crlars67 Posted November 12, 2014 ID:906739 Share Posted November 12, 2014 Hello, It looks like the last time I tried to send this it didn't go through. If this is a duplicate, feel free to disregard. Otherwise it looks like my dad's laptop is infected. After installing MalwareBytesAntiMalware, we keep getting notices that a "malicious website is being blocked", these are outgoing and we did not have a browser open when they started coming in. I'm following the directions for fixing and infected computer. I downloaded and ran FRST and attached the log files that it produced. This is on my dad's laptop and he's not comfortable with most of this stuff so he'll need step-by-step help if possible. I can be available as a backup but only outside normal working hours. Any help would be greatly appreciated. ThanksMick LarsonAddition.txtFRST.txtAddition.txtFRST.txt Link to post Share on other sites More sharing options...
LiquidTension Posted November 12, 2014 ID:906831 Share Posted November 12, 2014 Hello crlars67, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.If you would allow me to call you by your first name I would prefer that. General P2P/Piracy Notice: If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed. ====================================================== Please read through the points below to ensure this process moves as quickly and efficiently as possible.Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.Ensure you are following this topic. Click at the top of the page. ====================================================== This is on my dad's laptop and he's not comfortable with most of this stuff so he'll need step-by-step help if possible. I can be available as a backup but only outside normal working hours. Any help would be greatly appreciated.That's no problem. If any issues arise, please stop and let me know. STEP 1 Revo UninstallerPlease download and install Revo Uninstaller Free.Double-click Revo Uninstaller to run the programme. From the list of programmes, locate the following, or anything similar and carry out the steps below one at a time.Coupon Printer for WindowsPlay PickleYahoo ToolbarYahoo! Install Manager Double-click the programme. When prompted if you want to uninstall click Yes.Ensure the Moderate option is selected and click Next.The programme uninstaller will run. If prompted again click Yes.Work your way through the uninstaller, ensuring you read each page thoroughly.Note: Ensure you decline offers of additional software if applicable. Once the built-in uninstaller is finished click Next.Once the programme has searched for leftovers click Next.Check items in bold only in the list and click Delete. You may have to expand folders by clicking the "+" mark.When prompted click Yes, followed by Next.Click Select all, followed by Delete.When prompted click Yes, followed by Next.Once done click Finish. STEP 2 Farbar Recovery Scan Tool (FRST) ScriptPress the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.Copy the entire contents of the codebox below and paste into the Notepad document.start() C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe() C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe() C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exeHKLM\...\Run: [] => [X]HKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\Run: [RegisterIEPKEYs] => C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe [101888 2014-03-04] ()HKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\RunOnce: [RegisterIEPKEYs] => C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe [101888 2014-03-04] ()HKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\Policies\Explorer: [Run] "C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe"HKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\MountPoints2: {43e2e7c9-6487-11e1-9276-806e6f6e6963} - E:\Start.exeHKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\MountPoints2: {8283127d-004b-11e4-b318-0ceee6f166a6} - E:\TL_Bootstrap.exeHKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\MountPoints2: {93c294fa-398d-11e4-83b3-0ceee6f166a6} - E:\VerizonWirelessUpgradeAssistantSetup.exe -aHKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\MountPoints2: {a446ed4b-b8ce-11e3-b567-0ceee6f166a6} - E:\TL_Bootstrap.exeHKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\MountPoints2: {b6d9bb5a-4ee1-11e4-8172-0ceee6f166a6} - E:\VerizonWirelessUpgradeAssistantSetup.exe -aHKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\MountPoints2: {f3d6b6c6-5075-11e4-84eb-0ceee6f166a6} - E:\VerizonWirelessUpgradeAssistantSetup.exe -aHKU\S-1-5-21-2284273313-1824147438-676432488-1000\...