caroleparker Posted June 30, 2014 ID:847689 Share Posted June 30, 2014 Hi. I need help. I can't open Malwarebytes, and have tried using Chameleon twice, with no success. What is my next step? Per your instructions, I've downloaded both farbar and rogue killer, and have attached the logs for farbar. Below is the roguekiller log: ***RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Softwaremail : http://www.adlice.com/contact/Feedback : http://forum.adlice.comWebsite : http://www.adlice.com/softwares/roguekiller/Blog : http://www.adlice.com Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : Carole [Admin rights]Mode : Scan -- Date : 06/30/2014 15:59:24 ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 2 ¤¤¤[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Files : 0 ¤¤¤ ¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤ ¤¤¤ Antirootkit : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ MBR Check : ¤¤¤+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT3 ATA Device +++++--- User ---[MBR] 5596925c5bc53c5056d46e16cb9f343f[bSP] 4c81a6565b554e0c7643e9c6ec98577e : Windows Vista/7/8 MBR CodePartition table:0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 MB1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31459328 | Size: 100 MB2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31664128 | Size: 461478 MBUser = LL1 ... OKUser = LL2 ... OK ============================================RKreport_SCN_06302014_154857.log - RKreport_SCN_06302014_155252.log *** I look forward to your response, and thank you in advance for your help. Thanks,Carole ParkerAddition.txtFRST.txt Link to post Share on other sites More sharing options...
MrCharlie Posted June 30, 2014 ID:847699 Share Posted June 30, 2014 Make sure you have created a restore point and..... Download Delfix from Here and save it to your desktop.Place a check mark in front of .......Create registry backup <---only!Uncheck the rest!Click the Run button. Close the tool out when it's done....we'll use it later. -------------------------------------------- Download the attached fixlist.txt to the same folder as FRST.exe. Run FRST.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. ------------------------------------------------------------------------------- Please download AdwCleaner from HERE or HERE to your desktop.Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As AdministratorClick on the Scan button.AdwCleaner will begin...be patient as the scan may take some time to complete.When it's done you'll see: Pending: Please uncheck elements you don't want removed.Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.Look over the log especially under Files/Folders for any program you want to save.If there's a program you may want to save, just uncheck it from AdwCleaner.If you're not sure, post the log for review. (all items found are adware/spyware/foistware)If you're ready to clean it all up.....click the Clean button.After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.Copy and paste the contents of that logfile in your next reply.A copy of that logfile will also be saved in the C:\AdwCleaner folder.Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\QuarantineTo restore an item that has been deleted:Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.Next.................. Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message.```````````````````````````````````````````````````````` Do a clean install of Malwarebytes: https://forums.malwarebytes.org/index.php?showtopic=122284 (If you need to find your id and key....download, unzip and run the attached MB64.zip) MrC Link to post Share on other sites More sharing options...
caroleparker Posted June 30, 2014 Author ID:847709 Share Posted June 30, 2014 Thank you again for all your help, and for responding so quickly. Per your instructions, attached is the fixlog.txt. Here is the report from ADWcleaner: # AdwCleaner v3.214 - Report created 30/06/2014 at 16:33:35# Updated 29/06/2014 by Xplode# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)# Username : Carole - CAROLE-PC# Running from : C:\Users\Carole\Desktop\AdwCleaner.exe# Option : Scan ***** [ Services ] ***** ***** [ Files / Folders ] ***** File Found : C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\q7oqgsd3.default\user.jsFile Found : C:\Users\Carole\AppData\LocalLow\SkwConfig.binFile Found : C:\Windows\System32\dmwu.exeFile Found : C:\Windows\System32\ImhxxpComm.dllFolder Found : C:\Program Files (x86)\ConduitFolder Found : C:\Program Files (x86)\MyPC BackupFolder Found : C:\ProgramData\ConduitFolder Found : C:\ProgramData\FileCureFolder Found : C:\SearchProtectFolder Found : C:\Users\Carol\AppData\Local\blekkotb_031Folder Found : C:\Users\Carol\AppData\Roaming\DriverCureFolder Found : C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\q7oqgsd3.default\blekkotb_031Folder Found : C:\Users\Carole\AppData\Local\ConduitFolder Found : C:\Users\Carole\AppData\Local\iLividFolder Found : C:\Users\Carole\AppData\LocalLow\ConduitFolder Found : C:\Users\Carole\AppData\LocalLow\MixiDJ_V30Folder Found : C:\Users\Carole\AppData\LocalLow\PriceGongFolder Found : C:\Users\Carole\AppData\Roaming\24x7 helpFolder Found : C:\Users\Carole\AppData\Roaming\DriverCureFolder Found : C:\Users\Carole\AppData\Roaming\SearchProtectFolder Found : C:\Users\Carole\AppData\Roaming\SystweakFolder Found : C:\Windows\SysWOW64\ARFCFolder Found : C:\Windows\SysWOW64\jmdpFolder Found : C:\Windows\SysWOW64\WNLT ***** [ Shortcuts ] ***** ***** [ Registry ] ***** Key Found : HKCU\Software\APN PIPKey Found : HKCU\Software\AppDataLow\Software\ConduitKey Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopesKey Found : HKCU\Software\AppDataLow\Software\SmartBarKey Found : HKCU\Software\AppDataLow\ToolbarKey Found : HKCU\Software\Classes\iLivid.torrentKey Found : HKCU\Software\ConduitKey Found : HKCU\Software\Google\Chrome\Extensions\fdkednngfjmpnljkolbapdednncafhenKey Found : HKCU\Software\ilividKey Found : HKCU\Software\IMKey Found : HKCU\Software\ImInstallerKey Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Found : HKCU\Software\ParetoLogicKey Found : HKCU\Software\SmartBarKey Found : HKCU\Software\systweakKey Found : HKCU\Software\WEDLMNGRKey Found : [x64] HKCU\Software\APN PIPKey Found : [x64] HKCU\Software\ConduitKey Found : [x64] HKCU\Software\ilividKey Found : [x64] HKCU\Software\IMKey Found : [x64] HKCU\Software\ImInstallerKey Found : [x64] HKCU\Software\ParetoLogicKey Found : [x64] HKCU\Software\SmartBarKey Found : [x64] HKCU\Software\systweakKey Found : [x64] HKCU\Software\WEDLMNGRKey Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Found : HKLM\SOFTWARE\Classes\iLivid.torrentKey Found : HKLM\SOFTWARE\Classes\Prod.capKey Found : HKLM\SOFTWARE\Classes\Toolbar.CT3298566Key Found : HKLM\Software\ConduitKey Found : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASAPI32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASMANCSKey Found : HKLM\SOFTWARE\Microsoft\Tracing\App24x7Help_RASAPI32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\App24x7Help_RASMANCSKey Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancsKey Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCSKey Found : HKLM\SOFTWARE\Microsoft\Tracing\mconduitinstaller_RASAPI32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\mconduitinstaller_RASMANCSKey Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCSKey Found : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasapi32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasmancsKey Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_download_RASAPI32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_download_RASMANCSKey Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasapi32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasmancsKey Found : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasapi32Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasmancsKey Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Found : HKLM\Software\ParetoLogicKey Found : HKLM\Software\PIPKey Found : HKLM\Software\systweakKey Found : HKLM\Software\UniblueKey Found : HKLM\Software\Uniblue\DriverScannerKey Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Found : [x64] HKLM\SOFTWARE\WNLT ***** [ Browsers ] ***** -\\ Internet Explorer v11.0.9600.17126 -\\ Mozilla Firefox v [ File : C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\q7oqgsd3.default\prefs.js ] Line Found : user_pref("browser.search.defaultenginename", "Blekko");Line Found : user_pref("browser.search.order.1", "Blekko");Line Found : user_pref("browser.search.selectedEngine", "Blekko");Line Found : user_pref("browser.startup.homepage", "hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=8A791F5FEE52B1F91529AB4FC00DF095&tbp=homepage");Line Found : user_pref("extentions.y2layers.defaultEnableAppsList", "Buzzdock,Buzzdock,");Line Found : user_pref("extentions.y2layers.installId", "5ba83848-b052-4774-a64a-fda7760275b0");Line Found : user_pref("extentions.y2layers.lastDnsTest", 371664);Line