Infected - buynsave, mystartsearch....probably more

[Dr_Jekyll]

Hi,

 

I would appreciate any assistance that you can give me to remove this malware - I've had little success with my suite of anti-malware/anti-virus software.

 

As per the "I'm Infected" topic I have installed and run FRST. Please find the requested logs attached.

 

I am a uTorrent user and I acknowledge your piracy policy - I am happy to remove it should you request it.

 

Thank you!

FRST.txt

Addition.txt

[LiquidTension]

Hello Dr_Jekyll, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
• If you are unable to copy/paste your logs directly into your post, please attach the file. 
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
• Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
   

======================================================
 

I am a uTorrent user and I acknowledge your piracy policy - I am happy to remove it should you request it.

As long as the programme isn't used during this process, it's OK.
 
Please consider the following suggestion, and proceed with the instructions below. 
 

Spybot S&D No Longer Recommended

------------------------------

MVPS.org is no longer recommending Spybot S&D due to poor testing results (scroll down and read under Freeware Antispyware Products).

I would advise uninstalling Spybot S&D. The presence of this programme can make the cleaning of your computer more difficult. You can uninstall the programme by:

• Press the Windows Key  + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for Spybot, right-click the entry and click Uninstall.

Please inform me of your decision.

 
STEP 1
 Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startWinlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]GroupPolicyUsers\S-1-5-21-1172636941-1685030803-3807005840-1002\User: Group Policy restriction detected <======= ATTENTIONCHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTIONToolbar: HKU\S-1-5-21-1172636941-1685030803-3807005840-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No FileFF SelectedSearchEngine: mystartsearchFF Extension: BuuyNsave - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\MJhfSm4XiU@V.net [2014-12-15]FF Extension: YoUTubeAadBloicke - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\V1@W1j.net [2014-12-15]CHR HomePage: Default -> hxxp://www.mystartsearch.com/?type=hp&ts=1418654373&from=wpc&uid=HITACHIXHTS545050B9A300_100907PBG40417JHT60VXCHR StartupUrls: Default -> "hxxp://www.mystartsearch.com/?type=hp&ts=1418654373&from=wpc&uid=HITACHIXHTS545050B9A300_100907PBG40417JHT60VX"CHR DefaultSearchKeyword: Default -> mystartsearchCHR DefaultSearchURL: Default -> http://www.mystartsearch.com/web/?type=ds&ts=1418654373&from=wpc&uid=HITACHIXHTS545050B9A300_100907PBG40417JHT60VX&q={searchTerms}CHR Extension: (BuuyNsave) - C:\ProgramData\peakpeijaognpadjiealgldjnoobajdc\ [2014-08-07]U3 BcmSqlStartupSvc; No ImagePathU2 IviRegMgr; No ImagePathU2 RichVideo; No ImagePathU3 SQLWriter; No ImagePathS3 wdmirror; system32\DRIVERS\WDMirror.sys [X]2014-12-15 22:42 - 2014-12-15 22:42 - 00004004 _____ () C:\windows\System32\Tasks\LaunchSignup2014-12-15 22:40 - 2014-12-16 12:45 - 00000000 ____D () C:\Users\Matt\AppData\Roaming\SkypEmoticons2014-12-15 22:34 - 2014-12-15 22:34 - 00000000 ____D () C:\ProgramData\peakpeijaognpadjiealgldjnoobajdc2014-12-15 22:34 - 2014-12-15 22:34 - 00000000 ____D () C:\ProgramData\16744844364087504394C:\Users\Matt\AppData\Local\Temp\8538.exeC:\Users\Matt\AppData\Local\Temp\OnlineBackup.exeC:\Users\Matt\AppData\Local\Temp\optprosetup.exeC:\Users\Matt\AppData\Local\Temp\vcredist_x64.exeTask: {04AF005F-4C65-4937-B062-C66BBC07035F} - \SomotoUpdateCheckerAutoStart No Task File <==== ATTENTIONTask: {3E77798E-8FBC-4151-B1EA-E7CE6579E7F5} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTIONC:\Program Files (x86)\MyPC BackupCMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetEmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
   

STEP 2
 Uninstall/Reinstall Chrome

• Follow these instructions on how to backup your Chrome bookmarks: Backup Chrome Bookmarks
• Press the Windows Key  + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for the following programmes, right-click and click Uninstall.
  • Google Chrome
• Follow the prompts.
• Reboot if necessary.
• Download and install  Google Chrome.
   