\Command Processor: "C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe" <===== ATTENTION!C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exeHKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [RegisterIEPKEYs] => C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe [101888 2014-03-04] ()HKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\RunOnce: [RegisterIEPKEYs] => C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe [101888 2014-03-04] ()HKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\Explorer: [Run] "C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe"HKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {43e2e7c9-6487-11e1-9276-806e6f6e6963} - E:\Start.exeHKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {8283127d-004b-11e4-b318-0ceee6f166a6} - E:\TL_Bootstrap.exeHKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {93c294fa-398d-11e4-83b3-0ceee6f166a6} - E:\VerizonWirelessUpgradeAssistantSetup.exe -aHKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {a446ed4b-b8ce-11e3-b567-0ceee6f166a6} - E:\TL_Bootstrap.exeHKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {b6d9bb5a-4ee1-11e4-8172-0ceee6f166a6} - E:\VerizonWirelessUpgradeAssistantSetup.exe -aHKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {f3d6b6c6-5075-11e4-84eb-0ceee6f166a6} - E:\VerizonWirelessUpgradeAssistantSetup.exe -aHKU\S-1-5-21-2284273313-1824147438-676432488-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Command Processor: "C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe" <===== ATTENTION!Startup: C:\Users\larson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegisterIEPKEYs.lnkShortcutTarget: RegisterIEPKEYs.lnk -> C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdate\RegisterIEPKEYs.exe ()HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie9URLSearchHook: HKCU - Yahoo Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONSearchScopes: HKLM - DefaultScope {ECDE9A52-5442-4764-9825-2EC6520BED39} URL = SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJxdm035YYUS&ptb=i_WDtMFNgxaRI9K5s5Wlpw&psa=&ind=2010080600&ptnrS=ZJxdm035YYUS&si=&st=sb&n=77cf6558&searchfor={searchTerms}SearchScopes: HKCU - {1CEBA9F8-80D9-4269-8928-011CDF107F14} URL = SearchScopes: HKCU - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL =SearchScopes: HKCU - {5C6BDCF3-E39A-4FE6-A219-D60DE5DC610D} URL = https://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=retail&geo=US&ver=20&locale=en_US&gct=kwd&qsrc=2869SearchScopes: HKCU - {B6E77C8A-6692-4320-8AE2-F27402F7C676} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie9BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)BHO: Play Pickle Text -> {02F0243C-2E71-4a1a-A790-6C30888119D0} -> C:\Program Files\Play Pickle\pptl.dll ()C:\Program Files\Play PickleBHO: DownloadTerms -> {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} -> C:\Users\larson\AppData\Local\DownloadTerms\temp.dat No FileC:\Users\larson\AppData\Local\DownloadTermsBHO: Play Pickle -> {AEB04B5E-C981-47a9-B847-33EE4C92F6B9} -> C:\Program Files\Play Pickle\playpicklelib32.dll ()Toolbar: HKLM - Yahoo Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3294791&CUI=UN24118746397147106&UM=2&SearchSource=3&q={searchTerms}FF SearchEngineOrder.1: Ask SearchFF Plugin: @virtools.com/3DviaPlayer -> C:\Program Files\Virtools\3D Life Player\npvirtools.dll No FileFF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)FF SearchPlugin: C:\Users\larson\AppData\Roaming\Mozilla\Firefox\Profiles\vytki7k0.default\searchplugins\ask-search.xmlFF SearchPlugin: C:\Users\larson\AppData\Roaming\Mozilla\Firefox\Profiles\vytki7k0.default\searchplugins\Groovorio.xmlFF SearchPlugin: C:\Users\larson\AppData\Roaming\Mozilla\Firefox\Profiles\vytki7k0.default\searchplugins\safesearch.xmlFF Extension: Play Pickle TextLinks - C:\Users\larson\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com [2011-04-20]FF Extension: Groovorio - C:\Users\larson\AppData\Roaming\Mozilla\Firefox\Profiles\vytki7k0.default\Extensions\{73843edf-1075-4a55-947c-e13e0dc9349e} [2014-08-14]FF Extension: DownloadTerms - C:\Program Files\Mozilla Firefox\extensions\kgcngo@xmmomglptujvwxntife.org [2014-05-12]FF HKLM\...