Found : user_pref("keyword.URL", "hxxp://blekko.com/ws/?source={SourceID}&tbp=url&toolbarid=blekkotb_031&u=USERGUID&q="); [ File : C:\Users\Carole\AppData\Roaming\Mozilla\Firefox\Profiles\2o56yfph.default\prefs.js ] -\\ Google Chrome v35.0.1916.153 [ File : C:\Users\Carol\AppData\Local\Google\Chrome\User Data\Default\preferences ] Found [search Provider] : hxxp://www.kcrw.com/sitesearch?submit.x=0&submit.y=0&SearchableText={searchTerms}&dosearch=1Found [search Provider] : hxxp://movies.netflix.com/WiSearch?oq=page+eight&ac_posn=-1&ac_rec=false&ac_count=-1&ac_match=false&v1={searchTerms}&search_submit=Found [search Provider] : hxxp://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=8A791F5FEE52B1F91529AB4FC00DF095&q={searchTerms}Found [search Provider] : hxxp://dts.search-results.com/sr?src=crb&gct=ds&appid=610&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=8204098915524023&q={searchTerms}Found [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbejFound [Extension] : kincjchfokkeneeofpeefomkikfkiedl [ File : C:\Users\Carole\AppData\Local\Google\Chrome\User Data\Default\preferences ] Found [Extension] : amfclgbdpgndipgoegfpkkgobahigbcl ************************* AdwCleaner[R0].txt - [7128 octets] - [30/06/2014 16:33:35] ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [7188 octets] ########## *** Since I don't know what most of these files and folders are, I've left them all checked. Please advise what should be removed. I will wait for your reply before I run the junkware removal tool. Best,Carole Fixlog.txt Link to post Share on other sites More sharing options...
MrCharlie Posted June 30, 2014 ID:847723 Share Posted June 30, 2014 BTW: I didn't notice that you're not the original topic starter. Have AdwCleaner delete all of those. MrC Link to post Share on other sites More sharing options...
caroleparker Posted June 30, 2014 Author ID:847725 Share Posted June 30, 2014 MrC: I figured it would be better to continue a thread than start a new one. If this was inappropriate, please forgive me. I'm new to this forum. Will clean all of those files and continue with your instructions. And thanks again! Carole Link to post Share on other sites More sharing options...
MrCharlie Posted June 30, 2014 ID:847726 Share Posted June 30, 2014 Too late now, I'll just have the posts split. MrC Link to post Share on other sites More sharing options...
caroleparker Posted June 30, 2014 Author ID:847733 Share Posted June 30, 2014 Again, so sorry. Won't happen again. Before I run the next cleaner, I see I need to disable my protection. I use Microsoft security essentials, and can't figure out how to temporarily shut it down. I assume you know how to do that, being the computer expert you are. What do I need to do. Thx,Carole Link to post Share on other sites More sharing options...
caroleparker Posted June 30, 2014 Author ID:847734 Share Posted June 30, 2014 Not to worry. I just figured it out. Sorry. Link to post Share on other sites More sharing options...
caroleparker Posted June 30, 2014 Author ID:847736 Share Posted June 30, 2014 Sorry to be a pest, but I was wrong. Please advise how to temporarily shut down windows security essentials. Thanks SO much. Carole Link to post Share on other sites More sharing options...
caroleparker Posted June 30, 2014 Author ID:847737 Share Posted June 30, 2014 Finally figured it out. So sorry. (This malware issue has me more than a little stressed. Thank you for your patience.) Link to post Share on other sites More sharing options...
caroleparker Posted June 30, 2014 Author ID:847745 Share Posted June 30, 2014 Mr. C -- I have finished the remaining steps, and am now running a malwarebytes scan. THANK YOU SO MUCH. You are a tech GOD. I'm speechless. Great job. (And thank you for putting up with my temporary meltdown.) I assume there's nothing left to do, but if there is, please let me know. I will not hesitate to recommend malwarebytes and their incredible support team to all my friends and business associates. Best regards,Carole Parker Link to post Share on other sites More sharing options...
MrCharlie Posted June 30, 2014 ID:847751 Share Posted June 30, 2014 We're not done yet, MrC Link to post Share on other sites More sharing options...
caroleparker Posted July 1, 2014 Author ID:847997 Share Posted July 1, 2014 MrC: Apologies for jumping the gun. I'm ready to continue the cleanup. What's the next step? Thanks again for your help. Best,Carole Link to post Share on other sites More sharing options...