STEP 3
 Malwarebytes Anti-Malware (MBAM)

• Open Malwarebytes Anti-Malware and click Update Now.
• Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
• Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
• Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• Click Copy to Clipboard and paste the log in your next reply. 
   

STEP 4
 AdwCleaner

• Please download AdwCleaner and save the file to your Desktop.
• Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
• Follow the prompts. 
• Click Scan. 
• Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean. 
• Follow the prompts and allow your computer to reboot. 
• After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
STEP 5
 Junkware Removal Tool (JRT)

• Please download Junkware Removal Tool and save the file to your Desktop.
• Create a System Restore Point. For instructions, please refer to the following link (W7).
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click JRT.exe and select Run as administrator to run the programme.
• Follow the prompts and allow the scan to run uninterrupted. 
• Upon completion, a log (JRT.txt) will open on your desktop.
• Re-enable your anti-virus software.
• Copy the contents of JRT.txt and paste in your next reply.

 
======================================================
 
STEP 6
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Did you uninstall Spybot?
• Fixlog.txt
• Did Chrome uninstall/reinstall successfully?
• MBAM log
• AdwCleaner[s0].txt
• JRT.txt

[Dr_Jekyll]

Hi Adam,

 

Thanks for our prompt reply. My name is Matt BTW.

 

As recommended I have removed Spybot.

 

STEP 1 - Fixlog

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
Ran by Matt at 2014-12-18 12:07:54 Run:1
Running from C:\Users\Matt\Desktop
Loaded Profile: Matt (Available profiles: Matt & Alana & Henry)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicyUsers\S-1-5-21-1172636941-1685030803-3807005840-1002\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1172636941-1685030803-3807005840-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
FF SelectedSearchEngine: mystartsearch
FF Extension: BuuyNsave - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\MJhfSm4XiU@V.net [2014-12-15]
FF Extension: YoUTubeAadBloicke - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\V1@W1j.net [2014-12-15]
CHR HomePage: Default -> hxxp://www.mystartsearch.com/?type=hp&ts=1418654373&from=wpc&uid=HITACHIXHTS545050B9A300_100907PBG40417JHT60VX
CHR StartupUrls: Default -> "hxxp://www.mystartsearch.com/?type=hp&ts=1418654373&from=wpc&uid=HITACHIXHTS545050B9A300_100907PBG40417JHT60VX"
CHR DefaultSearchKeyword: Default -> mystartsearch
CHR DefaultSearchURL: Default -> http://www.mystartsearch.com/web/?type=ds&ts=1418654373&from=wpc&uid=HITACHIXHTS545050B9A300_100907PBG40417JHT60VX&q={searchTerms}
CHR Extension: (BuuyNsave) - C:\ProgramData\peakpeijaognpadjiealgldjnoobajdc\ [2014-08-07]
U3 BcmSqlStartupSvc; No ImagePath
U2 IviRegMgr; No ImagePath
U2 RichVideo; No ImagePath
U3 SQLWriter; No ImagePath
S3 wdmirror; system32\DRIVERS\WDMirror.sys [X]
2014-12-15 22:42 - 2014-12-15 22:42 - 00004004 _____ () C:\windows\System32\Tasks\LaunchSignup
2014-12-15 22:40 - 2014-12-16 12:45 - 00000000 ____D () C:\Users\Matt\AppData\Roaming\SkypEmoticons
2014-12-15 22:34 - 2014-12-15 22:34 - 00000000 ____D () C:\ProgramData\peakpeijaognpadjiealgldjnoobajdc
2014-12-15 22:34 - 2014-12-15 22:34 - 00000000 ____D () C:\ProgramData\16744844364087504394
C:\Users\Matt\AppData\Local\Temp\8538.exe
C:\Users\Matt\AppData\Local\Temp\OnlineBackup.exe
C:\Users\Matt\AppData\Local\Temp\optprosetup.exe
C:\Users\Matt\AppData\Local\Temp\vcredist_x64.exe
Task: {04AF005F-4C65-4937-B062-C66BBC07035F} - \SomotoUpdateCheckerAutoStart No Task File <==== ATTENTION
Task: {3E77798E-8FBC-4151-B1EA-E7CE6579E7F5} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
C:\Program Files (x86)\MyPC Backup
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************