\Firefox\Extensions: [lesstabs@lesstabs.com] - C:\Program Files\Mozilla Firefox\extensions\lesstabs@lesstabs.comCHR HKLM\...\Chrome\Extension: [cbjibcbpmbcabnfnohhgjjmkgkimajko] - C:\Users\larson\AppData\Local\CRE\cbjibcbpmbcabnfnohhgjjmkgkimajko.crx [2013-05-13]CHR HKLM\...\Chrome\Extension: [fdkednngfjmpnljkolbapdednncafhen] - C:\Users\larson\AppData\Local\CRE\fdkednngfjmpnljkolbapdednncafhen.crx [2013-05-13]S3 NAVENG; \??\C:\Program Files\Norton 360\NortonData\21.4.0.13\Definitions\VirusDefs\20140303.018\NAVENG.SYS [X]S3 NAVEX15; \??\C:\Program Files\Norton 360\NortonData\21.4.0.13\Definitions\VirusDefs\20140303.018\NAVEX15.SYS [X]S3 PTUMWBus; system32\DRIVERS\PTUMWBus.sys [X]S3 PTUMWCDF; system32\DRIVERS\PTUMWCDF.sys [X]S3 PTUMWFLT; system32\DRIVERS\PTUMWFLT.sys [X]S3 PTUMWMdm; system32\DRIVERS\PTUMWMdm.sys [X]S3 PTUMWNET; system32\DRIVERS\PTUMWNET.sys [X]S3 PTUMWVsp; system32\DRIVERS\PTUMWVsp.sys [X]S3 usbbus; system32\DRIVERS\lgusbbus.sys [X]S3 UsbDiag; system32\DRIVERS\lgusbdiag.sys [X]S3 USBModem; system32\DRIVERS\lgusbmodem.sys [X]CustomCLSID: HKU\S-1-5-21-2284273313-1824147438-676432488-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No FileCustomCLSID: HKU\S-1-5-21-2284273313-1824147438-676432488-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No FileCustomCLSID: HKU\S-1-5-21-2284273313-1824147438-676432488-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No FileAlternateDataStreams: C:\ProgramData\TEMP:D1B5B4F1AlternateDataStreams: C:\Users\larson\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_0favicon-2079221766AlternateDataStreams: C:\Users\larson\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_1favicon1313128964AlternateDataStreams: C:\Users\larson\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_2favicon-2092717923Folder: C:\Users\larson\AppData\Roaming\Microsoft\Windows\IEUpdateCMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetEmptyTemp:endClick File, Save As and type fixlist.txt as the File Name.Important: The file must be saved in the same location as FRST.exe.NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.Right-Click FRST.exe and select Run as administrator to run the programme.Click Fix.A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply. STEP 3 ComboFixNote: Please read through these instructions before running ComboFix. Please download ComboFix and save the file to your Desktop. << Important!Temporarily disable your anti-virus software. For instructions, please refer to the following link.Right-Click ComboFix.exe and select Run as administrator to run the programme.Follow the prompts. Allow ComboFix to complete it's removal routine (please refer to Important Notes:).Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.Re-enable your anti-virus software. Important Notes:Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.Do NOT use your computer whilst ComboFix is running.Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal. If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.ComboFix will disconnect your machine from the Internet as soon as it starts.Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.If you are unable to access the Internet after running ComboFix, please reboot your computer. STEP 4 TDSSKiller ScanPlease download TDSSKiller and save the file to your Desktop.Right-Click TDSSKiller.exe and select Run as administrator to run the programme.Click Change parameters. Place a checkmark next to:Loaded ModulesDetect TDLFS file systemVerify file digital signaturesNote: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.Click Start Scan. Do not use the computer during the scan.If objects are found, change the action to skip.Click Continue and close the window.A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply. ====================================================== STEP 5 LogsIn your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.Did the programmes uninstall OK?Fixlog.txtComboFix.txtTDSSKiller log (attached!) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 21, 2014 Root Admin ID:910874 Share Posted November 21, 2014 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts