Basics11 Posted May 16, 2013 ID:680408 Share Posted May 16, 2013 Just from reading other threads on this issue I've ran the initial test, and tried to figure out the software or files that are affected but I am not sure what to look for. But attached are the logs for the FRST and Search. Thanks!FRST.txtSearch.txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 16, 2013 ID:680413 Share Posted May 16, 2013 Looking at it now.....MrC Link to post Share on other sites More sharing options...
MrCharlie Posted May 16, 2013 ID:680415 Share Posted May 16, 2013 OK, here you go......this should get you going:Please download the attached fixlist.txt and copy it to your flashdrive.NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7: Now please enter System Recovery Options. (as you did before)Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.See if the computer boots normally now.MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 16, 2013 Author ID:680435 Share Posted May 16, 2013 Fixlog attached, I am able to boot the computer normally now.Fixlog.txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 16, 2013 ID:680437 Share Posted May 16, 2013 Good, it's important to run a couple of additional scans to ensure you're clean: Download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txtTo attach a log if needed:Bottom right corner of this page.New window that comes up.~~~~~~~~~~~~~~~~~~~~~~~Note:If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:Internet accessWindows UpdateWindows FirewallIf there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.Just run fixdamage.exe.Verify that your system is now functioning normally.MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 16, 2013 Author ID:680454 Share Posted May 16, 2013 First scan found some addware, and second scan came up clean.system-log.txtmbar-log-2013-05-16 (16-45-41).txtmbar-log-2013-05-16 (17-05-39).txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 16, 2013 ID:680456 Share Posted May 16, 2013 Well Done, lets run ComboFix to clear up any leftovers.Please download and run ComboFix.The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.Please visit this webpage for download links, and instructions for running ComboFixhttp://www.bleepingcomputer.com/combofix/how-to-use-combofixEnsure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Information on disabling your malware programs can be found Here.Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed.Please include the C:\ComboFix.txt in your next reply for further review.---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681815 Share Posted May 20, 2013 Hey Mr.C I apologize for the delay. After the scan I Internet Explorer became inoperable. When you pull the browser up all that is seen is a white screen, no text or anything. Alternatively, I tried using Google Chrome (browser that I an currently using) and the browser seems hijacked. There is a program/toolbar called Xvidly on it with a coinciding "WhiteSmoke" toolbar. They both look suspicious and neither are under the program directory if you would want to manually remove them. I hope this information helps. Attached is the logs for ComboFix.ComboFix.txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681830 Share Posted May 20, 2013 OK, ComboFix creates a restore point just before it runs, so get to system restore and use that restore point.Let me know when you've completed that.MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681834 Share Posted May 20, 2013 I re-ran combofix this morning is there a way to go to the restore point created by ComboFix from Thursday? Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681835 Share Posted May 20, 2013 You'll have to look and see what restore points are there. MBAR should have created one on Thursday. MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681843 Share Posted May 20, 2013 OK, the system restore has completed and I ran the restore through the MBAR created point. Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681845 Share Posted May 20, 2013 OK, If it's OK now........Please download AdwCleaner from here and save it on your Desktop. AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.AdwCleaner is a tool that deletes :· Adwares (software ads)· PUP/LPI (Potentially Undesirable Program)· Toolbars· Hijacker (Hijack of the browser's homepage)It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.Now click on the Search tab.Please post the contents of the log-file created in your next post.Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.Note:Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:/DisableAskDetection - This option disables Ask Toolbar detection.MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681848 Share Posted May 20, 2013 Here is the logs for Adwcleaner. The other suspicious programs are MyPC Backup, and optimizer pro. Waiting for further instructions.AdwCleanerR1.txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681849 Share Posted May 20, 2013 MyPC Backup, and optimizer pro <------look in your add/remove programs and see if you can uninstall them.~~~~~~~~~~~~~~~~~~~Lots of adware found....lets clear it out.....Please re-run AdwCleanerClick on Delete button.Confirm each time with OK if asked.Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.Then......let me know what is still there. MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681853 Share Posted May 20, 2013 I was able to uninstall the MyPC Backup, but was unable to remove Optimizer Pro. The error message that I received from Optimizer Pro was "File 'C:\Program Files (x86)\Optimizer Pro\unins000.dat' does not exist. Cannot uninstall."AdwCleanerS1.txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681855 Share Posted May 20, 2013 We'll manually delete it:Please download OTL from one of the links below:http://oldtimer.geekstogo.com/OTL.exehttp://www.itxassociates.com/OT-Tools/OTL.exehttp://oldtimer.geekstogo.com/OTL.com (<---renamed version)Save it to your desktop.Double click on the icon on your desktop.Click the Scan All Users checkbox.Push the Quick Scan button.The scan will take about 10 minutes...depends on your hard drive size.Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)OTL.txt <-- Will be openedExtra.txt <-- Will be minimizedMrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681864 Share Posted May 20, 2013 Here are the two text files.Extras.TxtOTL.Txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681883 Share Posted May 20, 2013 I see you have this on the system: (not sure if you want it)PRC - [2012/12/12 20:46:36 | 000,216,208 | ---- | M] (Smart PC Solutions) -- C:\Program Files (x86)\PC Speed Maximizer\SPMReminder.exe~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Chrome is showing Conduit:CHR - default_search_provider: Conduit (Enabled)--------To fix it > For Chrome...........First make sure you have the latest version of Chrome:Open up Chrome > Click on the 3 bars in the upper right hand cornerClick on About Google ChromeIf there's an update available it will automatically updateNext:Go to Tools > Clear Browser DataPut a check next to all of these:Clear browsing historyClear download historyEmpty the cacheClick "Clear Browsing Data"-------------------------------Next:Click the Chrome menu on the browser toolbar.Select Settings.In the "Search" section, click Manage search engines.Check if (Default) is displayed next to your preferred search engine. If not, mouse over it and click Make default.Mouse over any other suspicious search engine entries that are not familiar and click X to remove them.-------------------------------------Click the Chrome menu .Select Settings.In the "On startup" section, select Open a specific page or set of pages.Click Set pages. (in blue to the right)Remove any unfamiliar pages.-----------------------Click the Chrome menu .Select Settings.In the "Appearance" section, if the "Show Home button" checkbox is selected, see if the page listed below is the home page you’d like to use.If the page isn't the home page you'd like to use, click Change and select your preferred page.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Please do this:Run OTL[*]Under the Custom Scans/Fixes box at the bottom, paste in bold::OTLO2 - BHO: (GetSavin 5.0) - {4F565DD7-8716-463B-8453-E1745A9E8093} - C:\Users\Jo\AppData\Local\getsavin\ie\getsavin_1364427001.dll File not foundO4 - HKLM..\Run: [] File not foundO4 - HKU\.DEFAULT..\Run: [searchProtect] \SearchProtect\bin\cltmng.exe File not foundO4 - HKU\S-1-5-18..\Run: [searchProtect] \SearchProtect\bin\cltmng.exe File not foundO4 - HKU\S-1-5-21-3726450246-2580802338-2658540461-1001..\Run: [PC Speed Maximizer] C:\Program Files (x86)\PC Speed Maximizer\SPMLauncher.exe (Smart PC Solutions)O4 - HKU\S-1-5-21-3726450246-2580802338-2658540461-1001..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not foundO4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not foundO4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not foundO8:64bit: - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm File not foundO8:64bit: - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm File not foundO8:64bit: - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm File not foundO8:64bit: - Extra context menu item: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm File not foundO8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm File not foundO8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm File not foundO8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm File not foundO8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm File not foundO21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.