"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => Key not found.
C:\windows\system32\GroupPolicyUsers\S-1-5-21-1172636941-1685030803-3807005840-1002\User => Moved successfully.
C:\windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\S-1-5-21-1172636941-1685030803-3807005840-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value deleted successfully.
"HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}" => Key not found.
Firefox SelectedSearchEngine deleted successfully.
C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\MJhfSm4XiU@V.net => Moved successfully.
C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\V1@W1j.net => Moved successfully.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
Chrome DefaultSearchKeyword not detected.
Chrome DefaultSearchURL not detected.
C:\ProgramData\peakpeijaognpadjiealgldjnoobajdc\ => Moved successfully.
BcmSqlStartupSvc => Service deleted successfully.
IviRegMgr => Service deleted successfully.
RichVideo => Service deleted successfully.
SQLWriter => Service deleted successfully.
wdmirror => Service deleted successfully.
C:\windows\System32\Tasks\LaunchSignup => Moved successfully.
C:\Users\Matt\AppData\Roaming\SkypEmoticons => Moved successfully.
"C:\ProgramData\peakpeijaognpadjiealgldjnoobajdc" => File/Directory not found.
C:\ProgramData\16744844364087504394 => Moved successfully.
C:\Users\Matt\AppData\Local\Temp\8538.exe => Moved successfully.
C:\Users\Matt\AppData\Local\Temp\OnlineBackup.exe => Moved successfully.
C:\Users\Matt\AppData\Local\Temp\optprosetup.exe => Moved successfully.
C:\Users\Matt\AppData\Local\Temp\vcredist_x64.exe => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{04AF005F-4C65-4937-B062-C66BBC07035F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04AF005F-4C65-4937-B062-C66BBC07035F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SomotoUpdateCheckerAutoStart" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3E77798E-8FBC-4151-B1EA-E7CE6579E7F5}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3E77798E-8FBC-4151-B1EA-E7CE6579E7F5}" => Key deleted successfully.
C:\Windows\System32\Tasks\LaunchSignup not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchSignup" => Key deleted successfully.
"C:\Program Files (x86)\MyPC Backup" => File/Directory not found.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


=========  netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


=========  netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========

EmptyTemp: => Removed 1.4 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====

 

STEP 2 - Chrome uninstalled/reinstalled successfully

 

STEP 3 - MBAM Log

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18/12/2014
Scan Time: 12:27:21 PM
Logfile: 2014-12-18 MBAM.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.18.01
Rootkit Database: v2014.12.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Matt

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 408055
Time Elapsed: 26 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.Somoto, C:\Users\Matt\Desktop\Setups\DVDShrink_downloader_by_DVDShrink.exe, Quarantined, [44d910537ffdd561938e257347be17e9],
PUP.Optional.OpenCandy, C:\Users\Matt\Desktop\Setups\FreemakeVideoConverterSetup.exe, Quarantined, [9a8378eb7a022313a2be1c0f35ccbe42],

Physical Sectors: 0
(No malicious items detected)


(end)

 

STEP 4 - AdwCleaner[s0]

 

# AdwCleaner v4.105 - Report created 18/12/2014 at 13:02:34
# Updated 08/12/2014 by Xplode
# Database : 2014-12-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Matt - G560
# Running from : C:\Users\Matt\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : c2cautoupdatesvc
Service Deleted : c2cpnrsvc

