Yet another com surrogate 32 victim

[lparente]

Hi,

 

Like everyone else that's posted about it, a couple of days ago I started getting repeated messages from Norton saying it had blocked an attack, while my computer has allowed down and access to internet is spotty.

 

After reading about others' experiences, I too have several instances of com surrogate 32 in Task Manager. I'm able to end task for a while, but even before they pop up again, the computer problems persist.

 

I tried downloading Malwarebytes from Cnet, and get the message that my security settings don't allow me to install the file.

 

Can someone please help me?

 

I do OK with moving around the computer and finding/fixing things, but I'm not an expert.

 

I have a Toshiba Satelite S55-A laptop, windows 8, 64-bit.

 

Thank you!

 

Lenah

 

 

[MrCharlie]

Welcome to the forum. (Do what you can)

 

For your download problem:  
Under Tools - Internet Options - Security - Custom Level - Downloads - File Downloads - Enable

Download MB from the link below:

http://www.malwarebytes.org/mbam-download.php

General P2P/Piracy Warning:
 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.

 
<====><====><====><====><====><====><====><====>
 
1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........
Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware
Same for PUM (Potentially Unwanted Modifications)
Quarantine all that's found
Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.
(use correct version for your system.....Which system am I using?)
FRST <----for 32 bit systems
FRST64 <----for 64 bit systems

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button. (make sure the Addition box is checked)
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.


New window that comes up.



Last................

3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.
When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:
%programdata%/RogueKiller/Logs <-------W7
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC
 

Note:
Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------
If I don't respond within 24 hours, please send me a PM

[lparente]

Thank you so much for your quick reply!

 

I've attached the malwarebytes scan log, as well as the RogueKiller report.

 

I can't download FRST, Norton Antivirus won't allow it, and with as many attack messages as I've been getting, I'm afraid to turn it off even for a few minutes. Do you have any suggestions?

 

Thanks again!

 

Lenah

RKreport_SCN_10302014_124855.log

Scan log.txt

[MrCharlie]

Please make sure system restore is running and you have created a new restore point.

===========================

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

 

[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-722543489-3168160160-708674521-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

Now click Delete on the right hand column under Options

MrC

[lparente]

^MrC,

 

^{I ran the scan and deleted as listed in your reply. Four instances were highlighted in orange, one in red.}

 

^{After deletion, 2 of the orange ones were marked as Error, so I ran the scan again. This time only found one instance in red, I deleted it. Should I ran it again?}

 

^Thanks!

 

^Lenah

[MrCharlie]

Re-scan with RogueKiller and post or attach the new log.

MrC

[lparente]

Here it is:

 

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Lenah [Administrator]
Mode : Scan -- Date : 10/30/2014  16:22:06

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CFUACProxy_c2nplus ("C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe" -s "-pC:\ProgramData\Clickfree\C2NPlus") -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SacNetAgentService_C57C4F854F53 (C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe) -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CFUACProxy_c2nplus ("C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe" -s "-pC:\ProgramData\Clickfree\C2NPlus") -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SacNetAgentService_C57C4F854F53 (C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-722543489-3168160160-708674521-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 17 (Driver: Loaded) ¤¤¤
[iAT:Addr] (explorer.exe @ KERNELBASE.dll) ext-ms-win-gpapi-grouppolicy-l1-1-0.dll - RegisterGPNotificationInternalWorker : C:\windows\SYSTEM32\gpapi.dll @ 0x7ffb4bc14a0
[iAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\windows\SYSTEM32\clbcatq.dll @ 0x7ffb66c1e40
[iAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\windows\SYSTEM32\clbcatq.dll @ 0x7ffb66c1b70
[iAT:Addr] (iexplore.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\windows\SYSTEM32\clbcatq.dll @ 0x7ffb66c1e40
[iAT:Addr] (iexplore.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\windows\SYSTEM32\clbcatq.dll @ 0x7ffb66c1b70
[iAT:Addr] (iexplore.exe @ KERNELBASE.dll) ext-ms-win-gpapi-grouppolicy-l1-1-0.dll - RegisterGPNotificationInternalWorker : C:\windows\SysWOW64\gpapi.dll @ 0x72301dac
[iAT:Addr] (iexplore.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\windows\SysWOW64\clbcatq.dll @ 0x76be2622
[iAT:Addr] (iexplore.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\windows\SysWOW64\clbcatq.dll @ 0x76be1f51
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x70800d0
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x70800b0
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x7080030
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x7080050
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x70800f0
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x7080110
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x7080130
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x7080070
[iAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x7080090

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] 30etfuzu.default : user_pref("browser.startup.homepage", "https://us-mg4.mail.yahoo.com/neo/launch?.rand=0ohfkjibh3kfu"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 3a1b6b0a2d3bf5cd92c902c762b36036
[bSP] 2b083228d998dd9a87e3af9616c34504 : Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953647 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_10302014_155545.log - RKreport_DEL_10302014_160108.log - RKreport_SCN_10302014_124855.log - RKreport_SCN_10302014_155403.log
RKreport_SCN_10302014_160037.log

[MrCharlie]

You didn't get it.....

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

 

[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-722543489-3168160160-708674521-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

Now click Delete on the right hand column under Options

MrC

[lparente]

I think it's gone now!

 

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Lenah [Administrator]
Mode : Scan -- Date : 10/30/2014  16:52:33

¤¤¤ Processes : 2 ¤¤¤
[suspicious.Path] (SVC) CFUACProxy_c2nplus -- "C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe" -s "-pC:\ProgramData\Clickfree\C2NPlus"[7] -> Stopped
[suspicious.Path] (SVC) SacNetAgentService_C57C4F854F53 -- C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe[7] -> Stopped

¤¤¤ Registry : 10 ¤¤¤
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CFUACProxy_c2nplus ("C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe" -s "-pC:\ProgramData\Clickfree\C2NPlus") -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SacNetAgentService_C57C4F854F53 (C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe) -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CFUACProxy_c2nplus ("C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe" -s "-pC:\ProgramData\Clickfree\C2NPlus") -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SacNetAgentService_C57C4F854F53 (C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[iAT:Addr] (explorer.exe @ KERNELBASE.dll) ext-ms-win-gpapi-grouppolicy-l1-1-0.dll - RegisterGPNotificationInternalWorker : C:\windows\SYSTEM32\gpapi.dll @ 0x7fce46214a0
[iAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\windows\SYSTEM32\clbcatq.dll @ 0x7fce6441e40
[iAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\windows\SYSTEM32\clbcatq.dll @ 0x7fce6441b70

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] 30etfuzu.default : user_pref("browser.startup.homepage", "https://us-mg4.mail.yahoo.com/neo/launch?.rand=0ohfkjibh3kfu"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Clikfree Backup Drive USB Device +++++
--- User ---
[MBR] 3a1b6b0a2d3bf5cd92c902c762b36036
[bSP] 2b083228d998dd9a87e3af9616c34504 : Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953647 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_10302014_155545.log - RKreport_DEL_10302014_160108.log - RKreport_DEL_10302014_164204.log - RKreport_SCN_10302014_124855.log
RKreport_SCN_10302014_155403.log - RKreport_SCN_10302014_160037.log - RKreport_SCN_10302014_162206.log - RKreport_SCN_10302014_164046.log

[MrCharlie]

Yes it's gone, now see if you can scan with FRST now, even if you have to disable Norton.

 

MrC

[lparente]

Here are the attached logs.

Addition.txt

FRST.txt

[MrCharlie]

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then............

Please run a free online scan with the ESET Online Scanner (it may take a while to run)

Note: You will need to use Internet Explorer for this scan.

First please Disable any Antivirus you have active, as shown in This Topic

Note: Don't forget to re-enable it after the scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats is unchecked and the option Scan unsafe applications is checked

Click Advanced settings and select the following:

Click Start

Wait for the scan to finish

If threats were found:

Click on "list of threats found"

Click on "export to text file" and save it as ESET SCAN and save to the desktop

Click on back

Put a checkmark in "Uninstall application on close"

Click on finish

Post back the log.....MrC

[lparente]

Even though it said the logs would be filed in the same location as the FRST.exe/FRST64.exe, I see the logs, but not the .exe - I even ran a search on my c: drive and it can't find it. Could Norton have removed it after installation, when it was enabled again?

 

Suggestions?

[lparente]

I disable Norton again, reinstalled FRST and was able to find it.

 

When I try to run ESET, it says "An add on from this website failed to run".

 

Norton is disabled, MB's instructions are for the registered version only (not my case), and I see no way of disabling RogueKiller. That's all I have.

[MrCharlie]

I disable Norton again, reinstalled FRST and was able to find it.

Did you run the fix???? Log????

When I try to run ESET, it says "An add on from this website failed to run".
Run Internet Explorer without add-ons:
Click the Start button. Click All Programs, click Accessories, click System Tools, and then click Internet Explorer (No Add-ons).

Norton is disabled, MB's instructions are for the registered version only (not my case),
and I see no way of disabling RogueKiller.
You don't have to disable RK

 

MrC

[lparente]

Good morning,

 

I've attached the fix log.

 

I tried running ESET without add-ons, and nothing happens, the window just goes blank.

 

Thanks.

 

Lenah

Fixlog.txt

[MrCharlie]

Update and run a scan with your Norton.

Let me know how it is.

MrC

[lparente]

MrC,

 

Norton found no threats.

 

Just out of curiosity, I ran RogueKiller again, and it didn't detect any [Tr.Poweliks].

 

That sounds like good news!

[MrCharlie]

Good..........if there's no other problems:

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• If you get Unsupported operating system. Aborting now, just reboot and try again.
• A Notepad document should open automatically called checkup.txt.
• Please Post the contents of that document.
• Do Not Attach It!!!

MrC

[lparente]

Here it is:

 

 Results of screen317's Security Check version 0.99.89 
   x64 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton Internet Security  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player  15.0.0.152 
 Adobe Reader XI 
 Mozilla Firefox (33.0)
 Google Chrome 38.0.2125.104 
 Google Chrome 38.0.2125.111 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 

[MrCharlie]

Looks Good.........

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

• Ensure Remove disinfection tools is checked.
• Click the Run button.
• Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[lparente]

Ok, it looks like they're all gone.

 

Thank you so much for your help!

 

Lenah

[MrCharlie]

OK...Take Care MrC

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!