[2013/05/15 18:06:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyPC Backup[2013/05/13 20:01:43 | 000,000,000 | ---D | C] -- C:\SearchProtect:Commands[EMPTYJAVA][emptytemp][EMPTYFLASH][*]Then click the Run Fix button at the top[*]Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"[*]Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681890 Share Posted May 20, 2013 I tried to remove the first program you mentioned and I got the same error that I cannot remove it. Here is the content of the notepad message.All processes killed========== OTL ==========Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F565DD7-8716-463B-8453-E1745A9E8093}\ deleted successfully.Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F565DD7-8716-463B-8453-E1745A9E8093}\ deleted successfully.Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect deleted successfully.Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect not found.Registry value HKEY_USERS\S-1-5-21-3726450246-2580802338-2658540461-1001\Software\Microsoft\Windows\CurrentVersion\Run\\PC Speed Maximizer deleted successfully.C:\Program Files (x86)\PC Speed Maximizer\SPMLauncher.exe moved successfully.Registry value HKEY_USERS\S-1-5-21-3726450246-2580802338-2658540461-1001\Software\Microsoft\Windows\CurrentVersion\Run\\RESTART_STICKY_NOTES deleted successfully.Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download all with Free Download Manager\ deleted successfully.64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download selected with Free Download Manager\ deleted successfully.64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download video with Free Download Manager\ deleted successfully.64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with Free Download Manager\ deleted successfully.Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download all with Free Download Manager\ not found.Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download selected with Free Download Manager\ not found.Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download video with Free Download Manager\ not found.Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with Free Download Manager\ not found.64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.C:\Program Files (x86)\MyPC Backup folder moved successfully.C:\SearchProtect\ffprotect folder moved successfully.C:\SearchProtect folder moved successfully.File PTYJAVA] not found.File ptytemp] not found.File PTYFLASH] not found.OTL by OldTimer - Version 3.2.69.0 log created on 05202013_142641Files\Folders moved on Reboot...PendingFileRenameOperations files...Registry entries deleted on Reboot... Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681893 Share Posted May 20, 2013 If any of those programs are still in your add/remove programs, you can use CCleaner to delete them:http://www.howtogeek...-9-tips-tricks/ <---CCleaner tutorial~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Using OTL as before, here's the script::OTLPRC - [2012/12/12 20:46:36 | 000,216,208 | ---- | M] (Smart PC Solutions) -- C:\Program Files (x86)\PC Speed Maximizer\SPMReminder.exePRC - [2012/12/11 20:37:32 | 000,197,504 | ---- | M] (Smart PC Solutions) -- C:\Program Files (x86)\PC Speed Maximizer\SPMSmartScan.exeO4 - HKU\S-1-5-21-3726450246-2580802338-2658540461-1001..\Run: [PC Speed Maximizer] C:\Program Files (x86)\PC Speed Maximizer\SPMLauncher.exe (Smart PC Solutions)MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681908 Share Posted May 20, 2013 Here is the notepad after the last OTL run. Working on uninstalling the programs through CCleaner now.05202013_151731.log Link to post Share on other sites More sharing options...
Basics11 Posted May 20, 2013 Author ID:681928 Share Posted May 20, 2013 I was able to clean the programs off of the computer. Link to post Share on other sites More sharing options...
MrCharlie Posted May 20, 2013 ID:681935 Share Posted May 20, 2013 Good......Lets check your computers security before you go and we have a little cleanup to do also:Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
Basics11 Posted May 21, 2013 Author ID:682153 Share Posted May 21, 2013 Results of screen317's Security Check version 0.99.63 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 9 ``````````````Antivirus/Firewall Check:`````````````` Windows Security Center service is not running! This report may not be accurate! Windows Firewall Enabled! AVG AntiVirus Free Edition 2013 Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.75.0.1300 Java 6 Update 30 Java version out of Date! Adobe Flash Player 11.7.700.202 Adobe Reader 10.1.7 Adobe Reader out of Date! Google Chrome 26.0.1410.43 Google Chrome 26.0.1410.64 Google Chrome Plugins... ````````Process Check: objlist.exe by Laurent```````` Malwarebytes' Anti-Malware mbamscheduler.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 0%````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
Recommended Posts