MrCharlie Posted July 1, 2014 ID:848004 Share Posted July 1, 2014 Lets check your computers security before you go and we have a little cleanup to do also: Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.If you get Unsupported operating system. Aborting now, just reboot and try again.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
caroleparker Posted July 1, 2014 Author ID:848140 Share Posted July 1, 2014 Sorry for the delay in getting back to you. Am running the security check now ... Link to post Share on other sites More sharing options...
MrCharlie Posted July 1, 2014 ID:848141 Share Posted July 1, 2014 OK......MrC Link to post Share on other sites More sharing options...
caroleparker Posted July 1, 2014 Author ID:848143 Share Posted July 1, 2014 ... and here are the results! <3 Results of screen317's Security Check version 0.99.85 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 11 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Microsoft Security Essentials Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` MVPS Hosts File Secunia PSI (3.0.0.7009) Java 7 Update 55 Java version out of Date! Adobe Flash Player 13.0.0.214 Flash Player out of Date! Adobe Reader XI Google Chrome 35.0.1916.114 Google Chrome 35.0.1916.153 ````````Process Check: objlist.exe by Laurent```````` Microsoft Security Essentials MSMpEng.exe Microsoft Security Essentials msseces.exe Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbam.exe Malwarebytes Anti-Malware mbamscheduler.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 0% ````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
MrCharlie Posted July 1, 2014 ID:848150 Share Posted July 1, 2014 Out dated programs on the system are vulnerable to malware.Please update or uninstall them:-----------------------------------------------Java 7 Update 55 <----please update, should be Update 60Java version out of Date! <--------Go to control panel > Java > Update Tab > Update NowUncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".If there's no update tab in Java, uninstall it and Download and install the latest version from HereUncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".----------------------------------------Adobe Flash Player 13.0.0.214 Flash Player out of Date!Flash Player:Check for an update if availableDownloads are at the top of the page. (don't install the McAfee toolbar)----------------------------------------A little clean up to do....Please Uninstall ComboFix: (if you used it)Press the Windows logo key + R to bring up the "run box"Copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter. (it may look like CF is re-installing but it's not)This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)---------------------------------Download Delfix from here and save it to your desktop. (you may already have this)Ensure Remove disinfection tools is checked.Click the Run button.RebootAny other programs or logs that are still remaining, you can manually delete. (right click.....Delete)IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.Note:If you used FRST and can't delete the quarantine folder:Download the fixlist.txt to the same folder as FRST.exe.Run FRST.exe and click Fix only once and waitThat will delete the quarantine folder created by FRST.The rest you can manually delete.-------------------------------Any questions...please post back.If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.Take a look at My Preventive Maintenance to avoid being infected again. (My Preventive Maintenance also found HERE)Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
caroleparker Posted July 1, 2014 Author ID:848151 Share Posted July 1, 2014 Just updated Java. Now updating the flash player ... Link to post Share on other sites More sharing options...
caroleparker Posted July 1, 2014 Author ID:848156 Share Posted July 1, 2014 Didn't use Combofix, so it wouldn't uninstall ... Link to post Share on other sites More sharing options...
caroleparker Posted July 1, 2014 Author ID:848158 Share Posted July 1, 2014 Ran delfix, got these results: # DelFix v10.7 - Logfile created 01/07/2014 at 17:25:54# Updated 27/04/2014 by Xplode# Username : Carole - CAROLE-PC# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits) ~ Removing disinfection tools ... Deleted : C:\FRSTDeleted : C:\AdwCleanerDeleted : HKLM\SOFTWARE\AdwCleaner ########## - EOF - ########## Now rebooting ... Link to post Share on other sites More sharing options...
caroleparker Posted July 1, 2014 Author ID:848160 Share Posted July 1, 2014 All done! removed EVERYTHING. Thanks so much, Mr. Tech Guru. Wish I could make a donation, but I'm a poor writer and need to pay my phone bill. (Which is why I came here instead of hiring someone to help me.) BUT, I will give great comments for all your hard work and expertise. You da bomb. Best,Carole Link to post Share on other sites More sharing options...
MrCharlie Posted July 2, 2014 ID:848191 Share Posted July 2, 2014 Take Care...MrC Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted July 8, 2014 Root Admin ID:850259 Share Posted July 8, 2014 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts