krome Posted November 3, 2014 (ID:901620)

Hello,

It seems my parents have somehow gotten a virus. They said there were prompts to purchase something to remove all threats. I've seen this kind of virus before. It almost crippled any form of browsing with malware, pop-ups and prompts to purchase something to remove threats. A friend of the family removed the programs that were downloaded to their computer, but I knew that wasn't the end of it, so I did an MBAM scan and removed over 100 PUPs and 2 trojans, if not mistaken. Still not convinced it's over, though, so I decided to do an FRST scan and submit to my favorite malware-fighting website. I'm posting the attachments as they are way too long. Also to note, Google Chrome starts up with astromenda.com now, so I know that has to do with the infection. None of the symptoms have been showing up since we deleted files and scanned, but still... Also, I think it installed the Ask toolbar, which I know is also no good. I won't delete anything else at the moment until I receive instructions to do so.

Thanks,
Keith

Attachments: Addition.txt, FRST.txt, mbam.txt
LiquidTension Posted November 6, 2014 (ID:903851)

Hi Keith,

Do you recognise this folder?
C:\BIDWHIST

STEP 1 Uninstall Software
Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
Search for the following programmes, right-click and click Uninstall.
Note: Ensure you decline offers of additional software if applicable.
  Search App by Ask
Follow the prompts.
Reboot if necessary.

STEP 2 Farbar Recovery Scan Tool (FRST) Script
Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
Copy the entire contents of the codebox below and paste into the Notepad document.

start
(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\AskPartnerNetwork
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-3649622763-2251057654-2751203513-1000\...\MountPoints2: {cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
FF SelectedSearchEngine: Ask Search
FF Extension: SmartOnes - C:\Users\Rome\AppData\Roaming\Mozilla\Firefox\Profiles\guafjefl.default\Extensions\6@RKph.net [2014-11-01]
CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=
CHR StartupUrls: Default -> "hxxp://astromenda.com/?f=7&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=", "hxxp://www.google.com/"
R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166296 2014-10-10] (APN LLC.)
2014-11-01 13:31 - 2014-11-01 13:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\IsolatedStorage
2014-11-01 13:27 - 2014-11-01 17:45 - 00000000 ____D () C:\Users\Rome\AppData\Roaming\Systweak
2014-11-01 12:48 - 2014-11-01 12:48 - 00627776 _____ (CMI Limited) C:\Users\Rome\AppData\Local\nsh7A3.tmp
2014-11-01 12:48 - 2014-11-01 12:48 - 00000000 __SHD () C:\Users\Rome\AppData\Roaming\AnyProtectEx
2014-11-01 10:34 - 2014-11-01 10:34 - 00000000 ____D () C:\Users\Rome\Documents\Optimizer Pro
2014-11-01 10:31 - 2014-11-01 18:15 - 00000000 ____D () C:\ProgramData\b8420324ef01ddac
2014-11-01 10:31 - 2014-11-01 18:02 - 00000000 ____D () C:\ProgramData\SmartOnes
2014-11-01 10:31 - 2014-11-01 17:49 - 00000000 ____D () C:\Program Files\XXXXSmartOnes
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Chromatic Browser
2014-11-01 10:29 - 2014-11-01 10:29 - 00000000 _____ () C:\END
2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Users\Rome\AppData\Local\AskPartnerNetwork
2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Program Files\AskPartnerNetwork
2014-10-23 08:42 - 2014-10-23 08:42 - 00000000 ____D () C:\ProgramData\APN
C:\Users\Rome\run.bat
C:\Users\Rome\setup.exe
C:\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ApnTBMon" /f
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end

Click File, Save As and type fixlist.txt as the File Name. Important: The file must be saved in the same location as FRST.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
Right-click FRST.exe and select Run as administrator to run the programme.
Click Fix.
A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

STEP 3 AdwCleaner
Please download AdwCleaner and save the file to your Desktop.
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts. Click Scan.
Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

STEP 4 Junkware Removal Tool (JRT)
Please download Junkware Removal Tool and save the file to your Desktop.
Note: If you unchecked any items in AdwCleaner, please back up the associated folders/files before running JRT.
Temporarily disable your anti-virus software. For instructions, please refer to the following link.
Right-click JRT.exe and select Run as administrator to run the programme.
Follow the prompts and allow the scan to run uninterrupted.
Upon completion, a log (JRT.txt) will open on your desktop.
Re-enable your anti-virus software.
Copy the contents of JRT.txt and paste in your next reply.

======================================================

STEP 5 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
Did the programme uninstall OK?
Fixlog.txt
AdwCleaner[s0].txt
JRT.txt
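The bulk of the script above is a list of folders that FRST reported as created within one minute of each other (10:31 on 2014-11-01) across every profile on the machine, which is the signature of a bundled installer dropping several products at once. The following is an added example, not code from the thread or from FRST itself, that parses lines in the created/modified format FRST uses and clusters them by creation time so that such a burst stands out. The sample log is constructed for the example (modelled on the entries above plus two benign ones for contrast); the function names, the 5-minute window and the 3-item threshold are the example's own choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the "created - modified - size attrs (company) path"
# format FRST uses in its created files/folders section. It is modelled on the
# entries LiquidTension scripted for removal, plus two benign entries; it is
# NOT the actual FRST.txt from the thread.
SAMPLE_LOG = r"""
2014-11-01 13:27 - 2014-11-01 17:45 - 00000000 ____D () C:\Users\Rome\AppData\Roaming\Systweak
2014-11-01 12:48 - 2014-11-01 12:48 - 00627776 _____ (CMI Limited) C:\Users\Rome\AppData\Local\nsh7A3.tmp
2014-11-01 12:48 - 2014-11-01 12:48 - 00000000 __SHD () C:\Users\Rome\AppData\Roaming\AnyProtectEx
2014-11-01 10:34 - 2014-11-01 10:34 - 00000000 ____D () C:\Users\Rome\Documents\Optimizer Pro
2014-11-01 10:31 - 2014-11-01 18:15 - 00000000 ____D () C:\ProgramData\b8420324ef01ddac
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
2014-11-01 10:29 - 2014-11-01 10:29 - 00000000 _____ () C:\END
2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Program Files\AskPartnerNetwork
2014-10-15 09:02 - 2014-10-15 09:02 - 00000000 ____D () C:\Users\Rome\Documents\Photos
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str    # five flag chars: ____D = directory, __SHD = system+hidden directory
    company: str  # version-info company name; empty for directories and unsigned files
    path: str

    @property
    def is_dir(self):
        return "D" in self.attrs

    @property
    def is_hidden(self):
        return "H" in self.attrs


def parse_frst_created(text):
    """Parse created-files lines of an FRST log; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=int(m["size"]), attrs=m["attrs"],
            company=m["company"], path=m["path"],
        ))
    return entries


def find_bursts(entries, window=timedelta(minutes=5), min_items=3):
    """Cluster entries by creation time (window measured from the first entry of
    each cluster). A bundled installer drops many folders within a minute or two,
    so a tight cluster of >= min_items is the thing to review first."""
    ordered = sorted(entries, key=lambda e: e.created)
    bursts, current = [], []
    for e in ordered:
        if current and e.created - current[0].created > window:
            if len(current) >= min_items:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_items:
        bursts.append(current)
    return bursts


def profiles_touched(entries):
    """Profile names under C:\\Users seen in the entries. Payload written into every
    profile (Guest, Administrator, ...) points to a machine-wide bundle, not one user's install."""
    names = set()
    for e in entries:
        m = re.match(r"(?i)^C:\\Users\\([^\\]+)\\", e.path)
        if m:
            names.add(m.group(1))
    return names


def flags(e):
    """Cheap per-entry indicators worth a look before scripting a removal."""
    out = []
    if e.is_dir and e.is_hidden:
        out.append("hidden directory")
    if not e.is_dir and not e.company:
        out.append("file without version info")
    if "\\AppData\\Local\\" in e.path and e.path.lower().endswith(".tmp") and e.size > 0:
        out.append("leftover installer in AppData\\Local")
    return out


if __name__ == "__main__":
    entries = parse_frst_created(SAMPLE_LOG)
    for burst in find_bursts(entries):
        print(f"burst at {burst[0].created:%Y-%m-%d %H:%M}: {len(burst)} items, "
              f"profiles {sorted(profiles_touched(burst))}")
        for e in burst:
            print(f"  {e.path}  {flags(e)}")
```

On the sample, the only burst is the 10:29 to 10:34 cluster spanning two profiles, which is exactly the set the fix script targets; the AskPartnerNetwork folder created a week earlier is left for a separate decision, as it was in the thread (uninstall first, script second).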
LiquidTension Posted November 9, 2014 (ID:905039)

Hello,

Do you still require assistance?
krome (Author) Posted November 9, 2014 (ID:905092)

Sorry for the late response, I was super busy. So I guess we meet again, haha. OK, so I'll try to scan the computer either tonight or tomorrow and send the info immediately.
LiquidTension Posted November 9, 2014 (ID:905144)

OK Keith, I'll look out for your response.
krome (Author) Posted November 9, 2014 (ID:905514)

Hello,

Here's all of the info, and yes, everything worked out as far as the uninstallation is concerned:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-11-2014 01
Ran by Rome at 2014-11-09 14:36:25 Run:1
Running from C:\Users\Rome\Desktop
Loaded Profile: Rome (Available profiles: Rome)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\AskPartnerNetwork
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-3649622763-2251057654-2751203513-1000\...\MountPoints2: {cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
FF SelectedSearchEngine: Ask Search
FF Extension: SmartOnes - C:\Users\Rome\AppData\Roaming\Mozilla\Firefox\Profiles\guafjefl.default\Extensions\6@RKph.net [2014-11-01]
CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=
CHR StartupUrls: Default -> "hxxp://astromenda.com/?f=7&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=", "hxxp://www.google.com/"
R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166296 2014-10-10] (APN LLC.)
2014-11-01 13:31 - 2014-11-01 13:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\IsolatedStorage
2014-11-01 13:27 - 2014-11-01 17:45 - 00000000 ____D () C:\Users\Rome\AppData\Roaming\Systweak
2014-11-01 12:48 - 2014-11-01 12:48 - 00627776 _____ (CMI Limited) C:\Users\Rome\AppData\Local\nsh7A3.tmp
2014-11-01 12:48 - 2014-11-01 12:48 - 00000000 __SHD () C:\Users\Rome\AppData\Roaming\AnyProtectEx
2014-11-01 10:34 - 2014-11-01 10:34 - 00000000 ____D () C:\Users\Rome\Documents\Optimizer Pro
2014-11-01 10:31 - 2014-11-01 18:15 - 00000000 ____D () C:\ProgramData\b8420324ef01ddac
2014-11-01 10:31 - 2014-11-01 18:02 - 00000000 ____D () C:\ProgramData\SmartOnes
2014-11-01 10:31 - 2014-11-01 17:49 - 00000000 ____D () C:\Program Files\XXXXSmartOnes
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Chromatic Browser
2014-11-01 10:29 - 2014-11-01 10:29 - 00000000 _____ () C:\END
2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Users\Rome\AppData\Local\AskPartnerNetwork
2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Program Files\AskPartnerNetwork
2014-10-23 08:42 - 2014-10-23 08:42 - 00000000 ____D () C:\ProgramData\APN
C:\Users\Rome\run.bat
C:\Users\Rome\setup.exe
C:\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ApnTBMon" /f
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************

C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe => No running process found
"C:\Program Files\AskPartnerNetwork" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-3649622763-2251057654-2751203513-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}" => Key not found.
"HKCR\CLSID\{cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" => Key deleted successfully.
"HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" => Key deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
C:\Users\Rome\AppData\Roaming\Mozilla\Firefox\Profiles\guafjefl.default\Extensions\6@RKph.net => Moved successfully.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
APNMCP => Service not found.
C:\Users\Rome\AppData\Local\IsolatedStorage => Moved successfully.
C:\Users\Rome\AppData\Roaming\Systweak => Moved successfully.
C:\Users\Rome\AppData\Local\nsh7A3.tmp => Moved successfully.
C:\Users\Rome\AppData\Roaming\AnyProtectEx => Moved successfully.
C:\Users\Rome\Documents\Optimizer Pro => Moved successfully.
C:\ProgramData\b8420324ef01ddac => Moved successfully.
C:\ProgramData\SmartOnes => Moved successfully.
C:\Program Files\XXXXSmartOnes => Moved successfully.
C:\Users\Rome\AppData\Local\Torch => Moved successfully.
C:\Users\Rome\AppData\Local\Comodo => Moved successfully.
C:\Users\Rome\AppData\Local\Chromatic Browser => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Torch => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Google => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Comodo => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser => Moved successfully.
C:\Users\Guest\AppData\Local\Torch => Moved successfully.
C:\Users\Guest\AppData\Local\Google => Moved successfully.
C:\Users\Guest\AppData\Local\Comodo => Moved successfully.
C:\Users\Guest\AppData\Local\Chromatic Browser => Moved successfully.
C:\Users\Administrator\AppData\Local\Torch => Moved successfully.
C:\Users\Administrator\AppData\Local\Google => Moved successfully.
C:\Users\Administrator\AppData\Local\Comodo => Moved successfully.
C:\Users\Administrator\AppData\Local\Chromatic Browser => Moved successfully.
C:\END => Moved successfully.
"C:\Users\Rome\AppData\Local\AskPartnerNetwork" => File/Directory not found.
"C:\Program Files\AskPartnerNetwork" => File/Directory not found.
C:\ProgramData\APN => Moved successfully.
C:\Users\Rome\run.bat => Moved successfully.
C:\Users\Rome\setup.exe => Moved successfully.
C:\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe => Moved successfully.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ApnTBMon" /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========

========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========

========= netsh winsock reset all =========
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
========= End of CMD: =========

========= netsh int ipv4 reset =========
Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.
========= End of CMD: =========

========= netsh int ipv6 reset =========
Reseting Interface, OK!
Restart the computer to complete this action.
========= End of CMD: =========

EmptyTemp: => Removed 279.3 MB temporary data.
The system needed a reboot.
==== End of Fixlog ====

ADW:

# AdwCleaner v4.101 - Report created 09/11/2014 at 14:48:11
# Updated 09/11/2014 by Xplode
# Database : 2014-11-07.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : Rome - ROME-PC
# Running from : C:\Users\Rome\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Rome\AppData\LocalLow\Smartbar

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344

-\\ Mozilla Firefox v33.0.3 (x86 en-US)

-\\ Google Chrome v38.0.2125.111

[C:\Users\Rome\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=

*************************

AdwCleaner[R0].txt - [1664 octets] - [09/11/2014 14:43:51]
AdwCleaner[s0].txt - [1597 octets] - [09/11/2014 14:48:11]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1657 octets] ##########

JRT:

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 11/09/2014 at 14:56:08.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
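Three of the items removed across the fix script and the AdwCleaner run are the same hijack seen from Chrome's side: the homepage, the startup URL list and the default search provider all pointed at astromenda.com. The following is an added example, not code from the thread, FRST or AdwCleaner, showing how to audit and clean those three settings in Chrome's per-profile Preferences JSON. The sample Preferences document is constructed for the example (the astromenda URLs are shortened versions of the ones reported above; the rest is made up so the file parses); the key names (homepage, session.restore_on_startup, session.startup_urls, default_search_provider_data.template_url_data.url) are those of current Chrome builds, and the baseline host list is the example's own assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Chrome "Preferences" file after a homepage/search
# hijack. Not a real file from the machine in the thread.
SAMPLE_PREFS = json.dumps({
    "homepage": "http://astromenda.com/?f=1&a=ast_cmi_14_44_ff",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,   # 4 = open a fixed list of URLs at startup
        "startup_urls": [
            "http://astromenda.com/?f=7&a=ast_cmi_14_44_ff",
            "http://www.google.com/",
        ],
    },
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "astromenda.com",
            "short_name": "Astromenda",
            "url": "http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_cmi_14_44_ff",
        }
    },
})

# Assumed baseline of hosts a home user would plausibly have chosen themselves.
EXPECTED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "duckduckgo.com"}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def audit_chrome_prefs(prefs_json, expected_hosts=EXPECTED_HOSTS):
    """Return (setting, url) pairs whose host is outside the expected baseline."""
    prefs = json.loads(prefs_json)
    findings = []
    hp = prefs.get("homepage")
    if hp and host_of(hp) not in expected_hosts:
        findings.append(("homepage", hp))
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == 4:
        for u in session.get("startup_urls", []):
            if host_of(u) not in expected_hosts:
                findings.append(("startup_url", u))
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tpl.get("url") and host_of(tpl["url"]) not in expected_hosts:
        findings.append(("search_provider", tpl["url"]))
    return findings


def clean_chrome_prefs(prefs_json, expected_hosts=EXPECTED_HOSTS):
    """Return a cleaned copy of the JSON with the hijacked entries removed so
    Chrome falls back to its defaults. Chrome must be closed while the file is
    edited, and on builds that HMAC-protect tracked settings a hand edit simply
    makes Chrome reset those settings on next start, which is the desired outcome."""
    prefs = json.loads(prefs_json)
    hp = prefs.get("homepage")
    if hp and host_of(hp) not in expected_hosts:
        prefs.pop("homepage")
        prefs["homepage_is_newtabpage"] = True
    session = prefs.setdefault("session", {})
    session["startup_urls"] = [u for u in session.get("startup_urls", [])
                               if host_of(u) in expected_hosts]
    if not session["startup_urls"]:
        session["restore_on_startup"] = 5   # 5 = open the New Tab page
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tpl.get("url") and host_of(tpl["url"]) not in expected_hosts:
        prefs.pop("default_search_provider_data")
    return json.dumps(prefs, indent=2)


if __name__ == "__main__":
    for setting, url in audit_chrome_prefs(SAMPLE_PREFS):
        print(f"{setting}: {url}")
    print(clean_chrome_prefs(SAMPLE_PREFS))
```

A host allowlist rather than a blocklist is the point: the hijacker's domain changes from campaign to campaign, while the handful of search engines a given household actually uses does not. Run the audit on every profile directory under User Data, not just Default, for the same reason the fix script above touched every Windows profile.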
LiquidTension Posted November 10, 2014 (ID:905655)

Good job. How is the PC performing? Are there any remaining issues?
krome (Author) Posted November 13, 2014 (ID:907563)

Hello,

Sorry again for the late reply. Yes, the computer is working fine now. I assume we're heading to the final cleaner removal?
LiquidTension Posted November 13, 2014 (ID:907573)

Hi Keith,

Two final scans to check for remnants.

STEP 1 Malwarebytes Anti-Malware (MBAM)
Open Malwarebytes Anti-Malware and click Update Now.
Once updated, click the Settings tab, followed by Detection and Protection, and tick Scan for rootkits.
Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the History tab.
Click Application Logs and double-click the Scan Log.
Click Copy to Clipboard and paste the log in your next reply.

STEP 2 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
Please download ESET Online Scan and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link.
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Hide advanced settings. Place a checkmark next to:
  Scan archives
  Scan for potentially unsafe applications
  Enable Anti-Stealth technology
Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click . If no threats were found, skip the next two bullet points.
Click and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to and click .
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.

======================================================

STEP 3 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
MBAM Scan log
ESET Online Scan log
LiquidTension Posted November 17, 2014 (ID:909282)

How are you getting on, Keith?
krome (Author) Posted November 17, 2014 (ID:909284)

Hey, sorry, it's been a busy weekend. I did the MBAM scan and it's clean, but of course I have to send it to you. The ESET scan I have to try out tomorrow. Thanks for the reminder.
LiquidTension Posted November 17, 2014 (ID:909471)

No problem, Keith.
krome (Author) Posted November 20, 2014 (ID:910500)

OK, so I'm FINALLY going to be able to scan today. I'm doing it right this minute, so I'll send you the results this evening when I get off work. Sorry about this again, and thanks for your patience.
LiquidTension Posted November 20, 2014 (ID:910501)

That's quite alright, Keith. There's no rush.
krome (Author) Posted November 21, 2014 (ID:910724)

OK, so I finally got it done, lol. Here's the MBAM scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/16/2014
Scan Time: 7:24:56 PM
Logfile: mbam2.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.17.01
Rootkit Database: v2014.11.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Rome

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 330469
Time Elapsed: 12 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

ESET scan:

C:\FRST\Quarantine\C\Users\HomeGroupUser$\AppData\Local\Torch\User Data\Default\Extensions\boaacifihcigebjglapanmcpafegiajp\4.0\content.js	JS/Chromex.Agent.L trojan
C:\FRST\Quarantine\C\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe.xBAD	a variant of Win32/InstallCore.QV potentially unwanted application
C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm	JS/Kryptik.AMG trojan
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe	a variant of Win32/OpenCandy.A potentially unsafe application

I did notice that I'm having problems connecting via Wi-Fi ever since the virus. Forgot about that one issue. I can connect, but it's really slow. Let me know what you think, and thanks again for your patience.
LiquidTension Posted November 21, 2014 (ID:910954)

Hi Keith,

We can troubleshoot your connection issue. Let me know how you get on with Step 2.

STEP 1 Farbar Recovery Scan Tool (FRST) Script
Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
Copy the entire contents of the codebox below and paste into the Notepad document.

start
C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
EmptyTemp:
end

Click File, Save As and type fixlist.txt as the File Name. Important: The file must be saved in the same location as FRST.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
Right-click FRST.exe and select Run as administrator to run the programme.
Click Fix.
A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

STEP 2 Router Power Cycle
Switch your computer off.
Turn your router/modem off.
Unplug your router/modem and all cables from the wall.
Wait 60 seconds.
Plug your router/modem back in and turn on.
Switch your computer on.
Check for issues.
krome (Author) Posted November 25, 2014 (ID:912549)

Sorry again for the delay. This time I forgot my new password, and then I wasn't allowed to create a new one for some odd reason. I'm able to get on now. I did do the scan, but I'm not at my parents' house. I'll try to have my sister email it to me. If not, then I'll take care of it when I get off work. Also, how do you turn off an Xfinity modem? I didn't see an off button anywhere. Should I just unplug it instead, or is there another way?
krome (Author) Posted November 25, 2014 (ID:912561)

OK, someone was home to email the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-11-2014
Ran by Rome at 2014-11-24 19:15:17 Run:2
Running from C:\Users\Rome\Desktop
Loaded Profile: Rome (Available profiles: Rome)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
EmptyTemp:
end
*****************

C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm => Moved successfully.
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe => Moved successfully.

========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========

========= netsh winsock reset all =========
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
========= End of CMD: =========

EmptyTemp: => Removed 625.2 MB temporary data.
The system needed a reboot.
==== End of Fixlog ====
LiquidTension Posted November 26, 2014 (ID:912693)

Hi Keith,

Your router can just be unplugged. Let me know if you're still experiencing connectivity issues after performing the router power cycle.
krome (Author) Posted November 27, 2014 (ID:913313)

Hello,

Yes, I'm still having connection problems.
LiquidTension Posted November 28, 2014 (ID:913379)

Hello Keith,

Please do the following.

STEP 1 Router Reset
Consult Router Passwords to find out the default username and password for your brand of router, and make a note of that for future reference. Alternatively, you may find the username/password written on the base of your router. If neither option is applicable, please contact the manufacturer of your router.

Reset Router to Factory Default Settings:
Typically a reset can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).
In order to get to the router's server, type http://192.168.1.1 in the address bar and press Enter. You should see the log-in window.
Fill in the password you have already found and you will get the configuration page.
Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard.
If you do not have a setup wizard you have to fill in the log-in password your ISP has initially given to you. You can also call your ISP if you don't have your initial password.
Don't forget to change the router's default password and set a stronger, more complex password. Note down the password and keep it somewhere for future reference.

Please make sure of the following settings on your computer:
Click Start, Control Panel, then double-click Network and Sharing Center.
In the left window select Manage Network Connections.
In the right window right-click Local Area Connection and select Properties.
Internet Protocol Version 6 (IPv6) should be checked. Double-click on it. Make sure of the following settings:
  The option Obtain an IP address automatically should be checked.
  The option Obtain DNS server address automatically should be checked.
  Click OK.
Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
  The option Obtain an IP address automatically should be checked.
  The option Obtain DNS server address automatically should be checked.
  Click OK twice.
If you need to change any of these settings you will need to reboot your computer.

STEP 2 MiniToolBox
Please download MiniToolBox and save the file to your Desktop.
Close any open windows.
Right-click MiniToolBox.exe and select Run as administrator to run the programme.
Check the following items:
Click GO.
A log (Result.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.

STEP 3 Farbar Recovery Scan Tool (FRST) Scan
Right-click FRST.exe and select Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop-up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

======================================================

STEP 4 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
Did your router reset OK?
Result.txt
FRST.txt
Addition.txt
AdvancedSetup (Root Admin) Posted December 3, 2014 (ID:915043)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
AdvancedSetup (Root Admin) Posted December 3, 2014 (ID:915301)

Topic reopened per user request.
krome (Author) Posted December 4, 2014 (ID:915678)

Thanks for reopening! OK, so getting back to business, I will try to get it done today after I deal with my nearly stolen catalytic converter... crooks these days... can't live with them, CAN live without them, lol. Also, is there anything I need to do about this email notification issue I'm having? This is the second time that I didn't get an MBAM email notifying me of a new message. Let me know if there's anything I need to do about that.
LiquidTension Posted December 4, 2014 (ID:915705)

Hi Keith,

> after I deal with my nearly stolen catalytic converter

Sorry to hear that. Best of luck!

> Also is there anything I need to do about this email notification issue I'm having?

Try doing this.
Click your username in the top right corner.
Click Settings.
Click Notification Options.
Place a checkmark in each Email box.