you have that registry key and if so, remove it. Then reboot and see whether it returns. If it doesn't remove it from the appdata\local folder (you probably won't be able to while it is running).
1
brothertruffle880 (Author) commented:
Gerwin:
I don't see the registry key entry for malware.  Here's what I got:
I went into the folder tree you specified and the malwareprotectionclient folder had no files but did have a subfolder called quarantine.  Nothing in there either.
I deleted both folders.  I'm going to reboot and see what happens.
0
brothertruffle880 (Author) commented:
Scott Cha:
How can I decipher this?
I want to try to get rid of this malware thing by any available means.  If all avenues fail, then I'll start from scratch.
Re-formatting/re-imaging, etc. my PC is a multi-day process given all the apps I have loaded on it.  I also have to do a data backup; this is a multi-hour task.
I also have to locate all my license/product ID numbers, etc.  These are not pleasant activities.  I'm hoping I can clean this out without the soul-sucking task of starting from scratch.
0
brothertruffle880 (Author) commented:
Thanks Merete.   I had a feeling my  overall status was okay.
0
Gerwin Jansen (EE MVE, Topic Advisor) commented:
It looks like the malwareprotectionclient has been removed but only the entry in the notification area is remaining. Deleting both iconstreams and pasticonstreams should fix that. Export that part of the registry as a backup to be safe. After removing the 2 keys and restarting explorer (kill it through task manager and start a new one using new task, typing explorer.exe) your issue should be fixed.
1
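Added example, not from the thread or from any of the posters: a PowerShell script that decodes the TrayNotify cache Gerwin refers to, so you can see which executables Explorer still remembers before deleting anything. It assumes the Windows 7 layout of the IconStreams and PastIconsStream values (a 20-byte header, then 1640-byte records whose first 528 bytes hold the executable path as UTF-16LE with ROT13 applied to the letters); the value name spellings are Windows', the thread's "pasticonstreams" is the same value.

```powershell
# Added example (not from the thread). Assumes the Windows 7 TrayNotify layout:
# 20-byte header, 1640-byte records, path = first 528 bytes, UTF-16LE + ROT13.

function ConvertFrom-Rot13 {
    param([string]$Text)
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }  # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }  # a-z
        else                               { $ch }                               # digits, \ : . untouched
    }
    -join $out
}

function Get-TrayNotifyPaths {
    param([byte[]]$Blob, [int]$HeaderSize = 20, [int]$RecordSize = 1640, [int]$PathBytes = 528)
    for ($off = $HeaderSize; $off + $PathBytes -le $Blob.Length; $off += $RecordSize) {
        $raw = [System.Text.Encoding]::Unicode.GetString($Blob, $off, $PathBytes)
        $nul = $raw.IndexOf([char]0)                     # path is NUL-terminated inside the field
        if ($nul -ge 0) { $raw = $raw.Substring(0, $nul) }
        if ($raw.Length -gt 0) { ConvertFrom-Rot13 $raw }
    }
}

# Same key Scott pointed at earlier in the thread.
$key = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify'
foreach ($name in 'IconStreams', 'PastIconsStream') {
    $blob = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $blob) { Write-Output "$name : not present"; continue }
    Write-Output "== $name =="
    Get-TrayNotifyPaths -Blob $blob | ForEach-Object {
        # Flag the name this thread is about; everything else is listed for review.
        if ($_ -match 'malwareprotection') { "$_   <-- matches" } else { $_ }
    }
}
```

Explorer holds this cache in memory and writes it back to the registry when it exits, so values deleted while explorer.exe is still running come back on the next logon; end the explorer.exe process first, delete the two values, then start Explorer again. An entry here only means the icon was shown at some point and is not evidence that the program is still installed or running.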
brothertruffle880 (Author) commented:
Hi Gerwin Jansen:
Here are the four entries for iconstreams:
Which one should I delete?
HKCR?  
Question:  At boot time doesn't HKCU get created based on the contents of HKCR and HKLM?
Thanks again!
BR
0
Gerwin Jansen (EE MVE, Topic Advisor) commented:
HKCU (current user) would be the place to remove the 2 keys (backup them just in case). Note that you should delete both iconstreams and pasticonstreams under HKCU.
1

brothertruffle880 (Author) commented:
Hi Gerwin:
I removed the two keys and rebooted.  The entry re-appeared when I logged on again.
Uggggh.
IMPORTANT QUESTION:  
Where is the information inside iconstreams and pasticonstreams retrieved from? There must be a registry key where this data is coming from.

Prior to the icons appearing in the systray, the entry must exist somewhere.  What is that location.  I can delete it at its source.

 
0
Merete commented:
brothertruffle880, to answer a little, have a look in your start-up list:
go to your Start orb > in the Run box type msconfig and press Enter,
look in Startup and untick them if present; anything in this list starts with Windows when you boot up.
Another place to look in is C:\ProgramData
C:\Users\User\AppData
C:\Users\User\AppData\Local
C:\Users\User\AppData\Local\Microsoft
C:\Users\User\AppData\Roaming
You need to have show hidden files enabled.
C:\Program Files\Common Files (also the x86 one on Windows 7 x64)
1
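Added example, not from the thread or from any of the posters, covering the locations Gerwin (the Run key and the AppData\Local folder) and Merete (msconfig's startup list, the AppData and ProgramData folders) name above: a PowerShell script that lists every autostart entry whose name or command matches a pattern. It goes one step further than the thread by also checking scheduled tasks, which msconfig does not show. It assumes PowerShell 3.0 or later and English column names from schtasks.exe; the pattern value is a placeholder to adjust.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ and an English locale.
$Pattern = 'malwareprotection'   # placeholder: the name this thread is hunting for

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-RunKeyEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PSPath, PSParentPath etc. are not values
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath   # resolve the .lnk target
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $target }
        }
    }
}

function Get-ProfileFolders {
    # Folder names under the locations Merete lists; hidden folders included (-Force).
    foreach ($base in $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData) {
        Get-ChildItem -Path $base -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $base; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ScheduledTaskEntries {
    # schtasks verbose CSV works on Windows 7, where Get-ScheduledTask does not exist.
    # The header row repeats per task folder, so drop rows whose TaskName is the header.
    schtasks.exe /query /v /fo CSV 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } | ForEach-Object {
            [pscustomobject]@{ Source = 'Scheduled task'; Name = $_.TaskName; Command = $_.'Task To Run' }
        }
}

$all = @(Get-RunKeyEntries -Keys $runKeys) + @(Get-StartupFolderEntries) +
       @(Get-ProfileFolders) + @(Get-ScheduledTaskEntries)
$all | Where-Object { "$($_.Name) $($_.Command)" -match $Pattern } |
    Format-Table Source, Name, Command -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys and ProgramData are readable, and note that a hit in the folder list is only a folder name; the Source column tells you whether something actually starts it.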
brothertruffle880 (Author) commented:
Dear All:
Well, I turned on my pc yesterday and when I checked the systray the malwareprotectionclient app was gone.  I don't know which of the above actions was responsible because, as you saw from my reporting, it apparently stuck around after performing each of the above steps.
BUT it's gone now and I wanted to equitably assign points to everyone who assisted.

Thanks to everyone.  

I'm one of those users who likes to thoroughly get to the root of why something happens and I appreciate you helping me with registry keys and other avenues other than the usual shallow "reinstall, reboot and reformat" solution used by 99% of the tech support desks out there.

Have a good weekend.
0
Gerwin Jansen (EE MVE, Topic Advisor) commented:
Thanks for your detailed and nice feedback ;)
1
Merete commented:
Thank you brothertruffle880, glad to have helped.  I feel the same about thoroughly getting to the root of the problem where possible.
All the best
Merete
1