Posts posted by LiquidTension
-
OK Bradley, thank you for letting me.
I will mark this topic for closure.
-
It's no problem at all, Wilson.
We're nearly done.
Please delete this file: C:\Users\Admin\Downloads\cbsidlm-cbsi145-USB20_Driverzip-ORG-163914.exe
Let me know if there are any outstanding issues after completing the following.
STEP 1
TDSSKiller Fix
- Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
- Click Change parameters. Ensure a checkmark is placed next to:
- Loaded Modules
- Detect TDLFS file system
- Verify file digital signatures
- Click Start Scan. Do not use the computer during the scan.
- Upon completion, select Delete for the following items:
\Device\Harddisk0\DR0 ( TDSS File System )
- Click Continue and close the window.
- A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
STEP 2
Update Outdated Software
Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.
- Adobe Flash Player (uncheck the "Optional Offer")
- Adobe Shockwave Player
- Java (watch out for "Optional Offers" or bundled software)
- Follow these instructions to check for and download the latest Windows Updates.
STEP 3
Remove Outdated Software
- Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
- Search for the following programmes, right-click and click Uninstall one at a time.
- Note: The programmes below may not be present. If this is the case, please skip to the next step.
- Adobe Shockwave Player 12.0
- Java 7 Update 65
- Follow the prompts, and reboot if necessary.
STEP 4
Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (point #7).
- Click the Windows Start Button and type Java Control Panel (or javacpl) in the search bar.
- Click on the Java Control Panel. Once opened, click the Security tab.
- Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
- Click Apply. When the Windows User Account Control (UAC) appears, allow permissions to make the changes.
- Click OK in the Java Plug-in confirmation window.
- Restart your browser(s) for changes to take effect.
- More information can be found here and here.
STEP 5
Security Check
- Please download SecurityCheck and save the file to your Desktop.
- Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
- A log (checkup.txt) will automatically open on your Desktop.
- Copy the contents of the log and paste in your next reply.
======================================================
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- TDSSKiller log (attached!)
- checkup.txt
- How is your computer performing? Are there any outstanding issues?
-
You're more than welcome, Maria. I'm very glad to hear things are back to normal!
I will be buying you a few beers!
Thank you very much.
All the best,
Adam -
You're more than welcome.
I sent paypal in the amount of 25.00 US. Hopefully that translated well into GBP!
Thank you very much!
I will mark this topic as solved.
All the best,
Adam -
Hi Wilson,
Please provide an update on your computer after completing the steps below.
STEP 1
Farbar Recovery Scan Tool (FRST) Script
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
start
2014-10-30 15:43 - 2014-11-05 13:15 - 00000000 ____D () C:\Users\Admin\AppData\Local\Odics
2014-10-30 15:43 - 2014-11-05 12:38 - 00000000 ____D () C:\Users\Admin\AppData\Local\Idsoft
C:\Users\Admin\AppData\LocalLow\Sun\sezovopqwirv
C:\Users\Admin\AppData\LocalLow\Unity\Lzsnbjjx
EmptyTemp:
end
- Click File, Save As and type fixlist.txt as the File Name.
- Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Fix.
- A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
STEP 2
TDSSKiller Scan
- Please download TDSSKiller and save the file to your Desktop.
- Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
- Click Change parameters. Place a checkmark next to:
- Loaded Modules
- Detect TDLFS file system
- Verify file digital signatures
- Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
- Click Start Scan. Do not use the computer during the scan.
- If objects are found, change the action to skip.
- Click Continue and close the window.
- A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
STEP 3
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
- Please download ESET Online Scan and save the file to your Desktop.
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Double-click esetsmartinstaller_enu.exe to run the programme.
- Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
- Agree to the Terms of Use once more and click Start. Allow components to download.
- Place a checkmark next to Enable detection of potentially unwanted applications.
- Click Hide advanced settings. Place a checkmark next to:
- Scan archives
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
- Ensure Remove found threats is unchecked.
- Click Start.
- Wait for the scan to finish. Please be patient as this can take some time.
- Upon completion, click . If no threats were found, skip the next two bullet points.
- Click and save the file to your Desktop, naming it something such as "MyEsetScan".
- Push the Back button.
- Place a checkmark next to and click .
- Re-enable your anti-virus software.
- Copy the contents of the log and paste in your next reply.
======================================================
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Fixlog.txt
- TDSSKiller log (attached!)
- ESET Online Scan log
- Update on computer
-
You're more than welcome, Marc.
I will mark this topic as solved.
All the best,
Adam
-
Could you try attaching again please, Wilson? It looks like it didn't go through in your previous post.
Thank you again for all your help, Adam.
No problem at all.
This step is to ensure any malware hiding in your Appdata folder is removed. -
Hi Marc,
ESET not finding anything is very good.
----------------
Update Java (watch out for "Optional Offers" or bundled software) to reduce the risk of reinfection.
Ensure the following programmes are not installed.
- J2SE Runtime Environment 5.0
- Java 6 Update 23 (64-bit)
Now for the good news!
All Clean!
Congratulations, your computer appears clean!
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
STEP 1
ComboFix Uninstall
- Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
ComboFix /Uninstall
- Click OK.
- Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
STEP 2
DelFix
- Please download DelFix and save the file to your Desktop.
- Double-click DelFix.exe to run the programme.
- Place a checkmark next to the following items:
- Activate UAC
- Remove disinfection tools
- Create registry backup
- Purge system restore
- Reset system settings
- Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
======================================================
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.
- Answers to common security questions - Best Practices by quietman7, MVP
- How Malware Spreads - How did I get infected? by quietman7, MVP
- Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
- How to Prevent Malware by miekiemoes, MVP
- How to backup and restore your data using Cobian Backup by YourHighness
- Slow Computer/browser? It May Not Be Malware by quietman7, MVP
The following programmes come highly recommended in the security community.
- AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
- CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), preventing your files from being encrypted.
- Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
- Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
- NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
- Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
- Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
- SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
- Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
======================================================
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread.
Thank you for using Malwarebytes.
Safe Surfing.
Adam (LiquidTension). -
Hi Larry,
You're more than welcome. I'm glad to hear things are running well.
A donation is on the way too.
Thank you.
I will mark this topic as solved.
All the best,
Adam -
Hi Kat,
I'm glad to hear the Service Pack installed without issue.
At some point I suggest you run a defrag if you do not have a SSD (Solid State Drive). Instructions here.
Now for the good news!
All Clean!
Congratulations, your computer appears clean!
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
STEP 1
ComboFix Uninstall
- Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
ComboFix /Uninstall
- Click OK.
- Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
STEP 2
DelFix
- Please download DelFix and save the file to your Desktop.
- Double-click DelFix.exe to run the programme.
- Place a checkmark next to the following items:
- Activate UAC
- Remove disinfection tools
- Create registry backup
- Purge system restore
- Reset system settings
- Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
======================================================
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.
- Answers to common security questions - Best Practices by quietman7, MVP
- How Malware Spreads - How did I get infected? by quietman7, MVP
- Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
- How to Prevent Malware by miekiemoes, MVP
- How to backup and restore your data using Cobian Backup by YourHighness
- Slow Computer/browser? It May Not Be Malware by quietman7, MVP
The following programmes come highly recommended in the security community.
- AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
- CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), preventing your files from being encrypted.
- Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
- Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
- NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
- Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
- Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
- SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
- Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
======================================================
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread.
Thank you for using Malwarebytes.
Safe Surfing.
Adam (LiquidTension).
-
Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
-
Strange.
Let's try it a different way.
Batch File
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
@echo off
dir C:\Users\Admin\AppData /s > "%userprofile%\desktop\dirlook.txt"
del %0
- Click Format. Ensure Wordwrap is unchecked.
- Click File, Save As and name the file batchfile.bat.
- Select All Files as the Save as type.
- Save the file to your Desktop.
- Locate batchfile.bat (W8/7/Vista) on your Desktop. Right-click the icon and click Run as administrator.
- Once the black Command Prompt disappears, attach dirlook.txt (found on your Desktop) to your next post.
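The batch step above dumps the whole AppData tree into dirlook.txt for the helper to read. The following is an added example, not part of the forum post: a parser for that `dir /s` output so the listing can be filtered by date window (the FRST script earlier in the thread keys on the 2014-10-30 creation dates of the suspect folders) or by parent folder such as LocalLow. SAMPLE_DIR_OUTPUT is constructed in the English-locale `dir /s` layout; the paths, file name, size and dates in it are made up.

```python
"""Parse `dir <folder> /s` output (dirlook.txt) into full-path entries and
filter them by modification window or parent folder.
Added example, not part of the forum post. Assumes the English-locale
dir layout (MM/DD/YYYY  hh:mm AM/PM  <DIR>|size  name)."""
import re
from datetime import datetime
from typing import List, NamedTuple, Union

# Constructed sample in the shape of `dir C:\Users\Admin\AppData /s` output.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\Users\Admin\AppData\LocalLow\Sun

10/30/2014  03:43 PM    <DIR>          .
10/30/2014  03:43 PM    <DIR>          ..
05/12/2013  09:10 AM    <DIR>          Java
10/30/2014  03:43 PM    <DIR>          sezovopqwirv
               0 File(s)              0 bytes

 Directory of C:\Users\Admin\AppData\LocalLow\Sun\sezovopqwirv

10/30/2014  03:43 PM    <DIR>          .
10/30/2014  03:43 PM    <DIR>          ..
10/30/2014  03:44 PM            24,576 dflt.dat
               1 File(s)         24,576 bytes

 Directory of C:\Users\Admin\AppData\Roaming\Mozilla

01/02/2014  11:00 AM    <DIR>          .
01/02/2014  11:00 AM    <DIR>          ..
01/02/2014  11:00 AM    <DIR>          Firefox
               0 File(s)              0 bytes

     Total Files Listed:
               1 File(s)         24,576 bytes
"""


class Entry(NamedTuple):
    path: str
    modified: datetime
    is_dir: bool
    size: int


DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, "<DIR>" or a comma-grouped size, then the name.
ENTRY_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text: str) -> List[Entry]:
    """Turn dir /s text into full-path entries, dropping the . and .. rows."""
    entries: List[Entry] = []
    current = None  # folder named by the most recent "Directory of" header
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue
        date, clock, size_or_dir, name = m.groups()
        if name in (".", ".."):
            continue
        stamp = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
        is_dir = size_or_dir == "<DIR>"
        size = 0 if is_dir else int(size_or_dir.replace(",", ""))
        entries.append(Entry(current + "\\" + name, stamp, is_dir, size))
    return entries


def modified_between(entries: List[Entry], start: Union[str, datetime],
                     end: Union[str, datetime]) -> List[Entry]:
    """Entries timestamped inside [start, end]; ISO strings are accepted."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    if isinstance(end, str):
        end = datetime.fromisoformat(end)
    return [e for e in entries if start <= e.modified <= end]


def under(entries: List[Entry], folder: str) -> List[Entry]:
    """Entries below `folder`, compared case-insensitively like NTFS names."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.path.lower().startswith(prefix)]


if __name__ == "__main__":
    items = parse_dir_listing(SAMPLE_DIR_OUTPUT)
    for e in modified_between(items, "2014-10-29", "2014-11-06"):
        kind = "<DIR>" if e.is_dir else str(e.size)
        print(f"{e.modified:%Y-%m-%d %H:%M}  {kind:>10}  {e.path}")
```

Run against a real dirlook.txt, read the file and pass its text to parse_dir_listing; narrowing to a window around the date the problem started is usually far quicker than scrolling the complete listing.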
-
Great!
Now for the good news!
All Clean!
Congratulations, your computer appears clean!
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
DelFix
- Please download DelFix and save the file to your Desktop.
- Double-click DelFix.exe to run the programme.
- Place a checkmark next to the following items:
- Activate UAC
- Remove disinfection tools
- Create registry backup
- Purge system restore
- Reset system settings
- Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
======================================================
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.
- Answers to common security questions - Best Practices by quietman7, MVP
- How Malware Spreads - How did I get infected? by quietman7, MVP
- Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
- How to Prevent Malware by miekiemoes, MVP
- How to backup and restore your data using Cobian Backup by YourHighness
- Slow Computer/browser? It May Not Be Malware by quietman7, MVP
The following programmes come highly recommended in the security community.
- AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
- CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), preventing your files from being encrypted.
- Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
- Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
- NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
- Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
- Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
- SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
- Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
======================================================
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread.
Thank you for using Malwarebytes.
Safe Surfing.
Adam (LiquidTension). -
Very good, Ted.
We need to update your vulnerable software to reduce the risk of reinfection.
STEP 1
Farbar Recovery Scan Tool (FRST) Script
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
start
C:\Users\Ted Weiss\Downloads\cbsidlm-tr1_14-Free_FLAC_to_MP3_Converter-SEO-75206134.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
EmptyTemp:
end
- Click File, Save As and type fixlist.txt as the File Name.
- Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Fix.
- A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
STEP 2
Update Outdated Software
Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.
- Adobe Air
- Adobe Reader (uncheck the "Optional Offer")
- Adobe Shockwave Player
- Mozilla Firefox
- Follow these instructions to check for and download the latest Windows Updates.
STEP 3
Remove Outdated Software
- Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
- Search for the following programmes, right-click and click Uninstall one at a time.
- Note: The programmes below may not be present. If this is the case, please skip to the next step.
- Adobe Reader 9.4.6
- Adobe Shockwave Player 11.5
- Follow the prompts, and reboot if necessary.
STEP 4
Security Check
- Please download SecurityCheck and save the file to your Desktop.
- Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
- A log (checkup.txt) will automatically open on your Desktop.
- Copy the contents of the log and paste in your next reply.
======================================================
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Fixlog.txt
- How is your computer performing? Are there any outstanding issues?
-
Hello,
Those logs look very good.
Please provide an update on your computer after completing the instructions below.
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
- Please download ESET Online Scan and save the file to your Desktop.
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Double-click esetsmartinstaller_enu.exe to run the programme.
- Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
- Agree to the Terms of Use once more and click Start. Allow components to download.
- Place a checkmark next to Enable detection of potentially unwanted applications.
- Click Hide advanced settings. Place a checkmark next to:
- Scan archives
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
- Ensure Remove found threats is unchecked.
- Click Start.
- Wait for the scan to finish. Please be patient as this can take some time.
- Upon completion, click . If no threats were found, skip the next two bullet points.
- Click and save the file to your Desktop, naming it something such as "MyEsetScan".
- Push the Back button.
- Place a checkmark next to and click .
- Re-enable your anti-virus software.
- Copy the contents of the log and paste in your next reply.
-
Good job, Tina.
Please do the following.
STEP 1
Browser Reset
Instructions on how to backup your Favourites/Bookmarks and other data can be found below.
- Internet Explorer: Backup Internet Explorer Favourites
- Firefox: Backup Firefox Bookmarks
- Chrome: Backup Chrome Bookmarks
Proceed with the reset once done.
- Internet Explorer: How to reset Internet Explorer settings
- Firefox: Reset Firefox
- Chrome: Chrome - Reset browser settings
STEP 2
AdwCleaner
- Please download AdwCleaner and save the file to your Desktop.
- Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
- Follow the prompts.
- Click Scan.
- Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
- Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
- Follow the prompts and allow your computer to reboot.
- After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
STEP 3
Junkware Removal Tool (JRT)
- Please download Junkware Removal Tool and save the file to your Desktop.
- Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Right-Click JRT.exe and select Run as administrator to run the programme.
- Follow the prompts and allow the scan to run uninterrupted.
- Upon completion, a log (JRT.txt) will open on your desktop.
- Re-enable your anti-virus software.
- Copy the contents of JRT.txt and paste in your next reply.
STEP 4
Farbar Recovery Scan Tool (FRST) Scan
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Yes to the disclaimer.
- Ensure the Addition.txt box is checked.
- Click the Scan button and let the programme run.
- Upon completion, click OK, then OK on the Addition.txt pop up screen.
- Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
======================================================
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Did your browsers reset OK?
- AdwCleaner[s0].txt
- JRT.txt
- FRST.txt
- Addition.txt
-
Hi Tina,
Attach the large TDSSKILLER log when you're ready.
-
OK Kat, let me know how you get on with the Service Pack.
-
Hello Rob1987, welcome to Malwarebytes' Malware Removal forum!
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
General P2P/Piracy Notice:
If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.
======================================================
Please read through the points below to ensure this process moves as quickly and efficiently as possible.
- Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
- Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
- Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
- Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
- If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
- Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
- Ensure you are following this topic. Click at the top of the page.
======================================================
STEP 1
Farbar Recovery Scan Tool (FRST) Script
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
start
HKU\S-1-5-21-2594571719-4226981117-547971859-1001\...\MountPoints2: {db0d3b7e-e5f2-11df-be42-806e6f6e6963} - E:\SETUP.EXE
HKU\S-1-5-21-2594571719-4226981117-547971859-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2594571719-4226981117-547971859-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll (Google Inc.)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
2014-11-08 02:05 - 2014-11-08 02:05 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
C:\ProgramData\4477985.pad
C:\ProgramData\frbbvzjj.bxx
C:\ProgramData\frbbvzjj.fvv
C:\Users\Home\AppData\Local\Temp\399408923.exe
C:\Users\Home\AppData\Local\Temp\400026234.exe
C:\Users\Home\AppData\Local\Temp\uninstall.exe
C:\Users\Home\AppData\Local\Temp\_is7545.exe
CustomCLSID: HKU\S-1-5-21-2594571719-4226981117-547971859-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
AlternateDataStreams: C:\ProgramData\Temp:52DBE86F
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
- Click File, Save As and type fixlist.txt as the File Name.
- Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Fix.
- A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
STEP 2
Malwarebytes Anti-Malware (MBAM)
- Open Malwarebytes Anti-Malware and click Update Now.
- Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
- Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
- Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
- If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
- Upon completion of the scan (or after the reboot), click the History tab.
- Click Application Logs and double-click the Scan Log.
- Click Copy to Clipboard and paste the log in your next reply.
STEP 3
ComboFix
- Note: Please read through these instructions before running ComboFix.
- Please download ComboFix and save the file to your Desktop. << Important!
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Right-Click ComboFix.exe and select Run as administrator to run the programme.
- Follow the prompts.
- Allow ComboFix to complete its removal routine (please refer to Important Notes:).
- Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
- Re-enable your anti-virus software.
Important Notes:
- Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
- Do NOT use your computer whilst ComboFix is running.
- Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
- If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
- ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
- If you are unable to access the Internet after running ComboFix, please reboot your computer.
STEP 4
TDSSKiller Scan
- Please download TDSSKiller and save the file to your Desktop.
- Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
- Click Change parameters. Place a checkmark next to:
- Loaded Modules
- Detect TDLFS file system
- Verify file digital signatures
- Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
- Click Start Scan. Do not use the computer during the scan.
- If objects are found, change the action to skip.
- Click Continue and close the window.
- A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
======================================================
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Fixlog.txt
- MBAM log
- ComboFix.txt
- TDSSKiller log (attached!)
-
Hello dhm24, welcome to Malwarebytes' Malware Removal forum!
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
General P2P/Piracy Notice:
If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.
======================================================
Please read through the points below to ensure this process moves as quickly and efficiently as possible.
- Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
- Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
- Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability to ascertain the current situation and provide the best set of instructions for you.
- Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
- If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
- Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
- Ensure you are following this topic. Click at the top of the page.
======================================================
Please consider the following suggestion, and proceed with the instructions below.
Spybot S&D No Longer Recommended
------------------------------
MVPS.org is no longer recommending Spybot S&D due to poor testing results (scroll down and read under Freeware Antispyware Products).
I would advise uninstalling Spybot S&D. The presence of this programme can make the cleaning of your computer more difficult. You can uninstall the programme by:
- Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
- Search for Spybot, right-click the entry and click Uninstall.
STEP 1
Uninstall Software
- Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
- Search for the following programmes, right-click and click Uninstall.
- Note: Ensure you decline offers of additional software if applicable.
- Coupon Printer for Windows
- Follow the prompts.
- Reboot if necessary.
STEP 2
Farbar Recovery Scan Tool (FRST) Script
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
start
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\RunOnce: [{90150000-00A1-0439-1000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKU\S-1-5-18\...\RunOnce: [{90150000-0016-0439-1000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKU\S-1-5-18\...\RunOnce: [{90150000-0018-0439-1000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKU\S-1-5-18\...\RunOnce: [{90150000-001B-0439-1000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKU\S-1-5-18\...\RunOnce: [{90150000-012B-0439-1000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKU\S-1-5-18\...\RunOnce: [{90150000-00BA-0439-1000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
HKU\S-1-5-18\...\RunOnce: [{90150000-001A-0439-1000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
ProxyServer: http=127.0.0.1:49171;https=127.0.0.1:49171
SearchScopes: HKLM - DefaultScope {C73C2370-213D-47C6-9A9A-A3542D907956} URL = http://www.bing.com/...IE9TR&pc=MDDSJS
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {C73C2370-213D-47C6-9A9A-A3542D907956} URL = http://www.bing.com/...IE9TR&pc=MDDSJS
SearchScopes: HKLM-x32 - DefaultScope {C73C2370-213D-47C6-9A9A-A3542D907956} URL = http://www.bing.com/...IE9TR&pc=MDDSJS
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {C73C2370-213D-47C6-9A9A-A3542D907956} URL = http://www.bing.com/...IE9TR&pc=MDDSJS
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {C73C2370-213D-47C6-9A9A-A3542D907956} URL =
SearchScopes: HKCU - {FC949C7C-4A0D-4396-8333-579A54BB6DA3} URL = https://search.yahoo...p={SearchTerms}
FF SearchEngineOrder.1: Secure Search
FF Keyword.URL: https://search.yahoo...550D20131024&p=
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF SearchPlugin: C:\Users\Parmesh\AppData\Roaming\Mozilla\Firefox\Profiles\5dpvzlky.default\searchplugins\trovi-search-1.xml
FF Extension: No Name - web2pdfextension@web2pdf.adobedotcom [Not Found]
FF Extension: No Name - {4ED1F68A-5463-4931-9384-8FFF5ED91D92} [Not Found]
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M09CFA02A-5B16-4CBC-9848-EA00418D9DE7&SearchSource=55&CUI=&UM=6&UP=SPB6EE7D0C-6C5D-4B1A-9DA7-FA96A7BD6C2B&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M09CFA02A-5B16-4CBC-9848-EA00418D9DE7&SearchSource=55&CUI=&UM=6&UP=SPB6EE7D0C-6C5D-4B1A-9DA7-FA96A7BD6C2B&SSPV="
S2 0015011414253287mcinstcleanup; C:\Windows\TEMP\001501~1.EXE -cleanup -nolog [X]
2014-11-08 14:37 - 2014-11-08 14:37 - 00880272 _____ (Google Inc.) C:\Users\Parmesh\Downloads\ChromeSetup(1).exe
2014-11-08 14:06 - 2014-11-08 14:06 - 00004028 _____ () C:\Windows\System32\Tasks\LaunchSignup
2014-11-08 14:06 - 2014-11-08 14:06 - 00000000 ____D () C:\Users\Parmesh\AppData\Roaming\DriverFinder
Task: {F3ADC4C5-7868-4CDA-9AED-571BB82D84E9} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
C:\Program Files (x86)\MyPC Backup
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
- Click File, Save As and type fixlist.txt as the File Name.
- Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Fix.
- A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
STEP 3
AdwCleaner
- Please download AdwCleaner and save the file to your Desktop.
- Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
- Follow the prompts.
- Click Scan.
- Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
- Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
- Follow the prompts and allow your computer to reboot.
- After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
STEP 4
Junkware Removal Tool (JRT)
- Please download Junkware Removal Tool and save the file to your Desktop.
- Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Right-Click JRT.exe and select Run as administrator to run the programme.
- Follow the prompts and allow the scan to run uninterrupted.
- Upon completion, a log (JRT.txt) will open on your desktop.
- Re-enable your anti-virus software.
- Copy the contents of JRT.txt and paste in your next reply.
STEP 5
Farbar Recovery Scan Tool (FRST) Scan
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Yes to the disclaimer.
- Ensure the Addition.txt box is checked.
- Click the Scan button and let the programme run.
- Upon completion, click OK, then OK on the Addition.txt pop up screen.
- Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
======================================================
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Did you uninstall Spybot?
- Did the programme uninstall OK?
- Fixlog.txt
- AdwCleaner[s0].txt
- JRT.txt
- FRST.txt
- Addition.txt
-
Post up the logs when you're ready.
-
Hi Adam, thank you for your continued assistance.
It's my pleasure, Kat.
Most of what ESET detected are files we've already quarantined, and so are not a threat.
We now need to update your vulnerable software to reduce the risk of reinfection.
STEP 1
Farbar Recovery Scan Tool (FRST) Script
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
start
C:\Users\Kathryn\AppData\Local\Agworks
C:\Users\Kathryn\AppData\Local\YSPack
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll
C:\Users\Kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\gnuq7cib.default-1373174393507\extensions\{9C3BAE2B-4D25-2032-9C52-287A96DC3C3D}
C:\Users\Kathryn\Downloads\ccsetup402.exe
C:\Users\Kathryn\Downloads\ccsetup403.exe
C:\Users\Kathryn\Downloads\Shockwave_Installer_Slim(1).exe
C:\Users\Kathryn\Downloads\Shockwave_Installer_Slim.exe
C:\WINDOWS\System32\Adobe\Shockwave 12\gt.exe
C:\WINDOWS\SysWOW64\Adobe\Shockwave 12\gt.exe
EmptyTemp:
end
- Click File, Save As and type fixlist.txt as the File Name.
- Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Fix.
- A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
STEP 2
Update Outdated Software
Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.
- Adobe Air
- Adobe Flash Player (uncheck the "Optional Offer")
- Adobe Shockwave Player
- Java (watch out for "Optional Offers" or bundled software)
- Follow these instructions to check for and download the latest Windows Updates.
- I recommend installing the latest version of Internet Explorer for added security. The latest version of IE can be installed via Windows Update.
STEP 3
Remove Outdated Software
- Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
- Search for the following programmes, right-click and click Uninstall one at a time.
- Note: The programmes below may not be present. If this is the case, please skip to the next step.
- Adobe Shockwave Player 12.0
- Java 7 Update 71
- JavaFX 2.1.1
- Follow the prompts, and reboot if necessary.
STEP 4
Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (point #7).
- Click the Windows Start Button and type Java Control Panel (or javacpl) in the search bar.
- Click on the Java Control Panel. Once opened, click the Security tab.
- Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
- Click Apply. When the Windows User Account Control (UAC) appears, allow permissions to make the changes.
- Click OK in the Java Plug-in confirmation window.
- Restart your browser(s) for changes to take effect.
- More information can be found here and here.
STEP 5
Security Check
- Please download SecurityCheck and save the file to your Desktop.
- Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
- A log (checkup.txt) will automatically open on your Desktop.
- Copy the contents of the log and paste in your next reply.
======================================================
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Fixlog.txt
- checkup.txt
- How is your computer performing? Are there any outstanding issues?
-
Hello Wilson,
Those logs are looking much better.
But the Script did not complete.
Please run this. There's more than likely malware hiding in your AppData folder, and we need to find it. Allow this to run for as long as it needs.
Farbar Recovery Scan Tool (FRST) Script
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
start
Folder: C:\Users\Admin\AppData
end
- Click File, Save As and type fixlist.txt as the File Name.
- Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Fix.
- A log (Fixlog.txt) will open on your desktop. This log will be very large. Ensure you attach the file in your next reply.
-
Hi Jerry,
Please work your way through the following. Let me know how your PC is performing afterwards.
STEP 1
Browser Reset
Instructions on how to backup your Favourites/Bookmarks and other data can be found below.
- Internet Explorer: Backup Internet Explorer Favourites
- Chrome: Backup Chrome Bookmarks
Proceed with the reset once done.
- Internet Explorer: How to reset Internet Explorer settings
- Chrome: Chrome - Reset browser settings
STEP 2
Reset Download Settings
- Press the Windows Key + r on your keyboard at the same time. Type inetcpl.cpl and click OK.
- Click Security.
- Click Custom level....
- Click Reset.
- Click OK.
- In the Security tab, click Reset all zones to default level.
STEP 3
AdwCleaner
- Please download AdwCleaner and save the file to your Desktop.
- Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
- Follow the prompts.
- Click Scan.
- Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
- Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
- Follow the prompts and allow your computer to reboot.
- After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
STEP 4
Junkware Removal Tool (JRT)
- Please download Junkware Removal Tool and save the file to your Desktop.
- Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Right-Click JRT.exe and select Run as administrator to run the programme.
- Follow the prompts and allow the scan to run uninterrupted.
- Upon completion, a log (JRT.txt) will open on your desktop.
- Re-enable your anti-virus software.
- Copy the contents of JRT.txt and paste in your next reply.
STEP 5
Farbar Recovery Scan Tool (FRST) Scan
- (!) Switch profile to Powell Family II, and then back to Optiplex-755 just as you did before.
- Right-Click FRST.exe and select Run as administrator to run the programme.
- Click Yes to the disclaimer.
- Ensure the Addition.txt box is checked.
- Click the Scan button and let the programme run.
- Upon completion, click OK, then OK on the Addition.txt pop up screen.
- Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
======================================================
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Did your browsers reset OK?
- Did you reset your download settings?
- AdwCleaner[s0].txt
- JRT.txt
- FRST.txt
- Addition.txt
-
Hello,
This is a leftover from RogueKiller, and is associated with Poweliks:
HKU\S-1-5-21-740854939-596749143-33656547-1000\...A8F59079A8D5}\localserver32: <==== ATTENTION!
It's important Poweliks is completely removed from the system.
Please work your way through the following.
STEP 1
Revo Uninstaller
- Please download and install Revo Uninstaller Free.
- Double-click Revo Uninstaller to run the programme.
- From the list of programmes, locate the following, or anything similar and carry out the steps below one at a time.
- Coupon Printer for Windows
- Game Booster 3
- MyFreeCodec
- Pando Media Booster
- Double-click the programme.
- When prompted if you want to uninstall click Yes.
- Ensure the Moderate option is selected and click Next.
- The programme uninstaller will run. If prompted again click Yes.
- Work your way through the uninstaller, ensuring you read each page thoroughly.
- Note: Ensure you decline offers of additional software if applicable.
- Once the built-in uninstaller is finished click Next.
- Once the programme has searched for leftovers click Next.
- Check items in bold only in the list and click Delete. You may have to expand folders by clicking the "+" mark.
- When prompted click Yes, followed by Next.
- Click Select all, followed by Delete.
- When prompted click Yes, followed by Next.
- Once done click Finish.
STEP 2
Farbar Recovery Scan Tool (FRST) Script
- Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire contents of the codebox below and paste into the Notepad document.
start
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-740854939-596749143-33656547-1000\...A8F59079A8D5}\localserver32: <==== ATTENTION!
CHR HKU\S-1-5-21-740854939-596749143-33656547-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.co...t&type=avastbcl
URLSearchHook: HKCU - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM - {4D021B5E-94AC-4CD7-A431-73D1FD7744BD} URL =
SearchScopes: HKLM-x32 - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKLM-x32 - {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://www.bing.com/...=AVASDF&PC=AV01
SearchScopes: HKLM-x32 - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {4D021B5E-94AC-4CD7-A431-73D1FD7744BD} URL = http://search.condui...4517046259&UM=2
SearchScopes: HKCU - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKCU - {F63B837C-EBDD-4BDA-9439-FA5D2BB93167} URL = http://www.search.as...archTerms}&psv=
BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Winsock: Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll File Not found ()
FF SelectedSearchEngine: Yahoo! (Avast)
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: https://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF Keyword.URL: https://search.yahoo.com/yhs/search
FF Homepage: user_pref("browser.startup.homepage", "about:home"about:home);
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin HKU\S-1-5-21-740854939-596749143-33656547-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF SearchPlugin: C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\9f1iknzs.default\searchplugins\yahoo-avast.xml
CHR HomePage: Default -> https://www.yahoo.co...t&type=avastbcl
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
C:\Program Files (x86)\Pando Networks
CHR Extension: (McAfee Security Scan+) - C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh [2014-02-23]
CHR HKLM-x32\...\Chrome\Extension: [bpfboklmeiefoedekjeigdcnfbpjeaii] - C:\Users\Bill\AppData\Local\CRE\bpfboklmeiefoedekjeigdcnfbpjeaii.crx []
S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [X]
C:\Users\Bill\AppData\Local\Temp\dllnt_dump.dll
Task: {405F6C1F-060D-4E73-8D1E-CCE54B8BB521} - \DealPlyLiveUpdateTaskMachineCore No Task File <==== ATTENTION
Task: {EE16559A-9A22-4CCA-B643-C1C6A243F351} - \DealPlyLiveUpdateTaskMachineUA No Task File <==== ATTENTION
Task: {F93A3EFE-7D76-44AF-B6A2-37C65EFAE482} - \Scheduled Update for Ask Toolbar No Task File <==== ATTENTION
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f
C:\Program Files (x86)\Ask.com
CMD: type C:\Combofix.txt
Folder: C:\32788R22FWJFW
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
- Click File, Save As and type fixlist.txt as the File Name.
- Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
- Right-Click FRST64.exe and select Run as administrator to run the programme.
- Click Fix.
- A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
STEP 3
Browser Reset
Instructions on how to backup your Favourites/Bookmarks and other data can be found below.
- Internet Explorer: Backup Internet Explorer Favourites
- Firefox: Backup Firefox Bookmarks
- Chrome: Backup Chrome Bookmarks
Proceed with the reset once done. Internet Explorer must be reset, even if you do not use the browser.
- Internet Explorer: How to reset Internet Explorer settings
- Firefox: Reset Firefox
- Chrome: Chrome - Reset browser settings
STEP 4
AdwCleaner
- Please download AdwCleaner and save the file to your Desktop.
- Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
- Follow the prompts.
- Click Scan.
- Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
- Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
- Follow the prompts and allow your computer to reboot.
- After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
STEP 5
Junkware Removal Tool (JRT)
- Please download Junkware Removal Tool and save the file to your Desktop.
- Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Right-Click JRT.exe and select Run as administrator to run the programme.
- Follow the prompts and allow the scan to run uninterrupted.
- Upon completion, a log (JRT.txt) will open on your desktop.
- Re-enable your anti-virus software.
- Copy the contents of JRT.txt and paste in your next reply.
======================================================
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- Did the programmes uninstall OK?
- Fixlog.txt
- Did your browsers reset OK?
- AdwCleaner[s0].txt
- JRT.txt
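The Poweliks indicators called out in this post and in the first FRST script above (a CLSID LocalServer32 value that launches rundll32.exe with a javascript: argument, the Internet Explorer "Policy restriction" keys, and a ProxyServer entry pointed at 127.0.0.1) are regular enough to be picked out of an FRST log mechanically. What follows is an added example, not code from the thread, from FRST or from Malwarebytes: a small Python triage script that scans FRST-style lines for those patterns and decodes the obfuscated eval() argument, which in the quoted entry is stored with every character code shifted up by one. The sample log is constructed from entries quoted in the posts above; the rule names and function names are my own.

```python
"""Triage helper for FRST-style log lines (added example, not FRST's own code).

Assumes one FRST entry per line, as in the scripts quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries in the shape of those quoted above.
SAMPLE_LOG = r"""
HKU\S-1-5-21-2594571719-4226981117-547971859-1001\...\MountPoints2: {db0d3b7e-e5f2-11df-be42-806e6f6e6963} - E:\SETUP.EXE
CustomCLSID: HKU\S-1-5-21-2594571719-4226981117-547971859-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: http=127.0.0.1:49171;https=127.0.0.1:49171
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll (Google Inc.)
Task: {F3ADC4C5-7868-4CDA-9AED-571BB82D84E9} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
CMD: ipconfig /flushdns
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Rule names are this example's own labels, not FRST terminology.
RULES = [
    # Fileless COM persistence: a LocalServer32 value that runs rundll32.exe
    # with a javascript: URL instead of pointing at a DLL on disk.
    ("rundll32-javascript-localserver32",
     re.compile(r"localserver32.*rundll32\.exe\s+javascript:", re.IGNORECASE)),
    # Browser lockdown through policy keys, which FRST marks as a restriction.
    ("policy-restriction",
     re.compile(r"\\Policies\\.*: Policy restriction", re.IGNORECASE)),
    # System proxy pointed at a loopback port: a local process sits in the
    # browser's traffic path.
    ("loopback-proxy",
     re.compile(r"^ProxyServer: .*127\.0\.0\.1:\d+", re.IGNORECASE)),
    # Anything FRST itself has already flagged.
    ("frst-attention-marker", re.compile(r"<=+ ATTENTION")),
]

EVAL_ARG = re.compile(r'eval\("(\S+)')


def triage(log_text):
    """Return every (rule, line) hit, in log order; a line may hit several rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def rule_names(log_text):
    return [f.rule for f in triage(log_text)]


def decode_shift1(payload):
    """Undo the +1 character-code shift seen in the quoted eval() argument."""
    return "".join(chr(ord(c) - 1) for c in payload)


def decoded_eval_payloads(log_text):
    """Decode the visible eval() argument of each rundll32/javascript hit."""
    out = []
    for f in triage(log_text):
        if f.rule != "rundll32-javascript-localserver32":
            continue
        m = EVAL_ARG.search(f.line)
        if m:
            out.append(decode_shift1(m.group(1)))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line[:90]}")
    for decoded in decoded_eval_payloads(SAMPLE_LOG):
        print("decoded eval() argument:", decoded)
```

Running it against the constructed sample flags the CustomCLSID entry, the policy-restriction key (twice, once by its own rule and once by the ATTENTION marker), the loopback proxy and the flagged scheduled task, and decodes the quoted fragment to the start of a document.write call that injects a script tag, which is what makes a bare registry value act as a persistence mechanism.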
malicious website blocked messages dllhost.exe
in Resolved Malware Removal Logs
Posted
You're welcome, Lisa.
I will mark this topic as solved.
All the best,
Adam