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\sAvenshareo
Folder Deleted : C:\Users\Matt\AppData\Local\Bundled software uninstaller
Folder Deleted : C:\Users\Matt\AppData\Roaming\SendSpace
Folder Deleted : C:\Users\Alana\AppData\Roaming\Mozilla\Firefox\Profiles\ktpfomxm.default\Extensions\MJhfSm4XiU@V.net
Folder Deleted : C:\Users\Alana\AppData\Roaming\Mozilla\Firefox\Profiles\ktpfomxm.default\Extensions\V1@W1j.net
Folder Deleted : C:\Users\Alana\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Folder Deleted : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
File Deleted : C:\Users\Matt\AppData\Roaming\regsvr32.exe_log.txt

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Key Deleted : HKLM\SOFTWARE\Classes\BuyNsave.BuyNsave
Key Deleted : HKLM\SOFTWARE\Classes\BuyNsave.BuyNsave.9
Key Deleted : HKLM\SOFTWARE\Classes\.
Key Deleted : HKLM\SOFTWARE\Classes\..9
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0cb07d2e-45ef-44cf-9d7f-600c95822097}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9970f778-1004-4599-8a07-7811f6bda2ed}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0cb07d2e-45ef-44cf-9d7f-600c95822097}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9970f778-1004-4599-8a07-7811f6bda2ed}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{0cb07d2e-45ef-44cf-9d7f-600c95822097}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9970f778-1004-4599-8a07-7811f6bda2ed}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842C4394-47F7-60DE-480B-C09116B63559}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16476


-\\ Mozilla Firefox v34.0 (x86 en-US)

[ktpfomxm.default\prefs.js] - Line Deleted : user_pref("extensions.EJ67RPwvRCSezuKj.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]
[ktpfomxm.default\prefs.js] - Line Deleted : user_pref("extensions.kKFGiEoI40dApPB2.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]
[05vlc2e3.default-1375141258519\prefs.js] - Line Deleted : user_pref("extensions.EJ67RPwvRCSezuKj.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]
[05vlc2e3.default-1375141258519\prefs.js] - Line Deleted : user_pref("extensions.kKFGiEoI40dApPB2.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]

-\\ Google Chrome v39.0.2171.95

[C:\Users\Alana\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : jbolfgndggfhhpbnkgnpjkfhinclbigj

*************************

AdwCleaner[R0].txt - [4620 octets] - [18/12/2014 13:00:20]
AdwCleaner[s0].txt - [4611 octets] - [18/12/2014 13:02:34]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4671 octets] ##########
 

STEP 5 - JRT.txt

 

# AdwCleaner v4.105 - Report created 18/12/2014 at 13:02:34
# Updated 08/12/2014 by Xplode
# Database : 2014-12-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Matt - G560
# Running from : C:\Users\Matt\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : c2cautoupdatesvc
Service Deleted : c2cpnrsvc

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\sAvenshareo
Folder Deleted : C:\Users\Matt\AppData\Local\Bundled software uninstaller
Folder Deleted : C:\Users\Matt\AppData\Roaming\SendSpace
Folder Deleted : C:\Users\Alana\AppData\Roaming\Mozilla\Firefox\Profiles\ktpfomxm.default\Extensions\MJhfSm4XiU@V.net
Folder Deleted : C:\Users\Alana\AppData\Roaming\Mozilla\Firefox\Profiles\ktpfomxm.default\Extensions\V1@W1j.net
Folder Deleted : C:\Users\Alana\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Folder Deleted : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
File Deleted : C:\Users\Matt\AppData\Roaming\regsvr32.exe_log.txt

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Key Deleted : HKLM\SOFTWARE\Classes\BuyNsave.BuyNsave
Key Deleted : HKLM\SOFTWARE\Classes\BuyNsave.BuyNsave.9
Key Deleted : HKLM\SOFTWARE\Classes\.
Key Deleted : HKLM\SOFTWARE\Classes\..9
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0cb07d2e-45ef-44cf-9d7f-600c95822097}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9970f778-1004-4599-8a07-7811f6bda2ed}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0cb07d2e-45ef-44cf-9d7f-600c95822097}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9970f778-1004-4599-8a07-7811f6bda2ed}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{0cb07d2e-45ef-44cf-9d7f-600c95822097}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9970f778-1004-4599-8a07-7811f6bda2ed}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842C4394-47F7-60DE-480B-C09116B63559}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16476


-\\ Mozilla Firefox v34.0 (x86 en-US)

[ktpfomxm.default\prefs.js] - Line Deleted : user_pref("extensions.EJ67RPwvRCSezuKj.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]
[ktpfomxm.default\prefs.js] - Line Deleted : user_pref("extensions.kKFGiEoI40dApPB2.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]
[05vlc2e3.default-1375141258519\prefs.js] - Line Deleted : user_pref("extensions.EJ67RPwvRCSezuKj.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]
[05vlc2e3.default-1375141258519\prefs.js] - Line Deleted : user_pref("extensions.kKFGiEoI40dApPB2.scode", "try{(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.index[...]

-\\ Google Chrome v39.0.2171.95

[C:\Users\Alana\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : jbolfgndggfhhpbnkgnpjkfhinclbigj

*************************

AdwCleaner[R0].txt - [4620 octets] - [18/12/2014 13:00:20]
AdwCleaner[s0].txt - [4611 octets] - [18/12/2014 13:02:34]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4671 octets] ##########
 

 

Thank you for your help - just applying your FSRT fix seemed to eliminate my issues!

 

Regards,

 

Matt

[LiquidTension]

Hi Matt, 
 

Thank you for your help - just applying your FSRT fix seemed to eliminate my issues!

I'm pleased to hear.
 
Both AdwCleaner and MBAM flagged other files/folders/registry items - so I suggest running this online to check for remnants. 
 
 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Please download ESET Online Scan and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click esetsmartinstaller_enu.exe to run the programme. 
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Agree to the Terms of Use once more and click Start. Allow components to download.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points. 
• Click  and save the file to your Desktop, naming it something such as "MyEsetScan".
• Push the Back button.
• Place a checkmark next to  and click .
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.

[Dr_Jekyll]

Thanks again Adam.

 

C:\AdwCleaner\Quarantine\C\Users\Alana\AppData\Roaming\Mozilla\Firefox\Profiles\ktpfomxm.default\Extensions\MJhfSm4XiU@V.net\content\bg.js.vir    JS/Kryptik.ATB trojan
C:\AdwCleaner\Quarantine\C\Users\Alana\AppData\Roaming\Mozilla\Firefox\Profiles\ktpfomxm.default\Extensions\V1@W1j.net\content\bg.js.vir    JS/Kryptik.ATB trojan
C:\FRST\Quarantine\C\Users\Matt\AppData\Local\Temp\8538.exe.xBAD    a variant of Win32/Adware.MultiPlug.ED application
C:\FRST\Quarantine\C\Users\Matt\AppData\Local\Temp\OnlineBackup.exe.xBAD    MSIL/MyPCBackup.D potentially unwanted application
C:\FRST\Quarantine\C\Users\Matt\AppData\Local\Temp\optprosetup.exe.xBAD    a variant of Win32/OptimizerEliteMax.C potentially unwanted application
C:\FRST\Quarantine\C\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\MJhfSm4XiU@V.net\content\bg.js    JS/Kryptik.ATB trojan
C:\FRST\Quarantine\C\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\05vlc2e3.default-1375141258519\Extensions\V1@W1j.net\content\bg.js    JS/Kryptik.ATB trojan
C:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\MJhfSm4XiU@V.net\content\bg.js    JS/Kryptik.ATB trojan
C:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\V1@W1j.net\content\bg.js    JS/Kryptik.ATB trojan
C:\Users\Matt\Desktop\Old Firefox Data\extensions\iva4ee@wg-bqob.org\content\bg.js    Win32/Adware.MultiPlug.H application
C:\Users\Matt\Desktop\Old Firefox Data\extensions\nvlyiy@usjarrmc.edu\content\bg.js    Win32/Adware.MultiPlug.H application
C:\Users\Matt\Desktop\Setups\cbsidlm-cbsi183-Free_WMA_to_MP3-ORG-75758783.exe    a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\Matt\Desktop\Setups\ccsetup401.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Matt\Desktop\Setups\ccsetup411.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Matt\Desktop\Setups\PDFXVwer.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
 

[LiquidTension]

Hello Matt, 
 
Let me know how your PC is performing after doing the following.
 
 Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startC:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\MJhfSm4XiU@V.netC:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\V1@W1j.netC:\Users\Matt\Desktop\Old Firefox Data\extensions\iva4ee@wg-bqob.orgC:\Users\Matt\Desktop\Old Firefox Data\extensions\nvlyiy@usjarrmc.eduC:\Users\Matt\Desktop\Setups\cbsidlm-cbsi183-Free_WMA_to_MP3-ORG-75758783.exeC:\Users\Matt\Desktop\Setups\ccsetup401.exeC:\Users\Matt\Desktop\Setups\ccsetup411.exeC:\Users\Matt\Desktop\Setups\PDFXVwer.exeEmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

[Dr_Jekyll]

Hi Adam,

 

Nil obvious change in performance following this run of FRST.

 

As mentioned earlier, a major improvement was observed after the initial run.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
Ran by Matt at 2014-12-19 13:01:26 Run:2
Running from C:\Users\Matt\Desktop
Loaded Profile: Matt (Available profiles: Matt & Alana & Henry)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
C:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\MJhfSm4XiU@V.net
C:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\V1@W1j.net
C:\Users\Matt\Desktop\Old Firefox Data\extensions\iva4ee@wg-bqob.org
C:\Users\Matt\Desktop\Old Firefox Data\extensions\nvlyiy@usjarrmc.edu
C:\Users\Matt\Desktop\Setups\cbsidlm-cbsi183-Free_WMA_to_MP3-ORG-75758783.exe
C:\Users\Matt\Desktop\Setups\ccsetup401.exe
C:\Users\Matt\Desktop\Setups\ccsetup411.exe
C:\Users\Matt\Desktop\Setups\PDFXVwer.exe
EmptyTemp:
end
*****************

C:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\MJhfSm4XiU@V.net => Moved successfully.
C:\Users\Henry\AppData\Roaming\Mozilla\Firefox\Profiles\xpqtgh7g.default\extensions\staged\V1@W1j.net => Moved successfully.
C:\Users\Matt\Desktop\Old Firefox Data\extensions\iva4ee@wg-bqob.org => Moved successfully.
C:\Users\Matt\Desktop\Old Firefox Data\extensions\nvlyiy@usjarrmc.edu => Moved successfully.
C:\Users\Matt\Desktop\Setups\cbsidlm-cbsi183-Free_WMA_to_MP3-ORG-75758783.exe => Moved successfully.
C:\Users\Matt\Desktop\Setups\ccsetup401.exe => Moved successfully.
C:\Users\Matt\Desktop\Setups\ccsetup411.exe => Moved successfully.
C:\Users\Matt\Desktop\Setups\PDFXVwer.exe => Moved successfully.
EmptyTemp: => Removed 651.5 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

[LiquidTension]

Hi Matt, 
 
Please update the following vulnerable software to reduce the risk of reinfection.

• Adobe Flash Player (uncheck the "Optional Offer")
• Adobe Reader (uncheck the "Optional Offer")
• Follow these instructions to check for and download the latest Windows Updates.
• I recommend installing the latest version of Internet Explorer for added security. The latest version IE can be installed via Windows Update.
   

Now for the good news!
 
All Clean!
Congratulations, your computer appears clean! 
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful. 
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation. 
 
 DelFix

• Please download DelFix and save the file to your Desktop.
• Double-click DelFix.exe to run the programme.
• Place a checkmark next to the following items:
  • Activate UAC
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore
  • Reset system settings
• Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

• Answers to common security questions - Best Practices by quietman7, MVP
• How Malware Spreads - How did I get infected? by quietman7, MVP
• Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
• How to Prevent Malware by miekiemoes, MVP
• How to backup and restore your data using Cobian Backup by YourHighness
• Slow Computer/browser? It May Not Be Malware by quietman7, MVP
   

The following programmes come highly recommended in the security community.

•  AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
• CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware. 
•  Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
•  Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
•  NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
•  Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
•  Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
•  SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
•  Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing.    
Adam

[Dr_Jekyll]

Hi Adam,

 

Sorry for the late reply - I've been working nights.

 

I have performed the recommended changes and am satisfied that everything is now fixed.

 

Thank you very, very, very much!

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!