Need help

[rockineagle10]

I've got a trojan that takes over google and installed an extension called YouTubeBookmark V0.9.  I've tried scanning in safe mode with malwarebytes and avast.   Also i've tried running dds but an error saying it can't run in compatibility mode keeps popping up. I read a post saying to run Farbar Recovery Security tool and have a log from it.   I also downloaded a few tools (rkill, tdsskiller) but only have run rkiller. I am a bit out of my depth on this one.. lol.

[kevinf80]

Hello and

 

P2P/Piracy Warning:

 

 

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save that zip file to your Desktop.

 

Double click zip file and extract to your  Desktop:

 

 

 

 

you will now have 3 versions of the tool on the Desktop:

 

 

 

Before running Zoek make sure all Browsers are closed and Security is turned OFF. Check at the following link: http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html[/url

 

Double click on each in turn until one version of Zoek will run (accept UAC) The following window will open:

 

 

 

 

Copy and paste the following script from the code box and paste into the field.

standardsearch;autoruns;autoclean;emptyclsid;emptyalltemp;installedprogs;  

Select the "Run Script" tab. The following window will open:

 

 

 

 

 

 

Please be patient and do not use the PC when the scan is in progress.

 

When complete you maybe asked to re-boot your PC, if so please do

 

 

Post the produced log in your next reply…..

 

Kevin

[rockineagle10]

i tried posting the text of the results but it wouldn't upload so i attached the text file

zoek-results.txt

[kevinf80]

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

• Double click on AdwCleaner.exe to run the tool.
  
• Vista/Windows 7/8 users right-click and select Run As Administrator
  
• Click on the Scan button.
  
• AdwCleaner will begin...be patient as the scan may take some time to complete.
  
• When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  
• Look over the log especially under Files/Folders for any program you want to save.
  
• If there's a program you want to save, just uncheck it from AdwCleaner.
  
• If you're not sure, post the log for review.
  
• If you're ready to clean it all up.....click the Clean button.
  
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  
• Copy and paste the contents of that logfile in your next reply.
  
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  
• To restore an item that has been deleted (if necessary):
  
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  

 

Next,

 

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced logs, also give an update on current issues/concerns...

 

Kevin

[rockineagle10]

# AdwCleaner v3.016 - Report created 23/12/2013 at 11:30:55

# Updated 23/12/2013 by Xplode

# Operating System : Windows 8.1  (64 bits)

# Username : Alex - AWESOME-8000

# Running from : C:\Users\Alex\Desktop\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\ProgramData\PCFixSpeed

Folder Deleted : C:\Program Files (x86)\PCFixSpeed

Folder Deleted : C:\Users\Alex\AppData\Roaming\24x7 help

Folder Deleted : C:\Users\Alex\AppData\Roaming\PCFixSpeed

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Classes\and

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v11.0.9600.16384

 

 

-\\ Mozilla Firefox v

 

[ File : C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\6cka3ec6.default\prefs.js ]

 

 

-\\ Google Chrome v31.0.1650.63

 

[ File : C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

 

*************************

 

AdwCleaner[R0].txt - [1918 octets] - [23/12/2013 11:13:03]

AdwCleaner[s0].txt - [1863 octets] - [23/12/2013 11:30:55]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1923 octets] ##########

 

 

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.12.21.07

 

Windows 8 x64 NTFS

Internet Explorer 11.0.9600.16476

Alex :: AWESOME-8000 [administrator]

 

12/23/2013 11:36:33 AM

mbam-log-2013-12-23 (11-36-33).txt

 

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 439862

Time elapsed: 55 minute(s), 19 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

[kevinf80]

You do not mention if any issues/concerns remain, please do so in next reply....

 

We continue:

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that we may have missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the Run ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  Click Start
  
• When asked, allow the add/on to be installed
  Click Start
  
• Make sure that the option Remove found threats is unticked
  
• Click on Advanced Settings, ensure the options
  
• Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  Click Scan
  
• wait for the virus definitions to be downloaded
  
• Wait for the scan to finish
  

 

When the scan is complete

 

• If no threats were found
  
• put a checkmark in "Uninstall application on close"
  
• close program
  
• report to me that nothing was found
  

 

If threats were found

 

• click on "list of threats found"
  
• click on "export to text file" and save it as ESET SCAN and save to the desktop
  
• Click on back
  
• put a checkmark in "Uninstall application on close"
  
• click on finish
  

 

close program

 

copy and paste the report in next reply

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Cheers,

 

Kevin

[rockineagle10]

I haven't noticed any other problems.  Thank you very much for the help!

 

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=4f5e1c03573ad042a2b3a7c3f13dcd21

# engine=16412

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=false

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-12-27 04:10:30

# local_time=2013-12-26 10:10:30 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=6.2.9200 NT 

# compatibility_mode=774 16777213 85 83 2960968 163905702 0 0

# compatibility_mode=5893 16776574 100 94 6681740 12077123 0 0

# scanned=245146

# found=4

# cleaned=4

# scan_time=16793

sh=FF9AB7B47E07055D920B10C5EAEDCDDD4633CE1C ft=1 fh=ea5e65e19efc518c vn="a variant of Win32/AdWare.MultiPlug.K.gen application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Alex\AppData\Local\Microsoft\Windows\INetCache\IE\Y02APKSZ\AV5gnbFJ[1].exe"

sh=F1E6FA670EAC49BE6D19D1A37974F165320FE385 ft=1 fh=cf26c6be537af1aa vn="a variant of Win32/AdWare.MultiPlug.K.gen application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Alex\AppData\Local\Microsoft\Windows\INetCache\IE\Y02APKSZ\bfib5[1].exe"

sh=F09BD74510CD8A6D7186EB10C7A15469D2A65C06 ft=1 fh=8d488d7291c53f80 vn="a variant of Win32/AdWare.MultiPlug.K.gen application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Alex\AppData\Local\Microsoft\Windows\INetCache\IE\ZBEI20K5\8LFoQOkDx7[1].exe"

sh=EEAD4D9C529216DC4D1F9F36E31C640F2DE50F0A ft=1 fh=d464e32a88b26b51 vn="a variant of Win32/AdWare.MultiPlug.K.gen application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Alex\AppData\Local\Microsoft\Windows\INetCache\IE\ZBEI20K5\Xr26h[1].exe"

 

 

 Results of screen317's Security Check version 0.99.77  

   x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

Windows Defender   

avast! Antivirus   

 Antivirus up to date!   

`````````Anti-malware/Other Utilities Check:````````` 

 Malwarebytes Anti-Malware version 1.75.0.1300  

 Java 7 Update 45  

 Adobe Flash Player 11.9.900.170  

 Adobe Reader 10.1.8 Adobe Reader out of Date!  

 Google Chrome 31.0.1650.57  

 Google Chrome 31.0.1650.63  

````````Process Check: objlist.exe by Laurent````````  

 AVAST Software Avast AvastSvc.exe  

 AVAST Software Avast AvastUI.exe  

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C:  % 

````````````````````End of Log`````````````````````` 

 

[kevinf80]

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

 

Step 1 - Select your Operating System.

Step 2 - Select your Langauge.

Step 3 - Select latest version.

 

Untick the option for any security scanner or toolbar if offered.

 

Download and install.

 

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

• 
     
• Activate UAC
     
• Remove disinfection tools
     
• Create registry backup
     
• Purge System Restore
     
• Reset system settings
  

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder, unless you want to keep it….

 

Let me know if any remaining issues or concerns...

 

Thanks,

 

Kevin

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!