
Hello,

 

It seems my parents have somehow gotten a virus.  They said there were prompts to purchase something to remove all threats.  I've seen this kind of virus before.  It almost crippled any form of browsing with malware, pop-ups and prompts to purchase something to remove threats.  A friend of the family removed the programs that were downloaded to their computer, but I knew that wasn't the end of it, so I did an MBAM scan and removed over 100 PUPs and 2 trojans if I'm not mistaken.  Still not convinced it's over, though, so I decided to do an FRST scan and submit to my favorite malware-fighting website :).  I'm posting the attachments as they are way too long.

 

Also to note, Google Chrome starts up with astromenda.com now, so I know that has to do with the infection.  None of the symptoms have been showing up since we deleted files and scanned, but still... Also, I think it installed the Ask toolbar, which I know is also no good.  I won't delete anything else at the moment until I receive instructions to do so.

 

Thanks,

Keith

 

Addition.txt

FRST.txt

mbam.txt

  • Staff

Hi Keith, 
 
Do you recognise this folder? C:\BIDWHIST
 
STEP 1
Uninstall Software

  • Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall.
  • Note: Ensure you decline offers of additional software if applicable.
    • Search App by Ask 
  • Follow the prompts.
  • Reboot if necessary.
     

STEP 2
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    (APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
    C:\Program Files\AskPartnerNetwork
    HKLM\...\Run: [] => [X]
    HKU\S-1-5-21-3649622763-2251057654-2751203513-1000\...\MountPoints2: {cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
    BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
    FF SelectedSearchEngine: Ask Search
    FF Extension: SmartOnes - C:\Users\Rome\AppData\Roaming\Mozilla\Firefox\Profiles\guafjefl.default\Extensions\6@RKph.net [2014-11-01]
    CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=
    CHR StartupUrls: Default -> "hxxp://astromenda.com/?f=7&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=", "hxxp://www.google.com/"
    R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166296 2014-10-10] (APN LLC.)
    2014-11-01 13:31 - 2014-11-01 13:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\IsolatedStorage
    2014-11-01 13:27 - 2014-11-01 17:45 - 00000000 ____D () C:\Users\Rome\AppData\Roaming\Systweak
    2014-11-01 12:48 - 2014-11-01 12:48 - 00627776 _____ (CMI Limited) C:\Users\Rome\AppData\Local\nsh7A3.tmp
    2014-11-01 12:48 - 2014-11-01 12:48 - 00000000 __SHD () C:\Users\Rome\AppData\Roaming\AnyProtectEx
    2014-11-01 10:34 - 2014-11-01 10:34 - 00000000 ____D () C:\Users\Rome\Documents\Optimizer Pro
    2014-11-01 10:31 - 2014-11-01 18:15 - 00000000 ____D () C:\ProgramData\b8420324ef01ddac
    2014-11-01 10:31 - 2014-11-01 18:02 - 00000000 ____D () C:\ProgramData\SmartOnes
    2014-11-01 10:31 - 2014-11-01 17:49 - 00000000 ____D () C:\Program Files\XXXXSmartOnes
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Torch
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Comodo
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Chromatic Browser
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Torch
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Google
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Comodo
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Chromatic Browser
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Torch
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
    2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Chromatic Browser
    2014-11-01 10:29 - 2014-11-01 10:29 - 00000000 _____ () C:\END
    2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Users\Rome\AppData\Local\AskPartnerNetwork
    2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Program Files\AskPartnerNetwork
    2014-10-23 08:42 - 2014-10-23 08:42 - 00000000 ____D () C:\ProgramData\APN
    C:\Users\Rome\run.bat
    C:\Users\Rome\setup.exe
    C:\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe
    reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ApnTBMon" /f
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 3
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 4
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

======================================================

STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did the programme uninstall OK?
  • Fixlog.txt
  • AdwCleaner[s0].txt
  • JRT.txt

Hello,

 

Here's all of the info and yes everything worked out as far as the installation is concerned:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-11-2014 01
Ran by Rome at 2014-11-09 14:36:25 Run:1
Running from C:\Users\Rome\Desktop
Loaded Profile: Rome (Available profiles: Rome)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\AskPartnerNetwork
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-3649622763-2251057654-2751203513-1000\...\MountPoints2: {cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
FF SelectedSearchEngine: Ask Search
FF Extension: SmartOnes - C:\Users\Rome\AppData\Roaming\Mozilla\Firefox\Profiles\guafjefl.default\Extensions\6@RKph.net [2014-11-01]
CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=
CHR StartupUrls: Default -> "hxxp://astromenda.com/?f=7&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=", "hxxp://www.google.com/"
R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166296 2014-10-10] (APN LLC.)
2014-11-01 13:31 - 2014-11-01 13:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\IsolatedStorage
2014-11-01 13:27 - 2014-11-01 17:45 - 00000000 ____D () C:\Users\Rome\AppData\Roaming\Systweak
2014-11-01 12:48 - 2014-11-01 12:48 - 00627776 _____ (CMI Limited) C:\Users\Rome\AppData\Local\nsh7A3.tmp
2014-11-01 12:48 - 2014-11-01 12:48 - 00000000 __SHD () C:\Users\Rome\AppData\Roaming\AnyProtectEx
2014-11-01 10:34 - 2014-11-01 10:34 - 00000000 ____D () C:\Users\Rome\Documents\Optimizer Pro
2014-11-01 10:31 - 2014-11-01 18:15 - 00000000 ____D () C:\ProgramData\b8420324ef01ddac
2014-11-01 10:31 - 2014-11-01 18:02 - 00000000 ____D () C:\ProgramData\SmartOnes
2014-11-01 10:31 - 2014-11-01 17:49 - 00000000 ____D () C:\Program Files\XXXXSmartOnes
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Rome\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Guest\AppData\Local\Chromatic Browser
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Torch
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
2014-11-01 10:31 - 2014-11-01 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Chromatic Browser
2014-11-01 10:29 - 2014-11-01 10:29 - 00000000 _____ () C:\END
2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Users\Rome\AppData\Local\AskPartnerNetwork
2014-10-23 08:43 - 2014-11-01 18:15 - 00000000 ____D () C:\Program Files\AskPartnerNetwork
2014-10-23 08:42 - 2014-10-23 08:42 - 00000000 ____D () C:\ProgramData\APN
C:\Users\Rome\run.bat
C:\Users\Rome\setup.exe
C:\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ApnTBMon" /f
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************

C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe => No running process found
"C:\Program Files\AskPartnerNetwork" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-3649622763-2251057654-2751203513-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}" => Key not found.
"HKCR\CLSID\{cfb0fe0a-e53c-11e3-afff-0019b9006f7f} - F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02B07 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" => Key deleted successfully.
"HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" => Key deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
C:\Users\Rome\AppData\Roaming\Mozilla\Firefox\Profiles\guafjefl.default\Extensions\6@RKph.net => Moved successfully.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
APNMCP => Service not found.
C:\Users\Rome\AppData\Local\IsolatedStorage => Moved successfully.
C:\Users\Rome\AppData\Roaming\Systweak => Moved successfully.
C:\Users\Rome\AppData\Local\nsh7A3.tmp => Moved successfully.
C:\Users\Rome\AppData\Roaming\AnyProtectEx => Moved successfully.
C:\Users\Rome\Documents\Optimizer Pro => Moved successfully.
C:\ProgramData\b8420324ef01ddac => Moved successfully.
C:\ProgramData\SmartOnes => Moved successfully.
C:\Program Files\XXXXSmartOnes => Moved successfully.
C:\Users\Rome\AppData\Local\Torch => Moved successfully.
C:\Users\Rome\AppData\Local\Comodo => Moved successfully.
C:\Users\Rome\AppData\Local\Chromatic Browser => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Torch => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Google => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Comodo => Moved successfully.
C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser => Moved successfully.
C:\Users\Guest\AppData\Local\Torch => Moved successfully.
C:\Users\Guest\AppData\Local\Google => Moved successfully.
C:\Users\Guest\AppData\Local\Comodo => Moved successfully.
C:\Users\Guest\AppData\Local\Chromatic Browser => Moved successfully.
C:\Users\Administrator\AppData\Local\Torch => Moved successfully.
C:\Users\Administrator\AppData\Local\Google => Moved successfully.
C:\Users\Administrator\AppData\Local\Comodo => Moved successfully.
C:\Users\Administrator\AppData\Local\Chromatic Browser => Moved successfully.
C:\END => Moved successfully.
"C:\Users\Rome\AppData\Local\AskPartnerNetwork" => File/Directory not found.
"C:\Program Files\AskPartnerNetwork" => File/Directory not found.
C:\ProgramData\APN => Moved successfully.
C:\Users\Rome\run.bat => Moved successfully.
C:\Users\Rome\setup.exe => Moved successfully.
C:\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe => Moved successfully.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ApnTBMon" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


=========  netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


=========  netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========

EmptyTemp: => Removed 279.3 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

 

ADW:

# AdwCleaner v4.101 - Report created 09/11/2014 at 14:48:11
# Updated 09/11/2014 by Xplode
# Database : 2014-11-07.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : Rome - ROME-PC
# Running from : C:\Users\Rome\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Rome\AppData\LocalLow\Smartbar

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Mozilla Firefox v33.0.3 (x86 en-US)


-\\ Google Chrome v38.0.2125.111

[C:\Users\Rome\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_cmi_14_44_ff&cd=2XzuyEtN2Y1L1QzutDtDtCzy0BzytDtDyC0FyB0FzyzztCtCtN0D0Tzu0StCtDtAyCtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0EtD0FtCtAtBtGyBtB0ByDtGtB0FzyyDtGyC0CtDzytGyEyDyEyByBzy0DtDtAtC0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyEtAyC0AtC0A0CtGzzzz0CtAtGyEtCyByCtGzyzyyBzytGzz0CyEyCtAzy0E0EtAtC0Dzz2Q&cr=778705164&ir=

*************************

AdwCleaner[R0].txt - [1664 octets] - [09/11/2014 14:43:51]
AdwCleaner[s0].txt - [1597 octets] - [09/11/2014 14:48:11]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1657 octets] ##########
 

JRT:

~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 11/09/2014 at 14:56:08.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

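Reading a Fixlog. Every line in the result part of the Fixlog above is either a target FRST acted on ("Moved successfully", "deleted successfully", "restored successfully") or one it could not find ("not found", "No running process found"); the "not found" lines for the AskPartnerNetwork folders and the APNMCP service, and the reg delete error for the ApnTBMon startup entry, are consistent with Step 1 having already uninstalled Search App by Ask before the script ran. The Python script below is an added example (it is not part of the thread, nor part of FRST) that sorts a pasted Fixlog into those buckets and keeps the output of each reg:/CMD: directive, so a long log can be checked at a glance for anything that did not go as planned. The embedded sample is a shortened, constructed copy of the Fixlog above.

```python
import re

# Constructed sample: a subset of the Fixlog posted above, kept short so the
# expected counts are easy to verify by eye. A full Fixlog is read the same way.
SAMPLE_FIXLOG = r"""
*****************
start
C:\ProgramData\SmartOnes
end
*****************

C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe => No running process found
"C:\Program Files\AskPartnerNetwork" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" => Key deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Chrome HomePage deleted successfully.
APNMCP => Service not found.
C:\ProgramData\SmartOnes => Moved successfully.
C:\Users\Rome\run.bat => Moved successfully.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ApnTBMon" /f =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 279.3 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "===== <command> =====" banners
FIXLIST_RULE_RE = re.compile(r"^\*+$")                  # delimits the echoed fixlist
ABSENT_RE = re.compile(r"not found|no running process found", re.I)
DONE_RE = re.compile(r"successfully|^removed\b", re.I)
TRAILING_OUTCOME_RE = re.compile(r"\s+\w+ successfully\.?$", re.I)


def parse_fixlog(text):
    """Sort a Fixlog into what FRST removed, what it could not find, and command output.

    Returns a dict with keys:
      removed  - targets FRST moved, deleted, restored or reset
      absent   - targets FRST could not find (already gone, or a typo in the fixlist)
      commands - output lines captured for each reg:/CMD: directive, keyed by command
      errors   - ERROR lines, keyed by the command that produced them
      notes    - anything else (e.g. "The system needed a reboot.")
    """
    result = {"removed": [], "absent": [], "commands": {}, "errors": {}, "notes": []}
    section = None          # command whose output we are currently inside
    in_fixlist = False      # True while inside the echoed "Content of fixlist" block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FIXLIST_RULE_RE.match(line):
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:
            continue                      # the fixlist itself carries no outcome
        banner = SECTION_RE.match(line)
        if banner:
            title = banner.group(1)
            if not title:                 # a bare "=====" rule
                continue
            if title.startswith("End of"):
                section = None
            else:
                section = title
                result["commands"].setdefault(section, [])
            continue
        if section is not None:           # inside a reg:/CMD: block
            if line.upper().startswith("ERROR"):
                result["errors"].setdefault(section, []).append(line)
            else:
                result["commands"][section].append(line)
            continue
        if " => " in line:
            target, outcome = line.split(" => ", 1)
            target = target.strip('"')
        else:                             # e.g. "Chrome HomePage deleted successfully."
            target, outcome = TRAILING_OUTCOME_RE.sub("", line), line
        if ABSENT_RE.search(outcome):
            result["absent"].append(target)
        elif DONE_RE.search(outcome):
            result["removed"].append(target)
        else:
            result["notes"].append(line)
    return result


def format_report(result):
    """Human-readable summary; the 'absent' and 'errors' buckets are what to re-check."""
    out = [f"removed: {len(result['removed'])}", f"absent: {len(result['absent'])}"]
    out += [f"  not found: {t}" for t in result["absent"]]
    for cmd, errs in result["errors"].items():
        out += [f"  error in {cmd}: {e}" for e in errs]
    out += [f"note: {n}" for n in result["notes"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(parse_fixlog(SAMPLE_FIXLOG)))
```

Paste the whole Fixlog.txt in place of the sample. Items in the "absent" bucket deserve a second look only when nothing earlier in the procedure (an uninstall, an earlier tool) should have removed them; here every one of them is covered by the Step 1 uninstall.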
  • Staff

Hi Keith, 
 
Two final scans to check for remnants. 
 
STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 2
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
  • Click Export and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to the option shown in the image and click the button shown in the image (both were given as images in the original post).
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM Scan log
  • ESET Online Scan log

Ok so I finally got it done lol.  Here's the MBAM scan:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/16/2014
Scan Time: 7:24:56 PM
Logfile: mbam2.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.17.01
Rootkit Database: v2014.11.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Rome

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 330469
Time Elapsed: 12 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

ESET scan:

C:\FRST\Quarantine\C\Users\HomeGroupUser$\AppData\Local\Torch\User Data\Default\Extensions\boaacifihcigebjglapanmcpafegiajp\4.0\content.js    JS/Chromex.Agent.L trojan
C:\FRST\Quarantine\C\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe.xBAD    a variant of Win32/InstallCore.QV potentially unwanted application
C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm    JS/Kryptik.AMG trojan
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe    a variant of Win32/OpenCandy.A potentially unsafe application
 

I did notice that I'm having problems connecting via WIFI ever since the virus.  Forgot about that one issue.  I can connect but it's really slow.  Let me know what you think and thanks again for your patience.

  • Staff

Hi Keith, 

 

We can troubleshoot your connection issue. Let me know how you get on with Step 2. 

 

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm
    C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    EmptyTemp:
    end
  • Click FileSave As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Router Power Cycle 

  • Switch your computer off. 
  • Turn your router/modem off. 
  • Unplug your router/modem and all cables from the wall. 
  • Wait 60 seconds. 
  • Plug your router/modem back in and turn on. 
  • Switch your computer on. 
  • Check for issues. 
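Why this fixlist is shorter than the ESET output. Two of the four ESET detections sit under C:\FRST\Quarantine: they are the Torch extension and the CCleaner bundle installer that the first fix had already moved out of place, so they are already neutralised and only need to be emptied from quarantine later. The second fixlist therefore names only the two files still live on disk. The Python script below is an added example, not part of the thread or of any tool named in it, that performs that triage over pasted ESET output and emits a fixlist in the same shape as the ones above. The quarantine prefixes and the "pua" versus "malware" split are assumptions made for the example; the sample input is a constructed copy of the four lines Keith posted.

```python
import re

# Constructed sample: the four ESET Online Scan detections posted above, as the raw
# text a user would paste (path, then the verdict after a run of spaces).
SAMPLE_ESET = r"""
C:\FRST\Quarantine\C\Users\HomeGroupUser$\AppData\Local\Torch\User Data\Default\Extensions\boaacifihcigebjglapanmcpafegiajp\4.0\content.js    JS/Chromex.Agent.L trojan
C:\FRST\Quarantine\C\Users\Rome\AppData\Local\Temp\ICReinstall_CCleaner_Setup.exe.xBAD    a variant of Win32/InstallCore.QV potentially unwanted application
C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm    JS/Kryptik.AMG trojan
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe    a variant of Win32/OpenCandy.A potentially unsafe application
"""

# Assumption: folders where the tools used in this thread park what they remove.
# FRST's is visible in the scan output above; AdwCleaner's is the path that tool reports.
QUARANTINE_PREFIXES = ("c:\\frst\\quarantine\\", "c:\\adwcleaner\\quarantine\\")

# "<path><two or more spaces><verdict>"; paths may contain single spaces.
ESET_LINE_RE = re.compile(r"^(?P<path>\S.*?)\s{2,}(?P<verdict>.+?)$")
PUA_RE = re.compile(r"potentially (unwanted|unsafe) application", re.I)


def parse_eset(text):
    """One dict per detection: path, verdict, whether it is already quarantined, severity."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = ESET_LINE_RE.match(line) if line else None
        if not m:
            continue
        path, verdict = m.group("path"), m.group("verdict")
        hits.append({
            "path": path,
            "verdict": verdict,
            "quarantined": path.lower().startswith(QUARANTINE_PREFIXES),
            "severity": "pua" if PUA_RE.search(verdict) else "malware",
        })
    return hits


def triage(hits):
    """Split detections into those still live on disk and those already parked in quarantine."""
    live = [h for h in hits if not h["quarantined"]]
    parked = [h for h in hits if h["quarantined"]]
    return live, parked


def build_fixlist(paths, commands=("ipconfig /flushdns", "netsh winsock reset all"),
                  empty_temp=True):
    """Emit an FRST fixlist in the same shape as the ones in this thread.

    A bare path is moved to C:\\FRST\\Quarantine, a 'CMD:' line is executed and
    'EmptyTemp:' clears temp folders; the list opens with 'start' and closes with 'end'.
    """
    lines = ["start"]
    lines.extend(paths)
    lines.extend(f"CMD: {c}" for c in commands)
    if empty_temp:
        lines.append("EmptyTemp:")
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    live, parked = triage(parse_eset(SAMPLE_ESET))
    for h in parked:
        print(f"already quarantined: {h['path']}  [{h['verdict']}]")
    print(build_fixlist([h["path"] for h in live]))
```

Run against the sample, the generated fixlist is line for line the one in Step 1 above. The same split applies to any scanner run after a cleanup: a hit inside another tool's quarantine folder is a leftover to be purged, not a live infection.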

Sorry again for the delay.  This time I forgot my new password and then I wasn't allowed to create a new one for some odd reason.  I'm able to get on now.  I did do the scan but I'm not at my parents house.  I'll try to have my sister email it to me.  If not then I'll take care of it when I get off work.

 

Also, how do you turn off an Xfinity modem?  I didn't see an off button anywhere.  Should I just unplug it instead, or is there another way?


Ok someone was home to email the log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-11-2014
Ran by Rome at 2014-11-24 19:15:17 Run:2
Running from C:\Users\Rome\Desktop
Loaded Profile: Rome (Available profiles: Rome)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
EmptyTemp:
end
*****************

C:\Users\Rome\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGLMR7B4\TN4V8CGY.htm => Moved successfully.
C:\Users\Rome\Downloads\FoxitReader620.0429_enu_Setup.exe => Moved successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========

EmptyTemp: => Removed 625.2 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

  • Staff

Hello Keith, 

 

Please do the following. 

 

STEP 1
Router Reset
 
Consult Router Passwords to find out the default username and password for your brand of router, and make a note of them for future reference. Alternatively, you may find the username/password printed on the base of your router. If neither option applies, please contact the manufacturer of your router. 

Reset Router to Factory Default Settings:

  • Typically a reset can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds)
  • In order to get to the router's configuration page, type http://192.168.1.1 in the address bar and press Enter. You should see the log in window.
  • Fill in the password you have already found and you will get the configuration page.
  • Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard.
  • If you do not have a setup wizard you have to fill in the log in password your ISP initially gave you. You can also call your ISP if you don't have your initial password.
  • Don't forget to change the router's default password and set a stronger, more complex password. Note down the password and keep it somewhere for future reference.
     

Please make sure of the following settings on your computer:

  • Click Start > Control Panel, then double-click Network and Sharing Center.
  • In the left window select Manage Network Connections.
  • In the right window right-click Local Area Connection and select Properties.
  • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it. Make sure of the following settings:
  • The option Obtain an IP address automatically should be checked.
  • The option Obtain DNS server address automatically should be checked.
  • Click OK.
  • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
  • The option Obtain an IP address automatically should be checked.
  • The option Obtain DNS server address automatically should be checked.
  • Click OK twice.
  • If you need to change any of these settings you will need to reboot your computer.
     

STEP 2
MiniToolBox

  • Please download MiniToolBox and save the file to your Desktop.
  • Close any open windows.
  • Right-click MiniToolBox.exe and select Run as administrator to run the programme.
  • Check the following items:
    • (the list of items to check was given as images in the original post and is not reproduced here)
  • Click GO.
  • A log (Result.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.
     

STEP 3
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did your router reset OK?
  • Result.txt
  • FRST.txt
  • Addition.txt
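Checking the adapter settings from the command line. The "Obtain an IP address automatically" and "Obtain DNS server address automatically" state requested above can also be read off `ipconfig /all` without clicking through each adapter's properties, and the same output shows which DNS servers the machine is actually using, which is where a DNS-changing adware leaves its mark. The Python script below is an added example, not part of the thread; it parses `ipconfig /all` output and flags any connected adapter that has DHCP disabled or a DNS server that is not on the local subnet. The sample output is constructed: the wireless adapter shows the healthy state the post asks for, the Ethernet adapter is made deliberately suspicious. On the real machine, run `ipconfig /all > ipconfig.txt` and feed that file instead.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; it is not from the thread. The wireless
# adapter shows the state the post above asks for (DHCP on, DNS = the router). The
# Ethernet adapter is made deliberately suspicious: static addressing and DNS servers
# off the LAN (203.0.113.0/24 is a documentation range, used here as a stand-in).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ROME-PC
   Primary Dns Suffix  . . . . . . . :
   IP Routing Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example 802.11n Wireless Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1c4a:9b2e:3d1f:8a7c%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Ethernet Adapter
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
"""

# "   Key . . . . : value"; the separator is always " : ", so IPv6 values are safe.
KEY_RE = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*\s:\s?(.*)$")


def parse_ipconfig(text):
    """Return {section name: {key: [values]}}; multi-line values are accumulated."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():              # adapter header, e.g. "Ethernet adapter X:"
            current = raw.strip().rstrip(":")
            sections[current] = {}
            last_key = None
            continue
        if current is None:
            continue
        m = KEY_RE.match(raw)
        if m:
            last_key = m.group(1).rstrip(" .")
            value = m.group(2).strip()
            sections[current][last_key] = [value] if value else []
        elif last_key is not None:            # continuation line (extra DNS server etc.)
            sections[current][last_key].append(raw.strip())
    return sections


def ip_list(values):
    """'192.168.1.23(Preferred)' -> [IPv4Address('192.168.1.23')]; unparseable values skipped."""
    out = []
    for v in values:
        try:
            out.append(ipaddress.ip_address(v.split("(")[0].strip()))
        except ValueError:
            pass
    return out


def local_network(fields):
    """The adapter's own subnet, or None if it has no IPv4 address (disconnected)."""
    ips = ip_list(fields.get("IPv4 Address", []))
    mask = fields.get("Subnet Mask", [""])[0]
    if not ips or not mask:
        return None
    return ipaddress.ip_network(f"{ips[0]}/{mask}", strict=False)


def check_adapters(sections):
    """Flag adapters that contradict 'obtain automatically', and DNS servers off the LAN."""
    findings = []
    for name, fields in sections.items():
        if " adapter " not in name.lower():
            continue                           # the global "Windows IP Configuration" block
        net = local_network(fields)
        if net is None:
            continue                           # not connected: nothing to check
        if fields.get("DHCP Enabled", [""])[0] != "Yes":
            findings.append(f"{name}: DHCP disabled, address is static")
        for ip in ip_list(fields.get("DNS Servers", [])):
            if ip not in net:
                findings.append(f"{name}: DNS server {ip} is not on {net}; "
                                f"confirm it is one you or your ISP chose")
    return findings


if __name__ == "__main__":
    for finding in check_adapters(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(finding)
```

A DNS server outside the subnet is not automatically wrong (an ISP's or a public resolver is normal), so it is reported for confirmation rather than as an infection; a resolver the owner did not choose, on a machine that was just running a browser hijacker, is the thing to look at before blaming the router for slow Wi-Fi.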
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Thanks for reopening!

 

Ok so getting back to business, I will try to get it done today after I deal with my nearly stolen catalytic converter..crooks these days...can't live with them, CAN live without them lol.

 

Also is there anything I need to do about this email notification issue I'm having?  This is the second time that I didn't get an MBAM email notifying me of a new message.  Let me know if there's anything I need to do about that.

  • Staff

Hi Keith, 
 

after I deal with my nearly stolen catalytic converter

Sorry to hear that. Best of luck!
 

Also is there anything I need to do about this email notification issue I'm having? 

Try doing this.

  • Click your username in the top right corner. 
  • Click Settings. 
  • Click Notification Options. 
  • Place a checkmark in each Email box. 