
totalcarecomplete247.info



I didn't get a screenshot of the "Warning" splash screen but it is the same as EricLee posted (see his post of 0635 today titled Remove "Windozssupport247.info"). One difference is that mine shows the URL as "totalcarecomplete247.info". It's the same old 'you may have a virus' BS that pops up from time to time... 'call tech support @...'

 

Ctrl+Alt+Delete worked fine but I'd like to remove this #!*% with your help.  Thanks!


Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products, Windows), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 Please enable your system to show hidden files: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log: use the control at the bottom right corner of this page, then the new window that comes up.

Last................

3. Please download RogueKiller 32 bit to your desktop and run it.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

You can also use this version of RogueKiller which works on both 32 and 64 bit:

RogueKiller 32 & 64 bit

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%\RogueKiller\Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>Sometimes when clearing out an infection the winsock stack will become corrupt and you'll lose your internet connection. To resolve this....reset the stack as outlined HERE

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


MR C...not that I don't like talking to ya, but I was hoping after the last two malware problems I had last year that I was done with needing your help.  Anyway, here's the info...

 

RogueKiller:

 

 

RogueKiller V10.10.1.0 [Aug 17 2015] by Adlice Software
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Al & Mindy [Administrator]
Started from : C:\Users\Al & Mindy\Desktop\MB8-20\RogueKiller.exe
Mode : Scan -- Date : 08/21/2015 09:47:30
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 18 ¤¤¤
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)])  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[sSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e1357571000000
[sSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e1357589000000
[sSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[18] : Unknown @ 0x41e12ed8fc000000
[sSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[21] : Unknown @ 0x41e1241be7000000
[sSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[42] : Unknown @ 0x41e135747f000000
[sSDT:Addr(Hook.SSDT)] NtCreateMutant[67] : Unknown @ 0x41e1357527000000
[sSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[77] : Unknown @ 0x41e135742f000000
[sSDT:Addr(Hook.SSDT)] NtCreateThread[78] : Unknown @ 0x41e1357408000000
[sSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[116] : Unknown @ 0x41e1357497000000
[sSDT:Addr(Hook.SSDT)] NtDuplicateObject[129] : Unknown @ 0x41e12ed92e000000
[sSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[147] : Unknown @ 0x41e12ed8c8000000
[sSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[156] : Unknown @ 0x41e1357541000000
[sSDT:Addr(Hook.SSDT)] NtImpersonateThread[158] : Unknown @ 0x41e1357559000000
[sSDT:Addr(Hook.SSDT)] NtLoadDriver[165] : Unknown @ 0x41e13574c7000000
[sSDT:Addr(Hook.SSDT)] NtMapViewOfSection[177] : Unknown @ 0x41e12ed8ac000000
[sSDT:Addr(Hook.SSDT)] NtOpenEvent[184] : Unknown @ 0x41e135750f000000
[sSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x41e12ca2d2000000
[sSDT:Addr(Hook.SSDT)] NtOpenProcessToken[195] : Unknown @ 0x41e12ed916000000
[sSDT:Addr(Hook.SSDT)] NtOpenSection[197] : Unknown @ 0x41e13574df000000
[sSDT:Addr(Hook.SSDT)] NtOpenThread[201] : Unknown @ 0x41e12ed948000000
[sSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[210] : Unknown @ 0x41e1357465000000
[sSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : Unknown @ 0x41e13677e7000000
[sSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[261] : Unknown @ 0x41e13677cd000000
[sSDT:Addr(Hook.SSDT)] NtResumeThread[282] : Unknown @ 0x41e13575a1000000
[sSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x41e13575e9000000
[sSDT:Addr(Hook.SSDT)] NtSetInformationProcess[305] : Unknown @ 0x41e12ed87a000000
[sSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : Unknown @ 0x41e13574af000000
[sSDT:Addr(Hook.SSDT)] NtSuspendProcess[330] : Unknown @ 0x41e13574f7000000
[sSDT:Addr(Hook.SSDT)] NtSuspendThread[331] : Unknown @ 0x41e13575b9000000
[sSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x41e12ed806000000
[sSDT:Addr(Hook.SSDT)] unknown[335] : Unknown @ 0x41e13575d1000000
[sSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : Unknown @ 0x41e12ed894000000
[sSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x41e12ed8e2000000
[sSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : Unknown @ 0x41e1357449000000
[shwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[317] : Unknown @ 0x41e0ef3336000000
[shwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x41e0ef3541000000
[shwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[428] : Unknown @ 0x41e0ef3529000000
[shwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[430] : Unknown @ 0x41e0ef3559000000
[shwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[442] : Unknown @ 0x41e0ef3571000000
[shwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : Unknown @ 0x41e0ef34d4000000
[shwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : Unknown @ 0x41e0ef350f000000
[shwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : Unknown @ 0x41e0ef34ee000000
[shwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x41e0ef333d000000
[shwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x41e0ef3691000000
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ARRAY +++++
--- User ---
[MBR] aba52d45b8e1f2adf216397c6e932b8c
[bSP] 15aa431f21a280c81d2601e5a5773708 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 129024 | Size: 15360 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31586304 | Size: 525312 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1107425280 | Size: 174666 MB
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
 
+++++ PhysicalDrive1: Seagate FA GoFlex Desk USB Device +++++
--- User ---
[MBR] 15185c225eb6fb0a3de71f124a83710c
[bSP] adb3bbbedcdedb86cfcfedec2cb79c0a : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive2: DELL USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive3: DELL USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive4: DELL USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive5: DELL USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive6: Canon MX870 series USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Addition.txt

FRST.txt

rk_7CB8.tmp.txt

scan 8-20a.txt

scan 8-20b.txt

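The Registry section of that RogueKiller report is where the scam's footprint shows: two services whose binaries sit under a user's Temp folder, a ProxyServer of http=127.0.0.1:5555 written into the .DEFAULT and S-1-5-18 (LocalSystem) hives, a DHCP resolver on a private address, and a run of PUM.StartMenu entries that are only cosmetic. The script below is an added example of mine, not code from the thread or from Adlice Software: it parses finding lines in the report's format, folds the ControlSet001/003 mirrors onto CurrentControlSet so each item is counted once, and ranks what is left. The sample lines are copied from the report above; the severity labels, the Temp-directory rule and the loopback-proxy rule are this example's own assumptions.

```python
"""Triage the Registry section of a RogueKiller report.

Added example, not code from the thread or from Adlice Software. The parsing
follows the line format shown in the report above; the severity labels and the
rules behind them are this example's own assumptions.
"""
from __future__ import annotations

import re
from ipaddress import ip_address

# Constructed sample: finding lines copied from the report posted above. The
# ControlSet001 line mirrors the CurrentControlSet one, as it does in the report.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 18 ¤¤¤
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)])  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found
"""

# Two shapes:  [Category] key (binary path) -> Status
#              [Category] key | Name : Data -> Status
FINDING_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\s+(?P<key>[^(|]+?)"
    r"(?:\s+\((?P<path>.+)\)|\s+\|\s+(?P<name>[^:]+?)\s*:\s*(?P<data>.+?))?"
    r"\s+->\s+(?P<status>\w+)\s*$")
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_findings(report: str) -> list[dict]:
    """Return one dict per finding line; headers and blank lines are skipped."""
    return [m.groupdict() for m in (FINDING_RE.match(l.strip()) for l in report.splitlines()) if m]


def canonical_key(key: str) -> str:
    """Fold ControlSet001/003 onto CurrentControlSet: RogueKiller lists every
    control set, so one planted service shows up as two or three lines."""
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key, flags=re.IGNORECASE)


def parse_proxy(data: str) -> list[tuple[str, str, int | None]]:
    """ProxyServer is 'host:port' or 'http=host:port;https=host:port'."""
    entries = []
    for part in (p.strip() for p in data.split(";") if p.strip()):
        scheme, hostport = part.split("=", 1) if "=" in part else ("*", part)
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port present
            host, port = hostport, ""
        entries.append((scheme, host, int(port) if port.isdigit() else None))
    return entries


def assess(f: dict) -> dict:
    cat, key = f["cat"].lower(), canonical_key(f["key"])
    sev, why = "info", "no rule for this category; review by hand"
    if cat == "suspicious.path" and f["path"]:
        path = f["path"][4:] if f["path"].startswith("\\??\\") else f["path"]   # drop NT prefix
        if TEMP_DIR_RE.search(path):
            sev, why = "high", "service binary under a Temp directory; installed software does not run from there"
            # catchme.sys is the GMER anti-rootkit driver that ComboFix drops in Temp; the rule
            # still fires, which is why a person reviews this list before anything is deleted.
    elif cat == "pum.proxy" and f["data"]:
        for scheme, host, port in parse_proxy(f["data"]):
            if host.lower() in LOOPBACK:
                sev = "high"
                why = f"{scheme} traffic forced through a local listener on port {port}; typical of ad-injecting or page-rewriting software"
                if "\\.DEFAULT\\" in key or "\\S-1-5-18\\" in key:
                    why += " (set in the LocalSystem profile, so services' WinINET traffic is proxied too)"
    elif cat == "pum.dns" and f["data"]:
        try:
            ip = ip_address(f["data"].split()[0])
        except ValueError:
            sev, why = "medium", f"resolver value {f['data']!r} is not an IP address"
        else:
            sev = "info" if ip.is_private else "medium"
            why = f"DHCP-assigned resolver {ip} is " + ("on the local network" if ip.is_private
                  else "a public address; confirm it belongs to the ISP or a provider the user chose")
    elif cat == "pum.startmenu":
        sev, why = "low", "Explorer start-menu preference; cosmetic, changed by users and tweak utilities"
    return {"category": f["cat"], "key": key, "detail": f["path"] or f["data"], "severity": sev, "reason": why}


def triage(report: str) -> list[dict]:
    """Assess every finding, drop control-set duplicates, worst first."""
    unique: dict[tuple, dict] = {}
    for f in parse_findings(report):
        a = assess(f)
        unique.setdefault((a["category"].lower(), a["key"].lower(), a["detail"]), a)
    return sorted(unique.values(), key=lambda a: SEVERITY_ORDER[a["severity"]])


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f"[{r['severity']:<6}] {r['category']:<16} {r['key']}")
        print(f"         {r['detail']}")
        print(f"         {r['reason']}")
```

The hosts-file, MBR and Antirootkit sections are deliberately not scored. The 44 SSDT and shadow-SSDT hooks in the report are a separate question: on 32-bit Windows, antivirus self-protection drivers commonly hook exactly these calls (process, thread, memory and keyboard APIs), so an "Unknown" hook list is not evidence on its own and needs to be matched against the installed security software before it means anything.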

Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    =====================================

    Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

    Run FRST.exe/FRST64.exe and click Fix only once and wait

    The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

    ==========================

    Let's check for any adware/spyware now:

    Please download AdwCleaner from HERE or HERE to your desktop.

    • Double click on AdwCleaner.exe to run the tool.

      Vista/Windows 7/8 users right-click and select Run As Administrator

    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
    • Look over the log especially under Files/Folders for any program that may have been targeted by mistake.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
    • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
    • To restore an item that has been deleted:
    • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
    Next..................

    Please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Next.........

    Please Update and run a Threat Scan (Malwarebytes)

    Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

    Same for PUM (Potentially Unwanted Modifications)

    Quarantine All that's found

    MrC

fixlist.txt


Here's the results...

 

Fix result of Farbar Recovery Scan Tool (x86) Version:21-08-2015
Ran by Al & Mindy (2015-08-21 21:33:34) Run:1
Running from C:\Users\Al & Mindy\Desktop\MB8-20
Loaded Profiles: Al & Mindy (Available Profiles: Al & Mindy & UpdatusUser)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
GroupPolicyScripts: Group Policy detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-20 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Security Suite\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
Toolbar: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-02-11] (Coupons, Inc.)
CHR Extension: (No Name) - C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\balimbofoedmklhpnchbgmlfipgpbjnl [2015-07-08]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
S2 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X]
CustomCLSID: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{994B47B9-7DB9-5058-EE22-08DD039ADC4B}\InprocServer32 -> {1FE960F5-9468-D082-A3F0-98EE85889A47} No File
CustomCLSID: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{DD0822EE-9A03-4BDC-B947-4B99B97D5850}\InprocServer32 -> {46CC2438-9468-D082-6EB4-BDB785889A47} No File
AlternateDataStreams: C:\Users\Al & Mindy\BCHW - Feburary Mount St. Helens Chapter newsletter.eml:OECustomProperty
AlternateDataStreams: C:\Users\Al & Mindy\Bells Mountain Trail.eml:OECustomProperty
AlternateDataStreams: C:\Users\Al & Mindy\Fwd- Bells Mountain Trail - Copy (1).eml:OECustomProperty
AlternateDataStreams: C:\Users\Al & Mindy\Fwd- Bells Mountain Trail.eml:OECustomProperty
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo
 
*****************
 
Restore point was successfully created.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"C:\Windows\system32\GroupPolicy\Machine" => File/Folder not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
"HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully.
HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found. 
"HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully.
HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
"HKCR\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} => value removed successfully.
HKCR\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} => key not found. 
"HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully.
C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => moved successfully
C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\balimbofoedmklhpnchbgmlfipgpbjnl => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully.
SessionLauncher => service removed successfully.
"HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{994B47B9-7DB9-5058-EE22-08DD039ADC4B}" => key removed successfully.
"HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{DD0822EE-9A03-4BDC-B947-4B99B97D5850}" => key removed successfully.
C:\Users\Al & Mindy\BCHW - Feburary Mount St. Helens Chapter newsletter.eml => ":OECustomProperty" ADS removed successfully..
C:\Users\Al & Mindy\Bells Mountain Trail.eml => ":OECustomProperty" ADS removed successfully..
C:\Users\Al & Mindy\Fwd- Bells Mountain Trail - Copy (1).eml => ":OECustomProperty" ADS removed successfully..
C:\Users\Al & Mindy\Fwd- Bells Mountain Trail.eml => ":OECustomProperty" ADS removed successfully..
C:\Users\Public\.DS_Store => ":AFP_AfpInfo" ADS removed successfully..
 
 
The system needed a reboot.
 
==== End of Fixlog 21:34:19 ====
 
 
# AdwCleaner v5.003 - Logfile created 21/08/2015 at 21:46:43
# Updated 20/08/2015 by Xplode
# Database : 2015-08-20.1 [server]
# Operating system : Windows Vista Ultimate Service Pack 2 (x86)
# Username : Al & Mindy - RUSTRANCH
# Running from : C:\Users\Al & Mindy\Desktop\MB8-20\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
 
***** [ Files ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider_Data] Found : {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}{google:contextualSearchVersion}ie={inputEncoding}","usage_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_bit":true,"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"n","commands":{},"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"install_time":"13042140344411000","last_launch_time":"13084222849287800","location":5,"manifest":{"app":{"launch":{"web_url":"hxxps://chrome.google.com/webstore"},"urls":["hxxps://chrome.google.com/webstore"]},"description":"Chrome Web Store","icons":{"128":"webstore_icon_128.png","16":"webstore_icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtl3tO0osjuzRsf6xtD2SKxPlTfuoy7AWoObysitBPvH5fE1NaAA1/2JkPWkVDhdLBWLaIBPYeXbzlHp3y4Vv/4XG+aN5qFE3z+1RU/NqkzVYHtIpVScf3DjTYtKVL66mzVGijSoAIwbFCC3LpGdaoe6Q1rSRDp76wR6jjFzsYwQIDAQAB","name":"Store","permissions":["webstorePrivate","management"],"version":"0.2"},"page_ordinal":"n","path":"C:\\Program 
Files\\Google\\Chrome\\Application\\29.0.1547.66\\resources\\web_store","was_installed_by_default":false},"aohghmighlieiainnegkcijnfilokake":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"disable_reasons":1,"events":[],"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"has_declarative_rules":false,"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13067493018921800","lastpingday":"13084613983883651","location":1,"manifest":{"api_console_project_id":"619683526622","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en_US","default_locale":"en_US","description":"Create and edit documents ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJhLK6fk/BWTEvJhywpk7jDe4A2r0bGXGOLZW4/AdBp3IiD9o9nx4YjLAtv0tIPxi7MvFd/GUUbQBwHT5wQWONJj1z/0Rc2qBkiJA0yqXh42p0snuA8dCfdlhOLsp7/XTMEwAVasjV5hC4awl78eKfJYlZ+8fM/UldLWJ/51iBQwIDAQAB","manifest_version":2,"name":"Google 
Docs","offline_enabled":true,"update_url":"hxxps://clients2.google.com/service/update2/crx","version":"0.9"},"page_ordinal":"n","path":"aohghmighlieiainnegkcijnfilokake\\0.9_0","preferences":{},"regular_only_preferences":{},"state":0,"was_installed_by_default":true,"was_installed_by_oem":false},"apdfllckaahabafndbhieahigkjlhalf":{"ack_external":true,"active_bit":false,"active_permissions":{"api":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"manifest_permissions":[]},"app_launcher_ordinal":"x","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"manifest_permissions":[]},"has_declarative_rules":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13081623576698600","last_active_pingday":"13063795186262538","last_launch_time":"13063851359047538","lastpingday":"13084613983883651","location":1,"manifest":{"app":{"launch":{"web_url":"hxxps://drive.google.com/?usp=chrome_app"},"urls":["hxxp://docs.google.com/","hxxp://drive.google.com/","hxxps://docs.google.com/","hxxps://drive.google.com/"]},"background":{"allow_js_access":false},"current_locale":"en_US","default_locale":"en_US","description":"Google Drive: create, share and keep all your stuff in one place.","icons":{"128":"128.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIl5KlKwL2TSkntkpY3naLLz5jsN0YwjhZyObcTOK6Nda4Ie21KRqZau9lx5SHcLh7pE2/S9OiArb+na2dn7YK5EvH+aRXS1ec3uxVlBhqLdnleVgwgwlg5fH95I52IeHcoeK6pR4hW/Nv39GNlI/Uqk6O6GBCCsAxYrdxww9BiQIDAQAB","manifest_version":2,"name":"Google 
Drive","offline_enabled":true,"options_page":"hxxps://drive.google.com/settings","permissions":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"update_url":"hxxps://clients2.google.com/service/update2/crx","version":"14.0"},"page_ordinal":"n","path":"apdfllckaahabafndbhieahigkjlhalf\\14.0_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false},"balimbofoedmklhpnchbgmlfipgpbjnl":{"ack_settings_bubble":true,"active_permissions":{"api":["cookies","searchProvider","storage","tabs","unlimitedStorage"],"explicit_host":["hxxp://*/*","hxxps://*/*"],"manifest_permissions":[]},"blacklist_state":3,"commands":{},"content_settings":[],"creation_flags":9,"disable_reasons":1,"events":[],"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":["cookies","searchProvider","storage","tabs","unlimitedStorage"],"explicit_host":["hxxp://*/*","hxxps://*/*"],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13079137717632000","lastpingday":"13084613983883651","location":1,"manifest":{"background":{"scripts":["/extensions_base/basejs/jquery-1.9.1.js","/extensions_base/basejs/products/zooms_musixlib_parameters_ds.js","/extensions_base/basejs/base.js","background.js"]},"chrome_settings_overrides":{"search_provider":{"alternate_urls":[],"encoding":"UTF-8","favicon_url":"hxxp://www.gozooms.com/images/favicon.ico","image_url":"hxxp://zooms.searchalgo.com/search/?category=images&q={searchTerms}
 
########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [6647 bytes] ##########
 
 
I ran JRT three times but it would not generate a report.  The program self closed each time as it was checking the registry.  Also, is it normal for this program to start off stating that "the system could not find the desired path" multiple times before it started the "create a restore point"?
 
Here's the MB threat scan txt:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 8/21/2015
Scan Time: 10:18:56 PM
Logfile: MBscan 8-21.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.08.21.09
Rootkit Database: v2015.08.16.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Al & Mindy
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 465062
Time Elapsed: 23 min, 49 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
I am puzzled that this scan indicates that Malware Protection and Malicious Website Protection are Disabled?  I double-checked my settings in Malwarebytes and they show both of these settings to be Enabled.
 
 
 
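AdwCleaner flagged Chrome's Secure Preferences file because of the extension the FRST fix had just moved off disk, balimbofoedmklhpnchbgmlfipgpbjnl: its manifest carries a chrome_settings_overrides.search_provider pointing at the zooms.searchalgo.com / gozooms.com hosts, it holds host permissions on every http and https site, and it has a nonzero blacklist_state. The script below is an added example (mine, not AdwCleaner's or Chrome's code) that reads the same JSON layout and reports search-provider overrides, all-hosts permissions, blocklisted extensions, and extensions installed from outside the browser (Chrome's location value 3 is the HKLM\...\Chrome\Extensions registry mechanism the FRST fix removed). The sample dictionary is constructed to mirror the fragment in the log: the Google Docs entry and the hijacker's permissions come from the log, the hijacker's search_url is assumed from its logged image_url host, and the iikflkcanblccfahdhdonehdalibjnif entry has only its id and registry-install location from the FRST output, everything else about it being made up.

```python
"""Audit a Chrome 'Secure Preferences' file for search hijacking and sideloaded
extensions. Added example, not AdwCleaner or Chrome code. Assumptions: the JSON
layout below (mirroring the log fragment above), Chrome's Manifest::Location
numbering, and the KNOWN_SEARCH_HOSTS allowlist."""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Manifest::Location values from extensions/common/manifest.h. SIDELOAD_LOCATIONS
# are installs driven by a registry key or an external prefs file, not by the
# user inside the browser.
LOCATION_NAMES = {1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
                  5: "component", 6: "external_pref_download", 7: "external_policy_download",
                  9: "external_policy"}
SIDELOAD_LOCATIONS = {2, 3, 6}
ALL_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
# Assumption of this example: search hosts a user is expected to have chosen.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}


def load_secure_preferences(path: str) -> dict:
    """Read-only: never write this file back, Chrome validates its HMACs."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def search_host(url: str) -> str:
    return urlparse(url).netloc.lower()


def audit_secure_preferences(prefs: dict) -> list[dict]:
    findings: list[dict] = []
    # 1. The browser-wide default search engine (Google's own template is left alone).
    url = prefs.get("default_search_provider_data", {}).get("template_url_data", {}).get("url", "")
    if url and "{google:baseURL}" not in url and search_host(url) not in KNOWN_SEARCH_HOSTS:
        findings.append({"id": "default_search", "severity": "high",
                         "reasons": [f"default search provider points at {search_host(url) or url}"]})
    # 2. Every extension recorded in the profile.
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        reasons, high = [], False
        override = manifest.get("chrome_settings_overrides", {}).get("search_provider")
        if override:
            reasons.append("overrides the default search provider with "
                           f"{search_host(override.get('search_url', '')) or '?'}")
            high = True
        if set(ext.get("active_permissions", {}).get("explicit_host", [])) & ALL_HOSTS:
            reasons.append("can read and change data on every site")
        loc = ext.get("location")
        if loc in SIDELOAD_LOCATIONS:
            reasons.append(f"installed from outside the browser ({LOCATION_NAMES[loc]})")
            high = True
        if ext.get("blacklist_state", 0):
            reasons.append(f"flagged by Google's extension blocklist (state {ext['blacklist_state']})")
            high = True
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "(no name)"),
                             "severity": "high" if high else "medium", "reasons": reasons})
    return findings


# Constructed sample mirroring the Secure Preferences fragment in the log above.
SAMPLE_PREFS = {
    "default_search_provider_data": {"template_url_data": {
        "keyword": "google.com", "url": "{google:baseURL}search?q={searchTerms}&ie={inputEncoding}"}},
    "extensions": {"settings": {
        "aohghmighlieiainnegkcijnfilokake": {          # Google Docs, as logged
            "from_webstore": True, "location": 1, "was_installed_by_default": True,
            "active_permissions": {"api": [], "explicit_host": []},
            "manifest": {"name": "Google Docs", "version": "0.9"}},
        "balimbofoedmklhpnchbgmlfipgpbjnl": {          # search hijacker, as logged
            "from_webstore": True, "location": 1, "blacklist_state": 3, "disable_reasons": 1,
            "active_permissions": {"api": ["cookies", "searchProvider", "storage", "tabs", "unlimitedStorage"],
                                   "explicit_host": ["http://*/*", "https://*/*"]},
            "manifest": {"name": "(no name)", "version": "1.0",
                         "chrome_settings_overrides": {"search_provider": {
                             "encoding": "UTF-8",
                             "favicon_url": "http://www.gozooms.com/images/favicon.ico",
                             # search_url assumed from the logged image_url host
                             "search_url": "http://zooms.searchalgo.com/search/?q={searchTerms}"}}}},
        "iikflkcanblccfahdhdonehdalibjnif": {          # registry-installed per FRST; details constructed
            "from_webstore": False, "location": 3,
            "active_permissions": {"api": ["tabs"], "explicit_host": []},
            "manifest": {"name": "constructed sideloaded extension", "version": "1.0"}},
    }},
}

if __name__ == "__main__":
    for f in audit_secure_preferences(SAMPLE_PREFS):
        print(f"[{f['severity']}] {f['id']} {f.get('name', '')}")
        for r in f["reasons"]:
            print("    -", r)
```

On a live profile, point load_secure_preferences at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences. The audit is read-only on purpose: the file's protection.macs section holds a per-value HMAC, so hand-editing the JSON makes Chrome reset those preferences rather than accept the change. Removal is done by deleting the extension directory and the HKLM Extensions key, which is what the FRST fixlist above did.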

We'll address those problems when we're done.

Please do this:

Download zoek.exe to your Desktop:

http://hijackthis.nl/smeenk/

Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications Here

http://www.bleepingcomputer.com/forums/topic114351.html

On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator

Give it a few seconds to appear

Next, copy/paste the entire script inside the codebox below to the input field of Zoek:

autoclean;

emptyalltemp;

Now...

Close any open programs.

Click the Run script button, and wait. It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.

The log is also found on the systemdrive, normally C:\

If a reboot is needed, the log is opened after the reboot.

==================================

Please re-scan with FRST and Make sure the Addition Box is checked.

http://www.fixitpc.pl/picasso/images/malware/tools/frst/frst_win05.png

Post or attach the 2 logs FRST.txt and Addition.txt

MrC


zoek has gone bonkers.  It ran for ten minutes then froze when it got to C:\Users\Public\Desktop DB Check.  I gave up on it after letting it run for another 40 minutes.  I tried to close the program using the X close button, but the program kept coming back to the freeze point.  Finally, after two hours plus I used Ctrl+Alt+Delete to try to shut it down with no luck.


Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

=====================

Let me know how it is. (ie: what browser or browsers are a problem)

fixlist.txt


It appears that the "fix" got rid of the scrolling to the bottom of the page issues I was having with both Thunderbird and Chrome.  When we get to the cleanup phase I'd like your opinion on this:  sometime during the first round of scans with the various programs two "desktop.ini" icons appeared on my desktop (one from 2011, the other from 2013).  Is it safe to delete these?


When we get to the cleanup phase I'd like your opinion on this: sometime during the first round of scans with the various programs two "desktop.ini" icons appeared on my desktop (one from 2011, the other from 2013). Is it safe to delete these?

They may have appeared because you "enabled your system to show hidden files".
 

 Please enable your system to show hidden files: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

 

If you go back and hide them again, they should be gone; if not, you can delete them.

==========================

If there are no other problems...

Let's check your computer's security before you go; we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • If you can't post it, attach it

MrC

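A way to look at those desktop.ini files before deciding whether to delete them, as an added PowerShell example that is not part of the original thread and was not posted by MrC. It assumes Windows 7 or later with PowerShell 3.0 or newer, and it only inspects the current user's Desktop and the Public Desktop; nothing in it deletes anything.

```powershell
# Added example, not from the original thread. Inspects desktop.ini files that became
# visible on the Desktop after "show hidden files" was enabled, and reports whether
# each one has the shape Explorer normally gives it.
# Assumptions: Windows 7 or later, PowerShell 3.0 or newer (needed for -File and -Raw).

function Test-DesktopIni {
    param(
        # Folders to check; the user's own Desktop and the shared Public Desktop by default.
        [string[]]$Folder = @(
            [Environment]::GetFolderPath('Desktop'),
            "$env:PUBLIC\Desktop"
        )
    )

    foreach ($dir in $Folder) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        # -Force is required: a normal desktop.ini carries the Hidden and System
        # attributes and is skipped by a plain directory listing.
        $items = Get-ChildItem -LiteralPath $dir -Filter 'desktop.ini' -File -Force -ErrorAction SilentlyContinue

        foreach ($file in $items) {
            $attrs   = $file.Attributes
            $hidden  = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
            $system  = ($attrs -band [IO.FileAttributes]::System) -ne 0
            $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            $reasons = @()

            # Explorer writes desktop.ini as a small text file whose first section
            # is [.ShellClassInfo]; anything else deserves a second look.
            if (-not ($hidden -and $system)) { $reasons += 'missing Hidden+System attributes' }
            if ($file.Length -gt 4KB)        { $reasons += "unusually large ($($file.Length) bytes)" }
            if ($content -notmatch '^\s*\[\.ShellClassInfo\]') { $reasons += 'does not start with [.ShellClassInfo]' }
            if ($content -match '[\x00-\x08\x0B\x0C\x0E-\x1F]') { $reasons += 'contains control bytes (not plain text)' }

            [PSCustomObject]@{
                Path          = $file.FullName
                LastWriteTime = $file.LastWriteTime
                Attributes    = $attrs
                SizeBytes     = $file.Length
                Verdict       = if ($reasons.Count -eq 0) {
                                    'looks like a normal Explorer desktop.ini'
                                } else {
                                    'review: ' + ($reasons -join '; ')
                                }
            }
        }
    }
}

# Usage: list every desktop.ini found on the two Desktop folders with a verdict.
Test-DesktopIni | Format-List
```

A file that comes back as a normal Explorer desktop.ini is the one the hidden-files setting exposed, which matches the advice above; a file flagged for review is worth posting in the thread rather than deleting blind, since the LastWriteTime and attributes are what a helper will ask for.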

That's OK, I looked through your logs to ensure important programs are up to date and they are.

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work, you can simply rename ComboFix.exe to Uninstall.exe and double-click it to complete the uninstall, or download and run the uninstaller.)


---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Looks like things are back to normal.  The "desktop.ini" icons went away when I re-hid the system files;  no more uncommanded browser scrolling;  and, total care complete 247 hasn't been back.  Your preventive maintenance tips are good and I follow those routinely.  Too bad my son doesn't.  Thanks again for your expert advice...I put a little in your paypal sack...the next drink's on me!



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
